Talking Endpoint with Sam Curry

Endpoint security, in my estimation, suffers the widest gulf between the intensity of emphasis from cyber technology providers and the amount of exploitable risk that remains on deployed PCs, mobiles, and other end-user devices. To that end, I try to spend as much time as I can with the finest minds in this area, trying to understand how this important aspect of cyber security will evolve – hopefully, toward improved protection. My good friend Sam Curry is one of those individuals, having traveled our industry for many years, and now serving as Chief Product Officer for Cybereason. I caught up with Sam recently and asked him to make some observations and predictions about endpoint security, including the scourge of ransomware, which has the potential to create much more havoc than we’ve seen to date. Here is a brief summary of my discussion with Sam:

EA: Sam, what role does endpoint protection play in the context of enterprise security?

SC: Ed, as you know, the endpoint has become the modern cyber battlefield. It’s not only cliché to denigrate the perimeter, but adversaries have smashed through. And while they might take refuge in routers and target firmware, and this will increase with IoT, the terrain, assets, data, accounts, processes, services, and repositories of choice are on the endpoints. The attacker is a fundamentally human one, and he or she doesn’t turn up with convenient binaries that have recognizable hashes – they turn up with exploits, file-less malware, and advanced toolkits that can be used to break open, own, and abuse the endpoint.

EA: Do you see attacks such as ransomware increasing in frequency and intensity?

SC: Ransomware is used for many purposes, from simple smash and extort cash schemes to diversions and cover for more malicious attacks. NotPetya is probably one of the worst examples of this. It looked like ransomware, but ultimately had a more destructive goal. For a long time, attacks were becoming more subtle and persistent, without damaging the host directly. The value to the adversary was proportional to the length of time that attackers exerted control. This is no longer the case. Instead, ransomware and its toolkits are proof of the resurgence, and it will only get worse.

EA: What’s on the horizon in terms of future endpoint use in the enterprise? Do you see the mobile continuing to move ahead as the primary business tool?

SC: While the battlefield may be on the endpoint, our industry is too focused on yesterday’s tools. Malware is a thing of the past. Sure, it’s still present and can still hurt, but it’s mostly noise and a distraction. The trick isn’t to secure every endpoint, although we want to, and by inference, to say that the enterprise is secure. Instead, we need to look for the attackers moving through and developing their beachheads. Hollywood has done us a disservice: An attacker starts typing and flashily hits enter and says “Done!” Unfortunately, it doesn’t work like that. While things like ransomware might be fast and deadly, the most lethal attacks take time to convert inevitable infrastructure breaches into control, information breach, or asset theft and breach. Future attacks will move to mobile devices, which are starting to look a lot like traditional endpoints, if not more connected and vulnerable, and to the emerging class of embedded systems, of which the IoT is a big part. These represent new terrain on the cyber battlefield, new assets, and new tools for exploitation.

EA: Has signature-based security officially failed? Or do you see it more as a complementary feature in an integrated program?

SC: Signature-based security has had its day. Just as the perimeter is not dead – yes, it’s still there – so too the signature-based tools of yesterday remain. While they aren’t dead, they are no longer the lions of security. They are no longer the primary or even an important part of defense. The time to turn off the antivirus isn’t here yet, though it’s much closer than it used to be. Instead, we should be looking to new tools, like endpoint detection and response, and advanced, dynamic, and deep ways of looking for new and emerging, never-before-seen threats. The focus needs to be on stopping bad people as opposed to trying to identify bad code, and for the most part, that means a behavioral approach.

EA: You’ve been in the cyber security industry for many years – what prediction are you willing to share with respect to future cyber risk in our society?

SC: This is always a dangerous game to play, but I’ll try anyway. Cyber security is pulling away from the traditional IT security. I apply the word “cyber” to strategies, tools, processes, and people that strive to stop an adversary. Authentication, antivirus, firewalls and vulnerability management comprise IT security, rather than cyber security. I predict that this gulf will widen. We will see a rise in state-sponsored attacks from more and more countries, as everyone realizes the importance of having offense and defense options. The “cyber cold war” will continue to heat up. From the perspective of the US, China has quietened, while attackers have pseudo-privatized there. But other actors like Russia and North Korea have become bolder. We will also see a rise of financially motivated cybercrime, and more blackmail, bribery, and the like. On the positive side, I expect more companies will develop specifically cyber defense capabilities; and I hope that machine learning and artificial intelligence will make an appearance to help automate and find the best use of our carbon-based intelligence, which are obviously people. Finally, I’d like to see internationalization of risk management frameworks, standards around cyber capabilities and more international cooperation. We have a long way to go, but the appeal and value of communities that work together is a force that won’t be stopped.