In 1942, Winston Churchill, referring to his political adversary Stanley Baldwin, was quoted saying, “Occasionally he stumbled over the truth but he always picked himself up and hurried on as if nothing happened.” Over time Churchill’s remark was morphed into a statement about mankind in general. Today, Churchill’s statement could be further morphed and used to describe the cyber security industry over the last 30 years.
Picture courtesy: AZ Quotes.
In 1987, Dr. Fred Cohen, who coined the term “computer virus,” published a paper demonstrating that no computer algorithm can perfectly detect all possible viruses. Looking back over the last three decades (see accompanying chart), it would appear that the only people who have paid serious attention to Dr. Cohen’s seminal work are those who develop malware. Today, the prevailing approaches to malware prevention are still based on the assumption that it’s possible to reliably detect the presence of malware or the evidence of its activity. In 1987, malware’s ability to propagate was still somewhat limited, but given our global connectedness and dependence on the Web and email, organizations are constantly exposed to content that can originate anywhere. Attackers are on a spree, regularly breaching the walls of even the most sophisticated prevention systems.
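Cohen’s result is a diagonalization argument: given any candidate detector, one can build a program that asks the detector about itself and then does the opposite of what the detector predicts, so the detector is wrong on that program. The Python below is an added illustration of that argument in miniature, not code from the original article or from Menlo Security; the “infective” behaviour is modelled as a returned string, and `make_contrary` and `detector_is_wrong` are names chosen here for the example.

```python
"""Toy model of Cohen's 1987 undecidability argument for virus detection.

A detector is any function that takes a program (here, a Python callable)
and returns True if it judges the program to be a virus.  For any such
detector we can construct a program that consults the detector about
itself and behaves contrary to the verdict, so the verdict is always wrong.
"""

from typing import Callable

Program = Callable[[], str]
Detector = Callable[[Program], bool]


def make_contrary(detector: Detector) -> Program:
    """Build the diagonal program for a given detector.

    The returned program only ever reads the detector's verdict on itself;
    the "infect" branch is modelled as a string, nothing is actually done.
    """

    def contrary() -> str:
        if detector(contrary):
            # Detector says "virus": behave benignly, so the verdict is a false positive.
            return "benign"
        # Detector says "clean": perform the (modelled) infective action,
        # so the verdict is a false negative.
        return "infect"

    return contrary


def detector_is_wrong(detector: Detector) -> bool:
    """Return True if the detector misclassifies its own contrary program.

    By construction this is True for every detector that returns a verdict
    without running the program.
    """
    program = make_contrary(detector)
    verdict = detector(program)          # what the detector claims
    behaviour = program()                # what the program actually does
    return (verdict and behaviour == "benign") or (not verdict and behaviour == "infect")


# Three constructed detectors: a paranoid one, a permissive one, and a
# "signature" heuristic that keys on the program's name.
ALWAYS_VIRUS: Detector = lambda p: True
NEVER_VIRUS: Detector = lambda p: False
NAME_SIGNATURE: Detector = lambda p: "contrary" in p.__name__


def demo() -> dict:
    """Evaluate each sample detector; every entry comes out True."""
    return {
        "always_virus": detector_is_wrong(ALWAYS_VIRUS),
        "never_virus": detector_is_wrong(NEVER_VIRUS),
        "name_signature": detector_is_wrong(NAME_SIGNATURE),
    }


if __name__ == "__main__":
    for name, wrong in demo().items():
        print(f"{name:15s} misclassifies its contrary program: {wrong}")
```

The model also hints at why behavioural analysis does not escape the argument: a detector that tried to observe the program by running it would, in this toy, recurse without bound, the analogue of a sandbox that can be kept busy or steered for as long as the sample is being watched.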
But wait: what about the newer systems that use technologies like network sandboxing or big data analytics? Don’t they represent something new, different and more effective? The simple answer, based on regular reports of new breaches, is an emphatic “No!” Regardless of the underlying technology used, if a malware prevention system makes a “good vs. bad” decision and allows content deemed “good” to reach its target, then it’s a detection-based system that, as history has proven, will fail. So just as no one has been able to create a perpetual motion machine, no such solution has yet been successful at detecting and blocking 100% of malware. Nonetheless, onward we stumble, introducing generation after generation of detection-based technologies that attackers reverse engineer and thwart with increasing speed and effectiveness.
There is another approach to preventing malware, namely isolation. Unlike detection technologies, isolation technologies make no attempt to distinguish between “good” content and “bad” malware. With isolation, content is contained and executed in a virtualized environment and never allowed to reach the end user. The promise is near-perfect security, with no false positives and no false negatives. Isolation isn’t new, but it has proven very challenging to deploy at scale without negatively impacting the user experience. But the situation is changing. Menlo Security is delivering an isolation-based security system that makes it impossible for malware from the Web to infect user devices, without the need for special endpoint software and with a transparent user experience. With isolation, we’re reaching a turning point in security and can start progressing purposefully, rather than stumbling, towards a more secure future.