From the CTO's Desk: Detecting Threats with "Whole-Brain" Technology
April 25, 2017
I've been designing and programming computer systems for a long time (longer than I'm willing to admit in a public blog post).
On many occasions throughout my career I've come across problems that were proving to be very difficult (if not impossible) to solve using pure combinatorial logic – meaning logic that is based exclusively on what we know now.
On many, if not most, of those occasions I've been rescued by one of two things: recursion and/or finite state machines.
Recursion, strictly speaking, is the technique of having a computer algorithm invoke itself, potentially many times, each time with successively more knowledge, until it finds a solution. In a more general sense, recursion enables us to keep digging deeper and deeper into a problem until we get to the bottom of it.
Finite-state machines are physical or logical devices that can make decisions based on both current conditions and current state, which is a function of previous conditions. This is also known as sequential logic.
The thing that both these techniques have in common is that they combine what we know now with what happened before to find a solution. One of the reasons humans can solve certain problems more easily than machines is because human brains do this naturally.
Just think for a second about how you, as a bona fide, Class A Humanoid, solve problems every day. In virtually every case you will use a combination of what you know now and what you have experienced in the past.
Computing systems can do it, too, but they need to be designed to do it - they don't do it "naturally." At least, not yet. Network security systems in general - and traditional intrusion prevention systems in particular - are examples of systems that have not been designed to do this. They were designed with instantaneous, combinatorial logic in mind. They don't have enough short-term memory to do deep, recursive analysis. They don't have the rich, long-term, non-selective memory needed to do sequential analysis. In short, they only have "half a brain".
Modern next-generation intrusion prevention solutions need to take more of a whole-brain approach.
At Fidelis we've worked very hard over a number of years to build both real-time, instantaneous decision-making capability and non-selective memory into both the network and endpoint components of our solution. This enables us to detect certain kinds of threats that are impossible to detect using pure combinatorial logic alone.
With these capabilities we can:
- Detect malicious objects traversing the network -- even if they are hidden under multiple, opaque layers of encapsulation, encoding, embedding, compression and obfuscation.
- Automatically apply new threat intelligence to historical network and/or endpoint behavior to detect threats that occurred in the past.
- Use sequential logic and finite-state analysis on network and/or endpoint metadata to identify threats that can only be identified by looking for a pattern of malicious behavior that occurs over a period of time.
- Leverage data science, machine learning, and artificial intelligence techniques to reduce the dependency on a priori threat intelligence, and achieve data-driven detections that are timely, accurate, adaptive and self-updating.
If this sounds like a bunch of quasi-academic technical geekery to you, just think for a second about how you solve problems every day and how far technology has come in the past 20, 10 – or even 5 years. Isn't it time your IPS got a whole brain?
-- Fidelis Cybersecurity CTO Kurt Bertone