At a glance
Five days before Christmas in 2017, the US and Australia followed the UK’s lead by publicly denouncing North Korea for an attack on our soil. The statement from the Australian Government was unequivocal in condemning the actions.
The attack, however, had nothing to do with traditional military action or the missile threat that has kept alive a war of words between US president Donald Trump and North Korea’s supreme leader Kim Jong-un.
Instead, it was a cyber attack that had happened seven months earlier, in May 2017, when a ransomware cryptoworm known as WannaCry paralysed over 200,000 computers in more than 150 nations. Once it locked the user’s system and encrypted the data, the ransomware demanded a payment be made in bitcoin before the computer and its data would be freed from its digital prison.
WannaCry is an example of one of the many cyberthreats that businesses, individuals and government departments worldwide deal with on an increasingly regular basis.
Ashley Wearne, general manager, Australia and New Zealand, for security software and hardware company Sophos, says that every day in the company’s labs his technicians see about 500,000 new pieces of malware (short for malicious software). That’s half a million new pieces of malware detected every 24 hours, and only the tip of the cyber-iceberg.
“Eighteen months ago, malware was 80 per cent of the problem,” Wearne says.
“Now those 500,000 pieces of malware that we see every day represent just 14 per cent of all attacks. It’s staggering. The other 80 per cent is ransomware (a type of malware that encrypts data) and other types of attacks.”
A good strategy is vital to successfully defend against attacks. In the early days of viruses and other manmade cyber nasties, the authorities were the heavyweights and hackers were relatively easily knocked to the canvas. The strategy at the time was to land a knockout punch whenever a threat was detected.
Soon, however, the cybercriminals learned to duck and weave, to parry and dodge. Those whose job it was to defend businesses had to learn to punch fast and smart, and keep their opponent on the back foot. Yet even that couldn’t stop the bad guys winning a round every so often.
Bigger, smarter cyberthreats
Wearne started earning his IT stripes back in the early 1980s, working in sales for Burroughs.
“I moved from there, through to [computer] networking when it first became a big thing, and worked at Novell,” he says.
“Networking changed where people could do their computing from.”
Networking, which linked desktop computers to a common server, made it easier to share information. However, with the threat of viruses infecting the system, it also created a new business challenge.
An industry grew around virus protection and, in 2002, Wearne joined security software specialist McAfee Asia Pacific, first as regional vice president across Australia, New Zealand, India and South East Asia, then as general manager Australia New Zealand.
After McAfee, Wearne spent three years with Adobe, before returning to cyber security in 2012 when he took the reins at Sophos.
During his decades in IT security, Wearne has watched cyberthreats mushroom from small, rare issues to full-blown events.
“It’s now on a different scale to anything we’ve ever seen,” he says.
“When we first started seeing these types of things, they were annoyances driven by pimply teenagers doing something they thought was smart. Now, you have groups of people who are incredibly smart – some of the smartest people in the world – doing this to make a fortune, and they’re using tools at the level of those developed by the National Security Agency [in the US].”
In addition, the ever-increasing number of internet-connected items – from fridges to Google Home and wi-fi-connected light bulbs – has created a target-rich environment for cybercriminals. Researchers at Gartner have predicted that by 2020, more than 25 per cent of identified cyber attacks in enterprises will involve the Internet of Things.
Turning strategy on its head
When Sophos technicians first identify a piece of malware, they give themselves a maximum of 20 minutes to write code to block it, then they send that solution to client computers and servers. It’s a very quick response, but that 20-minute gap means some computer systems will already be infected.
There’s another problem, too. When 500,000 pieces of malware are being discovered every day, up to 20 minutes spent negating the effects of each one adds up to hundreds of thousands of working hours. No business in the world can afford such a level of manpower.
Sophos, like a boxer being worn down by a faster, fitter opponent, needed a drastic change in strategy to cope with the increasing number of threats. It needed to know exactly what type of punch cybercriminals were going to throw in order to block it before it had a chance of landing.
Two years ago, the business radically changed its approach. Dealing with threats one by one was no longer sustainable, and Wearne and his colleagues realised the same data that hackers used to break down the barriers of business systems could also be used against them.
Crime fighters of a different persuasion had for years been using patterns and trends to make their jobs easier. Police might identify the same modus operandi to link seemingly unrelated events, or match fingerprints or DNA to connect various crime scenes.
What if Sophos was able to identify similar patterns created by cybercriminals, to profile their work and group cyberthreats into more easily recognisable batches? Threats could then be dealt with in batches, instead of one by one.
27 shades of malware
“As you write software that detects 500,000 potential attacks per day, it becomes very large, unwieldy, and slow,” Wearne says.
“It’s powerful and accurate, but it’s a bit of a nightmare for customers to distribute. It became clear that we needed something different; something that works without us having to react to every threat individually.”
The Sophos team began to look at the way malware works, with the aim of stopping it before it caused any damage. It was a complete shift in strategy, proactive rather than reactive, and would not have been possible a few years earlier.
“For a little while, we knew this was where we had to get to, but we had no way of automating the search to protect against attacks,” Wearne says.
“Then we found a technique in artificial intelligence (AI) that allows for complex learning. We could teach it to continue learning what’s good and what’s bad, even if it has never seen the malware before. It constantly tunes itself.”
The technique doesn’t work unless the AI function is fed masses of data in the first place, so it can start to recognise what is good and what is bad. In the case of Sophos, that data comes in the form of every piece of malware it has ever discovered – hundreds of terabytes of web nasties.
“We have a business that is full of data, and now we have a solution that gobbles up data,” Wearne says. “It’s a match made in heaven.”
The AI system has identified 27 techniques malware developers use to get into the computer systems of individuals and businesses. It can now recognise when these specific techniques are being used and put solutions in place automatically before any damage can be done. It will also recognise and learn new patterns.
Rather than dealing individually with 500,000 threats each day, the new system simply recognises one of 27 techniques and puts a stop to them. Instead of suffering an endless series of jabs and body blows in order to protect itself from a knockout, the software boxer can now dodge every punch thrown. Its cyber opponents won’t be knocked out, but their efforts will be rendered useless.
Such innovation is par for the course for Sophos, which is essentially a research business, Wearne says. It is in its DNA to constantly evolve and to make major strategic shifts every so often to stay ahead of its increasingly strong and wily cyber opponents. However, for Wearne, success is about more than protecting clients – it is about the survival of Sophos.
“If we have one bad day, we’re out of business,” he says. “It’s a very thin line.”
Protection for all shapes and sizes of companies
The global average cost of a cyber breach, the Ponemon Institute’s 2017 Cost of Data Breach Study claims, is US$3.62 million. That’s a crippling cost for a small to medium enterprise (SME) to absorb, but cybercriminals don’t offer SMEs a free pass. This is why Sophos prioritises simplicity over all else, to ensure all businesses can be covered.
How does Sophos develop systems that are as affordable and practical for a 10-person company as they are for a 2000-person organisation? It all comes back to strategic planning.
“This is a fundamental question for us,” says Ashley Wearne, Sophos general manager, Australia and New Zealand.
“Small businesses, mid-sized firms and enterprise face exactly the same threats. They’re all plugged in to the internet and they’re all being hit by automated hacking tools.
“We build our strategy backwards from the customer, starting with the fact that businesses with less than 500 employees typically have no dedicated security expertise on staff. Companies with 500 to 2000 staff might have one or two people with security expertise. In businesses beyond that, there are teams of people whose only job is computer security. When we looked at that market we saw that because many businesses had little or no security expertise, we had to design solutions that were very simple.”
That is a lot easier said than done. “It is much harder to design a simple solution,” admits Wearne, “but we feel that’s what the market needs. In everything we do, we deliberately remove as many buttons and knobs as possible.”
As Wearne emphasises: “Our industry already suffers from too much complexity. By the time you have security in the network and on the end points, on computers and phones and every other web-connected device, it all becomes very complex. That complexity is the enemy of security.
“It’s about getting the technology to do most of the work in the background. It’s about technology working in unison – security systems communicating with firewalls, for instance – and without human intervention, so that most of the work happens automatically.”