There was a simpler time when keeping malicious code off a machine meant knowing what it looked like. Early anti-viruses scanned for signatures. They'd look for specific byte sequences and quarantine the files they recognized.

For example, when the Happy99 virus dropped in (unsurprisingly) 1999, AV software had to learn what it looked like to begin to combat it. On the surface, this makes sense. It’s a model that’s based on our immune system. If we can vaccinate against the viruses that are out there, then we can keep our machines healthy.

Now, Happy99 was pernicious. You'd get an email and click to see some pretty fireworks while it installed in the background and set itself up to attach a copy of itself to your outgoing mail. Still, once we knew what to look for, it could be stopped in its tracks.

But here's the problem with treating security like an immune system. Germs and viruses mutate blindly out in the world. Digital viruses, on the other hand, have a designer who can react directly to countermeasures. If Happy99 is on the no-fly list, hackers put a fake mustache on it, and the next worm (ExploreZip turned up just a few months later in the same year) walks right through security.

Sure, AVs can update for the new threat, but now those companies are just chasing their own tails. That’s the reason why modern malware protection had to evolve. How’d they do it? By thinking beyond the immune system.

First, we can't think about malware only in terms of code we've already seen. Modern protections perform behavioral analysis on software as it runs. Are there chain reactions that look suspicious, like writing a file, making a particular API call, and then reaching out to the network? That chain is suspicious, so now it digs a little deeper to see whether this code is doing the same things as code we already know is malicious. A piece of felt glued to your face doesn't help here: however the bytes are rearranged, the behavior is what gets caught.
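The following is an added example, not code from the original post, that puts the two approaches side by side on constructed data: a byte-pattern signature that a one-byte change defeats, and a behavioral rule that looks for the ordered chain described above (drop a file, call an autostart API, then talk to the network) for a single process. The signature, the two "binaries", the event shape and the event trace are all made up for illustration and stand in for no real product or sample.

```python
"""Signature matching vs. behavioral chain detection (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# --- Part 1: classic signature scanning --------------------------------------
# A constructed "signature": a byte pattern the scanner has learned to block.
KNOWN_BAD_SIGNATURE = b"SHOW_FIREWORKS;MAIL_SELF"

# Two constructed stand-ins for executables. The second is the "fake mustache":
# identical logic, but one byte changed inside the string the scanner keys on.
SAMPLE_ORIGINAL = b"\x4d\x5a<header>...SHOW_FIREWORKS;MAIL_SELF...<rest of binary>"
SAMPLE_MUTATED = SAMPLE_ORIGINAL.replace(b"MAIL_SELF", b"MAIL-SELF")


def signature_scan(binary: bytes, signatures: Sequence[bytes] = (KNOWN_BAD_SIGNATURE,)) -> bool:
    """Old-style AV: flag the file only if a known byte pattern is present."""
    return any(sig in binary for sig in signatures)


# --- Part 2: behavioral chain detection --------------------------------------
@dataclass(frozen=True)
class Event:
    """One hypothetical telemetry record from an endpoint sensor."""
    pid: int
    kind: str     # e.g. "file_write", "api_call", "net_connect"
    detail: str   # path, API name, or destination


# A rule is an ordered chain of (event kind, substring of detail) steps that
# must all occur, in this order, for the same process. Unrelated events may
# appear in between; that is what makes the rule robust to noise.
PERSIST_THEN_BEACON: List[Tuple[str, str]] = [
    ("file_write", "\\Windows\\System32\\"),   # drops a copy of itself
    ("api_call", "RegSetValueEx"),             # registers itself to autostart
    ("net_connect", "smtp://"),                # then talks out over mail
]


def matches_chain(trace: Sequence[Event], chain: Sequence[Tuple[str, str]]) -> bool:
    """Return True if every step of `chain` appears in `trace`, in order."""
    step = 0
    for ev in trace:
        kind, needle = chain[step]
        if ev.kind == kind and needle.lower() in ev.detail.lower():
            step += 1
            if step == len(chain):
                return True
    return False


def behavioral_scan(events: Sequence[Event],
                    chain: Sequence[Tuple[str, str]] = PERSIST_THEN_BEACON) -> List[int]:
    """Group events by process and return the pids whose trace matches the chain."""
    by_pid: Dict[int, List[Event]] = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    return sorted(pid for pid, trace in by_pid.items() if matches_chain(trace, chain))


# Constructed event trace. pid 4242 is the mutated sample doing its thing;
# pid 77 is a benign updater that also writes a file and uses the network,
# but never registers for autostart, so the chain does not complete.
SAMPLE_EVENTS = [
    Event(77, "file_write", "C:\\Program Files\\Updater\\update.log"),
    Event(77, "net_connect", "https://updates.example.com:443"),
    Event(4242, "file_write", "C:\\Windows\\System32\\dropper.exe"),
    Event(4242, "api_call", "GetWindowTextA"),              # noise between steps
    Event(4242, "api_call", "RegSetValueEx(HKLM\\...\\Run)"),
    Event(4242, "net_connect", "smtp://mail.example.net:25"),
]


if __name__ == "__main__":
    print("signature catches original:", signature_scan(SAMPLE_ORIGINAL))   # True
    print("signature catches mutated: ", signature_scan(SAMPLE_MUTATED))    # False
    print("behavior flags pids:       ", behavioral_scan(SAMPLE_EVENTS))    # [4242]
```

The point of the example is the asymmetry: the attacker only has to change one byte to beat the signature, but to beat the chain rule they have to give up dropping to the system directory, registering for autostart, or sending mail, which is to say give up the thing the malware is for. Real products weigh many such chains and add the "dig deeper" stage on top, but the matching logic starts from exactly this shape.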

On top of that, we extended the scope of protection. Now we have endpoint detection and response (covering the endpoints, like old AV did, but recording and correlating what runs on them). Beyond that there is extended detection and response, which pulls telemetry from the network, cloud, identity and email systems together with the endpoints so one attack shows up as one story rather than a handful of unrelated alerts. The people making these threats are smart, though, so we still need someone at the gates to look out for the edge cases that creep past the rules.

That's where managed detection and response comes in. People can beat machines because we can think around them. The things that give hackers an edge over software, intuition, creativity, and unpredictability, are things the good guys have too.

But what can you take away from this?

Aside from the history of security being cool and interesting (it's not just me, right?), we gain a lot by knowing how we got to where we are right now. Modern cybersecurity is immensely complicated, but it's not that way by accident.

Hackers are counting on the end user not knowing something to get in. That’s why we need software watching our computers and networks.

What’s more, this is also why we need people watching out for the next devious little trick hackers have in store.