Sign In

Communications of the ACM

ACM News

Locking Out the Hackers


Locking out the hackers.

New hardware and services from IBM and others are aimed at identifying malware before it has the chance to execute.

Credit: ecoXplorer

Hackers, criminal gangs, foreign governments, and other "bad actors" often seem to be one step ahead of cybersecurity, to be discovered only after the damage is done. Sometimes their malware goes unnoticed even after it has been installed for months (malware goes unnoticed an average of 205 days, according to Denis Kennelly, vice president of Development and Technology, IBM Security Systems).

All that time, the malware is "phoning home" what is thought to be secure data to its criminal masterminds. Now, however, the tide may be turning, thanks to special hardware matched with new software algorithms that programmers claim can ensure accurate authentication of every user gaining access to a computer.

In some cases, new security measures can even identify impending attacks before they happen, sometimes even setting traps to identify and physically track down the perpetrators.

"Our IBM Security team has Watson at this very moment learning how to distinguish normal user behaviors from those of hackers, such as ascending to higher and higher levels of security clearance, in order to identify bad actors before they can do any harm," said IBM president and chief executive officer Ginni Rometty recently at the IBM PartnerWorld Leadership Conference 2017 in Orlando, FL.

Computer/software analysts say IBM, the oldest vendor around, is leading the way in this arena; the company announced at the IBM PartnerWorld event "the most secure, unhackable, and tamper-proof" mainframe computer on Earth.

Included in that announcement, said Mike Kahn, managing director of technology acquisition consultants and publisher Clipper Group, are "many new security offerings" that "focus on the hybrid cloud that can be created with the mainframe, and the need to secure such ecosystems and to identify threats (both internal and external) as they are happening by using cognitive analysis."

While these mainframes look almost identical to the racked servers used at Google, Yahoo, and Amazon, the IBM z System mainframes contain extra hardware that keeps security software, input/output channels, and authentication systems running on specialized processors that are isolated from the processors that run the applications software. For instance, the z System z13 has a base configuration of 141 configurable cores delivering about 111,000 MIPS (million of instructions per second) to applications, with an additional 27 cores dedicated to secure authentication, secure input/output, and secure system-health operations.

With its latest iteration of the z Systems, analysts say security may be getting the upper hand on "bad actors."

Said Laura DiDio, principal at Information Technology Intelligence Consulting and director of Enterprise IoT and Analytics, Systems Research & Consulting at Strategy Analytics, "What IBM has done with its latest release is give IT managers the most advanced tools for embedded security built right into their mainframes by default at all levels, enabling them to repel intrusions before they happen."

Other players

The z Systems Cyber Security Analytics service and the pending support of IBM's Watson and its predictive abilities, however, are not unique. In fact, a new category of companies is using neural networks, other "deep learning" cognitive programming (sometimes with Watson), and other advanced techniques to catch "bad actors" before they can do major damage.

For instance, Cisco Cognitive Threat Analytics software runs entirely on its servers to monitor other companies' network traffic, claiming to detect malware behaviors within two to three hours after penetration.

Cylance Inc. makes it their business to predict and stop advanced threats before they can execute, especially multi-attack campaigns targeting critical infrastructure.

SparkCognition Inc. claims its SparkSecure software can identify imminent threats and excise them from computers before they can execute. "SparkSecure detects suspicious activity, and when it has a high confidence level, can be authorized to change the universal resource locator (URL) to be accessed, redirect the user to a 'honeypot' that looks like the real website but really just collects information about the bad actor, or it can block the user altogether," said the company's CEO, Amir Husain.  "We just flag suspicious users to customer and give them the evidence on a dashboard for their security personnel so they can take action; thumbs up or thumb down in minutes, instead of hours."

ThreatMetrix Inc. is yet another provider, serving thousands of customers with billions of transactions constantly reviewed to determine their authenticity, activity, and motives. According to co-founder and chief products officer Alisdair Faulkner, the company's datacenters on three continents (Asia, North America, and Europe) monitor and detect cyber attacks in real time using its Digital Identity Graph algorithms. By comparing anonymized user activity, ThreatMetrix can interdict fraudulent online transactions, account logins, and suspicious new account registrations in real time, according to Faulkner. "All our algorithms are run on our own cloud datacenters, where the user's identity is reduced to an anonymous token, so that even if our computers are hacked, none of the data will be useful to cybercriminals."

ThreatMetrix makes all its threat risk decisions independently, without bothering the user with any questions, said Faulkner. It works on landline and wireless mobile devices as well as computers, and allows the customer to set their own risk tolerance level. No additional ThreatMetrix software needs to be downloaded to the customer or user's computer, as it is embedded in the webpage or mobile app from a software development kit (SDK). While it is constantly monitoring activity, ThreatMetrix only charges a fee when the customer asks for a risk assessment on a particular user using an application programmers interface (API), which can be evaluated in a few hundred milliseconds, according to Faulkner.

R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.


 

No entries found