News
Architecture and Hardware

Locking Out the Hackers

Posted
IBM president and CEO Ginni Rometty.
IBM president and chief executive officer Ginni Rometty discusses the company's new line of z System mainframes at the recent IBM Partnerworld Leadership Conference 2016 in Orlando, FL.

Hackers, criminal gangs, foreign governments, and other "bad actors" often seem to be one step ahead of cybersecurity, only being discovered after the damage is done. Sometimes their malware goes unnoticed even after it has been installed for months (malware goes unnoticed an average of 205 days, according to Denis Kennelly, vice president of Development for IBM Security).

All that time, the malware is "phoning home" what is thought to be secure data to its criminal masterminds. Now, however, the tide may be turning, thanks to special hardware matched with new software algorithms that programmers claim can ensure accurate authentication of every user gaining access to a computer.

In some cases, new security measures can even identify impending attacks before they happen, using cognitive software like IBM’s Watson and others–sometimes even setting traps to identify and physically track down the perpetrators.

"Our IBM Security team has Watson at this very moment learning how to distinguish normal user behaviors from those of hackers, such as ascending to higher and higher levels of security clearance, in order to identify bad actors before they can do any harm," said IBM president and chief executive officer Ginni Rometty at the recent IBM PartnerWorld Leadership Conference 2016 in Orlando, FL.

Leading the way, say computer/software analysts, is IBM, the oldest vendor around, which announced at the IBM PartnerWorld event "the most secure, unhackable, and tamper-proof" mainframe computer on Earth.

Included in that announcement, said Mike Kahn, managing director of technology acquisition consultants and publisher Clipper Group, are "many new security offerings" that "focus on the hybrid cloud that can be created with the mainframe, and the need to secure such ecosystems and to identify threats (both internal and external) as they are happening by using cognitive analysis."

While these mainframes look almost identical to the racked servers used at Google, Yahoo, and Amazon, the z System mainframes contain extra hardware that keeps security software, input/output channels, and authentication systems running on specialized processors that are isolated from the processors that run the applications software. For instance, the z System z13 has a base configuration of 141 configurable cores delivering about 111,000 MIPS (million instructions per second) to applications, with an additional 27 cores dedicated to secure authentication, secure input/output, and secure system-health operations.

With its latest iteration of the z Systems, analysts say security may be getting the upper hand on "bad actors."

Said Laura DiDio, principal at Information Technology Intelligence Consulting and director of Enterprise IoT and Analytics, Systems Research & Consulting at Strategy Analytics. "What IBM has done with its latest release is give IT managers the most advanced tools for embedded security built right into their mainframes by default at all levels, enabling them to repel intrusions before they happen."

The z Systems Cyber Security Analytics and the pending support of IBM’s Watson and its predictive abilities, however, are not unique. In fact, a new category of companies is using neural networks, other "deep learning" cognitive programming (sometimes with Watson), and other advanced techniques to catch "bad actors" before they can do major damage.

For instance, Cisco Cognitive Threat Analytics software runs entirely on its servers monitoring other companies’ network traffic, claiming to detect malware behaviors within two to three hours after penetration.

Another company, Cylance Inc., makes it their business to predict and stop advanced threats before they can execute–especially multi-attack campaigns targeting critical infrastructure.

SparkCognition Inc. claims its SparkSecure software can identify imminent threats and excise them from computers before they can execute. "SparkSecure detects suspicious activity, and when it has a high confidence level, can be authorized to change the universal resource locator (URL) to be accessed, redirect the user to a ‘honeypot’ that looks like the real website but really just collects information about the bad actor, or it can block the user altogether," said the company’s CEO, Amir Husain.  "We just flag suspicious users to customer and give them the evidence on a dashboard for their security personnel so they can take action; thumbs up or thumb down in minutes, instead of hours."

ThreatMetrix Inc. is yet another provider, serving thousands of customers with billions of transactions constantly reviewed to determine their authenticity, activity, and motives. According to co-founder Alisdair Faulkner, the company’s datacenters on three continents (Asia, North America, and Europe) monitor and detect cyberattacks in real time using its Digital Identity Graph algorithms. By comparing anonymized user activity, ThreatMetrix can interdict fraudulent online transactions, account logins and suspicious new account registrations in real time, according to Faulkner. "All our algorithms are run on our own cloud datacenters, where the user’s identity is reduced to an anonymous token, so that even if our computers are hacked, none of the data will be useful to cybercriminals."

ThreatMetrix makes all its threat risk decisions independently, without bothering the user with any questions, said Faulkner. It works on landline and wireless mobile devices as well as computers, and allows the customer to set their own risk level tolerance. No additional ThreatMetrix software needs to be downloaded to the customer or user’s computer, as it is embedded in the webpage or mobile app from a software development kit (SDK). While it is constantly monitoring activity, ThreatMetrix only charges a fee when the customer asks for a risk assessment on a particular user using an application programmers interface (API), which can be evaluated in a few hundred milliseconds, according to Faulkner.

R. Colin Johnson is a Kyoto Prize Fellow who ​​has worked as a technology journalist ​for two decades.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More