CHANGE #3: Collect and react -> Real-time adapt.
It shouldn’t be news to anyone that traditional anti-malware detection rates are diminishing over time. This has sparked several new approaches in security to help bridge the gap between the time malicious code is released and the time protection against it is available. Many of these approaches are about generically detecting malicious threats through heuristics, improving collection methods and faster analysis.
Unfortunately the threat surface is expanding dramatically through the innovation of new technologies outside of security. The obvious big areas are the use of social networks, cloud technologies and mobility. The expansion of the threat surface has also created demand for new research approaches to protection.
Pushing updates is not always possible now and the ability to adapt in real-time is paramount. Research needs to move from a collect-and-react approach to a real-time adapt approach. Key components in order to be successful are: systems that are deployed in the cloud, data collection and new research approaches.
I believe that three critical areas of expertise need to work together and have colliding ideas. Today these are distinct teams, each expert in its own domain.
The three areas are as follows:
Security researchers that understand malicious code, exploits and a deep understanding of the criminal underground and threat landscape.
Mathematics / algorithm experts in machine learning who understand how to build feature sets, training systems and classifiers that can work in real time.
Big Data experts who can build sustainable, scalable infrastructure that feeds the systems used for building, training and re-training those classifiers.
Over time, these groups will need to share ideas and brainstorm collectively on how to solve the big problems we face in security in this new and evolving landscape. With that, we will see the next great set of research and technologies that protect customers.