Spotting, neutralizing hackers when they are already inside your systems

Published 12 February 2015

Since the Internet gained popularity in the 1990s, the traditional model of cybersecurity has been to build systems and software which could keep hackers out of computers. As hackers continue to tap into complex security systems, however, some cybersecurity experts are advising companies to focus on tricking or neutralizing hackers once they have infiltrated networks, rather than spending money only on trying to keep them out.

The idea has been received with skepticism by companies that already spend large sums of money on traditional cybersecurity software, but according to cybersecurity company FireEye, 229 days is the average length of time hackers spend undetected in their victims’ computers, highlighting the weakness of current cybersecurity solutions.

Hackers who stole information from U.S. health insurer Anthem may have been inside the company’s system for more than a month before being detected, according to the company. In some cases hackers have hidden themselves for years in computer systems. The traditional defenses must “have a description of the bad guys before they can help you find them,” said Dave Merkel, chief technology officer at FireEye. “That’s just old and outmoded. And just doesn’t work anymore,” he said.

“There’s no way to guarantee that you never are the victim of cyberattack.”

According to the Dallas Morning News, organizations should not stop relying on traditional defenses such as antivirus software or firewalls to weed out common or less sophisticated attacks, but trapping hackers who intend to steal the most sensitive information and cause great harm could complement a company’s cybersecurity strategy. Ed Amoroso, chief security officer at AT&T, told the AP that relying strictly on a firewall is like building a fence around a building complex but not hiring a guard to patrol the interior.

Employees at Sony Pictures were unaware that their systems had been infiltrated by hackers until the studio’s information was released on the Internet. Mike Potts, head of Lancope, a network security company in Alpharetta, Georgia, said the amount of data copied and removed from Sony’s network should have triggered alarms long before employees learned about the breach.

Those long-term intrusions, or advanced persistent threats (APTs), are often sponsored by states and target commercial and military information. In South Korea, where government networks are repeatedly attacked by hackers linked to North Korea, security firms are developing systems that analyze network activity to detect suspicious patterns, rather than scanning for known threats.

Kwon Seok-chul, CEO at computer security firm Cuvepia Inc., acknowledges that it has been challenging to convince businesses that it is more effective to neutralize intrusions than to try to keep them out, which he considers impossible. Cuvepia’s latest monitoring program sounds an alarm when it detects certain activity, such as a series of unauthorized logins. He explains that under that scenario, a response team can watch what hackers copy and then respond by cutting off the hacker’s connection or tricking the hacker into stealing empty files, before damage is done. “Because hackers are in your palm, you can enforce any measures that you want,” said Kwon, a member of an advisory board for South Korea’s cyberwarfare command.

Installing Cuvepia’s least expensive monitoring product on 1,000 computers costs roughly $410,000 for a year — much more expensive than installing antivirus software — though the cost of Cuvepia’s products drops significantly after the first year. Kwon wants businesses to see cybersecurity as an investment, not a cost, but as FireEye’s Merkel notes, many companies are in denial about their vulnerability or simply reluctant to spend more on cybersecurity. In the United States, financial firms have adopted strict cybersecurity guidelines, mainly to comply with regulatory requirements. In South Korea, courts have limited the liability of companies faced with lawsuits over stolen customer data, as long as those companies used encryption. Hwang Weoncheol, a former chief information security officer at KB Investment and Securities in South Korea, said that this reinforces a security strategy focused on compliance with regulation.