By Michael Xie
THE world never stands still. In the technology space, this means that constant innovation and discovery are the key to a solution provider’s survival and growth.
In the cyber-security arena, this creed is even more vital. Many hackers are brilliant people. There’s only one way to get the better of them—be even more brilliant. And faster and more creative. Which is why research and development (R&D) is crucial in the security-technology business.
Cybersecurity solution providers must deliver open, integrated security and networking technologies that enable enterprises to see and react rapidly to changing attack techniques, increase proactivity, and scale and provision their security along with business growth. To cope with this breadth of demand, technology providers need to be able to cross traditional boundaries, allowing them to innovate across the entire ecosystem.
However, the cyber threat landscape is continuing to become more challenging in 2017. Here are a few areas that Fortinet has identified for intensive R&D during the coming year:
Deep learning for attack analysis
DIFFERENT types of detection technologies have emerged over the years. It started out with signatures (a technique that compares an unidentified piece of code to known malware) and then heuristics (which attempts to identify malware based on behavioral characteristics in the code). Sandboxing (in which unknown code is run in a virtual environment to observe if it is malicious or not) and machine learning (which uses sophisticated algorithms to classify the behavior of a file as malicious or benign, before letting a human analyst make the final decision) followed.
Now, the latest technology—deep learning—has come onto the market. Deep learning is an advanced form of artificial intelligence that uses a process that is close to the way human brains learn to recognize things. It has the potential to make a big impact on cyber security, especially in detecting zero-day malware, new malware, and very sophisticated advanced persistent threats (APTs).
Once a machine learns what malicious code looks like, it can classify unknown code as malicious or benign with high accuracy, and in near real time. A policy can then be automatically applied to delete or quarantine the file, or to perform some other specified action, and that new intelligence can be shared automatically across the entire security ecosystem.
This year Fortinet will continue to develop technologies designed to make our appliances learn more intelligently and identify unknown malware more accurately.
Big data for log correlation
IT is deeply entrenched in both our businesses and personal lives, leading to an increasing amount of data being generated, collected and stored around the world.
And since the working principle is that the more a security solution provider sees, the more opportunities there are for it to connect the dots, understand the threats and hence protect the network, leveraging big data to make sense of exponentially growing event logs will be an important area of research for us in 2017.
We will continue to refine our Security Information & Event Management (SIEM) capabilities in the new year, and increase our solutions’ ability to harness FortiGuard Labs threat intelligence data for even deeper insight into cyber attacks.
Strengthening container security
RUNNING applications in containers, instead of virtual machines (VMs), is gaining momentum. At the heart of this ecosystem lie solutions like Docker, an open-source project and platform that allows users to package, distribute and manage Linux applications within containers.
There are several benefits to Docker technology, including simplicity, faster configurations and more rapid deployment, but there are also some security downsides. These include:
Kernel exploits. Unlike in a VM, the kernel is shared among all containers and the host. This amplifies any vulnerability present in the kernel. Should a container cause a kernel panic, it will take down the whole host, along with all associated applications.
Denial-of-service (DoS) attacks. All containers share kernel resources. Unless memory, CPU and process-count limits (Linux cgroups) are applied, one container can monopolize those resources and cause DoS to every other container on the host.
Container breakouts. An attacker who gains access to a container should not be able to gain access to other containers or the host. In Docker, user namespaces are not enabled by default, so a process that breaks out of the container keeps the same user ID on the host as it had inside the container. A process running as root inside the container is therefore root on the host, which makes privilege escalation straightforward.
Poisoned images. It is difficult to verify the provenance and integrity of the images you are using. If an attacker tricks you into running his image, both the host and your data are at risk.
Compromising secrets. For a container to access a database or service, it will likely require an API key or a username and password. An attacker who can obtain these credentials also has access to the service.
This is especially a problem in a micro-service architecture in which containers are constantly stopping and starting, compared with an architecture built on a small number of long-lived VMs.
Our 2017 research will address the above areas. Such research is important because container technology is likely to see much wider adoption in the coming years.
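The five container risks listed above each leave a trace in a container’s runtime configuration, so a practitioner can audit for them directly. The script below is an added example, not Fortinet code and not part of the original article: it reads a record shaped like the output of `docker inspect` and flags a root user, privileged mode, added capabilities and a writable root filesystem (breakout and kernel attack surface), missing memory and PID limits (DoS), an image referenced by tag rather than by digest (poisoned images), and credentials passed inline in environment variables (secrets). The two container records are constructed here so the script runs offline; they imitate only the subset of `docker inspect` fields the audit reads. User-namespace remapping is a daemon-level setting (`dockerd --userns-remap`) that a per-container record does not show, so the script approximates it by requiring a non-root user.

```python
"""Audit docker-inspect-style container records for the risks discussed above.

Added example, not Fortinet code. SAMPLE_INSPECT_JSON is constructed to look
like `docker inspect` output for two containers: one weak, one hardened.
"""
import json
import re

# Constructed sample (imitates a subset of `docker inspect` fields).
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Name": "/billing-weak",
        "Config": {
            "User": "",                                  # empty => root in the container
            "Image": "registry.example/billing:latest",  # mutable tag, not a digest
            "Env": ["DB_PASSWORD=hunter2", "PATH=/usr/bin"],
        },
        "HostConfig": {
            "Privileged": True,
            "Memory": 0,            # 0 => no memory limit
            "PidsLimit": 0,         # 0 or null => unlimited process count
            "ReadonlyRootfs": False,
            "CapAdd": ["SYS_ADMIN"],
        },
    },
    {
        "Name": "/billing-hardened",
        "Config": {
            "User": "10001:10001",
            "Image": "registry.example/billing@sha256:" + "a" * 64,
            "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db_password"],
        },
        "HostConfig": {
            "Privileged": False,
            "Memory": 512 * 1024 * 1024,
            "PidsLimit": 256,
            "ReadonlyRootfs": True,
            "CapAdd": None,
        },
    },
])

# Heuristic for environment variable names that usually carry credentials.
SECRET_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)", re.IGNORECASE)


def audit_container(record):
    """Return a list of human-readable findings for one inspect record."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []

    # Breakouts / kernel attack surface: root inside the container, privileged
    # mode and extra capabilities all widen what a breakout or kernel bug yields.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("breakout: runs as root inside the container")
    if host.get("Privileged"):
        findings.append("breakout: --privileged disables most isolation")
    for cap in host.get("CapAdd") or []:
        findings.append(f"breakout: extra capability {cap}")
    if not host.get("ReadonlyRootfs"):
        findings.append("breakout: writable root filesystem")

    # DoS: without cgroup limits one container can starve the others.
    if not host.get("Memory"):
        findings.append("dos: no memory limit")
    if not host.get("PidsLimit"):
        findings.append("dos: no pids limit (a fork bomb can exhaust the host)")

    # Poisoned images: a tag can be re-pointed at new content; a digest cannot.
    image = cfg.get("Image") or ""
    if "@sha256:" not in image:
        findings.append(f"image: {image} is not pinned by digest")

    # Secrets: inline environment values leak via inspect, /proc and child processes.
    # A *_FILE indirection pointing at a mounted secret is the accepted alternative.
    for entry in cfg.get("Env") or []:
        name, _, value = entry.partition("=")
        if SECRET_NAME.search(name) and not name.endswith("_FILE") and value:
            findings.append(f"secret: {name} passed inline in the environment")
    return findings


def audit_all(inspect_json):
    """Map container name -> findings for every record in an inspect JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT_JSON).items():
        print(name, "->", findings or ["no findings"])
```

Run against a live host with `docker inspect $(docker ps -q) > inspect.json` and feed the file to `audit_all`. The secret check is a name heuristic and will miss credentials under innocuous names; the image check accepts any digest reference and does not itself verify a signature, so pair it with image signing or a trusted registry.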
STILL in the domain of virtualization and cloud, virtual customer premise equipment (vCPE) is another growth area ripe for research.
Today business requirements are changing quickly, and firms need the flexibility to adapt their branch offices to those changing requirements in a fast and secure manner. They need to be able to turn on new services on-demand from a single platform, without the cost and complexity of deploying and managing additional devices.
The vCPE is a way for managed service providers (MSPs) to deliver network services to enterprises, such as firewall security and VPN connectivity, by using software rather than dedicated hardware devices. By virtualizing CPE, providers can simplify and speed up service delivery, remotely configure and manage devices, and let customers order new services or adjust existing ones on-demand.
Leveraging Network Function Virtualization (NFV), Fortinet has made substantial progress in consolidating advanced networking and security services on a single device (FortiHypervisor), eliminating the need for multiple CPE while enabling on-demand service delivery. We will continue our development to broaden coverage, increase performance and improve customer experience in 2017.
Helping enterprises leverage SD-WAN
A growing number of enterprises are demanding more flexible, open, and cloud-based WAN technologies, rather than accept the installation of proprietary or specialized WAN technology that often involves fixed circuits or costly proprietary hardware.
This heralds the rise of Software Defined Wide Area Networks (SD-WANs), which eliminate expensive routing hardware by provisioning connectivity and services via the cloud. SD-WAN technology also allows connectivity to be flexibly controlled through cloud software.
SD-WAN has the potential to improve network security in a number of ways, for instance:
- SD-WAN allows traffic to be easily encrypted.
- SD-WAN allows the network to be segmented, limiting the impact of a breach or an attack to a small, manageable area.
- The growth in cloud traffic has made direct Internet access from the branch a reality, and an SD-WAN can be used not just to provide the connectivity but to also secure the connection.
- By providing a vast amount of visibility into the amount and types of traffic traversing the network, SD-WANs allow attacks to be discovered sooner.
This year Fortinet will conduct R&D on the above areas to make SD-WAN a feasible endeavour for enterprises.
Thanks to our technology vision and development of the Fortinet Security Fabric, we have the capability to tackle many of the security issues raised above in order to support the digital transformation organizations are going through. We will continue to expand the coverage of our Fabric, with our R&D focus moving from visibility and awareness to measurement and benchmarking, and finally to understanding how close an enterprise is to the prevailing best practices within its industry.
With so much planned development on the horizon, cyber security will remain an exciting sphere for enterprises to watch during the new year.
Michael Xie is the founder, president and chief technology officer of Fortinet Inc. Xie’s views in this article do not necessarily reflect those of the BusinessMirror.