
Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: Forbes

Posted on October 29, 2012

Ashar Aziz has an urgent message for you. Much of the money you are spending on computer security is focused on fighting the previous generation of threats, not the current ones, which are the most dangerous and have compromised over 95% of organizations.

Aziz, who is founder, CEO and CTO of FireEye, which offers a solution that addresses the current style of attacks, presents a compelling case. What was even more interesting to me was the design of FireEye's solution, which combines aspects of machine learning and cloud computing into a system that gets better the more people use it. I believe that FireEye's architecture shows the way toward the next generation of applications and provides lessons that CIOs and CTOs can apply right away in areas outside of security.

Why Most Computer Security is Broken

Aziz's analysis begins by distinguishing between the previous generation of malware that represented most of the threats up to about 2005, and the current generation.

Previous generation threats were often a form of vandalism. Kids or people with a childish appetite for destruction created clever but easy-to-detect viruses that were intended to do damage but not much else. In a sense, these viruses travelled around the internet checking for unlocked doors and then bursting in to wreak havoc. The remedy was to look for known patterns (a.k.a. signatures) of this malware in content and network traffic that arrived at your computer. Most of the current generation of security technology is a pattern matching system that looks for previously identified threats in the most typical places these threats are embedded. Aziz describes this approach as a "defensive architecture".

"The new offensive threats are stealthy and you are not going to find them because they are not saying, 'Hey, I'm going to spray paint your website.' They're actually much more subtle and trying to hide themselves," Aziz said.

The current generation of threats is not the work of kids but of serious professionals of three varieties:

• Criminals are using advanced malware to find valuable information or to commandeer computers for illegal or nefarious purposes.

• State and non-state actors are seeking to penetrate computer networks for espionage.

• State and non-state actors are waging war using malware, seeking to damage critical infrastructure to harm other nations or companies.

None of these three groups wants its malware to be found, and they go to great lengths to conceal their existence. In addition, as the footprint of devices, user interfaces, and software grows, the attack surface is dramatically expanded. Naive pattern matching methods are useless against these threats. "We needed a new approach. This is a very different fundamental problem, a defining problem of the 21st century," Aziz said. "The digital infrastructure has become essentially untrustworthy. Bits are moving around, malicious bits that we cannot distinguish from good bits, and they are attacking the foundations of our modern society."

Finding Threats that Don't Want to Be Found

Finding threats that are expertly concealed and use multiple steps to take over a system takes a three-stage approach that combines aspects of machine learning and a cloud-based knowledge repository. Here's how FireEye works at a high level:

• On the way into an environment, the initial attack malware is embedded inside 'good' traffic, such as Web pages, emails, or documents. But at some point it has to do something incriminating to kick off an attack. The challenge is separating unusual but harmless actions of a Web page or email attachment from embedded malware attempting to do dirty work. The first thing the FireEye system does is scan for suspicious Web traffic, email attachments, and/or documents on file shares and tag them for further analysis. In other words, FireEye starts with a bunch of weak signals that may or may not be precursors of a problem.

• For example, once a Web page does something potentially suspicious, FireEye sets up a virtual execution environment in which to safely execute, or 'detonate', that Web page. Inside the virtualized environment, the suspicious Web objects are run through their paces and observed. If it is a normal page, then FireEye learns that the potentially suspicious behavior wasn't a problem. If the malware starts an attack, say by exploiting the PDF plug-in, the malware's activities all happen inside the environment, so no harm is done while full malware forensics and outbound communications are captured. At that point FireEye can say for certain that malware has been identified and stop the attack from exfiltrating data.

• The malware forensics can then be shared by all FireEye systems through a 'protection' cloud network. The malware knowledge repository gets smarter at an increasing rate the more systems are involved. Sharing what has been learned protects the rest of the systems before they are hit. Participants do not have to wait for an updated virus detection file to be installed to be protected. This reduces the window of vulnerability during day zero of an attack.
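To make the three stages concrete, here is an added toy model of the pipeline described above (example code written for this page, not FireEye's own software): weighted weak signals decide what gets detonated, a stand-in for the virtual execution environment turns observed behaviours into a verdict, and a shared repository keyed by content hash lets a second installation block the same object without re-detonating it. The signal names, weights, behaviour names and sample content are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Stage 1 inputs: weak signals a gateway might tag on inbound content.
# Names and weights are constructed for this example, not a real rule set.
WEAK_SIGNALS = {"obfuscated_js": 2, "hidden_iframe": 2,
                "unusual_mime": 1, "spawns_pdf_plugin": 3}

# Stage 2: behaviours that, when observed during detonation, settle the verdict
# (constructed set; a real engine watches far more than this).
INCRIMINATING = {"writes_autorun", "outbound_beacon", "injects_process"}


@dataclass
class ProtectionCloud:
    """Stage 3: shared knowledge repository of verdicts keyed by content hash."""
    verdicts: dict = field(default_factory=dict)

    def lookup(self, digest):
        return self.verdicts.get(digest)

    def publish(self, digest, verdict, evidence):
        self.verdicts[digest] = (verdict, evidence)


def content_id(content: bytes) -> str:
    """Stable identifier so every installation refers to the same object."""
    return hashlib.sha256(content).hexdigest()


def triage(signals, threshold=3):
    """Stage 1: add up weak-signal weights; tag for detonation at or above threshold."""
    return sum(WEAK_SIGNALS.get(s, 0) for s in signals) >= threshold


def detonate(observed_behaviours):
    """Stage 2 stand-in: the isolated run yields a behaviour list; judge it."""
    evidence = sorted(set(observed_behaviours) & INCRIMINATING)
    return ("malicious" if evidence else "benign"), evidence


def inspect(cloud, content, signals, observed_behaviours):
    """One installation's decision for one object; returns (verdict, how_decided)."""
    digest = content_id(content)
    known = cloud.lookup(digest)
    if known:                       # another site already paid for the detonation
        return known[0], "cloud"
    if not triage(signals):         # too few weak signals to justify detonation
        return "benign", "triage"
    verdict, evidence = detonate(observed_behaviours)
    cloud.publish(digest, verdict, evidence)   # benign results are shared too
    return verdict, "detonation"
```

Note that benign detonation results are published as well, matching the text's point that FireEye also learns when suspicious-looking behaviour turns out to be harmless.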

"The attack surface area is too huge for it to be handled explicitly. You have to handle it differently," Aziz said. "Instead of having pattern matching, what you have is environment matching, and then the malicious activities declare themselves. Then of course the process of propagating machine learning about that weakness can go on, and as new threats are understood your petri dishes get better, your anomaly analyses get better and you just move on forward that way."

Implications of the Architecture

The dozens of machine learning techniques used by FireEye, the way their Virtual Execution engine works, and the systems for evaluating and consolidating all the evidence are all topics for future consideration. So far, FireEye has won an enthusiastic and growing base of customers based on its approach.

But what interests me are the larger lessons of the FireEye architecture, which demonstrates some new patterns that characterize the next generation of applications that apply machine learning techniques and centralized repositories of knowledge. CIOs and CTOs can directly put these lessons to work to enhance their current application portfolio using systems like Splunk, Pervasive Data Rush, Alteryx, and others to provide the plumbing.

The Triumph of Weak Signals:

First of all, FireEye, like other applications such as Marketo's and Eloqua's systems for marketing scoring and Opera Solutions' Vektor platform, is designed to create knowledge out of many potentially weak signals. Marketo and Eloqua gather evidence from all sorts of marketing activity and create a composite score to indicate the potential value of a lead. Opera Solutions' Vektor platform applies machine learning and other statistical techniques to generate predictions that can be combined to create predictive models. FireEye tracks unusual behavior of all sorts which may or may not mean something and then adds more and more of that evidence together until something is confirmed to be malware. The ability to gather weak signals from as many sources as possible will soon become a competitive advantage.

The Value of Normal:

So much of the world of machine learning and statistics is really about establishing what is normal and then raising a flag when something unusual happens. But we often think of statistical norms in terms of smooth curves and narrow ranges. In fact, when it comes to complex systems, normal has a very funny shape. For example, MessageBus, a company that provides a system to ensure large volumes of mail get delivered, has to track what each large recipient considers spam and other indications that block email from being accepted. This type of normal is really a set of rules and policies that have been painstakingly identified over time and change frequently. MessageBus uses Splunk as a knowledge repository for these rules and to monitor for compliance. In the same way, FireEye establishes a complex, irregular idea of normal and then figures out when those boundaries have been crossed. Finding sophisticated ways to define normal behavior is going to pay great dividends in many application categories.

The Ensemble Approach:

Both when looking for evidence of unusual behavior and when examining suspects in the virtual environment, FireEye is able to use multiple approaches at the same time. In the world of predictive analytics this is known as the ensemble approach, and it is used by systems like ZestCash, which performs a credit underwriting process using a multitude of different data sources and machine learning algorithms. The challenge when using an ensemble approach is weighting the importance of each input. The weights are often adjusted in a feedback loop and may change according to the context. The ensemble approach allows new techniques to be introduced constantly without degrading the performance of the system.

A Central Brain that Grows Smarter:

FireEye's malware cloud, as Aziz calls it, is a knowledge repository that is constantly being updated as each customer installation scans for more and more weak signals and as the virtual environment identifies malware. This central repository grows stronger as more and more information is collected and also becomes the source of differentiating intellectual property. Imagine the kind of economic statistics that could be developed if SAP worked with its customers to create industry-specific indicators based on the activity tracked by their ERP systems. It would leave most economic reporting in the dust in terms of breadth and accuracy. CIOs and CTOs should be on the lookout for ways to create central knowledge repositories in the ecosystems in which they participate.

Convergence of Real Time and Batch:

Both FireEye and Opera Solutions' Vektor platform share the ability to combine batch and real-time processing. Opera Solutions has pioneered the idea of "signals", a convenient abstraction for a prediction, which is similar in my way of thinking to what is referred to in other situations as an event. Signals can be created from batch processing or from real-time monitoring. In systems that employ many different machine learning algorithms, rules for identifying normal behavior, and other techniques, signals provide a way to unify what has been discovered for presentation to developers and analysts who are building models and figuring out how to take the right action. Most advanced applications now operate with both batch and real-time aspects.

While FireEye is showing that these principles work in its security application, I think CIOs and CTOs do not have to wait around for vendors to package these principles into products. Existing applications can be enhanced by them and new applications can be developed to break new ground.
