Redefining the future of cybersecurity
13 January 2020
An arms race to detect harmful traffic has reduced the usability of essential business functions such as e-mail, web browsing and content sharing. In wanting to balance the inversely correlated security and usability in favour of better productivity, enterprises have become resigned to a state of insecurity. An approach termed ‘Hardsec’, which uses hardware to extract and verify harmless traffic, has the potential to overhaul this status quo radically. Defining what is ‘good’ is easier than trying to identify the ever-changing ‘bad’. Doing so using simple hardware instead of complex software greatly reduces the risk of compromise.
Threat detection has been the focus of many cybersecurity advances.
This has evolved from just being able to identify known-knowns (eg, virus signatures and website black-lists) to being able to identify known-unknowns (eg, sandboxing and behaviour analytics). Enterprises, however, continue to suffer attacks from unknown-unknowns (ie, threats we didn’t even know that we don’t know!). Between better-resourced attackers, ever-increasing threat surfaces (eg, IoT) and perennial human error, an easy-fix has proved elusive.
What if we focus on extracting and verifying harmless traffic instead of trying to detect harmful traffic? Conversely, this means all traffic is treated with zero-trust. The definitions of popular mark-up languages (eg, HTML and Word) are well understood, making it easy to detect harmless traffic. The first step is to ‘transform’ all relevant traffic into easily ‘verifiable’ formats (eg, a browsing session can be turned into a video stream or a complex Excel file can be rid of its unnecessary active content). A verification engine can then test for the content’s purity before passing it on to the user. This ‘transform and verify’ methodology is already in use within the UK’s national security apparatus.
We can then solve the ‘who polices the police’ problem using hard-to-hack hardware.
Simply implementing the aforementioned, conceptually elegant ‘look for the good instead of the bad’ methodology still leaves some attack-vectors open. Think of an international border that switches from identifying potential threats to only allowing pre-vetted people through. Despite the ease of management, the border control officials can be compromised. In cybersecurity, an Achilles’ heel is typically the software implementation. This risk is reduced by using computationally simple hardware like FPGAs to implement the verification engine. This reduces the risk of compromise in the verification phase of the ‘transform and verify’ methodology. The use of hardware is the secret sauce of the methodology, and underpins pioneering implementations by the likes of Garrison and Deep Secure. Known as ‘Hardsec’, it opens an enterprise market worth cUS$7bn. In a world where every internet user is protected by ‘Hardsec’, the market could be worth a quarter-trillion dollars pa!
The problem with software
Much of cybersecurity innovation has been about advances in software. The progress here has been rapid, from traditional solutions that only dealt with known-knowns (eg, signature-based malware detection) to a new generation that can deal with known-unknowns (eg, behavioural anomalies in the network using machine learning). To a large degree, these solutions have increased security while lessening the impact on usability. However, there remains a major weakness in this progress. Software, by its very nature, is burdened by:
- Complexity – The increasing complexity and size of code is making software more error-prone than ever. Think of any software product that you use, and how the necessity for constant ‘updates’ has grown over the years.
- ‘Componentisation’ – Very few applications are built from the ground up, as it makes little sense to reinvent all the wheels. The result is the pervasive use of third-party components that are largely outside the OEM’s control.
- Ecosystems – Any enterprise-grade software today sits within an ecosystem of other software, making for a higher likelihood of unstable, unpredictable and unintended interactions.
- Malleability – By its very nature, software encourages developers to keep adding features through updates, potentially introducing new vulnerabilities to a secure product. This malleability also makes it extremely difficult to completely prevent software from being modified post deployment.
This inherent weakness in software also means that software-based cybersecurity platforms are vulnerable by design, creating in essence the ‘who polices the police?’ problem. Unlike many other types of software, cybersecurity software, by necessity, has greater access to the deepest levels of an enterprise’s IT systems. This means a piece of compromised cybersecurity software can be one of the most dangerous attack-vectors.
Hardware to the rescue
While the boundary between hardware and software continues to blur (‘software is eating the world’), hardware will always have ‘some’ advantages over software. Why some? As the reader will be aware, generic hardware designed for ‘one-size-fits-all’ functions will have vulnerabilities of its own (see Spectre and Meltdown exploits). This is the downside to the increasing complexity in hardware (and all technology). However, if the hardware can be functionally limited by design (as opposed to a CPU that can do ‘anything’), the advantage over software can be extended. For example, any exploitable weakness due to design error will be very limited in scope due to the limited functionality.
Limited functionality hardware will likely conjure up images of custom semi-conductor chips that are prohibitively expensive to design and manufacture. This is where advances in technology and scale economies have changed things. For example, FPGAs (field-programmable gate arrays) have unlocked the ability to ‘programme’ hardware post manufacture, while smartphones have super-charged the economics of specialised hardware (eg, cheap image processing chips). This means we could economically make use of specialist, limited-functionality hardware that can be programmed. If these hardware-based systems can then be physically locked out of any further changes, we can be in possession of hardware-defined cybersecurity solutions that can overcome many of the software disadvantages.
The hardware in Hardsec
The Hardsec approach makes use of aforementioned FPGAs. They are particularly effective in implementing the verification stage. In order for those FPGAs to be secure, one must prevent them from being re-programmed once they have been deployed. Like any chip, these FPGAs have input and output pathways (think of pins in a microchip). However, unlike many chip variants, FPGAs also have a ‘management’ pathway that is used in programming the FPGA. Once programmed, this pathway can be physically blocked, introducing a physical airgap that prevents the FPGA from being re-programmed.
Take a web browsing session. Instead of sending across all the processing instructions to render a website, which can contain malicious code, the browsing session is rendered into a video stream. In a video stream, each frame is just colour instructions across a dense, two-dimensional grid, which can be verified by an FPGA. Given such a picture contains no processing instructions, it is difficult to think of a scenario in which the stream can be used to attack some security hole in the FPGA. The user will therefore experience the web browsing session as a harmless streaming video session. Commercial implementations have solved the keyboard/mouse interactions required to make the whole thing seamless. The method effectively creates an airgap between the website’s instructions and the display of that website via the FPGA verification process that sits in between.
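The verify step of ‘transform and verify’, applied to the video-frame case described above, can be sketched in C as a byte-at-a-time checker with a few counters and no buffers, which is the shape of logic that maps onto fixed hardware. This is an added example, not code from Garrison, Deep Secure or any product; the frame layout, the 4x2 resolution and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame format (an assumption, not a vendor format):
 * 'H','S' magic, 16-bit big-endian width and height, then
 * width*height*3 bytes of RGB. Any pixel value is allowed; nothing else is.
 * The verifier is fixed to one resolution, as gate logic would be. */
enum { FRAME_W = 4, FRAME_H = 2, HDR_LEN = 6,
       FRAME_LEN = HDR_LEN + FRAME_W * FRAME_H * 3 };
static const uint8_t GOOD_HDR[HDR_LEN] = {
    'H', 'S', FRAME_W >> 8, FRAME_W & 0xFF, FRAME_H >> 8, FRAME_H & 0xFF };

/* pos = bytes consumed so far; rejected is sticky once set. */
typedef struct { uint32_t pos; int rejected; } verifier_t;

void verifier_reset(verifier_t *v) { v->pos = 0; v->rejected = 0; }

/* Consume one byte: no buffering, no allocation, pixel values never inspected. */
void verifier_feed(verifier_t *v, uint8_t b)
{
    if (v->pos < HDR_LEN) {
        if (b != GOOD_HDR[v->pos]) v->rejected = 1; /* header must match exactly */
    } else if (v->pos >= FRAME_LEN) {
        v->rejected = 1;                            /* trailing bytes: not a frame */
    }
    if (v->pos < UINT32_MAX) v->pos++;
}

/* 1 = forward to the user, 0 = drop. Short, long or mislabelled input fails. */
int verify_frame(const uint8_t *buf, size_t len)
{
    verifier_t v;
    verifier_reset(&v);
    for (size_t i = 0; i < len; i++) verifier_feed(&v, buf[i]);
    return !v.rejected && v.pos == FRAME_LEN;
}

int main(void)
{
    uint8_t frame[FRAME_LEN + 1];                   /* constructed sample input */
    memset(frame, 0x7F, sizeof frame);
    memcpy(frame, GOOD_HDR, HDR_LEN);
    printf("exact frame:   %d\n", verify_frame(frame, FRAME_LEN));
    printf("trailing byte: %d\n", verify_frame(frame, FRAME_LEN + 1));
    frame[3] = 200;                                 /* header claims another width */
    printf("wrong width:   %d\n", verify_frame(frame, FRAME_LEN));
}
```

The checker never branches on pixel data, so the only inputs that change its behaviour are the six header bytes and the byte count, which keeps the set of states that need reviewing small.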
Making the jump from James Bond to ‘enterprise’ Joe Bloggs
Through the ‘transform and verify’ process, an enterprise is able to receive data, be they webpages, e-mails or even API calls, that are free from known, unknown and undetectable threats. This is a better balance between zero-trust security and usability. The methodology uses hardware with limited functionality, reducing the attack surface of the process itself. Use of well-entrenched technologies such as FPGAs allows for viable economics. This in essence is ‘Hardsec’, a methodology that is already becoming standard practice across multiple Western government security agencies worldwide. Companies like Garrison and Deep Secure are in the process of commercialising the methodology for the private sector. We think this foundational technology will be key to achieving a better balance between security and user experience in the enterprise. Even more important is the fact that increasing chunks of a nation’s ‘critical infrastructure’ are today run by the private sector. It therefore becomes important for the private sector to adopt the same methodologies that are being used by security agencies.
Sizing the market
Technology is just a tool. In most cases, despite all the strategic posturing and the marketing buzz, it is treated as a cost rather than an investment. Cybersecurity spending, on the other hand, is thought of slightly differently given the ever-rising cost of data breaches. With the adoption of GDPR and similar regulations across the world, there is a fear-driven need to spend more to contain these costs.
Reports like ‘Cost of a Data Breach Report’ from IBM and ‘Data Breach Investigations Report’ from Verizon are treasure troves of data. Taking insights from those reports for 2019, we estimate that just across 25m Fortune 500 information workers, cost of breaches came to US$100bn. We think the principles behind Hardsec, productised to protect the information workers (eg, Garrison, Deep Secure), could help contain a third of these costs (cUS$33bn). Therefore, we think it is realistic to consider a market opportunity worth a fifth of that (cUS$7bn), implying a 4x return on investment. This is about a third of the investments that today go into securing the border between an enterprise and the wider internet.
This is only an estimation of the higher-end enterprise opportunity. We also think that the risk to the consumer, in an era where cyber privacy and security are dominant societal issues, is also great enough to create an opportunity for Hardsec. Here the assumption is that such technology will be deployed not at the consumer end-points, but at access gateways such as the internet service provider (a bit like how content filtering is used today) or cloud content solutions such as Office 365 and Dropbox. If we take Avast’s (the world’s largest consumer cybersecurity company by installed base) estimate of its addressable market as a guide, this opens up another cUS$7bn (Source: Avast IPO prospectus) opportunity for Hardsec.
The need for government-grade security has never been greater
In 2004 the cybersecurity market was worth US$3.5bn (Source: Cybersecurity Ventures). By 2017, it had grown to 30x that size and has been growing at high single digits pa every year since (Source: Gartner). Despite this growing investment, the cost of breaches has also grown at the same rate since 2017 (Source: IBM’s ‘Cost of a Data Breach Report’). There clearly is a disconnect between current investments in cybersecurity and the continued deterioration of enterprise cybersecurity. In many cases, the enterprises are not even in total control of their cybersecurity estate. For example, there are instances of external technology infrastructure that enterprises rely on being found wanting when it comes to security (eg, ElasticSearch server exposing 1.2bn people).
Despite spending vast sums (JP Morgan alone spends US$600m pa), financial services, a vertical that takes security seriously, was still experiencing major attacks. First American, where a breach hit 885m sensitive financial records, and Capital One, where 106m customer accounts and credit applications were stolen, were notable examples from 2019. The costs of these breaches are also becoming more direct (BA fined £183m, Yahoo US$118m, Uber US$148m, Marriott £99m, Facebook US$5bn, Equifax US$700m, etc) due to new regulations like GDPR.
More worryingly, government-grade attacks are deployed in the consumer-facing cybersecurity space. Allegations include use of WhatsApp by Israel, and the iPhone by China. It will not be long before government-grade attacks go beyond monitoring of citizens and damaging physical infrastructure (Stuxnet targeting Iran’s nuclear programme) to direct economically-motivated attacks on private enterprises. There has already been major IP (eg, Philips’ medical research, Rio Tinto’s prospecting secrets) and financial (eg, US$81m from Bangladesh Bank) theft by government-sponsored hackers. The only way to protect from such government-grade attacks is for the enterprises to adopt a similar security mentality to those of the government security agencies. This is perhaps the strongest case for Hardsec; the need to step up from enterprise-grade security that has been a sinkhole for investments to government-grade security, which, at least for now, has mostly kept to its mandate.
Einstein’s definition of insanity is doing the same thing over and over again and expecting different results. This definition can also be used to describe enterprise cybersecurity. This is why we have ended up in a world of increasingly complex, software-based, ineffective threat detection. Hardsec has a differentiated approach to this problem by treating all traffic as harmful (zero-trust). At its heart is a methodology used by the government security agencies to eliminate threats. Doing so using hardware that is harder to hack (FPGAs) reduces the risk of compromise and performance bottlenecks. This could, to start with, rewrite the playbook for established cybersecurity sub-domains such as ‘web-isolation’ and ‘content disarm and reconstruction’. Longer term, it has the potential to deliver the reversal of the cybersecurity arms race in favour of the good guys. The prize for doing so can be lucrative. There are 4.5bn active internet users in the world. How much will each of these users on average be willing to pay to adopt a zero-trust stance? Across the West, the average monthly cost of internet access is cUS$50. If they paid US$5/month on top for such safety, the market opportunity for Hardsec could be well over a quarter-trillion dollars!