How would you protect your own home? Would you invest in only one of the following: a strong fence, a set of security cameras, a very loud alarm, or motion detectors to monitor dark corners? Or would you rather use all of these to improve protection? Keeping your business network safe requires similar questioning. Using a security system based on a single type of technology is a good start, but what will stop cybercriminals from stealing valuable information if they find a way to bypass that?

"A company aiming to build reliable and strong cybersecurity defenses should opt for a solution offering multiple complementary technologies."

A company aiming to build reliable and strong cybersecurity defenses should opt for a solution offering multiple complementary technologies with high detection rates and a low number of false positives. In other words, one that catches thieves but doesn’t react when a neighbor’s cat walks across the lawn.

Both malicious code and malicious activity can take several forms, but often what they both have in common is their effort to stay under the radar of implemented security solutions. Malware creators go to great lengths to pursue this aim, and their methods evolve in step with advances in cybersecurity.

Nevertheless, some post-truth vendors argue that to counter all cyberthreats, companies only need a single layer of protection that uses the “latest” machine learning algorithm. No updates, no cloud and no pointless extra layers. Naturally, this single-layer solution is the product they offer.

Despite the latest advances in AI, achieved primarily by large players such as Google, Facebook and Microsoft, even the most recent cybersecurity algorithms are not a silver bullet against all threats. In fact, they offer only one additional step that can improve endpoint security, and one that adversaries can easily overpower when complementary security systems are absent.

While overcoming a single layer can lead to an infection, multiple barriers that are able to detect malicious items, even when modified, make attacks more difficult and more costly, forcing adversaries to laboriously change the behavior of their code.

Why more is better

Company networks are similar to complicated organisms. They consist of various nodes – organs – each assigned a different role, importance and rights. Identifying malicious activity in such a complex system can prove messy and difficult, especially if the protection solution is trying to track everything through a single point.

It is true that a strong perimeter can improve a business’s cybersecurity, thus freeing endpoints from constant scanning of every item for malicious activity. However, if it’s the only protective barrier for attackers to overcome, once they succeed there is nothing further to stop them.

"With multi-layered solutions, even if one technology is bypassed, an array of other technologies remains to take action at a later point, or in a specific situation."

Remember, avoiding protection solutions is a cybercriminal’s daily bread and, as has been proved again and again in the past, any feature or system can be circumvented given enough effort. With multi-layered solutions, even if one technology is bypassed, an array of other technologies remains to take action at a later point, or in a specific situation.

So even if malware is stealthy enough to avoid detection in an email, that doesn’t mean it will not get blocked and deleted later, when it tries to wreak havoc in the system’s memory. The same goes for malicious code that relies on delaying its fraudulent activity to elude detection, or that sits in a system for several months waiting for a specific file type to trigger the next malicious process.

Even a smart machine can be fooled

Many of the post-truth vendors argue that their solutions work on a different basis. They say that their machine learning solutions are able to learn locally and uncover many of the techniques used by attackers. But the truth is that most cybercriminal methods evolve – and can be sophisticated enough to fool even the newest so-called smart machines.

"The truth is that most cybercriminal methods evolve – and can be sophisticated enough to fool even the newest so-called smart machines."

To name just a few examples, let’s look at steganography. Attackers take malicious code and smuggle it into harmless-looking files such as pictures. By burying it in the pixel data, they produce an (infected) file that is almost indistinguishable from its clean counterpart, and the machine is fooled.

Similarly, fragmentation can also lead to a detection algorithm returning an incorrect evaluation. Attackers split the malware into parts and hide it in several separate files. Each of them is clean on its own; only at the moment when they all converge on one endpoint or network do they begin to demonstrate malicious behavior.

With only one layer of monitoring, such activity can go unnoticed, as the “smart” algorithm would require more complex optics to see the whole problem. Using multiple technologies, combined with global context and updates, can offer the necessary big picture view and successfully block even new and sophisticated attempted attacks.
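As an added illustration, not code from the original article or from ESET’s products, the following Python model compares a single-layer endpoint against a two-layer one for the two evasions described above: a payload split across files that are each clean on their own, and detection that happens later, at the moment the reassembled code is about to run. The endpoint, the layer names, the constructed payload and the hash-based “signature” are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample payload; its SHA-256 stands in for one signature-database
# entry. Nothing here is a real malware sample.
KNOWN_BAD = b"<<constructed malicious payload>>"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
PATTERNS = [KNOWN_BAD[8:24]]  # a byte pattern the memory layer also looks for


def file_layer(content: bytes) -> bool:
    """Layer 1: scan each file as it is written to disk.
    It sees exactly one file at a time, so a fragment of a known payload
    has an unknown hash and passes."""
    return hashlib.sha256(content).hexdigest() in SIGNATURES


def memory_layer(buffer: bytes) -> bool:
    """Layer 2: scan the buffer that is about to execute, after any
    reassembly has happened. Checks the whole-buffer hash and byte
    patterns, so padding the payload with other bytes does not help."""
    if hashlib.sha256(buffer).hexdigest() in SIGNATURES:
        return True
    return any(p in buffer for p in PATTERNS)


@dataclass
class Endpoint:
    layers: frozenset            # enabled layer names: "file", "memory"
    disk: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def write(self, name: str, content: bytes) -> bool:
        """Return True if the write was allowed."""
        if "file" in self.layers and file_layer(content):
            self.alerts.append(f"file layer blocked {name}")
            return False
        self.disk[name] = content
        return True

    def execute(self, names: list) -> bool:
        """Concatenate the named files in memory and try to run the result.
        Return True if the payload was allowed to run."""
        buffer = b"".join(self.disk[n] for n in names if n in self.disk)
        if "memory" in self.layers and memory_layer(buffer):
            self.alerts.append("memory layer blocked reassembled payload")
            return False
        return True


def simulate(layers, fragment_size=None):
    """Deliver KNOWN_BAD to an endpoint, whole or split into fragments,
    and report (payload_ran, alerts)."""
    ep = Endpoint(frozenset(layers))
    if fragment_size is None:
        parts = [KNOWN_BAD]
    else:
        parts = [KNOWN_BAD[i:i + fragment_size]
                 for i in range(0, len(KNOWN_BAD), fragment_size)]
    names = [f"part{i}.bin" for i in range(len(parts))]
    written = [n for n, p in zip(names, parts) if ep.write(n, p)]
    if written != names:
        return False, ep.alerts   # blocked before anything could run
    return ep.execute(names), ep.alerts


if __name__ == "__main__":
    for layers in (("file",), ("file", "memory")):
        for size in (None, 10):
            ran, alerts = simulate(layers, size)
            mode = "whole" if size is None else f"{size}-byte fragments"
            print(f"{'+'.join(layers):12} {mode:18} ran={ran} {alerts}")
```

Running it shows the point of the article in miniature: the file layer stops the whole payload on write, but lets every 10-byte fragment through because each fragment’s hash is unknown; only an endpoint that also scans at execution time catches the reassembled payload. A real product adds more layers (network, reputation, behaviour) and far richer signatures, but the structural argument is the same: each extra layer forces the attacker to evade one more independent check.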

Why not block these techniques?

While the approaches described above can be used for malicious aims, they are perfectly legitimate in other contexts. Every business client is different and endpoints can have very diverse settings. Some companies, for example, use software or files that look very suspicious but are entirely legitimate for their purposes.

Sure, if you are a small cybersecurity vendor with a user base of tens of thousands or maybe hundreds of thousands of endpoints, you can contact those few who might encounter some issues. But what if the number grows to tens, or hundreds of millions?

Only years of experience and testing can prove how best to fine-tune solutions to suit such a significant group of business clients. Similarly, it takes an investment of years to devise the protective layers that proactively help outsmart cybercriminals and protect today’s masses of internet users.

Analysts in the field of cybersecurity have also come to see the problems associated with using only a single protection technology and advise caution when choosing between so-called “next-gen” and established vendors, citing the former as complementary to the latter, not an alternative.

The whole series:

  1. Editorial: Fighting post-truth with reality in cybersecurity
  2. What is machine learning and artificial intelligence?
  3. Most frequent misconceptions about ML and AI
  4. Why ML-based security doesn’t scare intelligent adversaries
  5. Why one line of cyberdefense is not enough, even if it’s machine learning
  6. Chasing ghosts: The real costs of high false positive rates in cybersecurity
  7. How updates make your security solution stronger
  8. We know ML, we’ve been using it for over a decade

With contributions from Jakub Debski & Peter Kosinar