Next Generation Security: No, Dorothy, there is no magic wand

Backup software – your best friend

Sysadmin blog Hardly a day passes without some kind of major security breach. The type of attack that was once considered staggering in scale has now become the norm.

When a Yahoo! breach was found to have lost a billion accounts, it seemed the only thing anyone found unusual about it was that Yahoo! had a billion accounts to lose.

Don’t become complacent. As the threats have evolved so the industry has coalesced around new product categories and definitions - next-generation security.

But go to any security conference and you'll find the same vendors promising to save the world, only this time with some AI-enhanced machine-learning proxycondom replete with coloured charts presented in smell-o-vision, and they will still spend half their keynotes banging on about "preventative best practices".

The truth is that the next-generation security software that's out there really isn't that good, and you're not nuts because you look at it and see nothing but holes.

Forewarned is forearmed. Here, then, is a quick run through how the vendors and their products have coalesced around next-generation security.


One area where hype is giving way to usable solutions is ID as a Service (IDaaS). Identity management technology has been around for ages, with Microsoft's Active Directory having dominated identity and access control for more than 15 years. That's changing as identity management grows to encompass public cloud solutions and integrates directly into applications.

Microsoft is still a major player with Azure Active Directory, but all the big names are represented here. Google, Facebook and even Twitter are increasingly providing individuals' online identity and - in Google's case at least - that of organizational employees.

Smaller organizations like Centrify are looking to take over, though some governments are rising to the challenge as well. Estonia's electronic ID card is the canonical example.

It is right and proper that of all the categories of security hype in 2017 IDaaS is the furthest along. Everything else in IT security hangs off of identity. Without secure, reliable ID, everything else is suspect. With so many different services, platforms and applications to integrate, "as a Service" is the only sane way to do it.

While the majority of IDaaS deployments seem to be centred around enabling identity and authentication for or across multiple SaaS applications, it's worth noting that this is slowly changing. Some organizations are using Google's IDaaS (though not, to my knowledge, Facebook or Twitter) for internal directory authentication, via services such as JumpCloud.

This is increasingly common in, for example, education. "Google Schools" are a really big thing in North America, and in many cases the Google-provided identity has more relevance than a Microsoft Active Directory provided one, leading some organizations to do away with it altogether.

Where Twitter, Facebook and the like are pushing outside of their traditional SaaS utilization is as customer-facing authentication services that then map back to an internal directory solution. This is used for situations where external-facing users (typically consumers) are to be granted limited access to internal resources.


Cloud Access Security Brokers (CASB) seek to prevent stupidity leaking from an organization's premises onto the wider internet. In a perfect world, they would monitor everything from social media to cloud storage and have a tantrum whenever idiocy was afoot.

Some CASB vendors have primitive solutions to the problem of people putting things into Dropbox that they really shouldn't. Others search Twitter for naughty words and most will sniff email for undesirables.

Despite there being huge feature gaps in these next-generation hybrid proxies, CASB startups sell for a lot of money. For example, veteran Symantec bought Bluecoat for $4.65bn last year.

CASB can reasonably be described as a must-have technology for businesses of all sizes at this point, but they should be consumed with a high dose of caveat emptor. It is likely that the CASB vendors will never truly catch up to the explosion of SaaS solutions, social media and cloud storage they must defend against, making this a category of solutions perpetually in development.


Security Information and Event Management (SIEM) is the younger, hipper name for monitoring software. As with all monitoring software, SIEM solutions are miserable to use, even more miserable to configure, integrate poorly with a reasonable chunk of the things you need to monitor and aren't aware at all of the other things you want to monitor.

What sets SIEM apart from plain old monitoring is that some consideration has been given to the concept of information overload. Apparently people with money cottoned on to the idea that simply flooding sysadmins with alerts about every minor hiccough from every subsystem of every application under management just leads to sysadmins ignoring their alerts inbox. Who knew?

SIEM ranges from BigPanda with Nagios to more full-blown offerings from the likes of SolarWinds, and from relative newcomers such as Splunk to more traditional enterprise players including HPE, IBM and Intel Security.

SIEM isn't so much a new security category as an old one that's being reborn. Everything here is about machine learning, newer more AI-enabled filters and analytics that come in flavours. As always, the solution you really want is three times the budget you actually have.
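The information-overload point above is the whole difference between a SIEM and a pager that never shuts up. As an added illustration (example code written for this page, not from any vendor or from the author), here is a toy correlator that collapses repeated identical events into one counted alert and rolls a burst of failed logins from one source into a single brute-force alert; the log lines are constructed, and the thresholds and windows are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not from any real system).
SAMPLE_LOG = """\
2017-01-10T09:00:01 web01 app[101]: WARN cache miss ratio high
2017-01-10T09:00:05 web01 app[101]: WARN cache miss ratio high
2017-01-10T09:00:10 db01 postgres[77]: ERROR connection reset by peer
2017-01-10T09:01:00 vpn01 sshd[900]: Failed password for admin from 198.51.100.7
2017-01-10T09:01:02 vpn01 sshd[900]: Failed password for admin from 198.51.100.7
2017-01-10T09:01:03 vpn01 sshd[900]: Failed password for root from 198.51.100.7
2017-01-10T09:01:05 vpn01 sshd[900]: Failed password for admin from 198.51.100.7
2017-01-10T09:01:09 vpn01 sshd[900]: Failed password for guest from 198.51.100.7
2017-01-10T09:20:00 web01 app[101]: WARN cache miss ratio high
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")

def correlate(log, dedup_window=timedelta(minutes=5),
              fail_threshold=5, fail_window=timedelta(minutes=1)):
    """Collapse raw lines into the alerts a human should actually see:
    identical (host, program, message) lines within dedup_window become one
    alert with a count; fail_threshold failed logins from one source within
    fail_window become a single brute-force alert instead of N auth failures."""
    alerts, last_seen, fails = [], {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, a real SIEM would flag it
        ts, host, prog, msg = m.groups()
        ts = datetime.fromisoformat(ts)
        fm = FAILED_RE.search(msg)
        if fm:  # auth failure: count per source inside a sliding window
            src = fm.group(1)
            fails[src] = [t for t in fails[src] if ts - t <= fail_window] + [ts]
            if len(fails[src]) == fail_threshold:
                alerts.append({"rule": "auth_bruteforce", "host": host,
                               "source": src, "count": fail_threshold})
            continue
        key = (host, prog, msg)
        idx = last_seen.get(key)
        if idx is not None and ts - alerts[idx]["first"] <= dedup_window:
            alerts[idx]["count"] += 1  # same hiccough again: bump, don't re-alert
            continue
        alerts.append({"rule": "repeat", "host": host, "message": msg,
                       "first": ts, "count": 1})
        last_seen[key] = len(alerts) - 1
    return alerts
```

Nine raw lines become four alerts; the same cache warning outside the five-minute window starts a fresh alert rather than being silently swallowed.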

Malware, phishing and scams

Speaking of machine learning and AI, so-called Next Generation Anti-Virus (NGAV) promises to use the power of big data and slightly tweaked algorithms to usher in a new era in the battle against malware, phishing and various email scams. Marketing claims for this category elicit doubt.

NGAV solutions as a whole are better than signature-only based solutions. Of course, most of us haven't really been using signature-only based solutions for some time now. Claims that NGAV is better than traditional heuristic systems are still awaiting large scale independent verification, but there's no reason to think they won't be.

Much of the scepticism stems from the hard fact that no endpoint security system is 100 per cent effective. Vendors moved on from signatures to heuristics to public-cloud based machine learning and AI. This was promptly responded to by black hats employing machine learning and AI to defeat the NGAV being deployed by the vendors. It's the same cat-and-mouse game it's always been, only the tools have changed.

The real threat is the same as it has always been with endpoint security: that end users and organizations might actually believe that NGAV makes them secure. We all want to believe that we can simply install a security package and never think about the bad guys again. It's simply not true.


Technically a type of malware, ransomware has matured into its own category. Traditional malware tried simply to infect your computer in order to copy your data or turn your system into one of the millions of zombie bots clogging up the internet with spam. Ransomware, however, encrypts your data and holds it hostage until you pay a hefty fine to get it unlocked.

Peddlers of NGAV are trying to cash in on ransomware with vague claims about being "better" than traditional antivirus systems. But even the best at detecting ransomware or its behaviours will eventually let some through. It's the nature of the beast.

The bad guys are still iterating far faster than the antivirus companies can keep up, next-generation or not. The best defence against ransomware is still proper backup software. This is true today and it will be true for all the foreseeable tomorrows.


Next-generation security is all being rolled into a category called Endpoint Detection and Response (EDR), even though many elements of EDR don't happen on the endpoint. According to Gartner, EDR consists of incident data search and investigation, suspicious activity detection, threat hunting or data exploration, stopping malicious activity and alert triage or suspicious activity validation. All of the various categories discussed above blur into EDR.

There are a lot of players seeking to claim a slice of the pie. A by-no-means comprehensive list includes Barracuda, Bitdefender, Carbon Black, Bromium, Cisco Systems, CounterTack, CrowdStrike, Cybereason, Cylance, enSilo, FireEye, ForeScout, Hexis, Invincea, Malwarebytes, Mandiant, McAfee, Microsoft, RSA Security, Palo Alto Networks, SentinelOne, Symantec, Tanium, Trend Micro, Triumfant, Webroot, and Ziften. Some are established players, many are startups.

EDR is about more than simply sending samples back to the mothership. It is the latest buzzword for defence in depth. At the edge, at the endpoint, tracking odd authentication behaviour and yes, bringing as much data – including application behaviour and malware samples – into public cloud-based machine learning analysis tools as possible. Then spitting it all back out into logs, dashboards and alerts that humans can cope with.

Security approaches are evolving, and a lot of data is being collected by next-generation offerings. What remains to be seen is if these vendors will spend the next product cycle trying to convince us that they and they alone have the solution to all our ills, or whether they'll pool their knowledge and resources for all our benefit. In the meantime, we have new tools to learn.
