BlackBerry Blog

The Great Security Research of Tomorrow is Already Dead

FEATURE / 10.23.17 / Pete Herzog

Recently nobody asked me what I thought of the future of network security. So I’m writing you about it.

Also, nobody asked me how I’m doing, if they can sit with me, or if I want fries with that but I’ll save those for future articles.

This is the future of network security. This. Right now. What you see now is the future. Exciting, isn’t it?!

Let’s recap why that’s so. The first RFCs on the Internet Protocol, as well as TCP and ICMP, came out in September 1981. That was the magical time of your parents’ youth, when shirts showed belly, kids climbed over the seats while driving, and movie stars could be President. Anything and everything seemed possible then.

Fast forward to today. The world has become a completely different place, where shorts show cheek, kids climb over the seats while flying, and television stars can be President. Meanwhile TCP/IP has not changed. Most RFCs regarding TCP or IPv4 focus on updates to how the protocols are being used today rather than documenting how they should be used. It’s like instead of policing society into compliance with the laws they’re updating the laws to match society! Which, actually, kind of makes more sense... Never mind.

So that’s why we’re here now in the future of network security: because the network hasn’t really changed while the world has. Actually, that’s not completely true. There are many more protocols and many more types of networks, wired, wireless, and in between. Most run over IP. So never mind that. But the basic transport protocol in main use has not changed enough to require--

You know what. That’s crap. So much has changed in networking even if TCP/IP really hasn’t. I’m not going to try anymore to convince you that we’re in the future of security because the past hasn’t changed. We’re in the future now because security research sucks like it always has and it’s not going to get better. It’s stalled.

But I’m researching security, you say. Are you? Or are you researching how people are currently abusing security? Or are you looking at how to apply technology XYZ to security to make it smarter, faster, smaller, cuter, or more satisfying? Yes, that’s security research, but no, it’s not SECURITY research.

Without research into why we haven’t figured out how to have security, rather than mostly security, we aren’t there yet. We don’t have to have flying cars to be the future, but we should have a pretty good idea of how to secure computers. Go ahead and shake your head and say we do and be proud in your wrongness. We don’t. And that’s not an opinion, it’s a fact backed by every single breach, product dev team, and security vendor sales deck in existence.

Of course we can admit we don’t understand the human mind yet or even some of the human body. I, myself, don’t understand most people, especially the ones who live near raccoons. But computer networks? Why haven’t we figured out yet how to secure those? We made them! We didn’t make humans so there’s a learning curve still on figuring them out but we made the computer networks! We made the Internet. We didn’t just find it, unearthed from a past civilization. So why can’t we secure it if we built it?

Well, the reason is people and how they think. We can’t figure that out so well. Since networks are about human communications that’s part of the problem. The other part is that we assume we know what security is, individually, and don’t really agree with each other over what that is. Which brings me back to SECURITY research. We are not doing it. Well, you’re not.

It’s a particular interest to me because I work at a security research institute that actually does this. We’ve been consistently about 10 years ahead of the security industry for a while, but now it’s more like 15 years. Not because I own a time machine (if only, because then I’d be stocking up on Gatorade Gum!) but because the industry has stalled, representing things from years past, dyed a new color and wearing a new name tag. If you’ve been in security more than four years then you know this too.

Now, before you decide to point out that many things in security have steadily improved, such as secure software development, risk awareness, and network monitoring, let me be clear that none of these are because our understanding of security has improved. Just like how advances in medical imaging haven’t improved raccoon bite prevention. The damage is still being done, but now we know about it and can heal it more efficiently AFTER it happens. After. Damn sneaky raccoons.

You can see this in how the security vendors went from promoting Indicators of Compromise to Indicators of Attack. While an IoC helps us understand that an attack happened, an IoA lets us know an attack is happening. That’s good, right, because it lets us react quicker and minimize damage? And we think that’s good for cybersecurity. So consider this: would the same approach be good for tornadoes? Of course not. That wouldn’t save lives or minimize damage. It took active structural engineering improvements and research into what makes homes safer in high winds and pressure to address this. It’s still not there yet, but at least they recognize that telling people there’s a tornado outside right now, or that a tornado must have been here in the last month, is really not good enough for the tornado safety industry.

And if you think that going from IoC to IoA is due to security research, it’s not. Indicators of Attack are a throwback to the 90s, when firewall admins made rules to block port scans, funky fragmentation, and other reconnaissance techniques which were indicators of an attack. Those rules were based on hacking research, which is always moving forward, and inverted for prevention. And any improvements in IoA over the years come from inverting newer hacking research. I wouldn’t call that SECURITY research, and you shouldn’t settle for that either.
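To make the IoC/IoA distinction above concrete, here is an added example (mine, not code from the article or from ISECOM). It runs two inverted-recon rules of the 90s firewall kind over a constructed flow log: a SYN-only port sweep and a tiny first fragment, both flagged as IoA because they fire while the attack is still in progress. Beside them is an IoC rule that only fires after the fact, when an internal host contacts an address already on a known-bad list. The log format, the thresholds, the addresses and the known-bad list are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format, one record per line (constructed for this example):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>
#   optionally followed by IP fragment fields: mf=<0|1> foff=<offset> len=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" flags=(?P<flags>\S+)(?: mf=(?P<mf>[01]) foff=(?P<foff>\d+) len=(?P<len>\d+))?$"
)

# Constructed sample: a six-port SYN sweep, one tiny initial fragment,
# one outbound connection to a "known-bad" address, and one benign ACK.
SAMPLE_LOG = """\
2017-10-23T10:00:00 src=203.0.113.5 dst=198.51.100.10 dport=21 flags=S
2017-10-23T10:00:00 src=203.0.113.5 dst=198.51.100.10 dport=22 flags=S
2017-10-23T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=23 flags=S
2017-10-23T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=25 flags=S
2017-10-23T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80 flags=S
2017-10-23T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=443 flags=S
2017-10-23T10:05:00 src=203.0.113.9 dst=198.51.100.10 dport=80 flags=S mf=1 foff=0 len=8
2017-10-23T10:30:00 src=198.51.100.20 dst=192.0.2.66 dport=443 flags=S
2017-10-23T11:00:00 src=198.51.100.30 dst=198.51.100.10 dport=443 flags=A
"""

# Assumed "known-bad" destination list (IoC feed); 192.0.2.66 is documentation space.
KNOWN_BAD = frozenset({"192.0.2.66"})


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    opt = lambda k: int(d[k]) if d[k] is not None else None
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"], "mf": opt("mf"), "foff": opt("foff"), "len": opt("len"),
    }


def find_indicators(lines, scan_ports=5, window_s=10, known_bad=KNOWN_BAD):
    """Return a list of (kind, detail) findings; kind is 'IoA' or 'IoC'."""
    findings = []
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) within window
    sweep_reported = set()        # report each sweeping (src, dst) pair once
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # IoA 1: SYN-only sweep of many distinct ports on one host inside a short window.
        if rec["flags"] == "S":
            key = (rec["src"], rec["dst"])
            q = recent[key]
            q.append((rec["ts"], rec["dport"]))
            while q and (rec["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()
            ports = {p for _, p in q}
            if len(ports) >= scan_ports and key not in sweep_reported:
                sweep_reported.add(key)
                findings.append(("IoA", f"port sweep {key[0]} -> {key[1]}: "
                                        f"{len(ports)} ports within {window_s}s"))
        # IoA 2: "funky fragmentation": an initial fragment (offset 0, more fragments set)
        # too small to carry a full TCP header, a classic filter-evasion trick.
        if rec["mf"] == 1 and rec["foff"] == 0 and rec["len"] is not None and rec["len"] < 20:
            findings.append(("IoA", f"tiny first fragment from {rec['src']} (len={rec['len']})"))
        # IoC: contact with a destination already known to be bad. By the time this
        # fires the host is talking to it, so this indicates compromise, not an attempt.
        if rec["dst"] in known_bad:
            findings.append(("IoC", f"{rec['src']} connected to known-bad "
                                    f"{rec['dst']}:{rec['dport']}"))
    return findings


def analyze_sample():
    """Run the rules over the constructed sample log."""
    return find_indicators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, detail in analyze_sample():
        print(f"[{kind}] {detail}")
```

Note that the two IoA rules know nothing about what the attacker wants; they are the inverse of a reconnaissance technique, exactly as the text describes. The IoC rule is cheaper and more precise, but only because someone else already paid for the compromise that produced the list.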

I can tell you’re now trying to come up with exceptions. And you’ll find some. Maybe one. As I said, I do security research work, so I know of others that do so as well. That’s how I know it’s far too little and far too underfunded. And it’s not because it’s too futuristic to add to today’s products, but because companies won’t easily find buyers for those new features. Because in security, as in safety, the majority of people don’t like to be early adopters. The masses literally play it safe.

Which is why the security product focus, today as always, has been on borrowing from the past to make new offerings. It’s also cheaper. Make no mistake, security research is expensive. Add to that the cost of development to fit any tech to a product as a new feature and there goes your profit margin. So you can be sure that if a company does any type of security research at all, they’re going to hoard their failures and milk the successes as long as they can.

The problem with this is that there’s a real need for advanced security research that addresses the fundamental problems of security, like how to replace identification, which has always been broken and undermines authentication, attribution, privacy, and so many other aspects of security that depend on it. Instead, anyone who might have the answer is sitting on it somewhere, ignored because it’s not easy to integrate into a firewall. Sitting on it until it’s dead. So...

What if the great security research of tomorrow is already dead?

Pete Herzog

About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.