HP’s Bristol Labs: Rethinking Security From the Bottom Up

Last week I was at HP’s Bristol Labs in England, and it got me thinking that we need to rethink how we secure our businesses. HP’s security efforts on its business PCs and printers are arguably the best in the industry (sadly, not yet on its consumer products), and they provide a level of defense in depth that is currently market-leading. They are the only vendor I’m aware of that can fully recover a rooted laptop remotely, and they have the strongest malware protection thanks to a licensed solution from Deep Instinct, which they describe as the only deep learning (neural network based) anti-malware solution in the market. However, they also identified several changes in the attacks, both in method and in the devices targeted, that suggest we once again must update our security practices to deal with the threat.

Let’s talk about some of the frightening changes to the threat landscape.

350K New Viruses A Day

HP is tracking 350K new malware samples a day, along with a large shift away from zero-day attacks toward aging hardware. It is interesting to note that one of the preferred targets is network-connected fax machines, which mostly have no security, bypass the firewall through their telephone line, and are vulnerable to buffer overrun attacks that can then be escalated into a compromise of the attached network.
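The fax point above is a generic one about unchecked input on a network-facing device, so here is a constructed illustration of that bug class beside its fix. This is an added example, not HP’s research or code from any fax product: the field name, the 20-byte width and the printable-ASCII rule are assumptions made for the example, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed width of a sender-supplied identifier field (constructed for this example). */
#define ID_MAX 20

/*
 * Vulnerable form: the caller-controlled field is copied into a fixed stack
 * buffer with strcpy and no length check. Any field longer than ID_MAX bytes
 * writes past 'tmp', which is the classic stack buffer overrun. Do not call
 * this with untrusted input; it is here only to show the shape of the bug.
 */
int parse_station_id_unsafe(const char *field, char *out /* >= ID_MAX + 1 bytes */)
{
    char tmp[ID_MAX + 1];
    strcpy(tmp, field);  /* length of 'field' is never checked */
    strcpy(out, tmp);
    return 0;
}

/*
 * Hardened form: the length is passed explicitly and checked against both the
 * protocol limit and the destination size, the content is validated, and the
 * function fails closed (returns -1) instead of truncating silently.
 */
int parse_station_id_safe(const char *field, size_t field_len,
                          char *out, size_t out_len)
{
    if (field == NULL || out == NULL || out_len == 0)
        return -1;
    if (field_len > ID_MAX || field_len + 1 > out_len)
        return -1;                     /* oversized field: reject, do not copy */
    for (size_t i = 0; i < field_len; i++) {
        unsigned char c = (unsigned char)field[i];
        if (c < 0x20 || c > 0x7e)      /* printable ASCII only (assumed field format) */
            return -1;
    }
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed field and one oversized field. */
    const char *good = "+1 555 0100";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char out[ID_MAX + 1];

    if (parse_station_id_safe(good, strlen(good), out, sizeof out) == 0)
        printf("accepted: %s\n", out);
    if (parse_station_id_safe(oversized, strlen(oversized), out, sizeof out) != 0)
        printf("rejected oversized field of %zu bytes\n", strlen(oversized));
    return 0;
}
```

The safe version takes an explicit length rather than trusting a NUL terminator, because data arriving off a line or a socket is a byte count, not a C string; that single change is what turns the overrun into a rejected message.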

But they aren’t just going after fax machines. They have tools to identify other aging hardware that isn’t properly updated and protected. They apparently really like Windows 7 machines, which are dropping off Microsoft support and are often not adequately patched, and they are becoming increasingly competent at going after IoT devices and printers that lack much of any security defense.

This has become so bad that, according to HP, there has been a sharp drop in zero-day attacks, because going after this old equipment is just so much easier. The related attacks generally start when a user is tricked into executing a piece of code, and the result can be devastating.

This is not only because the attacks often go unnoticed while providing access to the firm’s and users’ secrets, but because this malware, once in the network, is so good at spreading and evolving, resulting in far more damage and far more difficult recovery.

HP has mastered how to automate the recovery of a compromised machine and has a far stronger set of preventative tools on its current business line. But given that attackers are going after older hardware, these new PCs aren’t even the focus of attacks and will be less likely to be compromised regardless of which vendor you buy them from. Why would anyone waste time on new, well-patched machines when there are thousands of out-of-date machines that are far easier to hack and will provide a far greater return for far less effort?

A New Class Of Security Company Emerges

One fascinating piece of data was that a new class of security firm is coming to market which either helps you recover your files if you are hit with ransomware or stops you from paying a ransom when there is no chance of getting your files back. It is interesting to note that many of the more recent apparent ransomware attacks used programs that destroyed the files, so even if you paid the money, you weren’t getting your files back.

Can you imagine going to your management after convincing them to pay some exorbitant Bitcoin fee and saying, sorry, the files are toast, or that the file kidnapper vanished without restoring the files after being paid?

Wrapping Up: Higher Focus On User Behavior

Most attacks are still triggered by users going to a compromised web site, opening a compromised file, or clicking on a compromised link. Particularly for firms with aging hardware, this means we need far more regular user training, more active security penetration testing, and more effort to find out which users aren’t learning to stop doing stupid things. It is certainly great that HP seems to be unique in having machines that can resist the most pervasive and damaging attacks on their hardware, both rapidly identifying and reporting the attack and automatically recovering from it without IT getting involved. But older hardware, and products that aren’t from business lines (which we often give executives), aren’t anywhere near as well protected, suggesting we may need to reevaluate the risk of some of our internal practices to ensure the next firm hit with a huge breach fine, bad publicity, and a damaged income statement isn’t ours.