Dr Konstantin Berlin, Head of AI at Sophos, says the security industry’s “closed book” approach gets in the way of innovation…
The wider technology industry has a rich history of knowledge and information sharing, particularly around technologies such as AI, where NLP, voice recognition and computer vision source code are widely shared.
Developers and technology companies realise that there is a mutual benefit to this type of open collaboration which results in more robust products, faster advancements in technology and the ability to attract talent.
Within the cybersecurity industry, however, secrecy has been built into the very fabric of what we do. Firms are often incentivised not to share data and research because they know that their competitors are unlikely to do so. Some simply don’t want customers to see what’s behind the curtain because it doesn’t quite live up to the hype of their marketing. But it’s something that needs to rapidly change to help us defeat increasingly sophisticated attackers.
There should be no doubt – the security industry’s closed book approach is getting in the way of innovation and helping relentless cybercrooks win. When companies publicise and share information, there are huge benefits from a social and technological standpoint.
Language modelling and machine translation are two examples of applications we’ve seen bubble with innovation over the last five years, because the companies that have invested hundreds of millions into them are opening their books. They may not share everything about their projects, like source code and data sets, but they share enough to help spark industrywide development. Cybersecurity doesn’t really do that.
Ultimately, this stagnates innovation and harms not just vendors but also end-user organisations. Opening up about solutions, methodologies and applications has a dual benefit.
Firstly, it gives buyers a better framework to select tools and also to understand their security posture and where it may need bolstering.
It also means, from a vendor perspective, that we can learn from each other, create complementary solutions, and stress test each other’s tools and methodologies to create more robust solutions and services.
Learning to share
To help move the industry forward, cybersecurity experts, vendors and practitioners need to be sharing and utilising each other’s data to advance knowledge.
For instance, in 2020 Sophos created a malware repository featuring 20 million disarmed malware samples to help train machine learning and AI models.
Nearly two years later, its Sophos AI team developed an open-source machine learning tool that generates YARA rules for detecting specific types of threats, minimising what is time-consuming and technical work. It also gives organisations with limited resources, or teams without advanced AI skills, the ability to create solutions that serve their purposes.
Likewise, businesses are pushing back against vendor lock-in. Their IT stacks are made up of a mixture of vendor solutions.
It’s something cloud vendors and other technology sectors have acknowledged and addressed to ensure their solutions work seamlessly together.
Quite often, though, the security stack isn’t looked at in the same way. Service providers aren’t harnessing the power of third-party data to improve operations, active threat hunting and detection, or to identify new trends.
We recently launched our MDR service, which integrates vendor-agnostic telemetry from third-party security technologies into our offering to give unprecedented visibility and detection across operating environments.
We are the first endpoint security provider to do this. The service automatically consolidates, correlates and prioritises third-party data with insights from the Sophos Adaptive Cybersecurity Ecosystem and the Sophos X-Ops threat intelligence unit to accelerate threat detection, investigation and response.
Defend as One
As an industry, we are facing an increasingly difficult task. The threat landscape is more crowded than ever thanks to the maturation of the cybercrime industry, where nefarious crooks can purchase every part of an attack. What’s more, we are seeing more advanced and complex attacks than ever before.
The only way for us to gain an advantage over them is to act in an equally open way. For this to work, we have to be prepared to:
• Share data that can help to improve AI/ML tools
• Open-source tools that enable teams of all sizes and skill levels to build fit-for-purpose solutions
• Publish research around new tools, tactics and techniques spotted in the wild
• Use third-party data to improve our own services and solutions
If you aren’t already, think about how an open policy might help you and your customers strengthen your cybersecurity posture.