What's the most important thing an antivirus tool can do for your security? Some would say it's simple – the antivirus should eliminate malicious programs and report what it did.
For Jerry Jean, Chief of IT Security at McGill University Health Centre, that's decidedly not the answer. In a keynote presentation at the Malware 2012 conference he challenged security vendors and researchers to take a different view.
Jean manages security for a Canadian hospital system with seven physical sites, 7,000 computers, and 13,000 users including employees, consultants, and students. The system also includes a varying number of "Bring Your Own Device" (BYOD) users (including smartphones, laptops, and other unmanaged devices).
"If I tell my bosses there's a security issue," said Jean, "I have to relate it to patient care. How many will suffer? If there's nobody dying, I don't have too many concerns."
Listening to earlier conference presentations that talked about antivirus signatures, process monitoring, whitelists, data loss prevention, and such, Jean's reaction was... "Really?! You're still thinking about that stuff?" He exhorted security researchers to take another view. "Our threat landscape involves users, devices, and the data centre," said Jean. "Whatever security you want to apply should take the device out of the equation. Do I care about the device, or about my data? Make sure you protect what's really important to me, the data."
Jean prefers to talk about BYOT – Bring Your Own Technology – rather than BYOD. Users bring in USB drives, smartphones, laptops, all because they make work easier. "When you see users doing something that isn't normal, it means your existing technology has failed the user," said Jean. "Smartphones haven't failed the user. They meet a real need. And you don't want to get in the way, telling them they have to reboot into a secure environment before they can connect with your network."
In Jean's hospital environment, the CIO insists first on functionality, then on integrity, and finally on confidentiality. "Having no outages is mission critical," said Jean. "An antivirus update that requires a reboot has a huge impact on our over 10,000 computers. Security suppliers, if you'll take into consideration avoiding reboots we'll appreciate it."
Again and again in various ways, Jean demonstrated that his job is about risk management, not about totally eliminating risk. For example, in one location nurses use their own smartphones to immediately report patients' vitals, which has had a measurably beneficial effect. Conceivably someone could hack an employee's smartphone and modify patient data, but how likely is that? "The risk may be low enough to be acceptable," said Jean, "since there are so many risk cases that are more significant."
The 75 per cent
To the antivirus industry, Jean says, "Thanks for catching 75 per cent of the threats. My business is with the other 25 per cent. Where should I focus my effort? How do I mitigate their effect? Are we a preferred target?" A question like "how many viruses were detected?" just isn't relevant.
Existing antivirus tools can tell that a machine was infected, and that it was cleaned. "But what was the impact?" asks Jean. "How long was it there? What did it try to do? Did it succeed in stealing data?" In Jean's perfect world, antivirus vendors would actually learn about the hospital business and become partners in defining just what an antivirus product should supply.
Turn the tables on cyber crooks
To the researchers, Jean said, "Rethink the model! Don't reinvent the wheel, and don't just make the wheel run better." He went on to observe, "The criminals are being very creative and very innovative. They will rethink their model, and you'll have to catch up. Instead, how about you find new techniques and make them catch up."
Jean concluded, "We're moving away from protecting devices to protecting data. First protect my data, then protect the device. Finally, understand the business you're working with."
If vendors and malware researchers take Jean's advice and craft innovative solutions that go beyond what malware writers have yet managed – if the bad guys become the ones having to play catch-up – we'll all benefit. This is precisely the kind of thinking that the International Conference on Malicious and Unwanted Software (Malware 2012's full title) encourages.