Privacy and security online are one of the top concerns of Americans, especially after numerous massive data breaches (Equifax, Yahoo, Uber) that happened in the past couple of years.
According to Pew Research Center, 61% of people would like to do more to protect their privacy online, and 74% would like to be more in control of who can get information about them online. 64% of Americans have personally experienced a major data breach, and 49% feel that their personal information is less secure than 5 years ago.
Network operators are in a position to provide secure and private online experience by leveraging machine learning and big data. It is crucial in the light of DNS encryption, a new trend that will offer additional privacy for home users, but less protection if combined with legacy security methods.
Today we talked about privacy trends, DNS blacklisting, and security online with Santeri Kangas, CTO at CUJO AI. Santeri has 26 years of experience in cybersecurity and cloud computing. He has delivered personal cloud and internet security for over 220 operators including AT&T, Orange, América Móvil, Telefónica, SingTel, and BT.
Let’s start with the current situation regarding the privacy on the internet. What kind of trends could you highlight?
It’s important to remember that the Internet was not designed for privacy. For example, DNS traffic was unencrypted for more than two decades. This allows anyone who gets access to the DNS traffic to see what websites the people are visiting.
Furthermore, websites were not required to be encrypted because they didn’t gather user’s private information. Currently, many websites collect various data, which was not the case two decades ago.
New methods are constantly developed to fix this and to protect user’s data. For instance, “DNS over TLS” protocol is becoming more dominant. TLS is an encryption protocol that can encrypt website data (HTTP), files (FTP) or emails (SMTP). Most websites you visit today might apply TLS protocol, encrypting all the traffic.
Even though the traffic wasn’t encrypted previously, this is going to change. Google has announced that it will start encrypting its traffic. Other vendors will not just stand by and watch this from the sidelines. New DNS encryption vendors already started to work on this – for instance, Cloudflare and their 22.214.171.124 service gathered a lot of traction in the past weeks. We will see soon that DNS will get encrypted by a majority of vendors.
Is privacy the only concern of the typical American? Should IoT devices also be added to the equation?
We already have more internet-connected devices than we have the traditional devices such as personal computers or smartphones in our homes. Hundreds of thousands of new IoT devices are being shipped out at the moment. These IoT devices have different capabilities, but all of them are connected to the internet.
Home users do not have much control over them: they do not have any idea what their devices are doing on the network, or whether the device was taken over for malicious purposes. It’s rare that consumers would patch their IoT devices. It’s crucial to give back the control of the homes to the consumers.
What other cyber threats must be considered?
For the last decade, we have seen a massive amount of malicious code. You can buy malware attack kits from the Dark web, and those tools are developing continuously. We see 200-300 thousand new malware samples a day. Malware is, of course, just one of the many attack vehicles in a typically very complicated attack pattern.
Hackers have created very advanced hacking ecosystems. Of course, you have been hearing this story from any internet security company for the last 10 years.
Legacy solutions such as signature-based detection are not sufficient anymore; they cannot protect users against all of these new threats. It’s essential to understand the volume of these attacks to detect the behavioral patterns behind them if we want to protect against them.
How do legacy security vendors protect against all these threats?
Legacy security vendors block known-bad domains based on DNS blacklisting. This is a result of a process when known-bad domains are being monitored, bad behavior is detected and known-bad URLs or IP addresses are being added to a database of known threats. This is good for those attack patterns that we know of. But it doesn’t protect against new threats.
DNS blacklisting lists are being built on the knowledge about malicious websites. Security companies track malware behavior and attack patterns, and then post the lists of malicious websites or command and control (CnC) servers on the blacklist. This is not a proactive mechanism. This happens after an attack happens.
Malicious websites and CnC servers are very short living. They appear, then disappear, then appear somewhere else later on. That’s why it’s very important to actually detect the pattern instead of the endpoints of the attack.
How does machine learning solve this?
The nature of machine learning (ML) is proactive. Instead of trying to keep up with constantly evolving attacks, this method detects the pattern and then applies it to the website that the user plans to visit. ML algorithms do not rely on knowing the malicious websites and IP addresses in advance. This is the base of what we are doing at CUJO AI.
First of all, we collect a humongous amount of data from the network, including IoT devices or endpoints. We select which behavior is known-good, defined as not malicious. We also get a large set of known malicious behavior.
We use this data to train our models based on Bayesian math and advanced machine learning algorithms. This way we detect the patterns of device, network, or website behavior.
About CUJO AI
CUJO AI is the leading artificial intelligence company providing network operators AI-driven solutions, including AI security, advanced device identification, advanced parental controls, and network analytics. CUJO AI Platform creates intuitive end-user facing applications for LAN and wireless (mobile and public wifi), powered by machine learning and real-time data.
About Santeri Kangas, Chief Technology Officer at CUJO AI
Santeri has 26 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for network operators.
Kangas was CTO at F-Secure, CTO of vulnerability research and management company Secunia, Chief Architect at Flexera, and as a CTO of Identity & Access Management Company Omada. Santeri has delivered personal cloud and internet security for over 220 operators including AT&T, Orange, América Móvil, Telefónica, SingTel, and BT.