A multitude of computer security defenses simply don't work. And the one we need doesn't exist.
The security defense we need is one that basically puts a security expert on each computer. Most of the computer security experts I know have never been infected. For example, I've been practicing computer security since 1987, and I've had my personal computers compromised only three times: once by the Cascade virus in the late 1980s, once by a GDI-related zero-day exploit, and once two or three years ago by unpatched Java. In each case, I knew I was compromised in seconds and was able to avoid any real damage.
We know how to spot malware and new hack attempts. The trick is to turn a computer security expert's experience into a product or service anyone can use.
Why not? We're doing it with other complex thought processes. Supposedly we're just a decade away from highways full of self-driving cars. Human expertise can be mimicked.
The mechanical expert
In my humble opinion, the perfect computer security defense would have two main components: First, it would be a centralized cloud service that would know all the latest hacker techniques, behaviors, and symptoms. It would also know where hackers are operating from, by individual IP addresses, and readily share that information.
Second, a client-side piece of software would connect to the cloud component and use its information and recommendations. The client would report back newly found maliciousness to the centralized service. Every participating computer in the world — client, server, and mobile device — would run the client service. Oh, and all of this would be free, of course.
A staple of the centralized service would be a blacklist of all known IP addresses currently involved in originating badness. It would include all known compromised websites, spammers, and networks hosting professional criminal gangs like APT groups. The blacklist would be updated as the hackers and their malware creations moved.
Today, most of the antimalware companies already have a list like this. It just isn't shared with us.
Blocking the bad guys
For instance, suppose a computer in your company gets compromised and begins spewing spam. The centralized service would note the spam attack by correlating all the newly arriving spam originating from a single IP address and hitting monitored clients. It would then add that IP address as a spam originator to the blacklist and either notify the appropriate admins to investigate, or, optimally, if previously allowed, shut down the compromised computer's network access at the same time as contacting the admins.
Here's another example. If someone starts to launch a DDoS attack, once the originating IP addresses have been validated (if possible), the involved IP addresses would be reported to the centralized service, which would then blacklist them and notify all participating clients. In either case, when the involved computers get cleaned up, the centralized service would get notified and communicate the clean status to everyone else.
Sign up for CIO Asia eNewsletters.