Adversaries & ultrasound scanners: A Q&A with Lookout’s new VP of Security Research on his first day
We’re thrilled to announce Michael Murray, a security industry research veteran, has joined Lookout to head up our Security Research and Response looking to focus on novel research and making the most out of our machine intelligence to knock out commodity and advanced/targeted malware.
Mike brings a huge wealth of security knowledge after serving as the director of product-development security at GE. Many of you already know Mike, but we wanted to give him a chance to talk about his plans in his own words:
Why join the mobile security industry and why now?
I talked with Amit Gupta (Lookout’s VP of Engineering) and he said something that’s stuck with me, “In the future, there’s no such thing as mobile security because everything is mobile.” We’re starting to see people move towards using mobile as their dominant platform, especially with products like the iPad Pro and Windows 10. We’re going to see the traditional desktop usurped by a “mobile device” in the very near future. I predict within 24-36 months, the idea of a dedicated desktop will seem very much like the old days when you had Sun workstations. The only people who are going to have actual Macs/PCs will be developers/IT folk. The majority of us will be “mobile-only.”
“It’s not about phones, it’s about anywhere mobile platforms are used.”
Beyond that, you’re starting to see the mobile OS move into the Internet of Things realm. I know that major medical device manufacturers (e.g. Phillips https://www.lumify.philips.com/) are creating ultrasound scanners on the Android platform. Think about medical devices, interfaces to transportation, oil rigs; they’re all starting to incorporate Android. It’s not about phones, it’s about anywhere mobile platforms are used.
What do you think about the adversarial landscape for mobile?
The attack landscape is just about to get really interesting. Today, the main and best way to get onto the mobile device is to get someone to install a malicious application. To me, that’s exactly what PC hackers were doing in 1997-1999. For those that aren’t as old as me, the main attack vector back then was malicious shareware applications. You’d go to a popular downloads website and download something that looked legitimate, but then it’d turn out to be a virus of some sort. It’s very similar to what we have now in the mobile space — we have a malicious app economy for the attacker.
However, if we look at history, we can see that antivirus companies started to catch that type of attack fairly quickly. That’s when the big antivirus players started growing. Soon after, the malicious shareware app trend went away and was replaced by a real “vulnerability economy” — major vulnerabilities in applications created opportunities for threats like Slammer and Blaster, for example. They weren’t attacks against the OS directly like what we see with jailbreaking on mobile devices today. Instead they were about actually breaking the apps, the software, on the PC and using that to compromise the device. We’re starting to see that movement already on mobile, but we can expect that to accelerate over the next couple of years
What is the security industry doing wrong that you want to get right?
One thing the security industry has traditionally done really badly is applying machine learning to security. You walk around the RSA trade floor and hear everyone saying they’re doing machine learning, but the vast majority are just using it to generate traditional signature-type detection. I was talking with a friend who said that often when people say “vectors,” they’re really just saying “CSV file.” Our industry needs to learn to work with and embrace machine learning at a fundamental level, rather than as a marketing buzzword.
In the security research space, correctly applying machine learning means teaching the machine pipeline to do the work for us, using the the human engineers as an enabler to the machine, instead of the other way around.
“That’s one of the reasons I’m really excited about joining Lookout: the awesome machine learning platform and the ability to use it to build detections at speed and at scale.”
With that in mind, what are your priorities?
The world over, researchers have been focused on manual processing of patterns. “Let me reverse engineer this binary by hand and figure out all its behaviors.” Researchers love doing that, and while there’s an important place for it, the machine does a lot better than we do at this point. That’s one of the reasons I’m really excited about joining Lookout: the awesome machine learning platform and the ability to use it to build detections at speed and at scale. If you have normal attackers, many of them are reusing code to create variants at scale. The machine is going to be a lot faster at sifting through 10,000 pieces of code and connecting those variants of the same code together than a human could ever be. The human, on the other hand, is super useful when the bad guy does something brand new. I want to take as much of the rote work out of the research process as possible and focus on higher-order pattern finding.
Any other takeaways for your future as the Lookout research lead?
I’m looking forward to being the dumbest guy in every room I’m in.