In 2016, cybercrime cost the global economy more than $450 billion, but most businesses are unprepared to deal with an attack, according to the Hiscox Cyber Readiness Report 2017. Firms that are looking to beef up their detection efforts may want to consider two unconventional approaches showcased at the Collision 2017 tech conference in New Orleans this week.
Imagine inviting a hacker into your system to see if they can spot vulnerabilities and then rewarding them. That’s the premise of HackerOne, which has registered 100,000 “white-hat hackers” from around the world. HackerOne CEO Marten Mickos says his army of independent ethical hackers is democratizing cybersecurity. Most businesses have pride of ownership over their software and systems and can’t spot vulnerabilities the way an outsider can, according to Mickos.
HackerOne works by putting a bounty on bugs. Once an invited hacker finds a vulnerability, they inform the business and get a reward. The minimum bounty is $100, but companies have paid as much as $30,000. Considering that IBM reported the average cost of a data breach in 2016 was $4 million, these bounties are highly cost-effective. And companies get results quickly: seventy-seven percent of customers are told about a bug within the first 24 hours.
Mickos said one of his hackers found a vulnerability at Slack, the office communications application, on a Friday evening. Slack responded in half an hour and fixed the bug in five hours.
“That’s absolutely amazing; most companies need weeks,” says Mickos. “It’s an example of a company that really gets it. If everyone did that we wouldn’t have any issues.”
Mickos calls his hackers “geek boy superheroes.” Most are young men, many in their teens, who like to buy cars with their rewards. HackerOne uses comics to explain its bug bounties and celebrate successful hackers.
While the idea of inviting hackers inside a company’s firewalls may be a difficult concept for many IT leaders, Mickos says their worst fears are already happening.
“You are being attacked by criminals right now,” he says. “Our hackers are eternal optimists who believe they can find your vulnerabilities before the criminals do.”
Darktrace founder Nicole Eagan isn’t as confident about human efforts to combat cybercrime. Her company uses artificial intelligence (AI) to spot attacks that she says humans would miss. When Darktrace is dropped into a corporate network, it typically finds twenty to thirty percent of devices are unknown to the IT team. Darktrace has seen attacks through smart light bulbs, stabilization systems on trains, and fingerprint biometric systems.
“Attackers have come to realize IoT (Internet of Things) devices are the least protected and the easiest way to get into a company’s network,” says Eagan.
Darktrace uses machine learning to mimic the human immune system by searching for unusual patterns on a corporate network. It even uses “digital antibodies” that respond automatically.
Eagan says Darktrace found the audio portion of a corporation’s video conferencing equipment had been left on in one conference room for two weeks, which was different from the usage of any other room. It turns out attackers were spying on merger discussions in that room.
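The conference-room anecdote is a textbook case of baseline-and-deviation detection: a device is suspicious not because it matched a known attack signature, but because its behaviour differed from its peers and from its own past. The following added example (not Darktrace’s code or algorithm; room names, thresholds and telemetry values are all constructed) shows the two checks the anecdote implies over a small set of per-room “audio-active hours per day” readings, using median and median absolute deviation so that one extreme device cannot hide itself by inflating the baseline.

```python
"""Baseline-and-deviation anomaly detection over constructed telemetry.

Added illustrative example; it is not Darktrace's algorithm, and the room
names and values are constructed. Each device reports the hours per day
that its audio path was active. Two checks mirror the article's anecdote:
  * peer check: is this room's typical usage unlike every other room's?
  * self check: is today's reading unlike this room's own history?
Both use the median and median absolute deviation (MAD), which a single
extreme device cannot drag the way a mean and standard deviation can.
"""
from statistics import mean, median

# Iglewicz-Hoaglin scaling so a MAD is comparable to a standard deviation,
# and their customary cut-off for a modified z-score.
MAD_SCALE = 0.6745
THRESHOLD = 3.5


def _pattern(base, days=14):
    """Constructed usage: a quiet/medium/busy three-day cycle around `base`."""
    return [base + 0.5 * (d % 3) for d in range(days)]


# Constructed sample telemetry: audio-active hours per day for 14 days.
TELEMETRY = {
    "room-101": _pattern(1.0),
    "room-102": _pattern(1.5),
    "room-103": _pattern(2.0),
    "room-104": _pattern(0.5),
    "room-105": _pattern(1.0),
    "boardroom": [24.0] * 14,  # audio left on around the clock for two weeks
}


def modified_z(value, history):
    """Modified z-score of `value` against `history` (median/MAD based).

    If the history has no spread at all (MAD == 0), any departure from the
    median is treated as infinitely surprising and no departure as 0.0.
    """
    center = median(history)
    mad = median(abs(x - center) for x in history)
    if mad == 0:
        return float("inf") if value != center else 0.0
    return MAD_SCALE * (value - center) / mad


def peer_anomalies(telemetry, threshold=THRESHOLD):
    """Rooms whose average usage is unlike the rest of the fleet."""
    averages = {room: mean(hours) for room, hours in telemetry.items()}
    fleet = list(averages.values())
    return sorted(
        room for room, avg in averages.items()
        if abs(modified_z(avg, fleet)) > threshold
    )


def self_anomalies(telemetry, latest, threshold=THRESHOLD):
    """Rooms whose newest reading is unlike their own recorded history."""
    return sorted(
        room for room, value in latest.items()
        if room in telemetry
        and abs(modified_z(value, telemetry[room])) > threshold
    )


if __name__ == "__main__":
    print("peer anomalies:", peer_anomalies(TELEMETRY))
    # Constructed day-15 readings: room-101 is suddenly active for 9 hours.
    today = {"room-101": 9.0, "room-102": 2.0, "boardroom": 24.0}
    print("self anomalies:", self_anomalies(TELEMETRY, today))
```

The peer check surfaces the boardroom because its two-week average sits far outside the fleet’s spread; the self check would surface a normally quiet room the first day its microphone stays on for hours. Note the deliberate handling of a history with zero spread: a device that has read exactly the same value every day is itself a signal worth a look, and a naive division by the MAD would otherwise crash or hide it.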
Criminals are also starting to use AI for their attacks. Eagan said Darktrace recently foiled its first AI cyber attack on a corporate network in India by using an algorithm that worked faster than the attacker’s and outsmarted it.
“We could be looking at an arms race where the item that’s up for grabs is inside all our corporations,” says Eagan.
The scenarios for cybercrime are limitless, so there’s no way to solve it by writing rules based on what’s happened in the past, according to Eagan.
“The sooner we put an enterprise immune system inside our companies, the stronger that immune system will get over time,” says Eagan. “It will learn self, just like our human body.”
While their approaches are completely different, HackerOne and Darktrace both represent a fresh way to solve this growing problem. Corporate IT leaders may even want to consider both solutions—a teenage hacker could work alongside a self-learning machine to help turn the tide against cyber criminals.