For decades information security has been plagued by innovative attacks against unimaginative countermeasures. Where can we find the innovative security solutions needed to protect our increasingly intellectual assets from the growing wave of data breaches?

The track record is not good. Over the last three decades there have been no more than half a dozen real innovations in security countermeasures. The 80s gave us anti-virus technology. The 90s gave us BS7799, firewalls, SSL and intrusion detection. Most advances since then have been variants or new combinations of existing technologies.

And there’s been little or no discernible advance in risk management techniques or security governance principles over the past two decades. Indeed, Shell’s security management frameworks, certification processes, educational material and performance measurement techniques designed back in the mid 90s have yet to be bettered. 

So is there anything new out there? The answer is yes there is, but it’s not immediately obvious, generally tucked away in small enterprises or in the corners of research labs, rather than in mainstream products. We rarely get to catch a glimpse of these innovations, except in competitions such as the excellent Global Security Challenge (GSC), the annual finals of which took place earlier this month at London Business School.

The range of ideas and technical excellence shown by the GSC finalists were outstanding. Many were breakthrough, game-changing developments. They included both physical and cyber security technologies. Several caught my eye and impressed me. I’d even be tempted to buy them out, while they’re small, if I had enough money to burn.

The cyber security challenge was won by Ksplice, a new technology from MIT that enables Linux applications (and others where the source code is available) to be patched without re-booting. Clearly this is most useful for 24x7 servers, but it would be nice to see this capability in clients, routers and other platforms.

One of the cyber security challenge runners-up was a self-cleansing intrusion tolerance (SCIT) technology developed at George Mason University that reduces the exposure of platforms by rapidly rotating and cleansing a set of virtual servers. I’ve long argued that security should exploit ideas from nature, such as sex and death. This technology nicely illustrates the power of death in promoting longer term survivability.

The physical security finalists were even more imaginative. Auxetix demonstrated a counter-intuitive material that actually thickens when stretched, enabling it to be used for lightweight body armour that can withstand point-blank grenade attacks. Kromek, out of Durham University, won the SME category with a breakthrough scanning technology that can detect liquid explosives inside a suitcase. From Seattle came a breakthrough ‘brain fingerprinting’ technology that can detect whether a suspect recognises a known image, such as a photograph of a terrorist.

There were many other great ideas which demonstrate that security innovation is alive and well within universities and research labs. So why does it not always make it into products? The answer is very simple. It’s much easier, cheaper and faster to enhance and re-badge an old product rather than develop a new one.

The Global Security Challenge does an excellent job at highlighting breakthrough concepts in security. We could do with a lot more investment and support to help develop these ideas into everyday products.   

Delicious

Digg

Reddit

Facebook

StumbleUpon