Cisco Systems : Malware Defense is a Team Sport, Best Played by Collaborative Fog Nodes

Cisco Blog >Innovation

In my previous blog, I shared an overview of fog-based security services. At the center of these services-and critical for moving the needle on the Internet of Things-is a requirement for ubiquitous malware defense for a large number of devices with vastly diverse capabilities.

Through fog, this is possible. Malware-defense tasks, which require heavy resources, large storage space, timely processing, and global intelligence, can be moved to fog nodes near the protected devices and systems. We can distribute malware defense capabilities across a cluster of fog nodes. As a result, each fog node can have the same, or complementary, threat defense capabilities. This approach makes efficient use of shared resources. It also improves overall security by making it harder for attackers to disrupt security operations.

To be successful, however, the large population of often resource-constrained devices to be protected, such as user endpoints, should only be required to implement lightweight security functions, such as detecting suspicious files rather than high-fidelity determination of whether the files actually contain malware or not. This will greatly reduce the complexity and processing load of the vast majority of the devices to be protected, and also lowering their cost.

What's really exciting is that the fog nodes can work together to collectively detect whether a file is infected by malware. This technology can even go a step further. The fog nodes can collaboratively help the protected devices and systems respond to compromises-from monitoring the real-time progress of the compromises to assessing their potential impacts to cleaning up infected files to containing suspicious traffic.

Following are a few ways to illustrate how fog-based, distributed malware defense can boost IoT security by providing services to help protect resource-constrained devices, creating a new pathway for innovation:

• Some fog nodes can support one type of malware detection mechanisms (such as signature-based malware scanning), while other fog nodes support additional malware detection techniques (such as heuristic-based malware detection mechanisms). Mission-critical files can be examined by both types of fog nodes.
• Some fog nodes can be responsible for detecting malware targeted at Windows Operating Systems (OS) and can be used to support devices that run Windows OS, while other fog nodes handle malware targeted at Linus or other OSs.
• Some fog nodes can maintain more comprehensive malware signature databases (because of their higher processing and storage capacities and abilities to communicate with the centralized cloud services more frequently and reliably), while other fog nodes may maintain only subsets of the signature database pertaining, for example, to the threats most critical to them. The resource-constrained fog nodes, which maintain only partial malware information, can collaborate with the more capable fog nodes and the cloud to achieve a satisfactory levels of protections.
• Multiple fog nodes can offer the same protection capability for load balancing or backup.

In the scenarios above, each protected device detects suspicious files only.

For example, let's say an endpoint starts with a known set of authorized files or a 'golden image.' Then, any file that deviates from the authorized files can be considered suspicious. This could be anything from files that have changed in size to new files that haven't been digitally signed by authorized parties.

To detect these suspicious files, a thin software client is all that's needed. It will reside within the client device itself. And if the client detects something amiss, it will send either the metadata or copies of the files to a fog node cluster for further analysis and assessment for malware.

As a result, we can securely interconnect a significantly larger number and broader range of 'things' than possible in today's Internet. These things range from simple sensors to wearable devices on humans and animals to complex endpoints such as cars, trains, drones, appliances, and robots. Other possibilities are industrial control systems, connected transportation systems, smart buildings and cities, oil and gas systems, and smart energy grids.

In the new world of fog computing, the possibilities will only be limited by our imagination.

In my next blog, I'll introduce 'crowd attestation'-a new way for systems to attest their trustworthiness. I'll also share methods of assessing trustworthiness of monitored devices.