One year ago, we published the first Arm Security Manifesto. It was our attempt to outline the most severe security challenges our sector faced, and to suggest how, by collaborating, we could succeed in protecting consumers against new threats. A key part of that was adherence to the digital social contract the first manifesto sets out.
It wasn’t long before the social contract I had envisaged was severely tested. We were challenged as an industry by the potential new cyberattack methods Spectre and Meltdown. But, as an industry, we rose to meet the threat in a way that underpinned what I had put forward. There is no doubt that Spectre and Meltdown presented a major threat, but I think it was obvious just how well our industry responded. Do we take security seriously? Yes, we absolutely do!
Today, we’re publishing our second Security Manifesto. It rekindles the cyberthreat conversation and shines a light on the strategies and tactics our industry is pursuing to minimize security risks for consumers. We’re picking up where the inaugural edition left off, with Yossi Naar, the chief visionary officer of cyberthreat specialists Cybereason, providing a thought-provoking introduction to set the scene.
Yossi dives into the increasingly serious and sophisticated attacks hackers are launching and how we can now respond by using tactics such as behavioral analytics to gain more insight into how cybercriminals are conducting their campaigns. Attackers’ behaviors are much more difficult to change than traditional indicators of compromise, such as malware signatures and IP addresses, and that can be used against them. Often cybercriminals have a behavioral signal that, if it can be spotted, can be used to unlock an entire attack operation. In poker terms, it’s finding the “tell.”
Arm’s chief architect, Richard Grisenthwaite, was at the center of the analysis and industry-wide coordination of the Spectre and Meltdown response and has unique insight into these threats. In this latest edition, Richard burrows deeply into Spectre and Meltdown to describe new ways of blunting such exploits in the future. Paul Williamson, Arm’s vice president and general manager for IoT Device IP, expands on Richard’s thinking by describing how robust security must extend beyond hardware through to software and services. Paul talks about this as a “triple A” IoT platform approach based on a principle of “any device, any data, any cloud.”
It’s always good to see progress, and the new manifesto demonstrates that in a chapter written by Arm principal data scientist Damon Civin. Damon takes a concept we introduced last year – a health system for IoT deployments – and shows how it is being made real through a combination of the Arm Pelion IoT Platform and Cybereason’s AI-powered threat hunting machine.
Across all five chapters there is one thread that can be drawn: Security is never ‘solved’, the threat landscape is ever-changing, and we must remain vigilant. Indeed, the only constant in a connected world is that cybercriminals will never stop. So, we must be the immovable object to their irresistible force.
You can download a digital copy of the second Arm Security Manifesto now, and we’d love to get your feedback.
You can also read the inaugural Arm Security Manifesto.