Interview for SafetyDetectives.com about the future of the cybersecurity industry and artificial intelligence

24 September 2024

I have been asked to present AVLab’s position on a number of cyber security issues in the area of testing protection products and artificial intelligence used for threat analysis, among other things. SafetyDetectives.com is best known for publishing valuable information about database leaks. It has its own research lab that works with CERT teams around the world. They launched in 2018 and have since been cited by the likes of The New York Times, Bloomberg, The Verge, LifeHacker and others.

The original interview is published on safetydetectives.com.

Can you share a bit about your background and tell us about AVLab Cybersecurity Foundation?

More than a decade is a long time in the modern age – we have been involved in cybersecurity in the broadest sense since 2012. Cyberspace and everything related to it makes it impossible to be bored. For 14 years we have been providing the community with interesting information on countering online threats through security tests, articles, training reports, conferences and educational material. I can say that we have been doing this locally in Poland for about 10 years, although we had already been working with producers in Europe and the USA to prepare detailed reviews of their products and services, reports on privacy, encryption, endpoint protection. Since 2023 we have been a tester at AMTSO and we are also a member of the Cyber Transparency Forum, where we act as an auditor, analysing and evaluating telemetry data and systems of producers of cybersecurity solutions. I believe we have worked hard over the years to earn the trust of our readers. And now, as one of the most trusted testing labs, we are offering our services to security vendors for personal devices and business solutions who want to prove themselves in our different types of tests.

How does AVLab differentiate itself in the crowded cybersecurity market?

The cybersecurity market is indeed crowded, but we as testers have found our niche. The security market still lacks standards and transparency. Let me be clear: end users have too little information to help them choose an effective solution against today’s threats. I will be frank and say that public testing by a lab like ours cannot determine the global effectiveness of a given security solution due to the diverse and complex operating environments of customers around the world. My point is that vendors could start publishing anonymized endpoint protection data, rather than just historical data on the threats and attacks they have been able to detect. Interesting reports are always useful because they show current trends and allow you to predict what might happen next quarter in the cyber threat market, but it’s not enough if you want to go off the charts and trust the vendor of a security solution with data that is sadly lacking in the public domain. Without such information, companies cannot realistically determine whether a security product will perform well in the long term and, if so, how that protection has actually performed for other customers in the region or on another continent over a given period of time.

Back to the question – what makes us different? I think we are the most transparent laboratory when it comes to making test data available to the public. Perhaps because we collect so much of this data. We want to provide reliable evidence to vendors when they have concerns about malware samples or attacks. With this data, our test tools can meet high unwritten standards – vendors expect us to do our job to the best of our ability. We try to do this because it helps improve their products, which is also the result of AVLab’s collaboration with vendors who have chosen to trust us.

To give you an example, the data we publish from our tests goes beyond marketing results. We also publish the threat landscape, highlights of malware activity, tidbits about so-called LOLBINs, threat checksums, screenshots and other logs. The vendors are blessed with even more technical data after the tests are complete, and we will soon be adding more features to our tools to make them even more transparent. In other words, our readers will have even more data to analyze, including additional proof of results. I would like to stress that we want to lead the way in transparency, as none of the big testing labs do.

We also run a transparency site (https://avlab.pl/en/changelog/). We get regular feedback from the producers we work with. Furthermore, we get technical feedback from them – whether what we are doing is right for them. They tell us what they would like us to change, what we should implement to improve our work. Where financially possible, we combine their ideas with ours. Our collaboration results in publications, AVLab materials used on vendors’ websites, and community-commented tests.

How do you see AI transforming the cybersecurity landscape, particularly in threat detection?

I think in the same way that AI is influencing the creation of new attacks and threats. AI in cybersecurity is not something new, because vendors had already been using self-learning algorithms on a large scale. AI streamlines and accelerates certain processes in big-data analysis, but it still cannot replace a human, who is responsible for automating where possible and keeping an eye on the effects of AI.

In general, AI helps to identify new, unknown threat patterns. It already provides pretty good help for administrators and IT teams if the security product supports generative queries: it is possible to better manually manage incidents that are detected on the network and to better identify attacks through integration with various databases such as MITRE, which provide more information about the behaviour of files and processes on employees’ devices. In fact, under the name of AI, there are still great ideas from software engineers who can better exploit the potential of big databases and collective information from endpoints. At the moment, AI is not yet the standard, the core of security products.

How does your global network of honeypots contribute to gathering a diverse set of malware samples?

From a technical point of view, our honeypots account for 10% of in-the-wild malware, because we collect samples for testing in the Windows environment. This is also due to the fact that they are systems that simulate various Windows services and protocols, and attacks on these systems are carried out in the same way all over the world, so the threats we manage to collect are often duplicated many times over. Meanwhile, the best sources of links and samples of potential malware are X, Telegram, Discord and others. We acquire thousands of URL links, but first we have to filter them so that only viable threats are submitted for testing. And this is one of the many advanced processes that each sample has to go through in the pre-selection stage to get into our security product tests.

How important is automation in today’s cybersecurity environment, and where do you see it evolving?

I think this is a question best answered by the manufacturers of security products, as they are the ones who set the direction of development. From our point of view, as testers of these solutions, the most important thing is the speed of response based on the analysis of large amounts of data that security products are able to collect more and more, thanks to updated technologies, from different operating systems. Operating environments can be better secured through automated testing to identify weaknesses and vulnerabilities, incorrect configurations and resource permissions.

What trends or changes do you anticipate in the cybersecurity testing landscape over the next few years?

It is not out of the question that the security product testing industry will change a lot, but I do not rule out that it will change a little. There is a lot of talk now about AI, about automation, but just as much depends on the direction in which operating systems go. Take, for example, Microsoft’s recent announcements that it is considering removing security product modules from the system kernel. System developers will be followed by security software vendors. As an independent party, we will be somewhere in the middle, continuing to show end users the strengths and weaknesses of security. One thing is for sure, we will want to work with solution providers to improve their software and build a safer cyberspace.
