KELLY MCEVERS, HOST:
Now to All Tech Considered, and we start with cybersecurity. The Russian security firm Kaspersky says a computer hacking ring has stolen up to a billion dollars from banks around the world.
AUDIE CORNISH, HOST:
That just adds to an ever-growing list of massive corporate security breaches. The health care company Anthem is now offering identity theft protection to its customers after hackers gained access to their records in recent weeks. That hack exposed the Social Security numbers and other personal information for some 80 million people.
MCEVERS: We've heard about other security breaches - Sony, Target, Home Depot - so how does this happen?
CORNISH: In most cyberattacks, an employee in the company gets an email with an attachment and opens it. Malicious software in the message enters the corporate network and - bam - the hackers are in.
MCEVERS: NPR tech reporter Aarti Shahani will have several reports on cybersecurity in the coming days. She starts by telling us how cybersecurity startups are trying to solve that classic hack.
AARTI SHAHANI, BYLINE: Let's look at three startups. Each one handles the problem differently, and to dramatize those differences, let's compare each to a movie or show that you may have seen on TV. We'll start with the company Bromium.
RAHUL KASHYAP: It's become, obviously, too easy for the hackers.
SHAHANI: That's Rahul Kashyap, chief security architect.
KASHYAP: All it takes is, you know, one user in a large organization making one single mistake and they are in.
SHAHANI: Malware is like an infection. To stop it from spreading, Bromium contains it. They built something called a virtual machine around anything and everything you might open - an email, a new tab on your web browser, a Word document, a PDF.
KASHYAP: We assume that the hackers are going to attack you no matter what you do.
SHAHANI: The virtual machine is a protective layer - like putting thick latex gloves on doctors and nurses.
KASHYAP: And once you're done, we throw them away. So that in case you got infected, you don't have to worry about it. It's automatically discarded. You (unintelligible) self-remediate.
SHAHANI: The Bromium approach - it's all about digital hygiene - it reminds me of that hospital show "ER" - like the episode when a staph infection runs rampant through the ward, knocking out patients and staff. And the problem was a janitor who didn't wash his hands.
(SOUNDBITE OF TELEVISION SHOW, "ER")
ABRAHAM BENRUBI: (As Jerry Markovic) Ah, this is ridiculous. I do not need handwashing lessons.
HARRY LENNIX: (As Dr. Greg Fischer) Scrub hard, Jerry, to scrape off the bacteria.
GLORIA REUBEN: (As Jeanie Boulet) But the most important thing is to wash your hands after you go to the bathroom.
BENRUBI: (As Jerry Markovic) What, every time?
SHAHANI: But contain as you may, Doron Kolton, founder of Topspin Security, says the good hackers will always break in. So when they do, you've got to trick them.
DORON KOLTON: We are setting, embedding decoy system inside the organization. And the decoy system are luring the attackers and the malware to get into those systems.
SHAHANI: Kolton takes advantage of the fact that once hackers are in a network, they don't know where to go. It's a maze. So leave some fake keys around, some breadcrumbs. Lure them into fake rooms with fake data - and observe.
KOLTON: I'm seeing whether he wants to steal my watch, or he's looking in the drawers for money or anything else. I'm looking over his shoulder.
SHAHANI: When you do that, you not only pinpoint where the hackers are, you also learn how they behave - their strategy - and toy with it.
This sounds just like "Home Alone," that old 90s comedy where the boy hero creates havoc for the robbers who try, and fail, to break into his house.
(SOUNDBITE OF FILM, "HOME ALONE")
DANIEL STERN: (As Marv Merchants) I'm gonna kill this kid.
SHAHANI: But decoys are a response after someone has already struck. To block an attack - even predict one - you need to study who might be after you.
DMITRI ALPEROVITCH: You're going out there, looking for bears, looking for pandas, who are Chinese adversaries or Russian adversaries or whomever...
SHAHANI: Dmitri Alperovitch with CrowdStrike.
ALPEROVITCH: ...Trying to find them because you're thinking like they're thinking.
SHAHANI: CrowdStrike assumes there are a handful of organized hacker groups that can cause real damage to a Fortune 500 company, they're backed by nation-states and they're persistent.
ALPEROVITCH: They don't say, oh, we're done, we're going to pack up and go home. They say, we got kicked out, but we still have a mission to do.
SHAHANI: And he says the way they accomplish that mission will vary group to group. Take Hurricane Panda, a ring allegedly based in China. Unlike other hackers, Panda doesn't cripple a system by throwing a bunch of malware at it. They get in quick and act like insiders.
ALPEROVITCH: And after that, they're moving around, using traditional administrative tools that a true administrator within that network would also use, making them very, very difficult to detect.
SHAHANI: CrowdStrike says it's building stockpiles of intelligence, kind of like a superspy.
(SOUNDBITE OF FILM, "THE BOURNE ULTIMATUM")
MATT DAMON: (As Jason Bourne) They can't stop me.
SHAHANI: Think Jason Bourne, who really gets inside his enemy's head.
(SOUNDBITE OF FILM, "THE BOURNE ULTIMATUM")
DAVID STRATHAIRN: (As Noah Vosen) I'm sitting in my office.
DAMON: (As Jason Bourne) I doubt that.
STRATHAIRN: (As Noah Vosen) Why would you doubt that?
DAMON: (As Jason Bourne) If you were in your office right now we'd be having this conversation face to face.
SHAHANI: This year, spending on cybersecurity will hit $77 billion, according to a study by Gartner. That's bigger than Hollywood. Silicon Valley investors, much like Hollywood producers, are trying to pick the winning story line. It's not clear if it'll be about stopping an epidemic, catching robbers, high-end espionage - or something else. Aarti Shahani, NPR News, San Francisco.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.