Proactive Research Maximizes Security
Research is an integral part of any worthwhile security program. As methods of attack are rapidly advancing and constantly-changing, we must stay ahead of the curve and proactively address security threats before they become security problems. Our research is proactive, not reactive: we actively reduce the probability of future security breaches rather than passively waiting for one to happen. Finding security threats first, before malicious hackers can exploit them, allows us to respond ahead of time with agility instead of too late with desperation.
Prepare
"You can be sure of succeeding in your attacks if you only attack places which are undefended."
-Sun Tzu, The Art of War, Lionel Giles trans.
The most significant threats to future security are not the most significant threats to today's security. The most dangerous threats are those not currently guarded against. Our forward-looking research focuses on problems in emerging technologies so that the world will not be caught unprepared.
Disrupt and Defy
Leaving current paradigms untouched, it would be very difficult to identify threats of the future. We focus on capability and possibility rather than specification and convention: the laws of physics and nature dictate the limits of our research, not the status quo. Our approach to security research employs a state of purposeful naïveté, leaving no stone unturned, examining functionality not normally considered. Most systems are engineered to work. We apply engineering principles to make them fail, and, in doing so, make them stronger.
People Matter
Security involves people as much as it does technology: the user is an integral part of any system. Vulnerabilities may not always come from errors in implementation or code; they often involve attacks on the human component. We must be cognizant of security's overall goal of enhancing the user's experience. Too often, security is placed at odds with the user's default behavior and necessitates extensive training and specialized knowledge. Our research enables systems to use default behaviors of both the user and the technology to create an automatic, user-transparent state of security.