SC Media, Teri Robinson, interviews Willy Leichter with Virsec about memory attacks
TR: Today people seem to be becoming more aware of memory attacks. Is that right?
WL: I think they are. I saw a recent stat from Microsoft. Someone in a conference admitted that something like 75% of their vulnerabilities were around memory usage. So it’s been this, people have known about it but it’s hard to deal with. And most security products aren’t instrumented to look at memory. But the attackers are taking advantage of that.
TR: Why is it so hard to deal with?
WL: The biggest challenge I think is technical and a mindset. Most security products focus on pre-execution – what’s happening before. Lots of good technology. And some products focus on post-execution. What happened, forensics, bread crumbs, etc. But it’s always been viewed as the actual execution being too fast to do anything. But that’s where we live. We actually are instrumented with applications to look at what the application is actually doing. As opposed to what bad stuff is coming at you. Kind of a different mind set. People say we’re ensuring good instead of chasing bad.
TR: Ensuring good instead of chasing bad – that’s good! Can you give the people watching today a couple pieces of advice?
WL: Sure. First of all, you have to take these fileless threats seriously and demand of your security vendors that they are not just using the same techiques to catch fileless threats. Fileless threats are so insidious because they are not delivering known malware. They’re taking advantage of processes scripts, PowerShell, memory like I was talking about. They’re manipulating very subtle things around the perimeter or around the environment of the application to make it do bad things and make it go off the rails. You have to start with your application focus. Now, particularly when you’re going to the cloud like everyone is, then a lot of the perimeter security you’re not going to manage anymore. But you still have to own the application. And that’s really your crown jewel. So, application-centric security.
TR: Before I let you go, is there anyone or any kind of organization that is more vulnerable?
WL: We work a lot with regulated businesses – enterprises, financial services, healthcare. But the industrial control space is very worried. And industrial control vendors. We’re working with Schneider Electric and a number of others. Because there you have this collision of aging technology, 30-year old machines, logic controllers - they call it the iron tail. And 10-30 year old software protecting it. And they still have the mindset that they’re isolated. But there’s all this digital convergence and connectedness. You can’t be connected and isolated. There’s a big hole there.
TR: We were talking last night that there’s no such thing as air-gapped.
WL: There really isn’t. Air-gap is a myth. And yet there are lots of people that still have that mentality that that’s going to be their security.
TR: Great. Thank you for joining us here today and thank you all for tuning in.