Last week at Structure Security 2016, I heard a lot of speakers, including keynoter Art Coviello, bemoan the worsening state of cyber security and exhort continued innovation from vendors, especially out-of-the-box thinking that can spawn companies that don’t necessarily conform to today’s existing categories. We consider ourselves to be exactly that type of company, a company that spans several categories of existing products to better answer a contemporary security problem holistically much better than anything available today.
One of the basic pitfalls in how risk is assessed and security solutions implemented is that the various sources where attacks can come from are viewed in silos and solutions are only developed for that particular attack vector, as splintered as it may be for the comprehensive problem. There are usually separate approaches and teams assessing and remediating the network, OS, web server, database, middleware and application, essentially identifying and taking action to protect their tiny slice of the cyber attack problem space.
Taking the application vector into account for example. We know from post-mortem studies of data breaches that Gartner has conducted that Application Security and Instances (meaning virtualized OS images) are the key threat areas to breaches. How do enterprises protect business-critical applications today? Is it sufficient? In development, you’re likely to see vulnerability scanning and testing tools feeding an SDLC process. That covers finding only the known attack types for interpreted code attacks (also known as OWASP Top Ten). Then you may have a WAF in front of an N-Tier Web Application looking at packets destined to one or many servers running the application’s key processes. That re-enforces what the SDLC process may not have caught and adds other areas of probable protection, such as DDoS security. Lastly, you have many organizations deploying data center endpoint technologies on these servers, such as Trend Micro’s Deep Security product or Symantec’s Data Center Security. These focus on file-based attacks on disk or being opened for execution of the type seen on end user endpoints.
Even with all of this patchwork of technology, what’s surprising is none of it catches the types of attacks Microsoft says are the most predominant malware growth area for Windows, ROP chain attacks. These happen in memory and bypass any file-based approaches of enforcement since they are executed on legitimate applications that are allowed. Even app control/ whitelisting solutions can’t stop these attacks. These are the types of attacks we see sophisticated cyber crime and nation-state actors use, and these are the ones that are growing most exponentially and hard to track.
So back to the application vulnerability and security problem. In today’s world of over 50 security products deployed in an average enterprise, we knew that the bar had to be very high to become an accepted solution today. We could have solved just the ROP chain/buffer overflow detection problem and continued the patchwork of solutions that are necessary but not sufficient for a true solution. But instead we’ve really looked at virtually every vector of attack on an application and have taken a “full-stack” protection approach to apps. We approached the problem with that outside-the-box thinking that Art Coviello mentioned in his talk.
We analyzed a comprehensive set of attack vectors on applications, boiled them down to 3 basic types that cover everything (interestingly enough, at Structure Security Stuart McClure, CEO of Cylance alsotalked about his view that all malware exploits boil down to 3 types of problems) and brought some solutions thinking used in embedded system problems to come up with an answer. The result was a new approach we call Trusted Execution, a method of focusing on the “known good” system execution rather than known bad signs of malicious activity. A positive security model enabled at the process execution level as opposed to at the file level (app control) or in-line packet filtering level.
Continuously chasing and patching all the open holes in apps has turned out to be a game of cat and mouse. A million malware signatures would have to be developed for a long list of applications running in a complex network or cloud environment, but there are only a few good paths an application is designed to take and that reduces the problem space considerably. This provides an enormous opportunity for a leap in precision and efficacy. Efficacy in security ultimately comes down to the level of context, granularity and precision one can have. We’re proud to have a near 100% accurate solution today that generates no false positives on 3 of the biggest attack categories an application can see: buffer errors, SQLi and XSS.
Taking it back to the patchwork of technologies that exist today, but miss the main source of application attacks today. With our intention to cover nearly all of the security enforceable areas of interpreted code (browser-based) attacks on Web Apps, and the ability to protect at binary levels with Trusted Execution, we intend to obviate the need for several classes of products in multiple categories when it comes to Application and Server Endpoint Protection. These include, low detection and efficacy rate vulnerability scanning products (which provide a poor foundation for SDLC and security), slow learning WAF solutions that cannot adapt to agile environments, and endpoint security solutions that have less relevance on data center server endpoints than end user machines.
That’s our big challenge and already we’re racking up the successes to prove that we can do it. There are many reasons to look at Virsec Platform, but if saving money and getting better security are a main motivation point for you, we invite you to contact us and start your journey with us today.
