Security Guy TV Episode 1486, RSA 2020 Pre-Show Interview with Willy Leichter
Security Guy TV Host Chuck Harold interviews Willy Leichter with Virsec
Chuck Harold: “Hi Everybody. Welcome back to a special edition of Security Guy TV with your host, Chuck Harold and this is Episode 1,486! With my friend Mr. Willy with Virsec.com. He’s going to be at RSA Booth #1653 in the South Expo. Mr. Willy, welcome to the show, my friend.
Willy Leichter: Thanks as always, Chuck. That’s an impressive number of interviews you’ve done. Glad to be part of it again.
Chuck: We’re going to talk about protecting apps from the inside. You know, this is a no-brainer to me. The bad guys are already in our network. And we’re not going to keep them out. I’m just wondering why this hasn’t been a model. What we’re doing now is a reverse of what we should be. So tell us how Virsec is handling this because I think this is the way to go.
Willy: Yes, I think it is in a way a no-brainer when you think about it. But it’s very hard to break security paradigms and the way we’ve always done security. Essentially if you think about it, almost all security today has been at some sort of perimeter boundary – trying to make judgments about what’s coming in based on incomplete information. So we’re always looking for more information, more attribution, more sophisticated signature data bases, AI - you name it. But it’s almost an impossible job to tell everything bad coming in. I think of it like a security guard, a Mall Cop. So, standing outside in the perimeter, you can see some things but you don’t have context, you don’t know really know what is supposed to happen. But it’s hard to break a mindset we’ve had for 30 years in this industry.
What we’re doing is really shifting it. Instead of trying to stop all the bad stuff that might ever come in – as you mentioned, the next attack is already in your network, the precursors to it. Few people will deny that or what you don’t know is already in there and the next vulnerabilities you haven’t discovered. So this unknown kind of stuff, instead of trying to block all of that stuff trying to come in, we map what an application is allowed to do at multiple levels - the files, the processes, the memory control flow, the rev inputs – we map all of this in an automated way and essentially guardrail the app so we make sure it only does the right thing. And that’s really flipping security inside out I think. We find it’s much more effective.
Now partly the technology is new so partially it’s been hard to do this kind of runtime protection in the past. We’ve pioneered a lot of technology to be able to do that. Runtime really is the new battleground and that’s where the attackers are going. They’ve figured out lots of ways to bypass the conventional security tools and always playing this cat and mouse game. Maybe they only get in 1% of the time. But you know, that’s plenty because they can do it thousands or tens of thousands of times. So they’re getting in there, they’re finding ways to bypass. And then it’s really incumbent on us to stop the damage before anything actually executes something bad.
Chuck: Now as you know, my brain is much much smaller than yours so let me see if I can get my head around this. You guys are looking at an app and saying ‘Here an app that’s running properly. We’re going to map its DNA. We’re gonna say that’s what a good app is doing. It’s not infected, it’s not sick. And then when the app starts acting whacky and it’s behavior’s bad, you know something’s maybe wrong, maybe somebody’s taken that app over or doing something wrong.” Is that a good way to look at it?
Willy: That’s correct. If we take one thing we do, which is memory control flow, we have some patented techniques to map all of the acceptable memory jumps within an application. And actually we don’t need source code to do this, these are all assigned when an app is loaded into memory – a little known fact. So we can map that, very automatically, very quickly. Then within literally microseconds if something goes to a wrong location, that’s not a gray area, that’s bad, definitively bad. We call it a deterministic process. So the fact that we’re embedded in the application, we can spot bad activity, as opposed to suspicious activity, actual bad activity, we can stop it within milliseconds. And the faster you react, the faster you can prevent any kind of damage. We can do this way before any type of exfiltration or lateral movement or anything happens. We do this at the very first step on the kill chain.
Chuck: So as opposed to a fortification model protecting the server from the outside, what I’m hearing is those attacks are suspicious or not definitive – somebody has to sit down and analyze and look at them. What you’re saying is, ‘Oh no, we’re not going suspicious, we’re going bad right away.’ You can in real time right away say we have to do something right now about that app behaving that way.
Willy: Yes. And the term fortification is kind of apt. It’s common sense that you put up fortifications. But it’s also contrary to how we do business. You can’t lock the doors to your retail store. You have to let people in. And you can’t profile everybody coming inaccurately to determine who’s going to steal something. It’s impossible. But to actually have real time monitoring that the app is not being derailed, that is what’s critical and that’s what gives us this advantage. And to be in this battle during runtime, which like I said, is where the action is now for so many of these advanced attacks. Almost all of these big name attacks you’ve heard about – NotPetya, Industroyer – the list goes on and on - they all have some component of an in-memory exploit where they’re using very advanced techniques to derail an application. Essentially, at the end of the day, the attackers want to run their code instead of yours. So through various ways, they’re injecting malicious code, they’re using web inputs that turn into malicious code, they’re changing libraries on the fly. All these things that weren’t thought of when conventional tools were built. But we can spot these, we can detect with really extremely good accuracy because we’re right there and we know what’s supposed to happen.
We focus on enterprise apps, typically web applications or backend applications, critical infrastructure or data systems. Kind of the crown jewels of an enterprise. And increasingly these may be running in the cloud as well. They’ll be running on Amazon or they’re running in containers. So we focus everything we do on the heart of the matter there. Now there are of course apps running on your end point. But end point antivirus tools, conventional things, they don’t work well on enterprise servers, they just don’t. They don’t scale, they require updates. Many industrial systems are isolated so they can’t get signature updates. So yeah, I think you mentioned it – apps and data go hand and hand with each other.
There’s backend SQL databases behind most web apps and we’re looking at the complete life cycle of anything that comes in, from HTTP to a SQL request to a response – the full life cycle. We see the context of what’s happening and that’s what we can do because we’re inside the app. In the last year we’re growing dramatically. We have some very large enterprises, we’ve partnered with people like Raytheon who are working with government and defense and foreign countries. We’ve partnered with Schneider Electric and Aveva in the industrial control space. We have some announcements coming very soon with some major tech companies that view this as a new core technology that they need to get their hands on. It’s cliché to say this is a game changer but we think it does change the way people view what’s possible. And that’s what we’re excited about.
Chuck: Well I hear you. I think it is a game changer, I’ll say it, I’m not proud J. I think we’ve got to get the word out. So I’ve got about 30 seconds. Real quickly, why is this a hard sell? Because we’re changing the paradigm and people don’t want to change or what?
Willy: Well I’ll mention where we’re seeing a lot of opportunities. Let me flip that question. There’s all this terminology of shift left – trying to get security more upstream. And actually what we’re doing is very applicable also to the DevOps process where they’re trying to improve code, do real world testing and then monitor it continuously when they’re running. And our same tools fit very well into this DevOps/SecOps model. So we can be testing. We have a huge library of payloads that are very advanced and many haven’t been seen before. We are then fuzzing them and putting millions of possible combinations of threats against apps and then we’re watching what happens with our runtime monitoring.
So there’s a lot of interest there and I think that may be one way the security model is going to change. Because everybody’s talking about shift left and DevOps and moving things more upstream and writing better code. But you have to have a continuous process from code development to production in order to make that work. But we’re seeing – not sure it’s resistance – but more lack of awareness of what’s possible. So that’s why we work with people like yourself and others to really get the word out that there are new ways to do this and more advanced ways to approach these problems that are simply more effective.
Chuck: Virsec.com. Check them out at Booth #1653 RSA South Expo. Willy, thanks for coming on the show and we’ll see you maybe at Black Hat!
Willy: Thanks Chuck, enjoyed it as always!