Every day, enterprises are bombarded by rapidly multiplying and morphing advanced threats—and current network and endpoint security solutions aren’t capable of defeating these targeted attacks. This year a major IT analyst wrote: “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms. All organizations should now assume that they are in a state of continuous compromise.”
The fundamental problem with security today is that the legacy operating systems and applications we use were developed with little concern for the possibility that hostile or “untrustworthy” applications or data would be introduced. Unfortunately these systems have not kept pace with the growth in connectivity, and our computer systems still have no way to decide whether a document or an application is trustworthy or hostile. Malware continues to exploit the interaction between and within the software installed on a system to achieve its goals, with little protection provided by the system itself.
To compensate, the entire IT security industry has responded by developing new technologies to mitigate the threat of the day, whether it’s sandboxing, whitelisting, host web filtering or the latest trend in network sandboxing to identify threats already in the network (see chart below). Security spend has grown 294% since 2006, to $21B (source: Gartner), while reported data breaches have exploded: in 2013 there were 614 reported breaches in North America, disclosing over 91M records.
[Chart: 2013, 614 reported breaches, 91,982,172 records]
IT has had no choice but to assert control over users – and the networks, applications, media, websites, and documents they use. Every day companies deploy a unique mix of endpoint and network technologies that are without fail complex and expensive, and often require adding staff just to run them. This approach is imperfect and will surely fail: productive employees must collaborate and communicate, and they often create their own “shadow” infrastructure. When this happens, a single click can lead to the next major cybersecurity breach. It is provably impossible to protect the enterprise against the unknown, undetectable zero-day attack with traditional, legacy cybersecurity tools.
The fact is that users are still getting infected with APTs and other malware, in spite of all of this spending. Looking at the following Virus Bulletin report, you can see how today’s antimalware products get an “F” grade for protection:
…and these are not advanced threats! I talk to many customers who say their overall protection rate is under 50%, meaning over 50% of threats get past their current defenses!
How is this happening? Malware is now designed to evade detection. By leveraging zero-day exploits, polymorphism and the rapid evolution of web technology, malware evades detection-based security solutions and infiltrates the organization by exploiting the inherent trust between operating system components. It may be weeks or months before a successful attack is discovered. Meanwhile, valuable information can be stolen or critical infrastructure can be disrupted by the attackers.
Here is a brief overview of key protection technologies and their limitations in dealing with modern attacks.
Intrusion prevention system (IPS)
(IBM, McAfee Network Security Platform, Cisco, et al) Defends networks against known attacks that have signatures by detecting and blocking them in the network data stream. Includes some behavioral detection for certain threats. Limitations:
• Can’t block without a signature.
• Needs to be implemented at every ingress/egress access point.
• Costly, complex, and noisy, especially for geographically distributed networks.
• Absolutely no protection for mobile users outside of the network.
• Mostly signature-based, supplemented by some behavioral tools.
• Encryption of the network traffic stream can essentially blind a network IPS.
• Network admins HATE to have more bumps in the wire, and an IPS adds another bump.
Network sandboxing
(Damballa, FireEye, McAfee, et al) Detects infiltrations from targeted attacks, after the attack is already in the network. Limitations:
• Does not stop or remediate threats to endpoints.
• Costly and noisy.
• Requires expert-level security personnel constantly monitoring events. (See the Target breach for a prime example)
Web content filtering
(Websense, McAfee, BlueCoat, et al) Blocks access to known malicious websites to protect against web exploits and Trojan attacks. Limitations:
• Only blocks known malicious IP addresses.
• Needs to be implemented at every ingress/egress access point.
• Protection is diminished for mobile users and partners accessing the retail network.
Network access control (NAC)
(Forescout, Bradford Networks, Cisco, et al) Ensures only ‘clean’ systems access the network. Quarantines vulnerable systems and enforces network segmentation. Limitations:
• Complex to deploy and manage.
• False quarantines are common and cause major headaches and IT calls.
• Does not deal with remote users.
Security information and event management (SIEM)
(McAfee, HP, IBM, et al) Real-time SOC alerting, integrated endpoint intelligence. Limitations:
• Creates copious amounts of data that must be interpreted into actionable intelligence.
Endpoint Antivirus and other detection-based solutions
(Symantec, McAfee, Kaspersky, Trend Micro, Sophos, et al) Detect known threats on endpoints. Limitations:
• Cannot keep up with the rapid influx of new threats and variants.
• Can’t block without a file signature or behavioral rule.
• Detects only known threats or behaviors.
• Many false positives.
• Remediation is usually required even if the threat is detected.
• Limited attack intelligence.
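The “can’t block without a file signature or behavioral rule” limitation is easy to see in code. The following is an added example, not code from the post or from any antivirus vendor: a toy hash signature, a toy byte-pattern signature and a toy behavioral rule are run over a constructed placeholder sample and over a variant of it with one marker changed. Both file signatures miss the variant; the behavioral rule, which looks at what the process does rather than at its bytes, still fires. The sample bytes, family name and event paths are all constructed for the demonstration.

```python
"""Added example (not from the post or any vendor): a toy signature scanner next
to a toy behavioral rule, showing why a file signature alone misses a trivially
changed variant while a rule over process behavior still fires."""
import hashlib
import re

# Constructed "known bad" sample: a placeholder marker string, not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"PLACEHOLDER_MARKER_A" + b"\x00" * 16
# Variant: the same sample with its marker changed, standing in for a rebuilt
# (polymorphic) copy of the same family.
VARIANT = KNOWN_SAMPLE.replace(b"MARKER_A", b"MARKER_B")

# Two kinds of file signature: a whole-file hash and a byte pattern.
HASH_SIGNATURES = {"placeholder-family-a": hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
BYTE_PATTERNS = {"placeholder-family-a": re.compile(rb"PLACEHOLDER_MARKER_A")}


def scan_by_hash(data: bytes):
    """Return the family name if the file's SHA-256 is in the signature set, else None."""
    digest = hashlib.sha256(data).hexdigest()
    for name, known in HASH_SIGNATURES.items():
        if digest == known:
            return name
    return None


def scan_by_pattern(data: bytes):
    """Return the family name if a known byte pattern occurs in the file, else None."""
    for name, pattern in BYTE_PATTERNS.items():
        if pattern.search(data):
            return name
    return None


def behavioral_verdict(events):
    """Flag a process that writes into a Startup folder and then creates a child
    process. Works on runtime events, so the file's bytes are irrelevant."""
    wrote_startup = any(
        e["type"] == "file_write" and "\\startup\\" in e["path"].lower() for e in events
    )
    spawned_child = any(e["type"] == "process_create" for e in events)
    return "suspicious-persistence" if wrote_startup and spawned_child else None


# Constructed event trace for the variant's execution (hypothetical user and paths).
VARIANT_EVENTS = [
    {"type": "file_write",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
]


def compare_detections():
    """Run the detectors over the known sample and the variant; return all verdicts."""
    return {
        "known_sample": {
            "hash": scan_by_hash(KNOWN_SAMPLE),
            "pattern": scan_by_pattern(KNOWN_SAMPLE),
        },
        "variant": {
            "hash": scan_by_hash(VARIANT),
            "pattern": scan_by_pattern(VARIANT),
            "behavior": behavioral_verdict(VARIANT_EVENTS),
        },
    }


if __name__ == "__main__":
    for sample, verdicts in compare_detections().items():
        print(sample, verdicts)
```

Running it shows both file signatures matching the original and missing the variant, while the behavioral rule flags the variant from its persistence activity. The same structure explains the “many false positives” bullet: a behavioral rule this coarse would also flag a legitimate installer that adds itself to Startup, so real products must tune rules against false positives rather than simply add more of them.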
Host intrusion prevention systems (HIPS)
(Symantec, McAfee HIPS, et al) Intercepts many zero-day attacks in real time by detecting common behaviors. Limitations:
• Has a chance to catch a zero-day attack, but can still miss many advanced threats.
• High operations overhead to configure and maintain.
Hardware-enhanced detection
(McAfee Deep Defender) Loads as a boot driver and looks for rootkit behaviors before the OS loads. Limitations:
• Only detects/blocks some kernel mode rootkits. Does not block user mode rootkits.
• Consumes ~10% of CPU cycles while providing limited protection.
Application whitelisting
(Bit9, McAfee Application Control) Controls which applications are allowed to install and run on an endpoint by matching authorized programs (the whitelist) against a database of “good” applications. Can be an effective way to block execution of malicious executables. Limitations:
• Blocks users from downloading and using new tools and programs without IT involvement.
• Not integrated with other security tools, is hard to manage and requires business process changes. Also requires a large database of known good applications.
• Successful on servers, which don’t change often, but is largely unusable on end-user systems.
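To make the whitelisting mechanism and its operational cost concrete, here is an added example that is not code from the post or from any whitelisting vendor: a hash-based allowlist with deny-by-default enforcement, run against constructed files in a temporary directory. The “database of good applications” is a map from content hash to program name; keying on the hash rather than the path is what makes renamed or swapped binaries untrusted, and it is also why every legitimate update to an approved program (the third case below) is blocked until IT re-approves it, which is the business-process burden the bullets above describe. File names and contents are placeholders.

```python
"""Added example (not from the post or any vendor): a hash-based application
allowlist with deny-by-default enforcement, demonstrated on constructed files."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """The 'database of good applications': content hash -> program name.
    Keyed on hash rather than path so a renamed or replaced binary is not trusted."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def execution_decision(path, allowlist):
    """Deny by default: only a binary whose hash is in the allowlist may run.
    Returns ("allow", name) or ("deny", None)."""
    digest = sha256_file(path)
    if digest in allowlist:
        return ("allow", allowlist[digest])
    return ("deny", None)


def demo():
    """Three cases: an approved program, a new tool IT never approved, and the
    approved program after its bytes changed (e.g. an unvetted update)."""
    decisions = {}
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved_app.exe")   # constructed placeholder
        newtool = os.path.join(d, "new_tool.exe")        # constructed placeholder
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved program v1")
        with open(newtool, "wb") as f:
            f.write(b"MZ constructed tool the user just downloaded")

        allowlist = build_allowlist([approved])
        decisions["approved"] = execution_decision(approved, allowlist)
        decisions["new_tool"] = execution_decision(newtool, allowlist)

        # The approved program is replaced by a different build: the hash no
        # longer matches, so it is denied until the allowlist is updated.
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved program v2")
        decisions["approved_after_change"] = execution_decision(approved, allowlist)
    return decisions


if __name__ == "__main__":
    for case, (verdict, name) in demo().items():
        print(f"{case}: {verdict}" + (f" ({name})" if name else ""))
```

On a server whose binaries rarely change, the allowlist is built once and the third case is rare; on an end-user machine that receives browser and plugin updates weekly, that same case becomes a constant stream of blocked launches and help-desk tickets, which is the point of the last bullet.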
Sandboxing
(Invincea (Dell Protected Workspace), Sandboxie, Trustware) Creates a “sandbox” environment within the Windows OS to analyze execution of untrusted applications. Restricts the memory and file system resources of the untrusted application by intercepting system calls that could lead to access to sensitive areas of the system being protected. Limitations:
• Advanced malware can bypass any sandbox to take advantage of kernel mode vulnerabilities.
• User-mode malware can escape from any sandbox, elevate its privileges, and disable or bypass other forms of endpoint protection, compromising the endpoint and enabling data theft.
• Changes the user experience, causing support calls and training requirements.
Hardware enabled isolation via micro VM
(Bromium) Isolates every user task in a hardware-based micro-virtual machine (micro-VM). Limitations:
• No known limitations in defeating zero-day kernel exploits.
I should also mention: end users have emerged as the weak link in enterprise security. With the proliferation of web, email and social communication, users are one click away from compromising their desktop. Mobile laptop users are further exposed, as they have limited protection from the corporate network-based security mechanisms. Current defenses can be cumbersome to use and manage. All too frequently employees are given admin rights to enable their free use of any software… unfortunately this also gives attackers a leg up when going after critical information like credit card numbers and intellectual property.
There is a better way forward
Patching can never keep up. Nor can detection. Or humans for that matter. The Bromium architecture offers the first ever approach that turns the received wisdom of the security industry on its head: Bromium vSentry® uses proprietary micro-virtualization technology to isolate content delivered via Internet browsers, documents, email, and more. Malware that may enter the Bromium Micro-VM® through vulnerable applications or malicious websites is unable to steal data or access either the protected system or the corporate network and is automatically discarded when the web session or document is closed by the user.
Task-level isolation means you can ignore browser vulnerabilities
Bromium vSentry automatically and instantly isolates vulnerable user-initiated tasks, such as opening an unknown web page in a new browser tab or an email attachment from an unknown sender. It can create hundreds of micro-VMs dynamically, in real time, on an endpoint. Users are not prompted to “allow” or “deny” actions and can focus on getting the most from their system without worrying about threats. The endpoint will self-remediate, automatically discarding all changes made by the task. No need to rush out untested patches, impractical browser usage policies or new technologies that are known to be vulnerable. In short, you can relax knowing that any threats are isolated.
It’s time to stop the merry-go-round and head scratching and gain control of your infrastructure.
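The discard-on-close semantics described above can be modelled in a few lines. What follows is an added example and not Bromium’s code or a description of how vSentry is implemented: a process-level model in which an untrusted task runs against a private copy of a protected directory, the files it created or modified are recorded for inspection, and the copy is then thrown away so the protected directory never changes. A real micro-VM isolates the whole task below the operating system; this only reproduces the “changes are captured, then discarded” behaviour. The task, file names and contents are constructed placeholders.

```python
"""Added example (not Bromium's code): a process-level model of task isolation
with discard-on-close. The untrusted task sees a private copy; its changes are
recorded for forensics and then discarded, leaving the protected data intact."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map relative file path -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result


def run_isolated(protected_dir, task):
    """Run task(workdir) on a throwaway copy of protected_dir.
    Returns the relative paths the task created or modified; the copy is always
    deleted afterwards, whether the task finished normally or raised."""
    before = snapshot(protected_dir)
    scratch = tempfile.mkdtemp(prefix="isolated-task-")
    overlay = os.path.join(scratch, "overlay")
    try:
        shutil.copytree(protected_dir, overlay)   # private copy for the task
        task(overlay)
        after = snapshot(overlay)
        return {p for p, h in after.items() if before.get(p) != h}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)   # discard everything the task did


def untrusted_task(workdir):
    """Constructed stand-in for content that tries to drop a file and tamper with
    a document; it only ever touches the private copy."""
    with open(os.path.join(workdir, "dropped.bin"), "wb") as f:
        f.write(b"constructed payload placeholder")
    with open(os.path.join(workdir, "report.docx"), "ab") as f:
        f.write(b" tampered")


def demo():
    """Run the constructed task in isolation and report what it changed and
    whether the protected directory survived untouched."""
    with tempfile.TemporaryDirectory() as protected:
        with open(os.path.join(protected, "report.docx"), "wb") as f:
            f.write(b"constructed document")
        before = snapshot(protected)
        changed = run_isolated(protected, untrusted_task)
        after = snapshot(protected)
        return {"task_changed": sorted(changed), "protected_intact": before == after}


if __name__ == "__main__":
    print(demo())
```

The set returned by `run_isolated` is the useful by-product of this approach: because the task’s changes are observed in the copy before it is discarded, the defender gets a record of what the content attempted (the dropped file, the modified document) without ever having to clean it up.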
To learn more about Bromium’s game-changing security architecture, please visit www.bromium.com.