Change Your Thinking: Turn Conventional Security Inside Out

by Virsec on September 15, 2020

In medieval days, knights in shining armor could defend the drawbridge as the main point of entry to the castle. Under fierce siege, the king could raise the drawbridge and leave the crocodiles in the moat to guard the kingdom’s crown jewels.

Every organization has its own crown jewels to guard deep in their server workload. Today’s network perimeters have all but vanished, so the concept of a company protecting its network like a castle, surrounded by an alligator-filled moat, is archaic thinking.

Expanded remote work forces, virtual data centers, container and cloud infrastructures have made it even more challenging to rely on old defense mechanisms. Organizations’ networks are no longer in an encapsulated, protectable space. An entirely different way of thinking is needed.

Successful Attacks Show Current Defenses Are Inadequate

Sophisticated threats and successful cyberattacks continue to be the bane of an organization’s daily experience. Data breaches obviously pose great concern, and malware is 30 times more damaging than a data breach. According to IBM, the average cost of a serious malware event last year was $239M – almost 30 times the cost of a data breach.

For example, EasyJet, the UK’s largest airline, suffered a major breach in 2020 but didn’t notify customers for months. EasyJet reported hackers were able to access travel info for over 9 million customers. Over 2,000 customers had their credit and debit card details accessed.

Sponsorships Available

Representing over a quarter (27%) of malware incidents, ransomware is particularly devastating. It strikes companies without warning and with far reaching and devastating impact. Included in ransomware attacks reported in the last week is Cygilant, a threat detection company in Boston. They’ve confirmed it was hit by NetWalker ransomware. The ransomware-as-a-service (RaaS) group rents its ransomware to threat groups for their own attack purposes.

NetWalker both encrypts its victim’s files and like some other ransomware operators, publishes some of the stolen data. Screenshots of Cygilant’s internal network files and directories were posted on a site on the dark web. Cygilant hasn’t confirmed whether it paid the ransom, but before long its data was gone from the dark web.

Garmin recently experienced a similar nightmare and also is believed to have paid the ransom. As undesireable and discouraged as it is, it’s often the fastest option to restoring normalcy. These and other cybersecurity breach scenarios play out daily in our current threat-filled environment.

As Defendable Perimeters Vanish, the Battle Has Moved Inside

Businesses continue to invest in never-ending layers of security point solutions, but our fundamental security stance is outdated. Even as our data centers and physical networks disappear, we cling to an outdated perimeter mindset: “keep the good stuff in – keep the bad guys out.”

Security admins can’t simply block traffic. So they are left with the increasingly tough challenge of trying to guess what looks suspicious versus “normal.” Existing network security tools have limited ability to decipher what traffic is good or bad. Signatures can only identify known bad traffic.

Other techniques like heuristics or machine learning (ML) involve considerable amounts of guesswork. Such techniques can be hijacked by attackers and used to their own advantage. At the very least, ML can inevitably cause false alerts and business disruption. Like the boy who cried “wolf,” noisy systems with false alerts quickly get ignored. Stringent security policies are reduced, ignored, or turned off entirely.

Meanwhile, the real cyber threats dwell inside. Most experts agree that businesses should assume that the precursors to the next attack are already inside their network. This effectively moves the battleground to the application itself. The goal of modern hackers is to enter innocuously and corrupt applications as they execute during runtime.

Attacks increasingly occur during runtime, in process memory, where they act undetected. They derail applications, expose sensitive data and leave few clues behind. By the time these attacks are discovered, the damage is often detrimental.

Since cyber threats have moved inside, threat detection tools must do the same.

Adopt a New Mindset To Focus on Protecting Server Workloads

Because advanced cyber attackers know how to bypass perimeter tools, security defenses need to be where attacks actually occur. As noted above, attackers have discovered that runtime is a weak point because it’s a black box to organizations. Therefore, they target applications and server workloads when they are vulnerable.

Many cyber exploits occur due to deficiencies in the application stack. These can be from COTS or components purchased or acquired through open source, like NGenX or Apache Web server. Deficiencies can also exist at the operating system level or the host, which can be attacked using misconfiguration. The solution is to protect the entire server workload instead of just the end points.

Ransomware is one such attack that enters business environments through server workloads. As such, the ability to have huge impact in seconds is tremendous. All of these points of vulnerability exist on the inside of an organization’s network. As such, modern security needs to start from the inside – and with application-aware server workload protection.

An application-centric approach to security focuses on understanding what apps are supposed to do. A security stance that includes mapping and monitoring applications as they execute to ensures they only do what’s expected will be able to immediately intervene if they deviate or derail – regardless of external threats, vulnerabilities, or zero-day attacks.

Conclusion

Today’s security battleground has shifted to the server workloads, and organizations need full runtime visibility – down to memory and the CPU. Virsec starts from the inside and protects the entire server workload and defends all applications, on any platform, and in any environment.

Whether they’re custom, off-the-shelf, legacy or industrial controls, Virsec secures all the applications that run your business. Protect all layers – web, memory, process, hosts, from development through operations.

Keeping traditional cybersecurity tools, such as end point security, to guard the perimeter and network layers is still recommended, but much more is needed. Virsec provides comprehensive application-aware server workload protection and delivers full visibility during runtime. Virsec’s defense deploys in seconds across the full stack, with no signatures, tuning or noise.