Blog
09.08.2017

Equifax Breach Fighting Back in the War Against Web Server Attacks

Legacy security products are out-gunned and no match for fileless attacks

Today’s news on the breach of personal data for 143 million consumers is alarming on many levels – the numbers are enormous (20% more than the total number of US households), and it strikes at the core information that many of us try hard to protect – social security numbers, birth dates, addresses, credit card numbers, driver’s license numbers and more. According to Gartner, “On a scale of 1 to 10, this is a 10. It affects the credit reporting system of the whole United States because… everyone uses the same data.”

But beyond the hand-wringing about the scale of the breach (which is HUGE), we need to ask the same questions that follow every breach – why does this keep happening and when will we get serious about security, especially for public-facing web servers?

We know that web servers are vulnerable and have been for some time. The typical solutions – patching vulnerabilities when available and convenient, improving software development testing, and relying on outdated anti-malware tools – continue to fail, over and over again. Today’s attackers are innovative and relentless and can easily find security gaps in the millions of web servers and applications used to power our economy.

The wave of recent cyberattacks, aided by leaks of NSA-developed hacking tools, have demonstrated a marked increase in the sophistication and elusiveness of hacking techniques. Yet, at the same time, businesses have been on their heels, depending on security layers that are increasingly irrelevant.

Frankly, most of today’s defenses are like bringing a butter knife to a gun fight.

Outdated Security Models

While the threats have changed dramatically, the approach of the most security products remains stuck in the ‘90s. Most security technology has been built around a few very outdated principles:

1. Defend the perimeter

The concept of a firewall gateway for defense goes back to the early days of the Internet. Rather than connecting directly to the wide-open web, businesses realized they should proxy traffic and monitor traffic. That worked fine until most of the traffic turned into port 80 web traffic, which firewalls could only allow or deny. Successive “next generations” of security devices have moved the perimeter closer to the business, but it’s still a gateway model.

The basic problem with a perimeter model is that you’re essentially just relying on a security guard. A guard stands at the door, and stops the obviously suspicious traffic, but has no real understanding or context over whether the traffic is legitimate or nefarious. While Paul Blart showed remarkable intuition in Mall Cop, most security guards have little detailed knowledge about what goes on inside the perimeter.

2.Cataloging known malware to identify repeating patterns

The second outdated model is equally pervasive and ineffective. From the early days of computer viruses, multiple AV companies have compiled signature databases of known malware. Once something gets identified, it’s easy to spot and prevent further attacks. While this is generally a good idea, it’s also inherently limited because it’s reactive. First the malware must be identified, catalogued, and signature must be updated, and/or application vulnerabilities must be patched. But this process can take days, weeks, or months. In fact, the average time for an application vulnerability to be patched is 257 days. And many applications and servers simply never get patched. The first mover advantage for a new piece of malware is enormous and the dwell time before most endpoints are protected can be enormous.

3.Looking for dangerous payloads

The other fundamental problem is that most security solutions look for malicious network traffic or files that are delivering identifiable malware. However, today’s advanced hackers are much cleverer, and attack without using files or identifiable payloads. These fileless attacks manipulate legitimate, seemingly benign processes within applications to bypass conventional security tools, hijack control over servers, and extract or ransom data. Imagine a security guard with a metal detector – that may work fine until the bad guys all shift to carrying plastic weapons.

Know Your Applications

Because current security models are being so easily bypassed by advanced hackers, Virsec takes a fundamentally different approach to security. Rather than looking at past threats and trying to guess what’s coming next, Virsec looks at the present – the actual functioning of critical applications, across the full stack from web servers down to processes and memory usage.

To do this, you need security that is close to the applications and processes – not standing outside at the perimeter. Rather than trying to analyze an infinite variety of external bad stuff, Virsec is closely instrumented with applications and maps all expected good behavior, through a patented process called Trusted Execution. Applications should be predictable. While they are complex, they are programmed to do specific things and follow predictable paths. If they don’t – something is wrong.

Here’s a useful analogy: if you are driving from San Francisco to Seattle, Google maps can tell you exactly the best route. While there may be a few options, if you want to go through specific points (Sacramento, Reading, Eugene, Tacoma, Portland) from point to point, there is only one correct path. If your car suddenly veers right and heads to Reno, something is seriously wrong, and you should take immediate action. (See Resources page for Chalk Talk videos about this process.)

This deterministic process has the advantage of limiting the unnecessarily broad scope of security, and focusing on what matters – the application and associated data. It also delivers dramatically better results, precisely identifying anomalies, with negligible false positives. The system reacts in milliseconds to stop anomalies and has APIs that can alert other network devices to take immediate action. It also accepts and works with the fact that many applications won’t be patched with the latest security updates, and need to be protected as is.

For more information, white papers, case studies, videos and blogs please visit www.virsec.com/resources