Cyber-crime used to be reserved for top-secret, state-sponsored operations; today it regularly targets everyday businesses and has become a major drain on corporate resources. In a recent survey, one-third of enterprises were aware of targeted cyber-attacks against their companies. While network-based defenses have seen a lot of progress in recent years, laptops and phones continue to be exposed to security threats and are easily compromised. A new wave of startup companies is addressing this gap. With apologies to Jason Bourne, here is my spy-thriller take on the latest trend in cyber-security: innovative “endpoint” technology solutions battling previously unknown, “zero-day” attacks.
In December the storefronts of Lexington were even more dazzling than usual. Nevertheless, the Syrian official, call him Hamid (1), was in a bad mood. He was leading complicated negotiations with the North Koreans, under strict orders: The construction of the top-secret nuclear reactor in Deir-es-Zor, in northern Syria, must continue on schedule. Hamid was fed up with dealing with the Koreans and their obstinate negotiating. Fortunately, he had the afternoon off. He dumped his laptop in his hotel room and went shopping.
He was not aware that while wandering the Lexington streets, he was followed by an Israeli Mossad team; at the same time, a related team entered his hotel room, hacked into the laptop, copied its files and installed a Trojan horse, which let the Israeli spies keep track of his future actions. Data from Hamid’s laptop provided the “smoking gun” evidence ultimately leading to an air raid on the Syrian nuclear reactor, destroying it in September 2007.
Somewhere in the United States, 2011
In the bowels of the corporate behemoth DuPont, there sits a non-descript business unit dealing with industrial chemicals. The business unit’s CEO, call him Mr. Burns, is having a particularly stressful day. He is engaged in tense negotiations trying to acquire a U.K.-based competitor. Burns knows that there is another bidder, probably Chinese. Burns’ annual bonus, and with it his son’s college tuition, depend on a successful bid.
Burns leaves his office to get some fresh air, and stops in a Starbucks to go over his best and final bid to be submitted the following day. Browsing his email, he spots a message from a team member in the U.K. As he clicks on the attached PDF file, his laptop churns a bit more than usual before the screen displays a dry-cleaning bill. He scowls. The team member must have mistaken Burns for the department’s bookkeeper.
What Burns does not realize is that the email was spoofed; the real sender attached a PDF containing an unknown (“zero-day”) exploit, malicious original code which, two years later, will be identified in the National Vulnerability Database as CVE-2013-3341. This malware has just infected his machine. Overnight, copies of the files from Burns’ laptop are compressed and sent to a server that was set up specifically for this attack. Unsurprisingly, the Chinese bid for Burns’ target company comes in just high enough to win the deal.
The importance of the “endpoint”
These two events, occurring just five years apart on two continents, illustrate the rapidly changing cyber-crime landscape. No longer targeted only at national assets, cyber-attacks have gone corporate and become, in many respects, more mundane. Recent reports by Symantec and Mandiant reveal a sprawling industry in attacks targeted against the enterprise: They involve stealing intellectual property, accessing sensitive commercial information and even launching distributed denial-of-service attacks from hostage desktops. We’ve all read the stories this year about Twitter hacks, attacks on Korean banks and spying on news organizations like The New York Times.
Part of the reason for the proliferation of such attacks is that most security solutions still focus on “perimeter” network security. (Think of this like a fence around your house.) This type of security is still valuable, and improving. An added arsenal of new identification and analysis technologies is helping companies as well, sounding the alarm when malware is found inside the networks. The wide adoption of Splunk and NetWitness, which use irregular traffic patterns to find suspicious malware inside the network, points to a simple but shocking fact: most CIOs today assume that their network is regularly compromised. In other words: burglars regularly jump the fence and enter the house; you also might have security cameras installed. But knowing that’s the case, wouldn’t you store your jewelry in a safe?
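The “irregular traffic patterns” that tools like Splunk and NetWitness look for are easy to picture against the Burns scenario: an endpoint that normally sends a few kilobytes an hour suddenly pushes tens of megabytes, at night, to a host it has never talked to. As an added example (not code from the post, Splunk or NetWitness), here is a small Python detector that applies exactly that rule to a constructed egress log; the host names, addresses, thresholds and business-hours window are all assumptions made up for the illustration.

```python
from __future__ import annotations
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample egress records (not from the post or any real network):
# timestamp, source host, destination IP, destination port, bytes sent out.
SAMPLE_LOG = """\
2011-03-14T09:12:03Z burns-laptop  198.51.100.7  443 4821
2011-03-14T09:40:55Z burns-laptop  198.51.100.7  443 3975
2011-03-14T10:05:17Z burns-laptop  192.0.2.10    443 5100
2011-03-14T11:22:40Z burns-laptop  192.0.2.10    443 6020
2011-03-14T13:08:09Z burns-laptop  198.51.100.7  443 4410
2011-03-14T15:31:26Z burns-laptop  192.0.2.10    443 7300
2011-03-14T16:47:51Z burns-laptop  198.51.100.7  443 5200
2011-03-14T09:02:11Z jones-desktop 198.51.100.7  443 4000
2011-03-14T11:19:33Z jones-desktop 192.0.2.10    443 6500
2011-03-14T14:45:02Z jones-desktop 192.0.2.10    443 5000
2011-03-14T22:10:48Z jones-desktop 192.0.2.10    443 3000
2011-03-15T01:15:30Z jones-desktop 198.51.100.7  443 12000
2011-03-15T02:11:48Z burns-laptop  203.0.113.42  443 58212345
"""

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int

def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated constructed log format above."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when, src, dst, int(dport), int(nbytes)))
    return flows

def find_exfil_candidates(flows, ratio=20.0, business_hours=(8, 18)):
    """Flag (host, destination, hour) buckets whose outbound volume dwarfs the host's
    usual hourly volume, fall outside business hours, and go to a destination the host
    never contacts during the day. Returns alert dicts, oldest first."""
    def bucket(ts):
        return ts.replace(minute=0, second=0, microsecond=0)

    def in_hours(ts):
        return business_hours[0] <= ts.hour < business_hours[1]

    hourly = defaultdict(int)    # (host, hour) -> bytes out
    per_dst = defaultdict(int)   # (host, dst, hour) -> bytes out
    known = defaultdict(set)     # host -> destinations seen during business hours
    for f in flows:
        hourly[(f.src, bucket(f.ts))] += f.bytes_out
        per_dst[(f.src, f.dst, bucket(f.ts))] += f.bytes_out
        if in_hours(f.ts):
            known[f.src].add(f.dst)

    # Median hourly volume per host: robust to the very spike we are hunting for.
    per_host = defaultdict(list)
    for (src, _), total in hourly.items():
        per_host[src].append(total)
    baseline = {src: statistics.median(v) for src, v in per_host.items()}

    alerts = []
    for (src, dst, hour), total in sorted(per_dst.items(), key=lambda kv: kv[0][2]):
        if total > ratio * baseline[src] and not in_hours(hour) and dst not in known[src]:
            alerts.append({"host": src, "dst": dst, "hour": hour.isoformat(),
                           "bytes_out": total, "baseline_hourly_bytes": baseline[src]})
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(parse_flows(SAMPLE_LOG)):
        print(alert)
```

On the sample data only the overnight 58 MB transfer from burns-laptop to the previously unseen 203.0.113.42 is flagged; jones-desktop’s small after-hours traffic to destinations it already uses during the day is not. In a real deployment the baseline would come from weeks of history rather than one day, and the ratio and hours would be tuned per environment.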
Hence the need for “endpoint security,” specifically securing devices like desktops and servers, usually through anti-virus software. Unfortunately, endpoint security is still stuck in the 1990s and is completely inadequate against the targeted attacks we described above. Any reactive system, i.e., one that depends upon first identifying malware in the wild by its special “signature” and then adapting against it, is by definition useless against an attacker determined to penetrate a given set of targets using brand-new, “zero-day” vulnerabilities. Using anti-virus software to defend against targeted attacks is like bringing a sword to a gun fight.
A number of relatively recent changes in enterprise computing exacerbate the problem. In the past, enterprises assumed that users would access servers physically located on premises, from company-issued devices, mostly from the company’s offices. This paradigm created the notion of a perimeter, a safe zone in which IT is pretty much controlled. This paradigm is becoming irrelevant because:
- Servers can now reside anywhere. With so much critical software delivered from outside the company (SaaS) and IT infrastructure extending through ad-hoc “cloud” resources, one can assume next to nothing about the whereabouts of corporate servers. This makes securing them more complicated.
- Bring Your Own Device, i.e., bowing to workers’ strong preference for using devices of their own choosing and mixing work and private use on them, puts a huge strain on the security of endpoints.
- The mobile workforce can be anywhere at any given time, and usually cannot be bothered with cumbersome access protocols. Usability dictates non-stop access to enterprise resources, with as few limitations as possible. This unlimited access practically renders the enterprise network wide open.
So servers, laptops and phones now roam freely in and out of the secure corporate perimeter. Unless they carry their security measures with them, they are totally exposed to targeted attacks.
The next generation of endpoint security
Lately, we have seen a few modern approaches that take totally different routes to endpoint security:
- Obstruction. This technique works by hardening the operating system in a way that renders whole families of attacks unusable. Instead of focusing on a specific malware signature, or fixing vulnerabilities one at a time, this type of technology disarms the entire technique used by the hackers. As the number of techniques is small, and they don’t evolve all that often, obstruction offers superb protection. Companies like Israel’s Cyvera (2) use obstruction by developing operating-system extensions that block attacks regardless of the specific vulnerability.
- Sandboxing, promoted by companies like Invincea and Bromium, uses virtualization-based techniques to contain a breach to a particular application, thus limiting its ability to spread throughout the organization.
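The “obstruction” approach above defends at the level of exploitation techniques rather than individual vulnerabilities. The post does not say which techniques, so as an added example (not Cyvera’s product, nor code from the post) here is a Python checker for the best-known way an operating system and its toolchain disarm whole families of memory-corruption attacks regardless of the specific bug: the standard Linux ELF mitigations (non-executable stack, position-independent executables for address randomization, RELRO, and stack canaries). A defender can run such a check across a fleet to find binaries that opted out. The sample ELF images are constructed inline from header structures only, and the canary check is a string-search heuristic, both of which are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass

# ELF64 constants from the ELF specification and the GNU program-header extensions.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # 64 and 56 bytes respectively

@dataclass(frozen=True)
class Hardening:
    pie: bool           # ET_DYN executable: loadable at a random base, so ASLR applies
    nx_stack: bool      # PT_GNU_STACK present without PF_X: stack pages not executable
    relro: bool         # PT_GNU_RELRO present: relocation data made read-only after load
    stack_canary: bool  # heuristic: image references __stack_chk_fail (-fstack-protector)

def inspect_elf(data: bytes) -> Hardening:
    """Report which exploit mitigations a little-endian ELF64 image opts into."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    nx_stack = False   # no PT_GNU_STACK at all: the x86 kernel grants an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return Hardening(pie=(e_type == ET_DYN), nx_stack=nx_stack, relro=relro,
                     stack_canary=(b"__stack_chk_fail" in data))

def missing_mitigations(h: Hardening) -> list:
    """Names of the mitigations the image lacks, for a fleet-wide report."""
    checks = (("PIE", h.pie), ("NX stack", h.nx_stack),
              ("RELRO", h.relro), ("stack canary", h.stack_canary))
    return [name for name, present in checks if not present]

def build_sample_elf(e_type, stack_flags, with_relro, with_canary) -> bytes:
    """Constructed minimal ELF64 image (header and program headers only, no real code),
    used here to exercise inspect_elf offline. stack_flags=None omits PT_GNU_STACK."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x2000, 0x602000, 0x602000, 0x200, 0x200, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, e_type, EM_X86_64, 1, 0x401000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    tail = b"__stack_chk_fail\0" if with_canary else b""
    return ehdr + body + tail

if __name__ == "__main__":
    samples = {"hardened": build_sample_elf(ET_DYN, PF_R | PF_W, True, True),
               "legacy": build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X, False, False)}
    for label, image in samples.items():
        h = inspect_elf(image)
        print(label, h, "missing:", missing_mitigations(h))
```

To run it against real binaries, pass the bytes of a file from `/usr/bin` to `inspect_elf`; note that shared libraries are also ET_DYN, so the PIE flag is meaningful only for executables, and the canary heuristic should be replaced by a proper dynamic-symbol lookup in anything production-grade.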
We believe that there is no way for a modern, mobile, cloud-enabled organization to defend itself against targeted attacks without employing this new breed of endpoint security measures. And we believe we’ll see more innovative startups in this area as more companies realize the extent of the threat.
(1) The events and the people mentioned are based on relevant press and industry reports. Their names are fictional.
(2) Battery is a recent investor in Cyvera.
This post was originally published in August 2013.