If you could stop malware from spreading, why wouldn't you?


As an IT professional, during the past few years you’ve probably managed projects in at least one of these areas – which made your work life more complex:

  • Virtualisation – implementing software to reduce the amount, cost, and maintenance of hardware and provision applications more rapidly.
  • Migration to the cloud – improving data access, communication, collaboration, software development, disaster recovery, and expanding storage options.
  • BYOD (bring your own device) – allowing employees, partners, and company visitors to connect their smartphones, tablets, laptops and flash drives to the corporate network.

Each of these productivity enhancements was accompanied by a raft of cybersecurity concerns. The reality is that keeping sensitive data and intellectual property safe and secure, while maintaining uptime for customer and internal applications, is an ongoing challenge.

And, if you’re anything like the 1,600 IT decision makers and influencers surveyed by Trustwave in May 2018, you’d say preventing malware, including ransomware, is your biggest security threat and obligation. More than half of U.S. companies experienced a cyberattack last year, causing business disruption, reputational damage, injury, and an average of $1.3 million in financial loss per incident.

Software's soft underbelly

In today’s network infrastructure, defence in depth (multiple layers of security controls) is often absent. Apps, devices, and systems are therefore directly vulnerable to malware, viruses, spyware, and zero-days. Attacks can come from the outside (nation-state actors/hackers), from insider threats, and increasingly from a compromised supply chain. Software is targeted by new types of file-less attacks that sidestep traditional network and endpoint detection. These include memory corruption attacks (buffer, stack, or heap) and return-oriented and jump-oriented programming (ROP/JOP) attacks. Buffer overflow attacks are also a well-known driver of software vulnerabilities. This technique can trick a program into running attacker-provided code instead of programmer-written code. For this to work, the attacker has to find vulnerabilities in the software’s binary code that allow the redirection of execution.

The typical environment of intertwined software, hardware, firmware, operating systems (OS), libraries, apps, smart devices, PCs, servers, and the cloud presents some unique challenges when considering how best to protect against cyberattacks:

  • Adding new software, services, and/or hardware agents may lead to performance issues, retooling and retesting, especially in real-time environments where jitter could be an issue with non-deterministic execution.
  • Even simple apps leverage libraries and OS calls that can add up to hundreds of thousands or even millions of lines of source code.
  • Not all vulnerabilities can be discovered using conventional static or dynamic analysis (SAST or DAST) tools, inspections, or profiling.
  • Re-engineering with secure libraries and best practices may be cost prohibitive, source code for applications and libraries may not be available, and changing compilers or operating systems may be impractical.
  • When deploying to tightly bundled environments including components from many suppliers, the supply chain itself may not be trusted, with potentially compromised hardware, firmware, OS, containers, or hypervisors.

While each network environment is unique, the cyber risks are fairly universal. Many of the vulnerabilities extend to mobile devices, communications, and cloud environments, where software deployment and updates occur via orchestration and automation tools. These vulnerabilities can also be found in virtualised environments and third-party hardware.

A pound of detection...

In spite of the growing threats, many of your colleagues continue to focus their cybersecurity efforts solely on detecting symptoms of attacks. They use external network and perimeter technologies such as gateways, firewalls, intrusion prevention and anti-virus agents. In addition, internal approaches such as static and dynamic analysis are often used to try to detect vulnerabilities in code.

The problem with these traditional cybersecurity solutions is that they focus more on detecting symptoms rather than on addressing the underlying causes. While established tools have worked for decades on known attack types, their effectiveness is diminishing as motivated adversaries with time and financial resources become increasingly skilled in designing attacks to avoid detection.

No need to dispense with the baby along with the bathwater, though. Detection will always be a critical component of the cybersecurity arsenal, because identifying and remediating threats before they spread can alleviate some risk and damage incurred by a cyberattack.

But detection alone isn’t enough in our current environment of escalating threat sophistication and frequency. Detection tools offer no protection when the supply chain itself is compromised, with file-less attacks like memory corruption exploits, stack and heap attacks, Return-Oriented Programming (ROP) chain attacks or with zero-day attacks.

Host-based detection agents may also create performance issues that require retooling and retesting to resolve. Further, detection monitoring and alerting requires time, investment, and expertise.

Finally, re-engineering code demands a level of resources, along with compliance challenges and risks, that most companies are unable or unwilling to meet – especially where the software stack runs to hundreds of thousands or millions of lines of code.

... is not as effective as an ounce of prevention

One of the latest and most effective means to reduce risk is to cyberharden systems using Runtime Application Self-Protection (RASP) technology, which prevents exploits from spreading across multiple devices and networks. RASP hardens software with techniques such as binary stirring (also called randomisation), control flow integrity and a priori optimisation, so that attackers can’t calculate in advance how to successfully execute their code.

RASP uses runtime instrumentation to detect and block attacks via information from inside the running software. It differs from perimeter-based protection like firewalls, which can only detect and block attacks by using network information without context. When a threat is detected, RASP prevents exploitation and execution. In other words, it denies malware the uniformity required to propagate.
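The two mechanisms described above, binary stirring and control flow integrity, can be modelled in a few lines. The following is an added illustration, not RunSafe’s code or a description of its product internals: a constructed toy binary of five named code blocks is laid out once as the "reference" image every device would normally ship, then re-laid out ("stirred") per instance, and an address computed against the reference layout is checked for whether it still points at the same code in each stirred copy. A coarse CFI check that only permits indirect transfers to function entries is included alongside. Block names, sizes and the base address are all made up.

```python
import random
from typing import Dict, List, Optional

# Constructed toy binary: code blocks as (name, size in bytes). Names and sizes are made up.
BLOCKS = [("main", 0x120), ("parse_input", 0x80), ("copy_buf", 0x40),
          ("log_event", 0x60), ("exit_handler", 0x30)]
SIZES = dict(BLOCKS)
BASE = 0x400000  # hypothetical load address

def layout(order: List[str]) -> Dict[str, int]:
    """Place blocks contiguously from BASE in the given order; return entry addresses."""
    table, addr = {}, BASE
    for name in order:
        table[name] = addr
        addr += SIZES[name]
    return table

def stir(seed: int) -> Dict[str, int]:
    """Binary stirring: shuffle the block order per instance (main stays first)."""
    rest = [n for n, _ in BLOCKS if n != "main"]
    random.Random(seed).shuffle(rest)
    return layout(["main"] + rest)

def resolve(table: Dict[str, int], addr: int) -> Optional[str]:
    """Return the block an address falls inside, or None if it is not code."""
    for name, start in table.items():
        if start <= addr < start + SIZES[name]:
            return name
    return None

def cfi_allows(table: Dict[str, int], target: int) -> bool:
    """Coarse control-flow-integrity check: an indirect transfer may only land on a
    function entry, never in the middle of a block."""
    return target in table.values()

def still_hits(addr: int, intended: str, instances: List[Dict[str, int]]) -> int:
    """Count the stirred instances in which a precomputed address still reaches its intended block."""
    return sum(1 for t in instances if resolve(t, addr) == intended)

if __name__ == "__main__":
    reference = layout([n for n, _ in BLOCKS])   # the single layout everyone would normally ship
    precomputed = reference["copy_buf"] + 0x10   # an address worked out against that layout
    instances = [stir(s) for s in range(20)]
    print("reference layout resolves to:", resolve(reference, precomputed))
    print("still reaches copy_buf in", still_hits(precomputed, "copy_buf", instances), "of 20 stirred copies")
    print("CFI allows mid-block target:", cfi_allows(reference, precomputed))
    print("CFI allows entry target:", cfi_allows(reference, reference["copy_buf"]))
```

The point the model makes is the one in the text: the same precomputed address works against every copy of the reference image but only against a fraction of stirred copies, which is the "uniformity" that propagation depends on, and CFI independently refuses the mid-block transfer even on an unstirred copy.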

RASP is easy to implement and requires no new investment, software, services or hardware, only a one-time transformation with limited overhead. It doesn’t require access to source code and isn’t dependent on the compiler or operating system. There are no alerts to monitor, and RASP is remotely deployable, as binary code can be cyberhardened via API. It’s far superior to “rip and replace.”

Add muscle to your cyberdefense arsenal

Because of all the benefits, RASP adoption is gaining traction. According to a report by MarketsandMarkets, the RASP market is expected to grow at a compound annual growth rate of 33 per cent to $1.24 billion by 2022.

And, if you need further motivation, note that SonicWall Capture Labs recorded a total of 5.99 billion malware attacks during the first half of 2018, a more than 100 per cent increase over the same period in 2017. Moving from traditional detection security defences to cyberhardening binaries with RASP can reduce risk by stopping attacks before they can execute and spread, thereby making your work life, and those of your colleagues who rely on your wisdom and support, much easier.

Lisa Silverman, VP of Marketing, RunSafe Security
Photo Credit: andriano.cz/Shutterstock