Isolate and conquer: Getting past a reliance on layered security
It's time to throw cyberattackers into solitary before they strike, writes Bromium's Simon Crosby.
It is no exaggeration to say that every aspect of our online society and critical infrastructure is being actively probed for vulnerabilities. Last year delivered more compelling evidence of the crippling economic consequences of cyberattacks by nation states and wealthy crime syndicates. The Internet is already a key battleground in international conflicts, and agencies are under relentless attack. Yet while we typically hear about the costly consequences of data breaches, we seldom hear how an attack started.
The recent Verizon Data Breach Investigations Report confirms the ugly truth: 71 percent of attacks start at endpoint devices because humans are easy to deceive. A single click can give an attacker a gateway to an agency's network. Federal employees and contractors must assume their endpoints will remain under targeted assault.
Organizations across government and industry reflexively respond to those attacks by layering a dizzying array of security measures on devices: data loss prevention, sandboxing, host-based intrusion prevention, whitelisting, return-oriented programming mitigation, and rootkit and bootkit detection, among others.
As reasonable as layered security sounds, though, it is ultimately a game of diminishing returns. Each newly layered defense adds cost, negatively affects the user experience and remains susceptible to the same Achilles' heel: Stacks of layered security can be uniformly defeated by attacks that exploit vulnerabilities deep within device operating systems, such as the Windows kernel. Unfortunately, such critical vulnerabilities are being discovered at an alarming rate: More than 80 Windows kernel vulnerabilities were disclosed in 2013, up from 26 in 2012.
In view of layered security's shortcomings, we need to radically overhaul the security of our endpoints. They must be inherently secure -- by design. If we could achieve that, devices would shrug off persistent attacks even when targeted employees are enticed into clicking links and attachments.
Fortunately, thanks to the relentless progress of Moore's law and a new technique called micro-virtualization, that goal is within reach.
Micro-virtualization takes advantage of unused virtualization features on PCs' CPUs to invisibly hardware-isolate each task -- such as each tab in a browser, each file being edited or each email and attachment. Once isolated in this manner -- in solitary confinement -- a task cannot be hijacked for attacking the operating system, stealing data or accessing agencies' networks if malware arrives and "detonates" in the course of employees' work.
This isolation-based defense turns the security problem on its head. It eliminates false positives and the debate over detecting "new" versus common malware because micro-virtualization isolates any malicious activity, period. Clicking on a poisoned attachment is not a risk -- a compromised task will simply be discarded when the user closes the application. Users can safely click on anything; even when they make a mistake, the system will defend itself.
Agencies that adopt isolation can stop mandating new endpoint controls that hamper users and instead rely on PC hardware they have already bought and deployed. Additionally, data on what is triggering micro-virtualized tasks to close and kill malicious processes can be reported to security teams for tuning perimeter and other defenses against attack activity they would have otherwise missed.
Mobility and consumerization of IT are here to stay, which makes micro-virtualization a timely, compelling strategy. With micro-virtualization on their devices, agencies can confidently say yes to telecommuting, Web applications and other demands while still protecting users from threats that target things such as legacy Java or unpatched devices. Endpoints automatically isolate and shrug off malware, users stay productive with Federal Information Security Management Act-compliant settings intact, and collaboration with interagency and industry partners can continue apace.
By using hardware to automatically isolate every potentially threatening task, we can make our devices secure by design -- and securely maximize agencies' potential in the digital domain.
NEXT STORY: Cyber information-sharing bill moves forward