I recently spoke with Rene Kolga of Nyotron about ways that organizations can improve their information security policy. Rene, who’s been working in enterprise software for over 20 years, offered a number of insights into the value of taking a threat-agnostic approach to protecting information assets.
Rene Kolga: Nyotron has an endpoint security product that, as we say, does completely the opposite from what everyone else is doing in the security space—at least from the endpoint perspective. Think of it in terms of positive security vs. negative security models. The negative security model looks for what’s bad, and lets everything else in. That’s how the majority of security products work. They try to maintain the list of everything that’s bad, to detect it and block it. However, we believe that’s an infinite battle you cannot win.
Human ingenuity is boundless. The amount of malware is so incredible and so easy to generate that you can’t win against such infinite odds. The attackers will always be a step ahead of you. Instead, you can mount a more effective and efficient defense if you start by trying to understand the intention behind the attack. What are the attackers trying to get out of you and your system by attacking it? Well, that’s pretty finite, actually. They either want to steal your data or monetize it directly by encrypting (i.e. ransomware). Or, they want to cause direct damage to you by deleting or corrupting your data (i.e. wiper malware).
These three outcomes probably cover 90% of the intentions behind cyberattacks. There are other scenarios, like an attacker using your resources to spread spam or mine cryptocurrency, but espionage, data theft and data destruction are the basis of the majority of attacks. That’s very finite compared to the number of ways of getting into your system through applications, vulnerabilities and the OS. There will always be new attack vectors.
What we did was to map every single legitimate way of getting to that potentially damaging activity, every single legitimate way you can delete a file in an OS, every single legitimate way you can open up a communication channel between your endpoints and an external system, every single legitimate way to overwrite a file, create a file, launch a process—and we blocked everything else. Basically, we apply a positive security model.
It’s analogous to whitelisting. However, if you’ve ever worked with whitelisting, you know how difficult it is to make it work. If your system is a single-purpose device like an ATM or point of sale, maybe you can use whitelisting. Those types of systems shouldn’t change frequently. Applying whitelisting to your everyday laptop, that’s a nightmare. As the number of attacks is infinite, so are the applications. Every day new applications are created and new versions of existing ones are released.
Our approach is to go a step deeper in the operating system. We don’t look at applications. We don’t look at user behavior. We look at OS system calls, because no matter which application it is, they all use OS system calls. Regardless of what users are trying to do, in the end they use OS system calls to perform those actions. So, we call this approach the OS-Centric Positive Security model.
Hugh Taylor: So, if the code makes an OS request that we don’t like, we’ll block it.
Rene Kolga: Most security products look for that vulnerability, that exploit or signature of malicious code or scan for some type of behavior or anomalies, right? We don’t care about any of that. We know how to get to those potentially damaging activities in the operating system. The ones we care about are limited to a small subset of activities—file deletion, communication, process creation, registry modification and a few others. Whether a malicious actor is using a legitimate application or a 0-day exploit or off-the-shelf malware, its actions will be outside of the normative paths to file deletion, for example, and will be blocked.
There’s no prediction, no learning, no AI, deep learning, whatever. Think of it as a safe: to open a safe you need to enter five numbers in a particular sequence. If you enter the last number correctly without entering the previous four, the safe is not going to open. That’s exactly the way we work. If a system call asks to delete file XYZ, but it has not arrived at this point through a legitimate path, we will not allow you to delete this file.
Hugh Taylor: Ok, that’s very thought-provoking. I’m sure a lot of people will find this interesting. Let’s change channels and discuss threats that are based in firmware. How serious do you think those threats are?
Rene Kolga: Well, overall hardware-based threats as well as threats in the BIOS or firmware are obviously concerning. I’m sure you’ve heard about severe vulnerabilities found in embedded medical devices like insulin pumps and pacemakers. It’s a significant concern, though the risk is less about attacks by nation states and more about sloppy manufacturing and security being an afterthought. Of course, there are nation states doing this too. We do it, as Snowden revealed, by intercepting server hardware shipments, injecting BIOS or firmware level malware, etc. There’s no reason to think that other countries aren’t doing this to us.
Hugh Taylor: Do you feel that there is a comparable OS risk, like for an Internet of Things device that’s coming in from a foreign country? Could there be OS level or application level threats that are embedded at the manufacturing stage?
Rene Kolga: I see no reason to think otherwise. Whether it’s at OS level, application level, hardware, firmware or BIOS level. Of course, it’s more expensive and harder to do at the firmware level (vs. at the application level), but it has its benefits. Antivirus doesn’t check your firmware. Antivirus only checks your OS and your applications. So, it stays under the covers in most cases and survives OS re-installs and hard disk re-formatting. It is pretty common for Dell or HP or Lenovo or whoever to pre-install some image and some applications on their servers. But, I would venture to say probably 80% of organizations will wipe it and install their own image instead, so if you are trying to infect as many companies and systems out there as possible, you want something more persistent than malware within the OS or within an application.
Hugh Taylor: Let’s say the phone rang and it’s the president of the United States calling. He says, “Rene, I want to give you unlimited resources to solve the cyber vulnerabilities of the United States.” What would you recommend?
Rene Kolga: Frankly, I feel we are less safe today than we were two years ago, despite so many brilliant people trying to solve the problem and billions of dollars spent. The security industry has not really kept up pace with the attackers because incentives are structured in such a way that they are ahead of us. The attackers are very well organized and have plenty of resources.
It used to be that it was only the US, UK, Russia and China who could wage a cyber war. Now Iran, Saudi Arabia, and even countries like Vietnam have capabilities to cause significant disruption. It’s a true democratization of cyber warfare. This is an asymmetric battle where the bad guys have the asymmetric advantage, due to misaligned incentives and cybercrimes being so profitable. We haven’t innovated fast enough, nor have we adopted truly new security solutions. So, what to do about it? I am not a believer in protectionism or isolation where we can’t buy any hardware or software made in China, for example.
Rene Kolga: I am a believer in better testing, better validation, and stronger laws, but I don’t think we can isolate ourselves, frankly. Look around: in many of Silicon Valley’s security companies over 50% of employees aren’t even US citizens.
Rene Kolga: And they are developing security software, servers, firewalls and other software that you have installed. I don’t think it’s realistic to say we can live in our own world. But yes, can there be better laws? Absolutely. Look at the EU’s GDPR, for example.
Hugh Taylor: It seems like your company’s approach might be a good idea here, too. I was recently speaking with a network expert about creating a secure network and he said, well, look at who’s already kind of done it. Look at PCI and the credit cards. It’s pretty strong security. Maybe we need to be like them and say if you want to be on a certain network you can only use certain kinds of devices, certain kinds of applications—sort of whitelist your way into being secure. If everybody can do everything on any device, then you’re too wide open.
Rene Kolga: That’s an interesting concept. Of course, if you can limit your attack surface by whitelisting or only allowing certain types or sets of devices and/or people or applications or organizations to access something, that might make sense in some cases. Basically, creating an internal isolated network. Nuclear power plants and other high-security facilities use air-gapped networks. There is a reason for that. It’s reducing the attack vectors and your exposure overall, so I think there is something to be said about this. In general, with information security policy, I think strategic use of threat-agnostic defenses will outperform the endless race against well-funded malicious actors.
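The positive security model Rene describes above (a damaging system call is allowed only when it is reached through one of a small set of legitimate call sequences, like the numbers of a safe entered in order) can be illustrated with a toy policy monitor. This is an added example, not Nyotron's code; the call names, the "normative paths" and the two traces are constructed for illustration and are far simpler than a real OS-level implementation.

```python
"""Toy OS-centric positive security monitor (constructed example).

Rather than recognising bad programs, the monitor only knows the legitimate
call sequences ("normative paths") that may precede a damaging system call
and blocks any such call that arrives by any other path.
"""
from collections import deque

# Damaging operations the policy cares about (constructed subset).
DAMAGING = {"unlink", "connect", "create_process"}

# Allowed prefixes that must immediately precede each damaging call.
# These are invented for the example, not real OS rules.
NORMATIVE_PATHS = {
    "unlink": [("open", "fstat", "close"), ("openat", "fstat", "close")],
    "connect": [("socket", "setsockopt"), ("socket",)],
    "create_process": [("stat", "access")],
}


def path_is_legitimate(history, call):
    """True if the most recent calls in `history` match an allowed prefix."""
    for prefix in NORMATIVE_PATHS.get(call, []):
        n = len(prefix)
        if len(history) >= n and tuple(history[-n:]) == prefix:
            return True
    return False


def enforce(trace, window=8):
    """Walk one process's call trace; return (call, decision) per call.

    Only the last `window` allowed calls are remembered, and a blocked call
    is not added to the history, so it cannot seed a later legitimate path.
    """
    history = deque(maxlen=window)
    decisions = []
    for call in trace:
        if call in DAMAGING and not path_is_legitimate(list(history), call):
            decisions.append((call, "BLOCK"))
            continue
        decisions.append((call, "ALLOW"))
        history.append(call)
    return decisions


# Constructed traces: an editor removing a temp file the normal way, versus
# a process that jumps straight to the damaging calls.
NORMAL_TRACE = ["open", "fstat", "close", "unlink"]
SUSPECT_TRACE = ["mmap", "unlink", "socket", "connect", "connect"]
```

Running `enforce(NORMAL_TRACE)` allows every call, while `enforce(SUSPECT_TRACE)` blocks the `unlink` and the second `connect`, which arrive without their normative prefix.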
About Rene Kolga: Rene Kolga, CISSP, heads Product Management and Business Development for North America at Nyotron. Prior to working at Nyotron, Rene was Head of Product at ThinAir. Rene also spent eight years at Symantec, where he led multiple enterprise security product lines in the areas of encryption and endpoint security. Additionally, Rene led dozens of endpoint management, backup and business intelligence product teams at SolarCity, Citrix and Altiris. Earlier in his career, Rene ran Customer Support and QA teams. Rene earned his Computer Science degree from Tallinn University of Technology. He also received an MBA from the University of Utah.