What if we become a bit more positive in the war on malware?

Today’s endpoint positive security goes far beyond the whitelisting of yesteryear.  Sometimes called OS-Centric Positive Security, current positive security models focus on the damage stage of the attack.  While attack strategies are ever changing and are nearly unlimited, the intentions of the attacker in the damage stage remains fairly static and is more or less limited to the following activities: data access and exfiltration (i.e. intellectual property, espionage), immediate monetary gain (i.e. ransomware) and data/system damage (i.e. wiper malware, hacktivism).  

To gain a better understanding of why you should consider a positive security strategy to complement your existing endpoint protection, Brilliance Security Magazine sat down with Nir Gaist (Founder and CTO) and Rene Kolga (Senior Director of Product Management) of Nyotron.  

Nir explained, “All the security players are trying to prevent an attacker from getting into a system.  They do this by trying to cover the different vectors of an attack or by trying to perform analysis based on AI.  The problem is that we all know that the attacker will eventually find a way to get in. So the question becomes, what’s happening next.”

The ways to attack an endpoint are practically infinite.  They include OS and application vulnerabilities, exploits, social engineering attacks, Rubber Ducky and, most importantly, human ingenuity.  Most security professionals agree that given enough time and resources, an attacker can breach any organization.

He continued, “Essentially they [other endpoint protection solutions] are enumerating all the badness in the world, we do the opposite.  We realize that while “bad” is an infinite problem – in that there are an infinite number of threats and an infinite number of ways to hack a computer – eventually, at the end of the day, the ways to do things on a computer legitimately are actually finite.  The goals of a hacker, regardless of how they get into a system, remain the same. They want to delete data or exfiltrate data or change your data to take over your machine. The ways to do any of those things legitimately is finite.”

Nyotron claims to be “the first company in the world to map all the ways things can be done legitimately on a computer.  Regardless of the user, the application, or the environment.”

When we asked about what seems to be the arduous task of keeping a list of legitimate operating system steps current, Nir explained, “The way the operating system works does not change, unless you change the operating system, but changes in an OS are infrequent,” indicating that very few updates and changes need to take place once a positive security solution is in place.  

He elaborated, “Think of it like a GPS.  When using a GPS, if you want to get to a certain location, there are only a finite set of possible ways to get there.  We have mapped all of these reasonable possibilities. If you wanted to get from Santa Clara to the Moscone Center in San Francisco, your GPS will provide a set of reasonable options, none of which will include going via San Diego.  That is exactly what we do, in real time. Every time you use your computer we ask, in real time, is this a reasonable way to accomplish this request. We map the possibilities and once we get to a dangerous place, like deletion or creation, we will already know the way in which you arrived at that point.  If that set of steps does not make sense, we will block that request.”

We asked about performance reduction and Rene explained that “It happens without any significant performance reduction on your system because we don’t scan any files.  We analyze the sequence in real time. It takes place at the kernel level, the lowest logic level. We analyze each system call before it actually occurs. We get it before the kernel gets it.”

An Israeli company, Nyotron has been in operation in the U.S. about two years.  From their website, “Nyotron’s PARANOID is the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attacker attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.”

The benefits of OC-Centric Positive Security include:

  • No patient zero required
  • No signatures or Indicators of Compromise (IOCs) needed
  • No learning/baselining or AI/ML algorithms
  • Persistent security
  • Support for air-gapped environments and disconnected endpoints
  • Protection of already infected endpoints
  • Fewer false positives
  • More lightweight

As malware authors continuously build up their arsenal of weapons, successful security strategies will need to embrace multi-layered defenses that include both Negative and Positive Security.  An OS-Centric Positive Security model represents a substantial improvement to help you win the war on malware.

An OS-Centric Positive Security isn’t a silver bullet, but it can be a tremendously valuable and complementary defense mechanism—your second or last line of defense. The majority of endpoint security solutions deployed today are based on the Negative Security model; so, it may be time to add a Positive Security solution to strengthen your endpoint protection.

Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine