Back in 2013, General Keith Alexander of US Cyber Command sounded an alarm at a cybersecurity conference, alerting corporations and government agencies of an increased threat of cyberattacks. He called the billions of dollars in intellectual property flowing out of the country “the greatest transfer of wealth in history” and warned that unless we do something, the consequences would only intensify. “Mark my words,” he continued, “it’s going to get worse. The disruptive and destructive attacks on our country will get worse and if we don’t do something, the theft of intellectual property will get worse.”
Six years later, General Alexander’s warning rings truer than ever. It’s no longer “if” a breach is going to happen, it’s “when”, with thousands of companies getting hacked every year, compromising hundreds of millions of sensitive records and costing organizations millions in remediation and recovery efforts. According to Cybersecurity Ventures, cybercrime damages are expected to rise to $6 trillion annually by 2021 – a doubling from $3 trillion in 2015.
So, what’s being done about it? Ironically, as the number and severity of attacks continue to rise, so does the amount of money companies and governments spend on cybersecurity. According to new Gartner research, spending on information security will exceed $124 billion by the end of 2019. And yet, despite billions spent on detection, the greatest transfer of economic wealth in history is still going on. We can do better!
Detection-based tools alone can’t protect against polymorphic malware
It’s clear that simply throwing more money and resources at the problem is not solving the crisis. It’s time for organizations to fundamentally re-examine their approach to security, find out why their current tools still fail to protect, look beyond compliance and detection, and invest in innovative protection solutions that puts them strategically ahead of the attackers.
Most of today’s malware attacks are not sophisticated or targeted exploits created by state-sponsored hacking groups or highly organized criminal syndicates. They’re often opportunistic attempts orchestrated by petty criminals with the help of abundant hacking services and readily-available components available on the dark net. Yet these attacks continue to successfully, and rather easily, penetrate detection-based defenses by becoming polymorphic – constantly changing their signatures to keep antivirus and other malware detection tools from recognizing them as “known” threats.
Need more evidence? A May 2018 Security Week article suggests that as much as 98 percent of malware uses evasion techniques to circumvent detection – a finding corroborated by other research. Pattern-matching signature-based detection tools are frequently powerless against these polymorphic threats, unable to identify them until they have unleashed their payload. It’s also been over five years since a senior Symantec executive declared that “anti-virus is dead” and admitted that signature-based AV is only able to detect circa 45% of cyberattacks. While AI-based automated endpoint detection tools are gaining popularity, the fact is that even the most advanced, AI-based detection tools are still playing catch-up with polymorphic malware authors.
As AI-security vendors learn more about the malware, the malware learns about detection methods, adapting to the newest techniques with even smarter disguises and mutations. A number of cities, including Baltimore and Greenville, NC, have recently fallen victim to a strain of ransomware malware that slipped right past their next-gen antivirus tools because it was “new” and could not be matched to any known samples. Weeks later Baltimore is still struggling to free its computers from the clutches of ransomware, and It may take many months and millions of dollars to get essential city services and operations restored completely.
Bromium: protection before detection
One of the most frustrating problems among enterprise security teams is alert fatigue. Traditional security tools produce many false positives that trying to investigate even the most serious-looking ones is taking countless hours out of the SOC team’s day. At Bromium, we don’t rely on detection. The alerts generated by the Bromium Controller are overwhelmingly true-positive, legitimate malware attacks. The very fact that malware was able to get through detection tools and layered defenses and still find its way to the Bromium engine suggests that it’s a real threat and is worth looking into. First and foremost, however, Bromium is about protection. Our detection capabilities and threat telemetry are an excellent way to improve the organization’s overall security posture, but our main goal is to give our customers the peace of mind that no matter how new, rare, advanced, or polymorphic the malware is, their endpoints and networks are completely secure.
Bromium’s hardware-enforced containment technology isolates each task inside a disposable virtual machine. Bromium Secure Platform knows exactly what processes should be running inside each container when a user performs a specific task, such as opening a Word document, clicking on a link, or launching a web page. If malware is present, Bromium allows it to fully execute within a protected space of the virtual machine. There’s no danger of malware escaping from the confines of a self-contained and secure container, and no chance of it infecting the endpoint or spreading laterally across the network.
And since Bromium knows exactly what processes should be running inside each task-specific container, it’s easy for us to know when something has gone wrong. When a Word document is suddenly trying to establish a connection to a Command and Control center, that’s a sign for a Bromium Controller to turn on the “flight recorder”. Not only are we able to detect that malware is present, we can find out where it came from, what type of payload it was carrying, and how it intended to drop it. Indeed, we produce the full attack kill chain in real time – no manual post-event forensics required. So, even though Bromium doesn’t call itself a “detection” company, we provide some of the world’s most advanced and detailed threat telemetry to help the security community better understand the threats they are facing.
Getting ahead of attackers with Bromium Threat Sharing
While some of the hacked corporations, municipalities, and government agencies refuse to pay the ransom, and publicly announce the fact that their networks and data have been compromised, many more prefer to quietly pay off the attackers and go about their business as if nothing had happened. So, when Bromium first launched the Threat Forwarding feature, even our own engineers were skeptical.
Who would want to openly (albeit anonymously) share their malware samples? Surprisingly, more than half of our customers immediately agreed to share details of the threats caught in isolation, granting Bromium analysts a wealth of detailed information that’s not available anywhere else. Malware that’s flagged by detection-based tools is not allowed to fully detonate and reveal its secrets. But since Bromium lets malware play out in its entirety inside the secure container, we’re able to compile a complete kill-chain analysis. The threat telemetry that Bromium collects is further enriched and analyzed using a combination of AI based automated techniques, and by the Bromium Labs Threat Research team. We then share the analysis and findings back with our customers to help them improve their defenses – even on devices that are not protected by Bromium.
Isolation is a powerful tool
Bromium’s significant and growing customer base in both global commercial organizations and state and federal governments confirms that application isolation movement is gathering momentum. Detection tools, while getting smarter, will never be able to protect you from 100% of threats, and given the growing volume of “drive-by” attacks and the easy availability of cheap hacking tools, letting just a few things through can lead to disastrous consequences.
Add to it the time required to chase false positives, the need for emergency patching and upgrading once a vulnerability has been identified, and the growing fatigue of security teams, and it’s evident that current approach to security needs to change. More and more organization choose protection before detection. Bromium is the pioneer and market leader in isolation-based security, with a proven track record and a fast-growing customer base. Visit us at Bromium.com or subscribe to our technical blog series and see for yourself how Bromium can protect your organization from threats that bypass other defenses.