Bracket Forensics and Threat Defense - Bracket Computing

Bracket Forensics and Threat Defense white paper



Bracket Forensics and Threat Defense

INTRODUCTION

Today’s enterprises demand the power of the hybrid cloud. Dynamic and flexible, it transforms computing into a utility and fundamentally improves a business’s ability to innovate. As the data center becomes increasingly dispersed, however, perimeter defenses prove inadequate for protecting it against threats. Network micro-segmentation offers additional protection, but the network is only one part of an enterprise workload. Business requires a complete solution—one that protects not only the network, but also the storage and compute resources that compose a typical workload. Further, solutions should be built for the cloud, not retrofitted to it, and should address the security and control challenges unique to the modern hybrid data center. Critical among these is implementing a single set of security policies across heterogeneous infrastructure, which avoids operational complexity and the resulting increased costs and—worse—the security gaps that follow from human error. Equally important is preserving the separation of duties between enterprise IT and development and operations, which allows IT to retain control, even in a self-service world. Bracket Computing’s Full Workload Isolation solution completely reimagines the way enterprises create, implement, and ensure workload security. At the heart of the Bracket solution sits the Metavisor™, an advanced virtualization layer running between the guest operating system and the hypervisor of the underlying cloud. Isolated and immutable, it provides an unprecedented level of security.

BRACKET THREAT DEFENSE FORENSICS

As enterprises move from strictly on-premise infrastructure to the hybrid cloud, IT security must rethink how it protects workloads and responds to unfolding events. Unlike installations in a private data center, the use of network-based solutions such as IDS, DLP, or VMware hypervisor-based security solutions on hybrid clouds proves problematic, as there is no access to the underlying infrastructure. This problem has forced enterprises to move from solutions running outside the host to agent-based solutions operating within the host. Though this approach provides benefits such as highly scalable security, it has a significant downside: once a host is compromised, agents cannot be trusted to provide accurate information. In addition, moving to the public cloud disrupts incident response workflows. Because cloud providers do not allow hypervisor access, memory dumps must be taken from inside the OS, leading to potentially tainted memory and slowing detection of data breaches. These complexities compound existing issues around discovery and remediation of attacks. With malware becoming more sophisticated and detection and remediation times growing (205 days and 32 days respectively in 2016), whether a data breach occurs is largely determined by the attacker’s ability to hide while moving laterally through an enterprise’s systems.



ANATOMY OF AN ATTACK

When attackers first access a Linux guest, they will typically attempt to gain escalated privileges. This enables malware not only to take control of an OS but, more importantly, to cover its tracks. The first things malware will attempt after a privilege escalation are to:

• Shut down any security agent that can block it from execution
• Hide itself by patching the syscall table (normally a read-only part of kernel memory)
• Establish command and control of the running instances
• Use this position as a jumping-off point to search for other vulnerable hosts or start the exfiltration of data

A COMPLETE SECURITY SOLUTION

The Bracket solution helps organizations prevent these kinds of attacks, as well as clean up after an attack, through access to the running memory of the instance. It remains immutable from the OS and any malware contained within. Via the Metavisor, Bracket software closes the gaps introduced by a move to OS-based agents and memory dumps in the cloud by:

• Tracking third-party agents to determine when they have been terminated
• Watching for rootkits trying to hide themselves
• Providing memory captures in the cloud manually or programmatically
• Reducing the time lag between attack, detection, block, and cleanup from days to milliseconds

FIG 01: The New Stack with the Bracket Metavisor



Organizations currently rely on a variety of security agents to protect running instances in the cloud, including open source solutions such as ClamAV and commercial software such as Carbon Black. Bracket augments existing malware prevention tools by ensuring that security agents haven’t been terminated. It inspects running guest memory from outside the OS, verifying that the processes for required agents remain running. Once certain events are triggered, Bracket can respond automatically through a pre-set, customizable policy: logging, pausing, terminating, or memory dumping the virtual machine to a protected archive. This policy helps close the gaps that agent-based anti-malware solutions leave open, making it much harder for attackers to compromise applications.

STAYING AHEAD OF THE GAME

One of the most nefarious tools that hackers use to attack the guest operating system is the rootkit. Most rootkits operate by establishing root access through privilege escalation, then hiding by patching the syscall table, and finally establishing command and control. Today most security solutions attempt to stop rootkits by looking for privilege escalation or for anomalies created by command and control. Bracket differs from these solutions in its unique ability to evaluate the syscall table from underneath the running OS. If syscall table patching does occur, automated actions contain the attack. Compared with other detection mechanisms, syscall table monitoring is not susceptible to false positives/negatives, enabling a security team to respond more rapidly and with confidence.

Memory dumps are one of the most powerful tools employed by incident response teams to examine what malware is doing on a host; however, public cloud providers do not support hypervisor-based memory dumps. The result is that organizations are limited to in-OS tools that are less reliable and less accurate. Bracket solves this issue by allowing IR teams to programmatically pause instances and dump memory in an industry-standard format into an encrypted S3 bucket, then terminate or resume the instance out of the paused state. This memory dump uses Bracket’s object encryption capabilities both to encrypt the bucket and to isolate it from the infected host or hosts. With the Bracket solution, IT can restore its IR workflow while shortening resolution time. With event-based triggers, memory dumps can be made at the time of compromise, enabling responders to find the source of the attack as it happens.
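To make the two checks described above concrete (syscall table integrity evaluated from outside the guest, and required-agent liveness, each mapped to a policy action), here is an added model in Python. It is not Bracket's code: the syscall numbers, handler addresses, kernel text range, agent process names, and the action mapping are all constructed for illustration, standing in for what an introspection layer would read from guest memory.

```python
from dataclasses import dataclass

# Constructed baseline: syscall number -> handler address, as an out-of-guest
# inspector would record it at boot. Addresses are made up for this example.
BASELINE_SYSCALL_TABLE = {
    0: 0xFFFFFFFF81201000,   # read
    1: 0xFFFFFFFF81201080,   # write
    62: 0xFFFFFFFF81203000,  # kill
    78: 0xFFFFFFFF81203400,  # getdents (commonly hooked by rootkits to hide files)
}
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)  # constructed .text range
REQUIRED_AGENTS = {"clamd", "cbagentd"}  # hypothetical agent process names

@dataclass
class GuestSnapshot:
    """What an out-of-guest inspector sees: the live table and the process list."""
    syscall_table: dict
    process_names: set

def patched_syscalls(baseline, current, text_range=KERNEL_TEXT):
    """Entries that changed since baseline or now point outside kernel .text.

    The range check catches a hook even when no baseline is available: a
    legitimate handler lives in the kernel image, not in module or heap memory.
    """
    lo, hi = text_range
    return sorted(n for n, addr in current.items()
                  if baseline.get(n) != addr or not lo <= addr < hi)

def missing_agents(required, running):
    """Required agent processes absent from the guest's process list."""
    return sorted(required - running)

def evaluate(snapshot, baseline=BASELINE_SYSCALL_TABLE, required=REQUIRED_AGENTS):
    """Map findings to an assumed policy action: none, log, or pause_and_dump."""
    findings = {
        "patched_syscalls": patched_syscalls(baseline, snapshot.syscall_table),
        "missing_agents": missing_agents(required, snapshot.process_names),
    }
    if findings["patched_syscalls"]:
        action = "pause_and_dump"  # rootkit indicator: freeze the VM, capture memory
    elif findings["missing_agents"]:
        action = "log"             # agent killed or crashed: record and alert
    else:
        action = "none"
    return action, findings

if __name__ == "__main__":
    tampered = {**BASELINE_SYSCALL_TABLE, 78: 0xFFFFC90000010000}  # module memory
    print(evaluate(GuestSnapshot(tampered, {"clamd"})))
```

Because the snapshot comes from below the OS, a rootkit that patches the table or kills the agent cannot also rewrite what the inspector sees, which is the property the paper relies on.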

CONCLUSION

In a world where the perimeter no longer offers sufficient protection against threats, Bracket Full Workload Isolation not only augments existing security solutions, it also operates separately from the OS, leaving it not susceptible to malicious attacks. With the solution’s single, consistent set of security controls across hybrid clouds, IT no longer needs to contend with the complexity of myriad controls or policy stances. Further, Bracket’s transparency and immutability mean that it can never be turned off.

For more information, visit [email protected].