Cybersecurity

Isolate and conquer: Getting past a reliance on layered security

threat

It is no exaggeration to say that every aspect of our online society and critical infrastructure is being actively probed for vulnerabilities. Last year delivered more compelling evidence of the crippling economic consequences of cyberattacks by nation states and wealthy crime syndicates. The Internet is already a key battleground in international conflicts, and agencies are under relentless attack. Yet while we typically hear about the costly consequences of data breaches, we seldom hear how an attack started.

The recent Verizon Data Breach Investigations Report confirms the ugly truth: 71 percent of attacks start at endpoint devices because humans are easy to deceive. A single click can give an attacker a gateway to an agency's network. Federal employees and contractors must assume their endpoints will remain under targeted assault.

Organizations across government and industry reflexively respond to those attacks by layering a dizzying array of security measures on devices: data loss prevention, sandboxing, host-based intrusion prevention, whitelisting, return-oriented programming mitigation, and rootkit and bootkit detection, among others.

As reasonable as layered security sounds, though, it is ultimately a game of diminishing returns. Each newly layered defense adds cost, negatively affects the user experience and remains susceptible to the same Achilles' heel: Stacks of layered security can be uniformly defeated by attacks that exploit vulnerabilities deep within device operating systems, such as the Windows kernel. Unfortunately, such critical vulnerabilities are being discovered at an alarming rate: More than 80 Windows kernel vulnerabilities were disclosed in 2013, up from 26 in 2012.

In view of layered security's shortcomings, we need to radically overhaul the security of our endpoints. They must be inherently secure -- by design. If we could achieve that, devices would shrug off persistent attacks even when targeted employees are enticed into clicking links and attachments.

Fortunately, thanks to the relentless progress of Moore's law and a new technique called micro-virtualization, that goal is within reach.

Micro-virtualization takes advantage of unused virtualization features on PCs' CPUs to invisibly hardware-isolate each task -- such as each tab in a browser, each file being edited or each email and attachment. Once isolated in this manner -- in solitary confinement -- a task cannot be hijacked for attacking the operating system, stealing data or accessing agencies' networks if malware arrives and "detonates" in the course of employees' work.

This isolation-based defense turns the security problem on its head. It eliminates false positives and the debate over detecting "new" versus common malware because micro-virtualization isolates any malicious activity, period. Clicking on a poisoned attachment is not a risk -- a compromised task will simply be discarded when the user closes the application. Users can safely click on anything; even when they make a mistake, the system will defend itself.

Agencies that adopt isolation can stop mandating new endpoint controls that hamper users and instead rely on PC hardware they have already bought and deployed. Additionally, data on what is triggering micro-virtualized tasks to close and kill malicious processes can be reported to security teams for tuning perimeter and other defenses against attack activity they would have otherwise missed.

Mobility and consumerization of IT are here to stay, which makes micro-virtualization a timely, compelling strategy. With micro-virtualization on their devices, agencies can confidently say yes to telecommuting, Web applications and other demands while still protecting users from threats that target things such as legacy Java or unpatched devices. Endpoints automatically isolate and shrug off malware, users stay productive with Federal Information Security Management Act-compliant settings intact, and collaboration with interagency and industry partners can continue apace.

By using hardware to automatically isolate every potentially threatening task, we can make our devices secure by design -- and securely maximize agencies' potential in the digital domain.

About the Author

Simon Crosby is co-founder and chief technology officer at Bromium.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • FCW @ 30 GPS

    FCW @ 30

    Since 1986, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

  • Shutterstock image.

    Merged IT modernization bill punts on funding

    A House panel approved a new IT modernization bill that appears poised to pass, but key funding questions are left for appropriators.

  • General Frost

    Army wants cyber capability everywhere

    The Army's cyber director said cyber, electronic warfare and information operations must be integrated into warfighters' doctrine and training.

  • Rising Star 2013

    Meet the 2016 Rising Stars

    FCW honors 30 early-career leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group