Cybersecurity

Isolate and conquer: Getting past a reliance on layered security

threat

It is no exaggeration to say that every aspect of our online society and critical infrastructure is being actively probed for vulnerabilities. Last year delivered more compelling evidence of the crippling economic consequences of cyberattacks by nation states and wealthy crime syndicates. The Internet is already a key battleground in international conflicts, and agencies are under relentless attack. Yet while we typically hear about the costly consequences of data breaches, we seldom hear how an attack started.

The recent Verizon Data Breach Investigations Report confirms the ugly truth: 71 percent of attacks start at endpoint devices because humans are easy to deceive. A single click can give an attacker a gateway to an agency's network. Federal employees and contractors must assume their endpoints will remain under targeted assault.

Organizations across government and industry reflexively respond to those attacks by layering a dizzying array of security measures on devices: data loss prevention, sandboxing, host-based intrusion prevention, whitelisting, return-oriented programming mitigation, and rootkit and bootkit detection, among others.

As reasonable as layered security sounds, though, it is ultimately a game of diminishing returns. Each newly layered defense adds cost, negatively affects the user experience and remains susceptible to the same Achilles' heel: Stacks of layered security can be uniformly defeated by attacks that exploit vulnerabilities deep within device operating systems, such as the Windows kernel. Unfortunately, such critical vulnerabilities are being discovered at an alarming rate: More than 80 Windows kernel vulnerabilities were disclosed in 2013, up from 26 in 2012.

In view of layered security's shortcomings, we need to radically overhaul the security of our endpoints. They must be inherently secure -- by design. If we could achieve that, devices would shrug off persistent attacks even when targeted employees are enticed into clicking links and attachments.

Fortunately, thanks to the relentless progress of Moore's law and a new technique called micro-virtualization, that goal is within reach.

Micro-virtualization takes advantage of unused virtualization features on PCs' CPUs to invisibly hardware-isolate each task -- such as each tab in a browser, each file being edited or each email and attachment. Once isolated in this manner -- in solitary confinement -- a task cannot be hijacked for attacking the operating system, stealing data or accessing agencies' networks if malware arrives and "detonates" in the course of employees' work.

This isolation-based defense turns the security problem on its head. It eliminates false positives and the debate over detecting "new" versus common malware because micro-virtualization isolates any malicious activity, period. Clicking on a poisoned attachment is not a risk -- a compromised task will simply be discarded when the user closes the application. Users can safely click on anything; even when they make a mistake, the system will defend itself.

Agencies that adopt isolation can stop mandating new endpoint controls that hamper users and instead rely on PC hardware they have already bought and deployed. Additionally, data on what is triggering micro-virtualized tasks to close and kill malicious processes can be reported to security teams for tuning perimeter and other defenses against attack activity they would have otherwise missed.

Mobility and consumerization of IT are here to stay, which makes micro-virtualization a timely, compelling strategy. With micro-virtualization on their devices, agencies can confidently say yes to telecommuting, Web applications and other demands while still protecting users from threats that target things such as legacy Java or unpatched devices. Endpoints automatically isolate and shrug off malware, users stay productive with Federal Information Security Management Act-compliant settings intact, and collaboration with interagency and industry partners can continue apace.

By using hardware to automatically isolate every potentially threatening task, we can make our devices secure by design -- and securely maximize agencies' potential in the digital domain.

About the Author

Simon Crosby is co-founder and chief technology officer at Bromium.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • Social network, census

    5 predictions for federal IT in 2017

    As the Trump team takes control, here's what the tech community can expect.

  • Rep. Gerald Connolly

    Connolly warns on workforce changes

    The ranking member of the House Oversight Committee's Government Operations panel warns that Congress will look to legislate changes to the federal workforce.

  • President Donald J. Trump delivers his inaugural address

    How will Trump lead on tech?

    The businessman turned reality star turned U.S. president clearly has mastered Twitter, but what will his administration mean for broader technology issues?

  • Login.gov moving ahead

    The bid to establish a single login for accessing government services is moving again on the last full day of the Obama presidency.

  • Shutterstock image (by Jirsak): customer care, relationship management, and leadership concept.

    Obama wraps up security clearance reforms

    In a last-minute executive order, President Obama institutes structural reforms to the security clearance process designed to create a more unified system across government agencies.

  • Shutterstock image: breached lock.

    What cyber can learn from counterterrorism

    The U.S. has to look at its experience in developing post-9/11 counterterrorism policies to inform efforts to formalize cybersecurity policies, says a senior official.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group