Cybersecurity

Isolate and conquer: Getting past a reliance on layered security

threat

It is no exaggeration to say that every aspect of our online society and critical infrastructure is being actively probed for vulnerabilities. Last year delivered more compelling evidence of the crippling economic consequences of cyberattacks by nation states and wealthy crime syndicates. The Internet is already a key battleground in international conflicts, and agencies are under relentless attack. Yet while we typically hear about the costly consequences of data breaches, we seldom hear how an attack started.

The recent Verizon Data Breach Investigations Report confirms the ugly truth: 71 percent of attacks start at endpoint devices because humans are easy to deceive. A single click can give an attacker a gateway to an agency's network. Federal employees and contractors must assume their endpoints will remain under targeted assault.

Organizations across government and industry reflexively respond to those attacks by layering a dizzying array of security measures on devices: data loss prevention, sandboxing, host-based intrusion prevention, whitelisting, return-oriented programming mitigation, and rootkit and bootkit detection, among others.

As reasonable as layered security sounds, though, it is ultimately a game of diminishing returns. Each newly layered defense adds cost, negatively affects the user experience and remains susceptible to the same Achilles' heel: Stacks of layered security can be uniformly defeated by attacks that exploit vulnerabilities deep within device operating systems, such as the Windows kernel. Unfortunately, such critical vulnerabilities are being discovered at an alarming rate: More than 80 Windows kernel vulnerabilities were disclosed in 2013, up from 26 in 2012.

In view of layered security's shortcomings, we need to radically overhaul the security of our endpoints. They must be inherently secure -- by design. If we could achieve that, devices would shrug off persistent attacks even when targeted employees are enticed into clicking links and attachments.

Fortunately, thanks to the relentless progress of Moore's law and a new technique called micro-virtualization, that goal is within reach.

Micro-virtualization takes advantage of unused virtualization features on PCs' CPUs to invisibly hardware-isolate each task -- such as each tab in a browser, each file being edited or each email and attachment. Once isolated in this manner -- in solitary confinement -- a task cannot be hijacked for attacking the operating system, stealing data or accessing agencies' networks if malware arrives and "detonates" in the course of employees' work.

This isolation-based defense turns the security problem on its head. It eliminates false positives and the debate over detecting "new" versus common malware because micro-virtualization isolates any malicious activity, period. Clicking on a poisoned attachment is not a risk -- a compromised task will simply be discarded when the user closes the application. Users can safely click on anything; even when they make a mistake, the system will defend itself.

Agencies that adopt isolation can stop mandating new endpoint controls that hamper users and instead rely on PC hardware they have already bought and deployed. Additionally, data on what is triggering micro-virtualized tasks to close and kill malicious processes can be reported to security teams for tuning perimeter and other defenses against attack activity they would have otherwise missed.

Mobility and consumerization of IT are here to stay, which makes micro-virtualization a timely, compelling strategy. With micro-virtualization on their devices, agencies can confidently say yes to telecommuting, Web applications and other demands while still protecting users from threats that target things such as legacy Java or unpatched devices. Endpoints automatically isolate and shrug off malware, users stay productive with Federal Information Security Management Act-compliant settings intact, and collaboration with interagency and industry partners can continue apace.

By using hardware to automatically isolate every potentially threatening task, we can make our devices secure by design -- and securely maximize agencies' potential in the digital domain.

About the Author

Simon Crosby is co-founder and chief technology officer at Bromium.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.