ITSPmagazine’s John Dasher sat down at Black Hat 2018 with Willy Leichter, Vice President of Marketing at Virsec, to talk about how Virsec uses a novel approach to protect enterprises from advanced memory-based attacks with near 100% accuracy.
Virsec takes a unique approach to security – they’re trying to secure applications from the inside out, as opposed to the traditional “outside in” security model where you’re trying to catch all the bad stuff that could potentially make its way in. They do this by looking at the execution of the application, focusing on fileless attacks, memory-based attacks, and other subtle, insidious attacks.
Attackers are not sending conventional payloads; they’re sending scripts or bits and pieces that get re-assembled. Imagine that you take a 3D laser printed gun, disassemble it into parts, and bring it through security via different people at different times – it’s just pieces of plastic. It’s really not a gun until it’s reassembled. This may be a bit of a stretch, but Virsec is seeing similar things: attackers come in not by dropping a huge payload, but by gaining a foothold, perhaps through a vulnerability, and then leveraging it so that nothing is actually weaponized until the application is running.
So how do they know what ‘normal’ looks like? Do they have to ‘fingerprint’ applications? They have a process in which they create an ‘app map’ – when an application is loaded into runtime memory, all of its memory jumps are assigned at that moment and are all predictable – and then they monitor all these jumps in real time.
So it’s really not a machine learning process per se; it’s a mapping process based on the current version of the software. For any operating system that their solution can run on, they can protect all the apps on it.
They chat about all this and more — so take a listen and enjoy!