Cybersecurity: Defending the Defenseless OS
In what could be a significant data security advance, Bracket Computing has launched a new capability designed to defend against the most insidious of “persistent” attackers, those that gain privileged access to a server and then burrow into the operating system for months on end, wreaking havoc.
The Mountain View company, whose blue-chip customer list includes Goldman Sachs, Wells Fargo, General Electric and DirecTV, said its new Server Guard offering fends off the kind of attack that exploited the Apache Struts vulnerability believed to be at the heart of the recent Equifax breach, and the similar large-scale intrusions at Sony, Target and HBO.
According to Bracket, Server Guard safeguards the critical parts of the operating system both on disk and while running in memory, and it can do so against a fully privileged attacker because it does not run inside the OS at all. Instead, it resides in Bracket’s “Metavisor” technology, which uses virtualization to isolate Server Guard from the guest OS. This means that even an attacker who gains privileged, or “root,” access to a server cannot get past Server Guard. The result, Bracket said, is “immutable security,” security that can’t be turned off or bypassed.
“To maximize damage, modern cyber attacks use sophisticated techniques to remain undetected for as long as possible,” said John Pescatore, Director at SANS Institute, a data security research organization. “Security controls that can efficiently and effectively reduce both time to detect and time to mitigate advanced targeted attacks are critical for protecting business applications and sensitive data.”
Servers have a stratified privilege model: most applications run as an ordinary “user,” while fully privileged “root” access is reserved for administrators who reconfigure how the server runs. Attackers inside a network typically seek root, because with it they can modify the kernel and system binaries, including the security agent itself, and so evade any agent that runs as a process inside the same OS. That is what gives them long-term persistence.
Bracket’s Metavisor is a virtualization technology that doesn’t reside in the OS; instead, according to the company, the OS talks to the Metavisor as it would any cloud hypervisor. Server Guard analyzes critical parts of a running OS. “With no prior knowledge of the attack, Server Guard causes Linux privilege escalation and rootkit attacks to simply bounce off, even if the server is not patched and running a known vulnerability,” reports Bracket.
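The two preceding paragraphs describe why a root-level attacker can hide from an agent inside the OS but not from a monitor outside it. The following Python model is an added illustration, not Bracket code and not a description of how the Metavisor is implemented: it stands in a guest filesystem with a few “critical” files in a temporary directory, gives an in-guest agent a baseline stored on that filesystem, gives an out-of-guest monitor a baseline held outside the guest, and then lets a simulated root attacker replace a kernel module and rewrite the in-guest baseline. The file names, the `InGuestAgent` and `OutOfGuestMonitor` classes and the “rootkit payload” are all constructed for the example.

```python
"""Added example (not Bracket's code): why 'root can't stop root' for an
in-guest integrity agent, and why a monitor whose reference state lives
outside the guest still sees the tampering.  Everything here is simulated
in a temporary directory; no real kernel or hypervisor is involved."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-ins for the "critical parts of the OS" being guarded.
CRITICAL = ["boot/vmlinuz", "lib/modules/core.ko", "sbin/init"]


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_guest(root: Path) -> None:
    """Create a fake guest filesystem with known contents."""
    for rel in CRITICAL:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(f"original contents of {rel}\n".encode())


def measure(root: Path) -> dict:
    """Hash every critical file; this is the 'measurement' both sides take."""
    return {rel: sha256_file(root / rel) for rel in CRITICAL}


class InGuestAgent:
    """An agent running as a process inside the guest.  Its baseline is a
    file under the guest root, so anyone with root in the guest can rewrite
    it (or simply kill the agent; not modelled here)."""

    def __init__(self, root: Path) -> None:
        self.root = root
        self.baseline_path = root / "var/lib/agent/baseline.json"
        self.baseline_path.parent.mkdir(parents=True, exist_ok=True)
        self.baseline_path.write_text(json.dumps(measure(root)))

    def check(self) -> list:
        """Return the critical files whose hash differs from the baseline."""
        baseline = json.loads(self.baseline_path.read_text())
        return [rel for rel, h in measure(self.root).items() if baseline[rel] != h]


class OutOfGuestMonitor:
    """A monitor in the position of a hypervisor-level control: it can read
    guest state, but its baseline is held outside the guest, where guest
    root has no write access.  This is a model of the trust boundary, not
    of Bracket's actual implementation."""

    def __init__(self, root: Path) -> None:
        self.root = root
        self._baseline = measure(root)  # lives outside the guest

    def check(self) -> list:
        return [rel for rel, h in measure(self.root).items() if self._baseline[rel] != h]


def root_attacker_installs_rootkit(root: Path, agent: InGuestAgent) -> None:
    """Simulated attacker who already has root: swap in a malicious kernel
    module, then re-baseline the in-guest agent so the change looks expected."""
    (root / "lib/modules/core.ko").write_bytes(b"rootkit payload\n")
    # Root can write anything the agent can read, including its own baseline.
    agent.baseline_path.write_text(json.dumps(measure(root)))


def run_scenario() -> dict:
    """Returns what each monitor reports after the simulated rootkit install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_guest(root)
        agent = InGuestAgent(root)
        monitor = OutOfGuestMonitor(root)
        root_attacker_installs_rootkit(root, agent)
        return {"in_guest": agent.check(), "out_of_guest": monitor.check()}


if __name__ == "__main__":
    print(run_scenario())
```

Running the script shows the in-guest agent reporting nothing wrong while the out-of-guest monitor flags `lib/modules/core.ko`. The point generalises beyond this toy: any integrity control is only as strong as the privilege domain that holds its reference state and its code, which is why placing both below the guest OS, as a hypervisor-level control does, changes what a root-level attacker can reach.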
“We like to say that root can’t stop root,” said Jason Lango, co-founder and CTO of Bracket Computing. “What that means is when an attacker has the highest privilege in a server, the server cannot defend itself from the attack. Our new Server Guard, running in the Bracket Metavisor, can defend the server even when the server can’t defend itself.”
Another feature of Server Guard is that it cannot be turned off or bypassed by a rogue insider or an outside attacker, even one with root access. Bracket said this has two benefits. First, it is transparent to development and operations teams: whether they use native Amazon controls, on-prem VM controls or third-party orchestration tools, they see no changes or impediments to the dev/ops workflow. Second, a rogue administrator cannot evade the protections Server Guard offers, because Server Guard resides in the Metavisor, not in the OS itself.