Virsec has come a long way in the past few years. As recently as 2017, its technology only focused on memory protection. 5 years, $137 million in funding and the addition of host and feedback protection later, the company is looking to revolutionise cybersecurity, quite literally, from the inside out.
Greg Kelton, Regional Director of Europe at Virsec, is on the frontlines of that revolution. The enemy? Dwell time.
“We’re seeing a monumental shift in the industry – from detection to protection response. So what does that mean? Detection response is the traditional approach to cybersecurity, stemming from traditional tools such as EDRs, WAFs, and so on. The problem with these tools is their dwell time – that’s the key phrase here. Traditional tools will detect an attack but expect a human to respond, dwell time is the interval between detection and response. A typical dwell time is 6-7 days, but ransomware takes milliseconds to kick in – an obvious flaw, right? What we’re trying to do is eradicate dwell time entirely by moving from a reactive to a proactive approach, protection response, or as we like to call it, a probabilistic to deterministic approach,” Kelton said.
It isn’t just dwell time that Kelton takes issue with. He argues that in the current system, a company must suffer a breach before they, or anyone else, can respond.
“So right now, the game looks like this: A company suffers a zero-day attack, they put their hand up and admit to it, then every other company scrambles to patch their own zero-days before they suffer an attack. What we’re trying to say is: if we reduce dwell time, no-one needs to get attacked. Of course, this is very difficult to do, and isn’t actually in everyone’s best interest. See, a lot of big names make a lot of money reading log files spit out from the runtime – but by this point it’s too late. Once the data has been analysed, correlated, and placed in front of a human, the attack has already been carried out. This is why it’s called a probabilistic approach. Your traditional tools tell you that you have ‘probably’ been attacked, but it’s up to a human to sift through the false positives and determine whether you were actually being attacked. By the time you know, it’s all over,” Kelton said.
This is where the deterministic approach comes in. Virsec’s technology doesn’t tell you that you might have been attacked, it determines that you have been hacked, and stops it before the damage is done.
“Attacks are only exposed at the time of execution. This is the problem with tools such as EDRs, they have no insight into execution, and thus have no idea whether code is malicious or not. We only look at the execution. We’re constantly staring at the runtime, be that memory level, web level, or host level, at execution. Then as soon as we see it’s malicious, we stop it. This is the key difference between a deterministic and probabilistic approach – a probabilistic approach employing tools such as EDRs lets you know when there’s something that might be malicious in your network, but by that point it’s too late, it’s on its way to be executed. A deterministic approach cuts down the perimeter solely to the execution stage, determines if the code is trying to do something it shouldn’t, and shuts it down if it needs to,” Kelton said.
When asked about the performance impacts that come with a deterministic approach, Kelton argued that it isn’t so much a technology problem, but rather to do with how it is perceived.
“Staring at the runtime is obviously going to be a performance inhibitor, but our tests have found that it’s only around 1-2%. We like to think of our technology as like wearing a bulletproof vest – yes, it will slow you down a bit, but you’re far more protected than you would be without one. The simple question is, do you want to be the guinea pig, the sacrificial lamb that puts their hand up and admits they’ve been hacked so that your competitors can patch their vulnerabilities, or do you want to know you’re protected?” He concluded.
