Touting AI as our superhero against cyber threats? Really? Newsflash: The bad guys have AI too!
Sure, AI would be a magic wand if it was only accessible by cybersecurity vendors. But this is not the case!
So, let’s get real. AI isn’t the magic wand in cybersecurity. It’s about combining it with real strategies like Zero Trust and Kernel API virtualization. Let’s stop the AI hype train and focus on what truly works!
The Reality of AI in Cybersecurity
Artificial Intelligence (AI) is often marketed as the ultimate solution to all cybersecurity challenges. Vendors frequently claim that their AI capabilities provide unparalleled detection and prevention of cyber threats. While AI can undoubtedly enhance our capabilities, the stark reality is that cyber adversaries have access to the same technology. This parity nullifies the supposed advantage, as both defenders and attackers are equipped with similar AI tools.
What is Malware/Ransomware?
Malware and ransomware are types of malicious software that perform harmful actions on your system. Interestingly, the code within these malware and ransomware programs is legitimate in the context of CPU instructions. The CPU executes this code without discerning whether the actions are good or bad for the user.
The Core Problem
The fundamental problem with malware and ransomware is that they get executed on your system. If you never allowed these malicious programs to reach the CPU, they wouldn’t be able to cause any harm. So, the real question is:
Why are you allowing these malware/ransomware to execute?
The answer lies in the cybersecurity posture you adopt. The products you buy work with the posture of allowing all and only detecting bad, but only if they can detect it. Because they miss detection—and it’s guaranteed that they will miss detections (it’s a mathematical certainty!)—you get infected and breached.
The Two Security Postures in Cybersecurity
1. Allow ALL, deny BAD: This is the most common approach today. It involves allowing all executable files to run and then trying to detect the malicious ones using AI, ML, heuristics, behavior analysis, and EDR. However, this posture is fundamentally flawed. No detection method can guarantee 100% accuracy. As a result, undetected malware can and will cause breaches. This is why you allow malware/ransomware to execute: because you allow all and miss detection.
2. Allow Good, deny REST: This approach is more secure but not user-friendly. It involves only allowing known good applications to run while denying all others. The downside is that it restricts user flexibility and can be cumbersome to manage.
The New Security Posture:
3.Allow Good, Deny Bad, Allow Unknown with ASR
We need a new cybersecurity posture that combines the best of both worlds: allowing good applications while also managing the rest in a secure environment. This is where Zero Trust with Attack Surface Reduction (ASR) comes into play.
Zero Trust: Trust No One
In our context, Zero Trust means treating every executable file as unknown and not trusted until proven otherwise. This approach ensures that only known good applications are allowed to run freely. All other executables are subjected to strict scrutiny and run in a restrained environment where they can’t cause any harm.
Attack Surface Reduction (ASR)
When it comes to securing your enterprise endpoints, it’s important to understand that there are three types of files: the good, the bad, and the unknown. Approaches such as Antivirus, EDR, XDR, and AI-based endpoint protection handle the bad files—but what about the unknown files?
Regardless of the “next-gen” nature and effectiveness of any new pre-execution, detection-based solution, there will always be a certain number of unknown files, executables, and code that by default are allowed to run on the host if not deemed malicious. The problem is that detection-based solutions will never detect 100% of what is malicious or 100% known to be good. Unknown files may be perfectly harmless and required for system functionality, or they may be dangerous zero-day threats or APTs that cause mega breaches and damage. Your cybersecurity solution must be able to detect the difference to both prevent breaches and enable protection, but it is guaranteed to fail.
Xcitium’s Solution: Kernel API Virtualization
A key component of Xcitium technology is Kernel API Virtualization, or ZeroDwell Containment. This patented virtualization feature defeats zero-day attacks with no impact on the end-user experience and does so better than any other security technology on the market today. Xcitium’s solution uses a combination of kernel API virtualization, machine learning, behavior analysis, and advanced static and dynamic threat cloud analysis (Xcitium Verdict Cloud) to accurately and quickly deliver a 100% trusted verdict for unknown files and processes.
Pre-execution, our technology authenticates every executable and process that requests runtime privileges, and if not 100% known-good or known-bad, the file or object is deemed unknown and ushered inside a secure, virtual environment that does not allow WRITE access to system resources or user data. This provides total protection against zero-day threats, proactively prevents damage, and has no impact on end-user experience or workflows because the user can continue to execute the executable file. There is no blocking of user workflow or shipping this file to some other sandbox for detonation like old legacy sandboxes do. Whether the unknown files are malicious or safe, our technology is architected so they run and perform in autocontainment just as well as they would on the actual host system. However, they cannot damage or infect the systems because they cannot access the underlying system. This allows safe applications the freedom to run as needed while denying malicious applications the system access they need to deliver their payloads.
This protection is achieved by introducing a virtualization layer between processes running an unknown executable with Kernel functions. We have introduced five main virtualization components that filter any relevant Kernel calls or callbacks:
1. File System
2. Registry
3. Kernel Object
4. Service
5. DCOM/RPC
By Virtualizating these 5 components, you take away the capability to cause damage for any new malicious code.
Zero Trust and ASR in Action
By combining Zero Trust with ASR, we can create a highly resilient security posture that effectively takes away capabilities from the attackers. Here’s how:
1. Isolating and Restricting Unknown Executables: Unknown executables are allowed to run but in a restricted mode where they can’t cause damage. This prevents ransomware and malware from executing harmful actions. Using ASR, we create a controlled environment that limits what the unknown software can do. For instance, the software may be allowed to run in a sandboxed environment where it cannot access critical system files, make network connections, or interact with other applications. This containment strategy ensures that even if the software is malicious, it cannot perform actions that could harm the system.
2. Reducing the Attack Surface: By validating API calls at the kernel level, we limit the actions that malicious software can perform. This minimizes the risk of breaches. With KLASR, every API call made by an application is intercepted and scrutinized. Only those calls that are verified and deemed safe are allowed to proceed. This significantly reduces the chances of a malicious action slipping through, as unauthorized or suspicious API calls are blocked outright.
3. Guilty Until Proven Innocent: In this new standard, all code is treated as guilty until it is proven to be good. This ensures that even if malicious software manages to infiltrate, it cannot cause harm. This approach flips the traditional model on its head. Instead of assuming software is safe until proven otherwise, we assume it is potentially harmful and subject it to rigorous checks. Only after it has passed these checks is it allowed to operate without restrictions.
A Takeaway Thought
If you were creating ransomware, would you release it knowing it would be detected immediately? Of course not! You’d make sure it’s undetectable before unleashing it. This is why relying solely on detection methods is a recipe for disaster.
Consider this analogy: It’s 10 pm, and a stranger knocks on your door. You invite them in, and they sit on your sofa for 24 hours. Can you say they’re a good person just because they haven’t done anything bad? Of course not! Absence of bad behavior does not make someone good. Yet, in today’s cybersecurity world, we often assume unknown code is good if it doesn’t exhibit bad behavior immediately. This mentality needs to change.
Conclusion
AI can enhance cybersecurity efforts, but it is not a standalone solution. Both defenders and attackers have access to AI, making it an even playing field. What is required is a ‘new posture’ versus buzzword tools that don’t change the way we operate. The true game-changers in cybersecurity are strategies like Zero Trust and ASR with Kernel API Virtualization. These approaches take away capabilities from the adversaries and significantly improve our security posture.
So, let’s stop the AI hype train and focus on what truly works: robust, proactive defense strategies that provide real, tangible protection against cyber threats. With Zero Trust and ASR, you’ll have something the adversaries don’t: real protection and disruption of their attacks. That’s the true game-changer we can bring to the table!