Bracket Forensics and Threat Defense - Bracket Computing




Bracket Forensics and Threat Defense

INTRODUCTION

Today’s enterprises demand the power of the hybrid cloud. Dynamic and flexible, it transforms computing into a utility and fundamentally improves a business’s ability to innovate. As the data center becomes increasingly dispersed, however, perimeter defenses prove inadequate for protecting it against threats. Network micro-segmentation offers additional protection, but the network is only one part of an enterprise workload. Business requires a complete solution—one that protects not only the network, but also the storage and compute resources that compose a typical workload. Further, solutions should be built for the cloud, not retrofitted to it, and should address the security and control challenges unique to the modern hybrid data center.

Critical among these solutions is implementing a single set of security policies across heterogeneous infrastructure, which avoids operational complexity, the resulting increased costs and—worse—the security gaps that follow from human error. Equally important is preserving the separation of duties between enterprise IT and development and operations, which allows IT to retain control, even in a self-service world.

Bracket Computing’s Full Workload Isolation solution completely reimagines the way enterprises create, implement, and ensure workload security. At the heart of the Bracket solution sits the Metavisor™, an advanced virtualization layer running between the guest operating system and the hypervisor of the underlying cloud. Isolated and immutable, it provides an unprecedented level of security.

BRACKET THREAT DEFENSE FORENSICS

As enterprises move from strictly on-premises infrastructure to the hybrid cloud, IT security must rethink how it protects workloads and responds to unfolding events. Unlike installations in a private data center, network-based solutions such as IDS and DLP, or VMware hypervisor-based security solutions, prove problematic on hybrid clouds because there is no access to the underlying infrastructure. This problem has forced enterprises to move from solutions running outside the host to agent-based solutions operating within it. Though this approach provides benefits such as highly scalable security, it has a significant downside—once a host is compromised, its agents cannot be trusted to provide accurate information.

In addition, moving to the public cloud disrupts incident response workflows. Because cloud providers do not allow hypervisor access, memory dumps must be taken from inside the OS, which can yield tainted memory and slows the detection of data breaches. These complexities compound existing issues around discovery and remediation of attacks. With malware becoming more sophisticated and detection and remediation times increasing (205 days and 32 days respectively in 2016), the likelihood of a data breach is determined by the hacker’s ability to hide while moving laterally through an enterprise’s systems.



ANATOMY OF AN ATTACK

When attackers first gain access to a Linux guest, they will typically attempt to escalate their privileges. This enables malware not only to take control of the OS but, more importantly, to cover its tracks. The first things malware will attempt after a privilege escalation are to:

• Shut down any security agent that can block it from executing
• Hide itself by patching the syscall table (normally a read-only part of kernel memory)
• Establish command and control of the running instances
• Use this position as a jumping-off point to search for other vulnerable hosts or to start exfiltrating data
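The syscall-table patching named in the second bullet is exactly the kind of tampering an in-guest agent can no longer be trusted to report once it has happened, which is why forensic tools verify it out-of-band, against a memory image. The script below is an added illustration of that check and is not Bracket's code: it takes a syscall table as it would be read out of a memory image, resolves each entry against a kallsyms-style symbol listing, and flags any pointer that falls outside the kernel text segment (between `_stext` and `_etext`) or does not land on a known symbol. Both the symbol listing and the table are constructed sample data, not addresses from any real kernel.

```python
"""
Verify a Linux syscall table recovered from a memory image against the kernel's
own symbol map. In a clean kernel every entry points at a symbol inside the
kernel text segment; an entry that points elsewhere (into a loaded module or an
unmapped region) or at no known symbol is the classic footprint of a hooked
syscall table.

All data below is constructed for illustration; none of it comes from a real
kernel or from the white paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a /proc/kallsyms or System.map listing:
# "<address> <type> <name>" per line.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81020000 T __x64_sys_read
ffffffff81020100 T __x64_sys_write
ffffffff81020200 T __x64_sys_open
ffffffff81020300 T __x64_sys_getdents64
ffffffff81a00000 T _etext
"""

# Constructed syscall table as read out of the memory image: syscall number ->
# function pointer. Entry 217 (getdents64, the syscall rootkits hook to hide
# files) has been redirected to an address outside the kernel text.
SYSCALL_TABLE = {
    0: 0xFFFFFFFF81020000,
    1: 0xFFFFFFFF81020100,
    2: 0xFFFFFFFF81020200,
    217: 0xFFFFFFFFC0A01000,  # not in [_stext, _etext): hooked
}


@dataclass
class Finding:
    """One suspicious syscall table entry."""
    index: int
    address: int
    symbol: Optional[str]  # resolved symbol name, or None if unresolvable


def parse_kallsyms(text: str) -> Tuple[Dict[int, str], int, int]:
    """Parse a kallsyms-style listing.

    Returns ({address: name}, text_start, text_end), where the text segment
    bounds come from the _stext and _etext symbols.
    """
    symbols: Dict[int, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, _sym_type, name = line.split()
        symbols[int(addr, 16)] = name
    by_name = {name: addr for addr, name in symbols.items()}
    return symbols, by_name["_stext"], by_name["_etext"]


def check_syscall_table(table: Dict[int, int], kallsyms_text: str) -> List[Finding]:
    """Return every table entry that is outside the kernel text segment or
    inside it but not at a known symbol. An empty list means the table is clean."""
    symbols, text_start, text_end = parse_kallsyms(kallsyms_text)
    findings: List[Finding] = []
    for index, addr in sorted(table.items()):
        name = symbols.get(addr)
        in_text = text_start <= addr < text_end
        if not in_text or name is None:
            findings.append(Finding(index, addr, name))
    return findings


if __name__ == "__main__":
    for f in check_syscall_table(SYSCALL_TABLE, KALLSYMS):
        print(f"syscall {f.index}: 0x{f.address:x} -> {f.symbol or '<unknown>'} (SUSPICIOUS)")
```

Because the table and the symbol map are both taken from the memory image rather than asked of the running guest, the check still works when the guest's own agents have been shut down or patched; that is the same reasoning the paper applies to taking memory from outside the OS rather than inside it.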

A COMPLETE SECURITY SOLUTION

The Bracket solution helps organizations prevent these kinds of attacks, as well as clean up after an attack, through ac