A More Effective Approach to Endpoint Security

Digital Immunity
Advanced Threat Prevention
Copyright 2015 All Rights Reserved Digital Immunity
Endpoint Security Solutions Are Failing
According to Gartner, in 2014, $71.1B was spent on information security including antivirus, firewalls, intrusion prevention and detection systems. Yet malware continues to infest systems and cause massive data breaches.
Organization                   | # Records   | Duration    | Likely Method
Anthem                         | 80,000,000  | > 6 weeks   | Malware on server + compromised login credentials*
Home Depot                     | 56,000,000  |             | Malware on cash registers*
JPMorgan Chase                 | 76,000,000  | ~Two months | Malware on an employee's PC*
eBay                           | 145,000,000 |             | Credentials theft from employees
Target                         | 70,000,000  | 19 days     | Malware on credit/debit card terminals*
Premera BlueCross, Blue Shield | 11,000,000  | > 8 months  | Malware on server + compromised login credentials*

* Malware on an Endpoint contributed to the thefts of 202 million records in five of the six cases
Clearly money is not the solution. We need an entirely different approach.
Flawed Approaches Limit Success
The “defensive perimeter” created by conventional techniques is useful, but it is effective only if it is perfect: malicious software exposes executing software to in-memory attacks during execution. Detecting such malicious “foreign” code during execution, from within the defensive perimeter, remains a critical priority that has not been sufficiently addressed.
Conventional approaches offer some level of protection, but they are flawed. Many penetrations exploit vulnerabilities to dynamically modify targeted executables or their execution paths [i]. Equally challenging is the administrative overhead these traditional approaches require:
• False positives dull our responsiveness
• Behavioral approaches take too much time to get smart
• Error-prone human intervention is required
• Quarantines can’t identify unknown threats
Simply stated, effective protection against malicious code penetrating the perimeter means distinguishing good code from malicious code, even if it becomes malicious during execution.
Unless we change our approach, malicious attacks expose your intellectual property, hurt your brand and call your operational integrity into question.
Technology | How It Works | Challenges
Digital Immunity™ Endpoint DNA™ | All code is checked on executable launch, at exit, and frequently at runtime using patented low-impact methods; untrusted or compromised code is not allowed to run; no false positives | Script-borne attacks such as Word macros or PDFs are caught as they download additional payload
Whitelisting | Compares entire applications or other components to known good versions | Does not detect compromise of an initially good program during its execution
Virtualization, sandboxing | Applications or smaller components are isolated during execution and given access to only those resources required to execute | Malware may appear to be legitimately exporting stolen information; the sandbox may not be escape-proof
Data encryption | Data at rest (databases, in-memory data) and data in motion is encrypted so that untrusted access is useless | Data must be unencrypted to be used and may be stolen then
Firewall | Controls incoming and outgoing network traffic based on rules at the packet or higher layer; may also include proxy and network address translation features | Malware that is not detected can still execute on the Endpoint; does not prevent zero-day attacks; false positives
Intrusion Detection / Prevention Systems (IDS / IPS) | Monitors (IDS) a network for suspicious traffic by analyzing protocol activity, typically watching for signatures, statistical anomalies, and protocol deviations; IPS also stops detected anomalies | See firewall
Host-Based Intrusion Prevention System | Monitors a host (server) for suspicious activity by analyzing events and objects within that host | See firewall
Antivirus | Detects and optionally removes malware, usually based on frequently updated signatures, on code characteristics typical of malware, or on threat behaviors typical of malware during runtime | See firewall, plus behavioral analysis only operates after malicious actions are under way
Introducing Application DNA Mapping
Digital Immunity (DI) has invented an effective approach to protecting applications and greatly enhancing your security posture. DI requires less administrative overhead due to its unique Endpoint DNA Mapping approach. By comparing application DNA from a trusted source to the code being executed at run time, Endpoint DNA Mapping is a foolproof mechanism to identify and terminate bad code without the complexity of signature-based, behavioral, container-based or other time-consuming and resource-intensive approaches, all of which are prone to false positives or, even worse, do not detect zero-day attacks or APTs.
Application DNA Mapping is brilliant in its simplicity, but when executed properly it is a powerful replacement for today's failing approaches to Endpoint security. Based on techniques from three related disciplines (bioinformatics, steganography and formal language theory), Endpoint DNA is used to detect an attempted execution of foreign software, verify the integrity of executing code and capture malicious instruction sequences as forensic information.
CALLOUT:
“Working in one of the most demanding security environments in the world, JP Morgan has access to the latest security offerings available. Having put Digital Immunity (DI) to the test, I can tell you it works as advertised. When malware was inserted into the system, the DI software prevented the code from executing, and reported that activity to us. We are very focused on data collection and DI’s high-performance gives the ability to very quickly see what is running on any Endpoint, at the lowest level of code, with a very low-overhead footprint (200KB) as well as CPU utilization.”
Matthew Wong, JP Morgan
Digital Immunity’s unique and patented approach enables perfectly secure run time termination of bad code without the performance impact of cryptographic signatures that need to be repeatedly re-computed during run time. Endpoint DNA Maps are only generated once on a separate OS-specific Generator and provisioned to Endpoints where a lightweight agent, the DI Sensor, continuously verifies the in-memory integrity of applications throughout the execution cycle.
CALLOUT:
“… Digital Immunity has huge potential with its revolutionary approach
that addresses security at the foundational code execution level, in an
industry where Band-Aid approaches are more common.”
William C. Mabon – Director, Cybersecurity Products Portfolio
BAE Systems, Inc. | Intelligence & Security
Digital Immunity Endpoint DNA Architecture
Endpoint memory is the last accessible point before
execution and the most effective point for “foreign
code” detection and mediation. Since run-time
exploitation can occur at any point during execution,
this requires continuous run-time detection of malicious
code and verification of the integrity of the trusted
code target.
CALLOUT:
“Cyber security would do well to copy the biologic world when and where it can. For Digital Immunity, as for Nature, the core control algorithm is a string of symbols, unique per individual, encoded in the living cell or the running process so as to make the "self" versus "not self" decision at no load and no latency. Within the body, an answer to the question "Is this my cell, or is it an impostor?" is what allows or disallows that cell to do something to the body. Within a running computer, an answer to the question "Is this my code, or is it an impostor?" is what allows or disallows that code to do something to the execution space. For the body and for the execution space, this only works if (1) what differentiates self from not-self cannot be reverse engineered by a hostile actor and (2) it is unique to "self." Digital Immunity achieves this and thus earns its name.”
Dan Geer – Chief Information Security Officer, In-Q-Tel
Digital Immunity has developed application DNA Mapping as a solution to the fundamental problem of run time detection of foreign code and dynamic tampering. Using a novel combination of bioinformatics, steganography and formal language theory, this perfectly secure (Cachin, 2005) patented (Probert T. H., 2004; Probert T. H., 2009; Probert T., 2012) method offers a significant performance advantage over cryptographic signatures for continuous integrity verification of executing code.
Figure 2: Digital Immunity Virtual Appliance Architecture
SIDEBAR:
BENEFITS:
In-Memory Protection, Efficient Mediation, Robust Forensics
• Hardens Endpoints against run-time threats even if already contaminated
• No modifications to protected software
• High performance - continuously verifies all executing code
• Small Endpoint footprint
• Identify APT indicators in real time
• Capture malware code in context for high-resolution forensics
• No false positives or negatives
• Fully scalable
The Digital Immunity Security solution is comprised of the following components:
DI DNA Map Generators. Application DNA Maps are generated by installing an
application binary on a DI Generator from a trusted source. DI DNA Maps™ are
automatically created for all application, library and kernel binaries with no
administrative overhead.
Each binary instruction is a sequence of bit patterns in memory representing
various components.
Figure 3: DNA Map Generation Results
During execution, any deviation from the “expected” execution sequence differentiates good code from dynamically tampered code. If an “unexpected” invariant is encountered in the execution sequence, the executable or its execution path must have been modified. At this point the administrator-set policy is invoked to either notify & terminate the execution or notify only. Detection at this level also provides forensic information such as the specific instruction entry point of the attack.
The DI Map Manager
DI DNA Maps are forwarded to the DI Map Manager where they are both logged and stored in the Database.
The DI Map Manager responds to requests for Maps when received from the Software Management System or directly from the Endpoints. These requests are “demand driven” to avoid polling and reduce network traffic.
The DI Sensor uses Maps to determine if the protected code has been modified.
A lightweight Endpoint Sensor (150 KB) is automatically installed on the Endpoint. The Sensor uses a patented stack frame analysis technique to compare the sequence of invariants in the binary function associated with the stack frame to its associated application DNA Map.
Figure 3: Endpoint DNA Map Recognition Process
The application stack contains stack frames with address and parameter information for each function in the current execution sequence. When invoked by an appropriate system call (e.g., access to the registry, file system, etc.), the
Sensor intercepts the call and uses the stack frame information to locate the code for the executing function in memory. It then locates the appropriate Map, typically cached, and does a table lookup, checking each invariant against the Map to derive the symbols in the code word. If this step-by-step sequence of invariants and symbols in the code word is correct, the Sensor performs the same process for every stack frame on the application stack. The Sensor then allows completion of the invoking system call.
CALLOUT BOX:
Protected at launch, execution & termination
At application startup (when it initially gets loaded into memory) the Sensor performs a full scan of all functions; this is called the Start Trigger. Then, during execution, the Sensor is entered during any image loading (DLLs), registry access, filesystem access, network access and thread creation, and a stack walk occurs for each of these cases. Finally, when an application exits, another full scan of all functions occurs.
This has two important effects:
The Sensor continually checks every function in the current execution stack for every executing program, but only the executing portion of the program. This provides performance that is both indiscernible by the user and usable in real-time systems.
It also verifies code in functions in which there is no system call. This provides the required coverage.
Moreover, it also captures the modified instruction sequence:
Notify Only
In cases where it is important to detect a potential attack across multiple Endpoints and facilitate remediation, but also not to disrupt users and business processes, this option detects and reports but does not terminate the application processes.
Notify and Terminate
In cases where it’s important to terminate a detected integrity fault, the Sensor captures forensic information and terminates the application process. However, since library code is shared among multiple applications, it will not terminate the execution of the library but will capture all application processes using that library, together with other forensic information, and report that to the Map Manager.
Figure 5: Instruction Sequence Captured for a Code Injection
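The map generation step (Figure 3) and the Sensor's stack walk with its Notify Only / Notify and Terminate policies, modelled as an added example: this is a toy Python simulation written for this page, not Digital Immunity's code. It assumes an "invariant" is the opcode byte of each instruction with operand bytes masked out, and it uses a constructed toy instruction table rather than a real instruction set.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed toy instruction table: opcode -> instruction length in bytes (not a real ISA).
TOY_INSN_LEN = {0x55: 1, 0xB8: 5, 0xE8: 5, 0x01: 3, 0x5D: 1, 0xC3: 1, 0x90: 1}

def invariants(code: bytes) -> List[int]:
    """Generator step (assumption): keep each instruction's opcode byte and drop the
    operand bytes, so relocated call targets and immediates do not change the map."""
    ops, i = [], 0
    while i < len(code):
        ops.append(code[i])
        i += TOY_INSN_LEN.get(code[i], 1)
    return ops

def generate_map(trusted_binary: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Build the DNA Map once, per function, from a trusted copy of the binary."""
    return {fn: invariants(code) for fn, code in trusted_binary.items()}

@dataclass
class Finding:
    function: str            # which stack frame's code deviated
    offset: int              # byte offset of the first deviating instruction (attack entry point)
    expected: Optional[int]  # invariant the map predicted there (None if code grew past the map)
    observed: bytes          # injected bytes captured in context for forensics

def check_frame(fn: str, code: bytes, dna_map: Dict[str, List[int]]) -> Optional[Finding]:
    """Sensor step: compare the in-memory function, invariant by invariant, to its map."""
    expected, i, k = dna_map[fn], 0, 0
    while i < len(code):
        if k >= len(expected) or code[i] != expected[k]:
            return Finding(fn, i, expected[k] if k < len(expected) else None, code[i:i + 8])
        i += TOY_INSN_LEN.get(code[i], 1)
        k += 1
    return None if k == len(expected) else Finding(fn, i, expected[k], b"")

def on_syscall(stack: List[Tuple[str, bytes]], dna_map, policy: str) -> Tuple[str, List[Finding]]:
    """Stack walk at a system-call boundary. policy is 'notify' or 'terminate'."""
    findings = [f for fn, code in stack if (f := check_frame(fn, code, dna_map)) is not None]
    if not findings:
        return "allow", []
    return ("terminate" if policy == "terminate" else "notify"), findings

# Constructed sample: trusted functions, main() relocated in memory, and a helper() detoured to injected code.
TRUSTED = {"main": bytes([0x55, 0xB8, 1, 0, 0, 0, 0xE8, 0x10, 0, 0, 0, 0x5D, 0xC3]),
           "helper": bytes([0x55, 0x01, 0xC0, 0x01, 0x5D, 0xC3])}
DNA_MAP = generate_map(TRUSTED)
RELOCATED_MAIN = bytes([0x55, 0xB8, 1, 0, 0, 0, 0xE8, 0x40, 0x10, 0, 0, 0x5D, 0xC3])
TAMPERED_HELPER = bytes([0x55, 0xE8, 0xEF, 0xBE, 0xAD, 0xDE, 0x5D, 0xC3])
```

The relocated main() passes because only operand bytes changed, while the detoured helper() yields a Finding whose offset and captured bytes are the forensic record the text describes.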
Digital Immunity is a disruptive breakthrough in information assurance. It
eliminates the performance limitations of traditional approaches to enable run
time verification of code integrity. While compatible with traditional
approaches, it also serves as the most effective point at which to detect and interdict malicious code passing through the defensive perimeter. The technique is instruction-set agnostic and thus applicable to modern computing platforms including cloud-based environments, virtualization and mobile platforms.
[i] So-called “hot patches” permitted in Microsoft Windows™ are one example.