
Virsec Launches Application Memory Firewall

Fileless attacks are increasing and are more likely to succeed than traditional file-based malware. Most defenses seek to detect them by recognizing anomalous behavior on the network — but this is basically an after-the-event approach.

Virsec takes a different approach. It seeks to detect malicious fileless behavior while still in memory and before any bad effect can occur.

To this effect, Virsec announced what it calls the first application memory firewall. Its function is to detect deviations in application execution caused by memory-based attacks — and stop them instantly. The implications of such an approach are attractive. If an application is seen to be misbehaving internally, then a memory firewall doesn’t merely stop unknown zero-day fileless attacks, it also provides virtual patching.

Consider WannaCry and NotPetya, which only occurred because many systems could not be patched, and many others were simply left unpatched. EternalBlue and DoublePulsar are memory attacks that leave no traces until after execution. However, if they could have been detected and blocked while still in memory, the lack of patching would not have been an issue and the attack would have been halted. 

The Equifax hack is another example. An RCE vulnerability was exploited by passing malicious code in the Content-Type header. Patching the Struts2 flaw is problematic because it requires rebuilding all apps. But if the execution of the Apache web-server and app-servers was monitored by an application memory firewall, then malicious activity would have been detected and stopped immediately — without requiring the patch.

Atiq Raza, CEO at Virsec, said at the time, “Even as vulnerabilities are found and patched, hackers are developing new fileless techniques to fly under the radar of most security tools. It’s no longer adequate to base security defenses on past attacks — we need to shift to real-time monitoring and security for web applications and all the processes that support them.”

“Memory is the new battleground for cyberattacks,” explains L. Barry Lyons IV, director of risk consulting at KPMG Cyber Security Services; “yet typical security tools have little visibility into memory usage during runtime. Virsec is able to detect and stop attacks that previously seemed indefensible.”

The Virsec memory firewall achieves its purpose by mapping the legitimate execution of an application. “If there is any deviation during execution,” it announced at RSAC this week, “this is a positive sign of compromise, and the Application Memory Firewall stops the exploit within microseconds. Virsec effectively guardrails applications to keep them on track during runtime, delivering results that are far more effective and accurate than existing security tools.”

The process works with any compiled application, whether that’s proprietary, open source or legacy. As applications are loaded into process memory, Virsec maps every assigned memory transition and compiles an ‘AppMap’. This AppMap is then compared to the actual execution flow, and any deviation is taken as evidence of memory abuse or corruption. As a result, fileless attacks from within an application can be detected and blocked within milliseconds — before any malicious effect.
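To make the AppMap idea concrete, the following added example (not Virsec's code; addresses, traces and function names are constructed for illustration) learns the set of legitimate control-flow transitions from trusted runs and then reports the first runtime transition that is not in that map, which is how a corrupted return address or injected code shows up as a deviation:

```python
"""Toy model of the 'AppMap' approach: learn the legitimate control-flow
transitions of a program, then flag any runtime transition not in that map.
Added illustration, not Virsec's implementation; all addresses and traces
below are constructed for the example."""
from collections import defaultdict

# Constructed "legitimate" traces: each is a list of (from_addr, to_addr)
# control-flow transitions recorded while exercising the application in
# trusted runs (e.g. calls into a handler and the returns back from it).
LEGIT_TRACES = [
    [(0x401000, 0x401200), (0x401210, 0x401300), (0x401310, 0x401210), (0x401220, 0x401010)],
    [(0x401000, 0x401200), (0x401210, 0x401400), (0x401410, 0x401210), (0x401220, 0x401010)],
]


def build_appmap(traces):
    """Collect every observed destination for each source address."""
    appmap = defaultdict(set)
    for trace in traces:
        for src, dst in trace:
            appmap[src].add(dst)
    return appmap


def check_execution(appmap, trace):
    """Walk a runtime trace in order and return (index, src, dst, reason) for
    the first deviation, or None if every transition is in the AppMap.
    'unknown-source' means control left mapped code entirely (e.g. injected
    code is now executing); 'unmapped-target' means a mapped site jumped or
    returned somewhere it never did in a legitimate run."""
    for i, (src, dst) in enumerate(trace):
        if src not in appmap:
            return (i, src, dst, "unknown-source")
        if dst not in appmap[src]:
            return (i, src, dst, "unmapped-target")
    return None


# Constructed attack trace: the return at 0x401310 has been corrupted so
# execution goes to 0x4099a0 (outside the mapped flow) instead of 0x401210,
# and from there unmapped code keeps running.
ATTACK_TRACE = [(0x401000, 0x401200), (0x401210, 0x401300),
                (0x401310, 0x4099a0), (0x4099a8, 0x4099c0)]

if __name__ == "__main__":
    appmap = build_appmap(LEGIT_TRACES)
    print("legit run:", check_execution(appmap, LEGIT_TRACES[1]))
    print("attack run:", check_execution(appmap, ATTACK_TRACE))
```

The check stops at the first bad edge, which is the point at which a memory firewall would halt the process, before the gadget chain does anything.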

“Very few security practitioners understand how process memory works, and even fewer security tools operate at the memory level,” said Satya Gupta, founder and CTO of Virsec. “Rather than endlessly chasing external threats, Virsec focuses on what applications should be doing, and how they are actually executing during runtime, down to the memory level.”

The result is a generic defense against advanced fileless techniques. This includes memory corruption attacks (buffer overflows), stack smashing, DLL injections, return-oriented programming (ROP) and ROP gadgets, side channel attacks and corruption of configuration data.

San Jose, CA-based Virsec raised $24 million in a Series B funding round led by tech investment firm BlueIO in March 2018, bringing the total raised to date to $31.6 million.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
