ABOUT VIRSEC



Virsec protects the world’s most important applications and systems from the inside, stopping advanced cyberattacks on the most common application workloads in an enterprise IT environment. Visit https://www.virsec.com/about to learn more about Virsec.


VIRSEC SECURITY PLATFORM (VSP)



Virsec Security Platform (VSP) leverages patented Trusted Execution™ technology to protect high-value enterprise applications deployed in the data center or on public and hybrid clouds. VSP protects these applications from highly sophisticated attacks, including memory corruption, code injection, credential theft and supply chain compromise. VSP effectively creates and enforces guardrails around the applications as they execute. These guardrails ensure that the applications execute only as intended. They stop bad actors from corrupting memory, the usual precursor to hijacking control of the application and to the subsequent theft or destruction of high-value enterprise data.


Conventional cybersecurity tools are designed to extract markers from incoming network traffic as well as system calls made by the application. These runtime marker sequences are compared to the known and catalogued attack techniques. When bad actors vary techniques beyond what has been previously catalogued, their attacks are highly likely to succeed. For most enterprises, it is a massive logistical challenge to keep updating heuristic and behavioural signatures of deployed security solutions constantly and to apply patches to their applications as soon as possible or risk being attacked.


VSP breaks this logistics nightmare by monitoring applications instead of attack techniques. VSP’s approach of creating application guardrails ensures that protected applications execute only what the developer intended and not the bad actor’s intentions. This approach relieves enterprises from reactive patching. Even unpatched applications protected by VSP cannot be abused.


VSP is a combination of multiple capabilities and features that span across the entire application stack to protect critical workloads.

  1. VSP Host: Host protection allows organizations to enforce granular application control on their server workloads. This ensures that only authorized and trusted processes, and their associated libraries, are executed on the servers. VSP supports that decision with a series of checks so that the user can make an informed decision on whether a specific file can be trusted. These include operating system level checks, publisher and package checks, and file reputation checks that use trusted file reputation services. Further, using advanced application control policies, VSP can also control the dynamic execution of interpreters such as PowerShell that attackers typically use for fileless, living-off-the-land attacks.

  2. VSP Memory: Memory protection safeguards binary (compiled) applications against exploits that target vulnerabilities in their memory space. High-value, network-facing binary applications such as web servers and remote access services are frequent targets of such attacks, which allow for remote code execution (RCE). Virsec uses its patented technology to map the control flow of these applications and enforce it at runtime.

  3. VSP Web: Web protection uses deep instrumentation of the interpreted and bytecode-based languages and frameworks in which modern web applications are written (Java, .NET, Ruby on Rails, PHP, Node.js) to get full visibility into web requests and responses. This visibility, combined with stateful inspection and detection of malicious user input, allows VSP to detect the attacks and threats typically categorized under the OWASP Top 10, such as injection (SQL, command), XSS, CSRF and many more.

As a result, VSP provides protection against attacks/threats like:

  • Injections – CRLF, Command, SQL, Path Traversal

  • Class Loading Logging, Software Exception Logging

  • XSS – Command, Reflected, Stored, DOM

  • File Integrity

  • Local File Inclusion

  • Remote File Inclusion

  • Buffer Error
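The guardrail idea described above, checking what the application was written to execute rather than matching catalogued attack signatures, applied to the injection entries in the list, as an added Python example. This is not Virsec's code and says nothing about how VSP's instrumentation is implemented; it hooks the database driver of a deliberately vulnerable sqlite3 application and compares the shape of each SQL statement with and without the request input. The table, rows, query strings and the GuardedConnection, InjectionBlocked and request-context names are all assumptions constructed for the example.

```python
# Added example: structure-based SQL injection detection at the database-driver
# hook. The check never looks for attack strings; it asks whether untrusted
# request input changed the *shape* of the statement the application built.
import re
import sqlite3
import threading

# Demo lexer for the SQL subset used here (assumption: not a full grammar).
_TOKEN = re.compile(r"""
    '(?:[^']|'')*'            |   # single-quoted string literal
    \d+(?:\.\d+)?             |   # numeric literal
    [A-Za-z_][A-Za-z0-9_]*    |   # identifier or keyword
    --[^\n]*                  |   # line comment
    <>|<=|>=|!=|[(),;=<>*+\-/]    # operators and punctuation
""", re.VERBOSE)

def sql_structure(sql):
    """Return the statement's shape: literals collapse to LIT, comments to
    COMMENT, everything else is kept case-folded. Two queries that differ
    only in their data values therefore have the same shape."""
    shape = []
    for match in _TOKEN.finditer(sql):
        tok = match.group(0)
        if tok[0] == "'" or tok[0].isdigit():
            shape.append("LIT")
        elif tok.startswith("--"):
            shape.append("COMMENT")
        else:
            shape.append(tok.upper())
    return shape

def input_changes_structure(sql, user_input):
    """True when swapping the user's input for a benign value of the same
    kind changes the statement's shape, i.e. the input supplied SQL syntax
    instead of data. Heuristic: only the first occurrence is replaced, and
    input the application escaped no longer matches, so a neutralised value
    is not flagged."""
    if not user_input or user_input not in sql:
        return False
    benign = "0" if user_input.isdigit() else "x"
    return sql_structure(sql) != sql_structure(sql.replace(user_input, benign, 1))

# Per-thread record of the untrusted values in the current request, which a
# real agent would capture at its web-framework hook (assumed design).
_current = threading.local()
def set_request_inputs(values):
    _current.values = list(values)
def request_inputs():
    return getattr(_current, "values", [])

class InjectionBlocked(Exception):
    pass

class GuardedConnection(sqlite3.Connection):
    """Driver-level hook: every statement is checked against the current
    request's inputs before it reaches SQLite."""
    def execute(self, sql, *args, **kwargs):
        for value in request_inputs():
            if input_changes_structure(sql, value):
                raise InjectionBlocked(f"input {value!r} altered SQL structure")
        return super().execute(sql, *args, **kwargs)

def make_db():
    """Constructed sample data; schema and rows are assumptions."""
    set_request_inputs([])
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    return conn

def lookup_user(conn, name):
    """Deliberately vulnerable: request input is concatenated into the SQL."""
    set_request_inputs([name])
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]

def lookup_id(conn, id_text):
    """Same flaw on a numeric field, where no quote is needed to inject."""
    set_request_inputs([id_text])
    sql = f"SELECT name FROM users WHERE id = {id_text}"
    return [row[0] for row in conn.execute(sql).fetchall()]

def demo():
    """Run four constructed requests; each result is (rows, blocked)."""
    conn = make_db()
    cases = [("benign_name", lookup_user, "alice"),
             ("injected_name", lookup_user, "' OR 1=1 --"),
             ("benign_id", lookup_id, "2"),
             ("injected_id", lookup_id, "2 OR 1=1")]
    results = {}
    for label, func, value in cases:
        try:
            results[label] = (func(conn, value), False)
        except InjectionBlocked:
            results[label] = (None, True)
    return results

if __name__ == "__main__":
    for case, (rows, blocked) in demo().items():
        print(f"{case:14} blocked={blocked} rows={rows}")
```

The two benign requests pass unchanged and the two injected ones are blocked, without any pattern for `OR 1=1` or `--` appearing anywhere in the guard; a new payload that still turns data into syntax is caught by the same comparison, which is the point of monitoring the application rather than the attack technique.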


These capabilities are licensed and can be purchased individually or in bundles. Please reach out to your Virsec Sales Representative to understand the capabilities included in your procured license.


HOW DOES VSP WORK?



In order to protect customer workloads, Virsec Security Platform (VSP) relies on the ability to reside in the same memory space in which the customer applications and services run. This requires the VSP Probe service to run on the workloads so that it has the visibility and control needed to secure them. That visibility is gained through techniques including (but not limited to) binary instrumentation, software hooking, bytecode instrumentation and process monitoring. All of these techniques are configured and enforced by the VSP Probe running on the workloads that Virsec protects.


In addition, SecOps teams need the ability to manage and monitor these controls at a granular level from a centralized management console. This is exactly what VSP CMS (Central Management System) does. CMS is another Virsec-provided system that allows security administrators and operations teams to manage and monitor all the workloads protected by VSP in an organization. On CMS, one can:

  1. Onboard and secure the configured servers and applications

  2. Control their security configuration, including (but not limited to) the threats applied and the protection mode

  3. Perform configuration changes

  4. Monitor and manage incidents reported from VSP Probes deployed across the organization

  5. Integrate with third-party tools such as SIEM, SMTP, LDAP and ticketing systems

vRuleEngine is the solution component responsible for the analysis and detection of web-related threats, based on the data captured by the VSP Probe. Note that vRuleEngine is required only for VSP Web functionality. It can be part of the VSP Probe deployed on the customer workload itself, or it can be deployed as a separate system.


ARCHITECTURE



VSP CMS is built on a microservices architecture. Each microservice is capable of running in a separate Docker container. While the majority of these services are proprietary and developed from scratch, VSP uses common platforms, namely MongoDB, Redis, Kafka and Nginx, for data persistence, caching, streaming and web serving respectively.


VSP CMS can currently be deployed in two ways:

  1. Virtual appliance: All CMS services run as Docker containers on a hardened RHEL 7.9 VM. This VM is delivered in various formats so that it can be deployed on common hypervisors and public cloud IaaS platforms. Check the latest compatibility matrix, as Virsec continues to add support for more platforms. Note that RHEL 7 left Red Hat maintenance support in June 2024, so confirm the base image currently shipped and its patch status before exposing the appliance.

  2. Kubernetes Pods: The CMS services run as Kubernetes Pods in a single Kubernetes cluster. The number of Pods varies depending on the choice of deployment. Virsec provides scripts that can deploy the entire CMS using kubectl (for native Kubernetes, AWS EKS and HPE Ezmeral), oc (for OpenShift) and Helm charts. Check the latest compatibility matrix, as Virsec continues to add support for more orchestration platforms.

Virsec highly recommends Option 2, as the Kubernetes orchestrator natively provides high availability and scaling. Option 1 should only be used for smaller environments where availability can be managed through the native virtualization platform and scalability is not critical.


In both options, MongoDB can be deployed separately or an existing MongoDB cluster can be used.


VSP Probe also comprises multiple services with distinct functions:


VSP Probe can be deployed on:

                      VM                      Container
                      Deployed on Workload    Deployed on Workload    Sidecar
  VSP Agent           Yes                     Yes                     No
  VSP Controller      Yes                     Yes                     Yes


VSP vRuleEngine can be deployed on:

                      VM                                Container
                      Deployed on Workload    Remote    Deployed on Workload    Remote    Sidecar
  VSP vRuleEngine     Yes                     Yes       Yes                     Yes       Yes