VIRSEC SECURITY PLATFORM (VSP)


 

Virsec Security Platform (VSP) is a cybersecurity solution that continuously protects applications and host workloads against advanced cyber threats and neutralizes zero-day exploits with zero dwell time (milliseconds). VSP aligns with zero trust architectural approaches and presents a portfolio of mitigating security controls that automate the runtime execution of authorized processes, libraries and dependencies for Windows or Linux Host OS workloads.

 

VSP takes a positive security posture to deliver a deterministic zero trust approach to runtime execution. VSP is architected to prevent malicious code execution and fileless attacks from exploiting open server vulnerabilities, using patented Virsec Map and Virsec Enforce technology. Virsec Map defines the executable allow list of what is authorized (system integrity) and Virsec Enforce dynamically ensures the application executes as expected (runtime protection).

 

Virsec proactively protects cloud, data center, managed or hosted enterprise applications and workloads against ransomware and malware exploits and increasingly sophisticated cyber-attacks. Virsec Enforce automatically distinguishes authorized dependencies such as files, scripts and libraries from everything else and instantly stops any deviation, protecting against memory corruption, code injection, supply chain poisoning, web attacks and more.

 

With a protection-first approach to Zero Trust, Virsec’s positive security posture of allowing only ‘known good’ dependencies effectively stops all other malicious behaviors. VSP changes the ‘detect and respond’ way of reacting to vulnerabilities to ‘proactive protection’ through automated allowlisting and granular application control policies.

 

ZERO TRUST EXECUTION – PROVENANCE, INTEGRITY AND AUTHORITY

 

Zero Dwell Time: Virsec stops execution of malicious processes and library injection/hijacking in real time, before they can execute and do any damage.

 

Process, File and Library Monitoring: Virsec supports advanced allow-listing techniques to ensure that the integrity of each workload is not compromised. This is achieved by creating a checksum-based allow-list from either baselining individual hosts or scanning a reference host, thus creating a chain of trust that can be traced to the code provider. Executables are automatically added to the allow-list based on the publisher trust factors, including Operating System validations, publisher certificates and file reputation (via integrations with partners such as Reversing Labs and VirusTotal).

 

Script and Dynamic Application Control: Virsec stops file-less and living-off-the-land attacks that target trusted applications like shell/script interpreters (PowerShell, wscript, mshta, bash) and system processes like svchost, rundll32 and more. It leverages application control policies that apply granular controls over the dynamic behavior of these processes. It can restrict the usage to certain trusted command line arguments, users, parent-child process lineage and stop known attack tactics/techniques.

 

VSP INTEGRITY AND RUNTIME PROTECTION CAPABILITIES

 

SYSTEM INTEGRITY

 

Virsec System Integrity provides both provenance and integrity for the authorized files, scripts and libraries recorded in the software bill of materials (SBOM). This delivers zero trust execution and extends existing security controls with proactive server workload protection so that the workload cannot be compromised.

 

VSP consists of the Central Management System (CMS) and a software probe with different capabilities to extend existing security controls to enable server workload self-protection.

 

The following sections highlight the key capabilities of the VSP Probe.


EXECUTABLE ALLOW LISTING

 

Virsec’s Executable Allow Listing defines all the processes and associated libraries allowed to execute.

  • Trustworthiness is established by verifying pristineness against trusted publishers and reputation against Virsec's reputation database

  • Establish and enforce system-wide allow-listing for processes, libraries and scripts based on trustworthiness

  • Monitor deviations during run-time and mitigate any instances of executables that have been added or modified

 

FILE INTEGRITY ASSURANCE

 

Virsec’s File Integrity Assurance monitors application and system-critical folders for malicious changes and aids in detecting and stopping ransomware attacks.

  • Monitors critical application folders for the creation, modification, permission change and deletion of files in the monitored regions of the file system

  • Reports any changes in access privileges and file ownership in the monitored folders

  • Supports explicit inclusion and exclusion of specified file extensions (like .tmp, .log) and folders within the monitored folders of the file system

  • Tracks unauthorized file upload/downloads within the monitored folders of the file system
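The baseline-and-compare idea behind the Executable Allow Listing and File Integrity Assurance capabilities above can be illustrated with a small script. The following is an added example, not Virsec's code: it checksums every regular file under a directory (a stand-in for baselining a reference host), records permission bits and owner, honours extension and folder exclusions, and then reports what was added, modified, deleted or re-permissioned when the tree is scanned again. The sample tree and the tampering applied to it are constructed in `demo()`.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import AbstractSet, Dict, List


@dataclass(frozen=True)
class Entry:
    sha256: str   # content checksum: detects modification
    mode: int     # permission bits: detects chmod
    uid: int      # owner: detects chown


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, exclude_exts: AbstractSet[str] = frozenset(),
             exclude_dirs: AbstractSet[str] = frozenset()) -> Dict[str, Entry]:
    """Record checksum, mode and owner of every regular file under root.

    exclude_exts are suffixes such as ".tmp"; exclude_dirs are folders
    relative to root that are not descended into."""
    result: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune excluded folders in place so os.walk skips them entirely.
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in exclude_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode) or p.suffix in exclude_exts:
                continue  # skip symlinks, sockets and excluded extensions
            result[p.relative_to(root).as_posix()] = Entry(
                _sha256(p), stat.S_IMODE(st.st_mode), st.st_uid)
    return result


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify every deviation between a baseline and a later scan."""
    report: Dict[str, List[str]] = {
        k: [] for k in ("added", "deleted", "modified", "mode_changed", "owner_changed")}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if a is None:
            report["added"].append(path)      # not in the allow-list: unknown file
        elif b is None:
            report["deleted"].append(path)
        else:
            if a.sha256 != b.sha256:
                report["modified"].append(path)
            if a.mode != b.mode:
                report["mode_changed"].append(path)
            if a.uid != b.uid:
                report["owner_changed"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample: baseline a tree, tamper with it, rescan and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "cache").mkdir()
        (root / "bin" / "app").write_bytes(b"constructed sample binary\n")
        (root / "bin" / "helper.so").write_bytes(b"constructed sample library\n")
        (root / "bin" / "debug.log").write_text("noise\n")
        (root / "cache" / "blob").write_bytes(b"excluded folder\n")
        os.chmod(root / "bin" / "app", 0o755)
        os.chmod(root / "bin" / "helper.so", 0o644)
        excl_ext, excl_dir = {".log", ".tmp"}, {"cache"}
        base = baseline(root, excl_ext, excl_dir)

        # Simulated deviations of the kinds the monitor should report ...
        (root / "bin" / "helper.so").write_bytes(b"replaced library contents\n")  # modified
        (root / "bin" / "dropped").write_bytes(b"unknown new executable\n")       # added
        os.chmod(root / "bin" / "app", 0o777)                                     # permission change
        # ... and one it must ignore because .log is excluded.
        (root / "bin" / "debug.log").write_text("more noise\n")
        return compare(base, baseline(root, excl_ext, excl_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:14s} {paths}")
```

Exclusions are applied at scan time rather than at compare time so that noisy paths never enter the baseline at all; the owner check uses `lstat` so a symlink planted in a monitored folder is not silently followed and hashed as if it were the file it points at.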

 

RUNTIME MONITORING AND PROTECTION

 

Virsec Runtime Monitoring and Protection enforces the provenance and integrity of Virsec Map and software bill of materials (SBOM) of the authorized files, scripts and libraries to ensure that they cannot be compromised and perform their intended functions in an unimpaired manner, free from unauthorized manipulation of the system, its applications and code, whether intentional or accidental.

 

APPLICATION CONTROL POLICY

 

Executable Allow Listing and File Integrity Assurance capabilities of VSP ensure that only the processes and libraries that are pristine, trusted and safe can run on the server workloads. Application Control Policies (ACP) ensure that malicious actors cannot leverage advanced defense evasion techniques to compromise a workload.

 

Typical use cases for Application Control Policies are:

  • Script-based attack prevention

  • Living-off-the-land attack prevention

  • Protection against defense evasion techniques

  • Critical data collection

  • Lateral movement prevention

  • Protection against persistence

  • Remote-code execution

Application Control Policies allow the user to:

  • Block malicious activities from the otherwise trusted operating system-related processes

  • Enforce parent-child process controls to stop RCE and lateral movement

  • Add additional runtime controls to allow/disallow binary applications to spawn child processes within the scope of the binary application

  • Enforce additional access controls on binaries via allow or deny list for processes so that either a specific set of users are allowed to run a defined set of applications or a specific set of users are always denied running a defined set of applications

  • During the execution of a defined set of binaries:

    • Enforce that only specific command-line arguments and flags are allowed

    • Deny risky command-line arguments and flags

  • Block binary applications from running under all circumstances, even if they are generally trusted
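A policy of the kind listed above can be expressed as data and evaluated on each process start. The following Python is an added example, not Virsec's implementation or rule format: the `Rule` fields (unconditional block, allowed/denied parents, users and command-line flags) and the sample events in `demo()` are constructed for illustration, and a product would apply such rules at process-creation hooks rather than in user-space Python.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class ProcessEvent:
    image: str        # executable file name, e.g. "powershell.exe"
    parent: str       # parent process image
    user: str         # account the process runs as
    args: List[str]   # command-line arguments (image name excluded)


@dataclass
class Rule:
    image: str                                   # binary this rule governs
    blocked: bool = False                        # deny under all circumstances
    allowed_parents: Optional[Set[str]] = None   # None means any parent
    denied_parents: Set[str] = field(default_factory=set)
    allowed_users: Optional[Set[str]] = None     # None means any user
    denied_users: Set[str] = field(default_factory=set)
    allowed_flags: Optional[Set[str]] = None     # if set, every flag must appear here
    denied_flags: Set[str] = field(default_factory=set)


def _lower(names: Iterable[str]) -> Set[str]:
    return {n.lower() for n in names}


def _flags(args: List[str]) -> Set[str]:
    """Command-line switches only; positional values are not policy-controlled here."""
    return {a.lower() for a in args if a.startswith("-")}


def evaluate(event: ProcessEvent, rules: List[Rule]) -> Tuple[str, str]:
    """Decide ("allow" | "deny", reason) for one process-start event.

    Checks run in decreasing severity and the first failing check denies.
    An image with no rule is allowed here because the executable
    allow-list, not ACP, decides whether it may run at all."""
    for rule in rules:
        if rule.image.lower() != event.image.lower():
            continue
        if rule.blocked:
            return "deny", f"{rule.image} is blocked unconditionally"
        if event.user in rule.denied_users:
            return "deny", f"user {event.user} is denied"
        if rule.allowed_users is not None and event.user not in rule.allowed_users:
            return "deny", f"user {event.user} is not in the allow list"
        parent = event.parent.lower()
        if parent in _lower(rule.denied_parents):
            return "deny", f"parent {event.parent} is denied (lineage control)"
        if rule.allowed_parents is not None and parent not in _lower(rule.allowed_parents):
            return "deny", f"parent {event.parent} is not a permitted parent"
        flags = _flags(event.args)
        bad = flags & _lower(rule.denied_flags)
        if bad:
            return "deny", f"risky flag(s) {sorted(bad)}"
        if rule.allowed_flags is not None:
            extra = flags - _lower(rule.allowed_flags)
            if extra:
                return "deny", f"flag(s) {sorted(extra)} not in allow list"
        return "allow", f"permitted by rule for {rule.image}"
    return "allow", "no application control policy for this image"


# Constructed sample policy (illustrative names, not a Virsec rule format).
SAMPLE_POLICY = [
    Rule("mshta.exe", blocked=True),
    Rule("powershell.exe",
         denied_parents={"winword.exe", "excel.exe", "outlook.exe"},
         allowed_users={"alice", "svc_deploy"},
         denied_flags={"-EncodedCommand", "-enc", "-WindowStyle"}),
    Rule("bash", allowed_parents={"sshd", "systemd", "cron"},
         allowed_flags={"-l", "-c", "--norc"}),
]


def demo() -> List[Tuple[str, str]]:
    """Run constructed process-start events through SAMPLE_POLICY."""
    events = [
        ProcessEvent("powershell.exe", "explorer.exe", "alice", ["-NoProfile", "-Command", "Get-Date"]),
        ProcessEvent("powershell.exe", "winword.exe", "alice", ["-NoProfile", "-Command", "Get-Date"]),
        ProcessEvent("powershell.exe", "explorer.exe", "alice", ["-EncodedCommand", "<constructed base64>"]),
        ProcessEvent("powershell.exe", "explorer.exe", "guest", ["-Command", "hostname"]),
        ProcessEvent("mshta.exe", "explorer.exe", "alice", []),
        ProcessEvent("bash", "sshd", "root", ["-l"]),
        ProcessEvent("bash", "httpd", "www-data", ["-c", "uname -a"]),
    ]
    return [evaluate(e, SAMPLE_POLICY) for e in events]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:5s} {reason}")
```

The ordering of checks matters: an unconditional block and user denials are evaluated before lineage and argument rules, so a denied account never reaches the more permissive branches, and the reason string records which control fired so the decision can be audited later.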

 

MEMORY EXPLOIT PROTECTION

 

Virsec Memory Exploit Protection stops attempts to inject malicious code into trusted processes and run it from memory.

  • Stops process injection techniques including, but not limited to, Code Injection, Process Hollowing and Process Doppelgänging

  • Stops dumping of OS credentials from the memory of key processes such as LSASS (Local Security Authority Subsystem Service)

  • Stops privilege escalation attacks and in-memory attacks

  • Exploit techniques are detected and stopped in real time without the need for any signature, learning or customization

Memory Exploit Protection provides protection against the below exploits or vulnerabilities:

 

For Windows:

  • Reflective DLL (Dynamic Link Library) Injection (Reported as Process Injection Incident)

  • Process Hollowing

  • PE (Portable Executable) Injection (Reported as Process Injection Incident)

  • Process Doppelgänging

  • PowerShell Exploit (Reported as Process Injection Incident)

  • Atom Bombing

  • Thread Local Storage (Reported as Process Hollowing Incident)

  • Thread Execution Hijack

  • Credential API (Application Program Interface) Hooking

  • OS Credentials Dumping on Windows using LSASS

For Linux:

  • Dirty CoW (Copy on Write)

  • tmp-fs exploit

  • DirtyPipe

  • ptrace Sudo Token Privilege Escalation

 

BUFFER OVERFLOW PROTECTION

 

Virsec Buffer Overflow Protection ensures application control flow integrity by uniquely distinguishing trusted execution flow, control data and user data from malicious events during runtime without dependencies on access to source code.

  • Detects memory-based attacks such as buffer overflows, return-oriented programming and other blind attacks on program flow, the memory stack and return addresses

  • Protects runtime execution of pre-compiled applications by automatically extracting the control flow of every executable and blocking any deviation from it at runtime

 

WEB PROTECTION

 

Virsec Web Protection monitors user provided inputs, the execution of inputs and the application response with complex HTTP filtering, interpreter syntax mapping and strict runtime controls to detect and prevent attacker-provided inputs to a web application.

  • Web Application and API Protection for attacks arriving over the HTTP/HTTPS channel

  • Detects OWASP Top 10 attacks on protected web applications using deep instrumentation of application frameworks and/or web servers

  • Blocks Web-based attacks by examining the HTTP payloads and resulting transactions


 

ARCHITECTURE


 

VSP CMS is built on a microservices architecture. Each microservice can run in a separate Docker container. While the majority of these services are proprietary and developed from scratch, VSP uses common platforms such as MongoDB, Redis, Kafka and Nginx for data persistence, caching, streaming and web serving respectively.

 

VSP CMS can be currently deployed in two ways:

  1. Virtual appliance: All CMS services run as Docker containers on a hardened RHEL 7.9 VM. The VM is delivered in various formats so that it can be deployed on common hypervisors and public cloud IaaS platforms. Check the latest compatibility matrix, as Virsec continues to add support for more platforms.

  2. Kubernetes Pods: The CMS services run as Kubernetes Pods in a single Kubernetes cluster. The number of Pods varies with the chosen deployment. Virsec provides scripts that deploy the entire CMS using kubectl (for native Kubernetes, AWS EKS and HPE Ezmeral) and Helm charts. Check the latest compatibility matrix, as Virsec continues to add support for more orchestration platforms.

Virsec highly recommends Option 2, as the Kubernetes orchestrator natively provides high availability and scaling. Option 1 should only be used for smaller environments where availability can be managed through the native virtualization platform and scalability is not critical.

 

In both the options, MongoDB can be deployed separately or an existing MongoDB cluster can be used.

 

VSP Probe also comprises multiple services with distinct functions:

 

VSP Probe can be deployed on:

  Component       | VM: Deployed on Workload | Container: Deployed on Workload | Container: Sidecar
  ----------------|--------------------------|---------------------------------|-------------------
  VSP Agent       | Yes                      | Yes                             | No
  VSP Controller  | Yes                      | Yes                             | Yes


VSP vRuleEngine can be deployed on:

  Component        | VM: Deployed on Workload | VM: Remote | Container: Deployed on Workload | Container: Remote | Container: Sidecar
  -----------------|--------------------------|------------|---------------------------------|-------------------|-------------------
  VSP vRuleEngine  | Yes                      | Yes        | Yes                             | Yes               | Yes