Securing Linux Infrastructure

Linux is the most critical component underlying systems in public clouds, private datacenters, and embedded/IoT devices—yet there has been a lack of effective tools to secure them. Most offerings are derived from products designed for Microsoft Windows. This means CPU- and memory-intensive agents, low portability, and layers of complexity more suited to the desktop environment than to production servers. The result is increased operating costs: more servers are needed to handle a given load because the protection software consumes too many resources.

Vali Cyber has developed a Linux-specific security suite, ZeroLock®, to address this issue. Our patent-pending technology monitors essential server resources and host processes with very low resource consumption. Our behavioral threat detection algorithms, which leverage AI techniques, and our automated near-real-time data file recovery mechanisms provide Maximum Security with Minimum Impact.


Cyber Attacks are Growing in Frequency & Impact

Coordinated, organized, and well-funded threat actors have successfully targeted companies across the globe. Whether the attack was targeted or came through a supply chain compromise, successful ransomware attacks have grown at unprecedented rates in the last two years, with over 304 million attacks in 2020 alone (washingtonpost.com). More sophisticated attacks bring higher costs and longer periods of business disruption. With compromised companies being extorted for amounts ranging from $4 million to $70 million and the work to restore business operations taking from days to weeks, the actual cost of a successful attack is more than just the ransom. Reputational damage and the cost of restoring trust in the brand add significantly to the total and can take months or even years to repair.

 

Traditional Solutions Fall Short

Traditional malware vendors started by focusing on the problems of Microsoft Windows environments and use that architecture to handle every threat. These vendors are not focused on understanding the specific threats of ransomware, cryptojacking, and data theft on Linux systems. Thus, they cannot quickly and effectively stop or remediate these threats across a broad range of Linux operating systems.

Traditional malware vendors attempt to protect targeted systems by using high-overhead, resource-intensive, version-specific methods. Using complex kernel modules as the primary method of detecting malicious code leads to challenges in customer environments.

Organizations do not run a single monolithic OS across their entire infrastructure. This reality limits the scale and effectiveness of kernel-module-based protection, because a module must be supported across many versions and flavors of Linux. Compatibility testing of a solution against every Linux kernel version, every Linux flavor, and the individual applications present in a customer environment is resource-intensive and leads to slow and inconsistent adoption. Thus, systems are left unprotected and vulnerable to compromise.

Traditional security vendors start by protecting Windows systems, relying on high-overhead kernel modules that force a choice between performance and protection. System stability is also an issue when using kernel modules. Kernel modules modify the base operating system by adding code to the kernel, and they run a higher risk of inadvertently interfering with legitimate applications. If a traditional vendor’s kernel module fails, it presents a substantial threat to the stability of the entire system. This can also lead to slow and inconsistent solution adoption as customers balance reliability against security.

Linux has more than 300 system calls, and that number grows every year. Intercepting them with kernel modules incurs significant overhead, resulting in solutions that require 20%-60% of the protected system’s CPU to run correctly. Compensating for that overhead requires substantial additional investment to offset the performance degradation on each system.

Replacing ineffective solutions becomes more complex because uninstalling one solution may or may not fully remove its kernel components. This situation can leave critical systems in an unstable state and potentially compromise the effectiveness of the new solution being deployed.

Traditional security solutions rely heavily on file inspection to detect threats. This method involves downloading sizable signature databases to the local system, which then need constant updating. Additionally, malware has long been able to evolve in the wild to evade this method of detection. Scanning files at start time and on disk introduces extensive CPU and memory overhead and requires significant time to read from and write to storage. Repeated scanning of potentially tens of thousands of benign static files creates considerable overhead and delays in system performance. This high-load, high-overhead model also proves prohibitive for protecting purpose-built systems like medical devices and ATMs.

 

ZeroLock Overview

Built for zero trust environments, ZeroLock provides very low-overhead protection that stops zero-day, file-based, and fileless attacks. Our advanced technology provides low-impact monitoring. Advanced, proof-based AI/ML-driven detection stops attacks at machine speed and provides automatic remediation and restoration for Linux infrastructure. ZeroLock supports both containerization (e.g., Docker) and virtualization (e.g., VMware) of any Linux version and any variant (e.g., Red Hat, Ubuntu) running on kernel version 3.5 or later.

 

Architecture: Fast System Call Intercept vs. Kernel Module

ZeroLock uses a patent-pending method to capture system calls. This method creates a “micro-perimeter” that allows us to monitor the system calls—network access, file access, privileged process access—used by all applications, including those with malicious intent. Our approach is to monitor only the processes and system calls that matter. As a result, CPU overhead is typically less than 5%, but may temporarily increase as much as 10-20% during an attack.

ZeroLock does not modify the kernel and won’t impact the overall stability of the systems we are defending. Our approach focuses on monitoring vulnerable processes and processes that can create malicious processes on a protected system. These are what we call “attack surface” processes. We also monitor processes spawned by the attack surface to catch elusive malware that abuses process creation methods. Our methodology allows us to monitor and protect the original process we discover and all child processes created through either regular process forking or malicious process creation. This minimizes the footprint and overhead required to protect a system and reduces the potential for malicious code to interfere with or obfuscate our detection algorithms.

ZeroLock focuses on protecting against specific threats—ransomware, cryptojacking, and unauthorized data exfiltration. This threat-specific approach gives us an advantage in understanding the adversarial techniques employed and reduces the monitoring overhead required to fully protect systems against these expensive and potentially catastrophic threats.

 

Distributed AI & Machine Learning Architecture

ZeroLock’s detection and protection methodologies have been architected to be highly efficient with real-time effectiveness, yet able to continually learn and adapt from our ever-expanding malware analysis ecosystem. With a team of programmers and advisors specializing in machine learning and AI, we’ve built a system that has analyzed millions of attacks and is continually trained on new tactics, techniques, and procedures used in file-based and fileless attacks. We have consolidated that into a constantly learning algorithm that operates in real time on the host. It receives updates as new training sets are completed and compiled into ZeroLock update modules. We look at advanced behavioral markers of processes on a protected system to determine whether an attack is active. Benefits of using an algorithm rather than a traditional vendor’s signature file include (i) faster detection, (ii) lower overhead on the protected system, (iii) fewer false positive and false negative determinations, and (iv) greater difficulty of circumvention using obfuscation techniques. As deployments grow, opt-in partners will expand the ability to profile behaviors that add to the AI-based training.

By identifying the behaviors and actions ransomware exhibits during an attack, such as searching for files, reading files, creating encrypted copies, and deleting files, Vali’s proprietary algorithm provides highly effective and efficient protection against ransomware. By understanding ransomware behavior through extensive research, iterative development, and extensive testing, we can determine whether a process is operating within the system as it is supposed to or is a compromised process executing an attack.

 

Remediation

Threats are constantly evolving, and threat actors are continuously improving and refining their attacks. Because of this, no solution is complete without the ability to remediate when a threat is missed and not stopped immediately. To protect against the unknowns, ZeroLock copies all deleted or written files (encryption is considered a write operation) to a protected cache area while the actions and process(es) involved are evaluated. This approach allows us to automatically restore files that have been compromised, deleted, or encrypted by malicious code.

To ensure that the file copies are protected and not altered, any process we are monitoring cannot access the folders where the copies are stored.
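As an added illustration (not ZeroLock’s code; the trace format, thresholds and the in-memory "disk" are assumptions), the following Python shows the two ideas above working together: scoring a process on the read, encrypted-write, delete sequence described in the detection section, and restoring originals from a copy-on-write cache that captured every overwritten or deleted file before a verdict was reached.

```python
import math
from collections import Counter, defaultdict

# Constructed syscall-style trace of (pid, syscall, path, data). The format is invented
# for this example and is not ZeroLock telemetry. pid 7 acts like ransomware: it reads a
# document, writes a high-entropy copy, then unlinks the original. pid 9 is a benign editor.
TRACE = [
    (7, "read", "/home/a/report.txt", b"Quarterly figures, plain text report."),
    (7, "write", "/home/a/report.txt.locked", bytes(range(37, 250, 3))),
    (7, "unlink", "/home/a/report.txt", b""),
    (7, "read", "/home/a/notes.txt", b"Meeting notes for Tuesday planning."),
    (7, "write", "/home/a/notes.txt.locked", bytes(range(5, 219, 3))),
    (7, "unlink", "/home/a/notes.txt", b""),
    (9, "read", "/home/a/todo.txt", b"buy milk\n"),
    (9, "write", "/home/a/todo.txt", b"buy milk\ncall bank\n"),
]
ENTROPY_THRESHOLD = 6.0  # bits per byte; ciphertext approaches 8, English text sits near 4-5
MIN_FILES = 2            # read -> high-entropy write -> unlink must be seen on this many files

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def replay(trace):
    """Replay the trace: cache pre-images before destructive calls, score each pid on the
    encrypt-and-delete pattern, and restore the files of any pid that crosses MIN_FILES."""
    disk, cache, reads, hits = {}, {}, defaultdict(set), defaultdict(set)
    high_entropy_writers = set()
    for pid, call, path, data in trace:
        if call == "read":
            disk.setdefault(path, data)       # the file existed before this read
            reads[pid].add(path)
        elif call == "write":
            if path in disk:
                cache[path] = disk[path]      # copy-on-write: keep the pre-image
            disk[path] = data
            if entropy(data) >= ENTROPY_THRESHOLD:
                high_entropy_writers.add(pid)
        elif call == "unlink" and path in disk:
            cache[path] = disk.pop(path)      # keep a copy of what was deleted
            if path in reads[pid] and pid in high_entropy_writers:
                hits[pid].add(path)           # full read -> encrypt -> delete sequence
    flagged = {pid for pid, files in hits.items() if len(files) >= MIN_FILES}
    for pid in flagged:
        for path in hits[pid]:
            disk[path] = cache[path]          # automatic restore from the protected cache
    return flagged, disk
```

The benign editor’s rewrite is cached too but never reverted, which is the point of deferring the verdict: the cache costs little, and only a process that completes the pattern on enough files triggers restoration.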

 

Self-Protection

The ZeroLock agent has self-protection functionality that prevents malicious code from disabling/removing the agent from the system. Some of the protections the agent utilizes are:

  • Loading early on the machine so we can see processes at startup.
  • Preventing monitored processes from killing critical security processes.

Additionally, we restrict access to the cache folder so that no monitored process can access the cache area. There is a heartbeat function to the management console that gives near real-time health status of the agent on any given protected system.

Vali’s ZeroLock provides a fast, effective, scalable, fully automated solution to protect organizations from the growing array of threats to Linux systems. Using a targeted solution without kernel modules, we provide the same high level of security across an organization’s entire Linux infrastructure without the need for version-specific testing and certification. By using behavior-based machine learning algorithms, ZeroLock is faster, less resource-intensive, and more effective, and produces fewer false positives. We are the only solution on Linux that provides seamless, automated recovery of any compromised files during an attack, minimizing the chance of an extended outage.

For more information, contact [email protected].