
Security for the Next Generation Datacenter Whitepaper


Post on 23-May-2020


Introduction

Mega breaches at ETrade and JP Morgan Chase resulted in the theft of detailed contact information from millions of customers. These large-scale attacks were carried out using well-known techniques such as brute force attacks, social engineering, and exploitation of unpatched vulnerabilities. Last year, a group of teenagers broke into the personal email account of CIA director John Brennan by posing as Verizon service technicians. As an industry, information security professionals are operating under the assumption that someone, somewhere has already stolen a set of credentials belonging to their organization. Given the pervasiveness of attacks, traditional signature-based endpoint and server protection no longer meets an organization's protection needs.

The threat landscape contains countless exploits of known vulnerabilities in commonly used enterprise software, with an extra eight thousand vulnerabilities found per year, according to the National Vulnerability Database. According to the Verizon Data Breach Investigations Report, most exploited vulnerabilities that have caused a data breach existed in their targets' systems for nearly a year. IT professionals could avoid breaches by patching their systems up to date, yet they face a problem—a proliferation of systems that need maintenance, and a chronic understaffing of both the IT and information security fields. Most companies simply don’t have the IT resources to keep their systems up to date. Therefore, hackers have their pick of vulnerabilities to exploit.

Assuming that the corporate perimeter—which is, from SentinelOne’s perspective, the endpoint—can be breached using well-known techniques, enterprises must invest in defense-in-depth. Protecting the perimeter is not the same as protecting the core, and attacks against data centers differ from attacks against endpoints and end-users.

Many organizations have decided to invest in security that, on the face of it, does little except bog down system resources. Traditional endpoint protection will take up several extra megabytes of memory per server during normal operations in the data center, and will bog down business-critical applications while it scans or updates. Additionally, this security relies on signatures in order to detect malware, which this document will show is entirely outclassed in the face of today’s threat environment.

Solutions designed to protect the data center should follow two axioms: First, a solution needs to recognize and quarantine malware, and detect the behavior of an insider threat that uses compromised credentials. Second, a solution must function without disrupting the ordinary operations of the data center or bogging down critical resources.


Taking Over a Server is Easier Than You Think

The data center presents a massive attack surface for malicious actors. All types of servers may be exposed to vulnerabilities and malware. Aside from attacking a data center directly, administrators are also a tempting target because attackers may benefit from stealing their credentials or by taking over their terminals to gain access to data centers.

The following scenarios are examples where servers and their data are vulnerable to capture and theft:

In the first scenario, an engineer is tasked with migrating an enterprise’s website from Drupal to WordPress. They perform the WordPress installation on one of their web servers, rebuild the site, and hook the inputs up to the enterprise’s database. When the site goes live, an attacker notices an unsanitized input. They use this vulnerability to inject code into the web server, which then infects clients who visit the site via drive-by download. If an attacker can’t get by a Web Application Firewall (WAF) that’s protecting a particular input, they might buy time from a DDoS-for-hire such as Lizard Stresser and hit the targeted application with a DDoS attack until the WAF fails. Once the firewall is overloaded, the attacker can accomplish an attack at their leisure.


Even security savvy data center administrators are susceptible to attackers. Attackers will often go after a low-privilege user from another business unit rather than the data center administrator. The attacker obtains the user’s credentials via social engineering, and then uses a flaw in their desktop’s operating system to escalate their privileges. Once the attacker has root on the user’s machine, they’re able to open a connection to the data center and begin harvesting confidential information. According to a 2015 System Administration, Networking, and Security (SANS) Institute survey, almost 60% of enterprises have no way to understand east-west traffic in their data centers, making this an extremely viable attack path.
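The visibility gap the survey describes is concrete: if nobody baselines which desktops talk to which data-center servers, a compromised low-privilege workstation that suddenly opens a database or SSH session into the data center looks like any other flow. The following is an added illustration, not SentinelOne's product or any code from the whitepaper, of a minimal east-west baseline check over constructed flow records. The subnets, ports, and flow records are assumptions chosen for the example.

```python
import ipaddress

# Assumed network layout (not from the whitepaper): user desktops live in
# 10.20.0.0/16, data-center servers in 10.100.0.0/16.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
DATACENTER_NET = ipaddress.ip_network("10.100.0.0/16")

# Ports where a session originating from a desktop is worth a second look.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 5432: "postgres"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_dst).
BASELINE_FLOWS = [
    ("10.20.4.17", "10.100.1.10", 443, 50_000),    # desktop -> intranet web app
    ("10.20.4.17", "10.100.1.10", 443, 48_000),
    ("10.20.9.3", "10.100.2.20", 1433, 12_000),    # analyst's BI client -> reporting DB
]
NEW_FLOWS = [
    ("10.20.4.17", "10.100.1.10", 443, 51_000),    # same pair as baseline: benign
    ("10.20.4.17", "10.100.2.20", 1433, 900_000),  # new: desktop -> DB, large pull
    ("10.20.4.17", "10.100.3.5", 22, 4_000),       # new: desktop -> ssh on a server
    ("10.100.3.5", "10.100.2.20", 5432, 8_000),    # server -> server, not desktop-originated
]


def is_desktop_to_datacenter(src, dst):
    """True for flows that cross from the desktop subnet into the data center."""
    return (ipaddress.ip_address(src) in WORKSTATION_NET
            and ipaddress.ip_address(dst) in DATACENTER_NET)


def learn_baseline(flows):
    """Record every (src, dst, port) triple seen during the learning window."""
    return {(src, dst, port) for src, dst, port, _ in flows
            if is_desktop_to_datacenter(src, dst)}


def detect(flows, baseline, volume_threshold=500_000):
    """Return alerts for desktop-originated east-west flows that are either a
    never-before-seen session on a sensitive port or an unusually large pull."""
    alerts = []
    for src, dst, port, bytes_from_dst in flows:
        if not is_desktop_to_datacenter(src, dst):
            continue
        reasons = []
        if (src, dst, port) not in baseline and port in SENSITIVE_PORTS:
            reasons.append(f"new {SENSITIVE_PORTS[port]} session")
        if bytes_from_dst >= volume_threshold:
            reasons.append(f"{bytes_from_dst} bytes pulled")
        if reasons:
            alerts.append((src, dst, port, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

The baseline here is a plain set of observed triples; a real deployment would age entries out and learn per-role rather than per-host, but the point the survey makes holds either way: without some record of normal east-west traffic there is nothing to compare a suspicious session against.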

Moreover, signature-based antivirus has a notoriously difficult time detecting known malware if superficial changes have been made to the malware itself. These changes have been demonstrated to be as simple as changing a hash, or even just a filename. Using a targeted phishing attack, it may be easy for a bad actor to infect an admin via a pathway as simple as sending a malicious attachment. With just a simple remote administrative toolkit, the attacker can log keystrokes, access network control, view storage and shared drives, and then begin to exfiltrate PII.

Between unpatched vulnerabilities, unsanitized inputs, and attackers that are able to deceive perceptive administrators, there are many attack vectors for bad actors to choose from and little apparent need for them to innovate. Even iterations in traditional endpoint security have been overcome. For example, enterprises have begun deploying network-based sandboxes to detect malware. The intent is for an attacker to mistake the sandbox for a vulnerable resource, and execute malware in a controlled environment where digital forensics can snapshot and track the aggressor. Attackers have easily countered these honeypots by deploying malware with sensors that can detect if they’re in a sandbox environment. This malware will then automatically delay execution until it senses that it’s on a genuine endpoint.

Figure: Attack Vectors. Disk-Based Executables; File-Less Attacks; Document/Application-Based Attacks; Browser-Based Attacks; Script-Oriented Attacks; Live/Insider Attacks.

When Protecting the Data Center, “Next Gen” Security is a Misnomer

As shown above, it’s been relatively easy for bad actors to execute attacks on data centers even when security administrators deploy advanced techniques. In the technological arms race between hackers and information security professionals, the adversaries have invested minimal effort in innovation—and consistently beat security professionals.

For example, social engineering is a “hacking” technique that predates the existence of the digital computer. No amount of technological innovation has been able to prevent a bad actor from simply talking a user out of their credentials. Even rigorous security awareness training programs such as quarterly drills and weekly fake phishing emails have been unable to stem the tide. All it takes is one sufficiently gullible user to open the floodgates. Once attackers have that user’s credentials, it’s game over—most enterprises won’t detect an attack involving compromised credentials until months after it’s already occurred.

People often think of malware as an extremely advanced threat, but the first malware program, “Creeper,” dates back to 1971, and was swiftly followed by the first antivirus program, “Reaper.” It’s been forty-five years since Creeper and Reaper first chased each other around the ARPAnet, and malware has evolved dramatically since then. The pace of innovation is deceptive, however.

It is very easy to change malware to beat signature-based detection—so easy, in fact, that some enterprising criminals have monetized the signature-evasion process. Using a so-called “crypting” service, bad actors will run different versions of their malicious software against all well-known signature-based AV programs. They will then tweak the software in an iterative manner until it is completely undetectable. Again, these changes don’t represent innovations in the way that the malware infects software—they’re mostly cosmetic, like adding a new coat of paint.

Lastly, code injection attacks are the most recent attack technique that this document has discussed, and yet the first known instance of code injection dates back to 1998. Preventing code injection is as simple as preventing untrusted users from writing code into an application. In an ideal world, code injection vulnerabilities would be a mistake reserved for the ranks of first-year computer science undergraduates. And yet, it’s one of the most common vulnerabilities that continue to be exploited.
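The migration scenario earlier in this document (an unsanitized input on the rebuilt site) and the claim above that preventing injection is a matter of keeping untrusted input out of code can be shown side by side. This is an added example, not code from the whitepaper or from SentinelOne: a lookup that pastes a request parameter into SQL next to the same lookup using a bound parameter, plus output encoding for what the page renders back to visitors. The table, rows, and slugs are constructed for the example.

```python
import html
import sqlite3

# Constructed stand-in for the enterprise database the rebuilt site was
# hooked up to: a posts table with one public page and two unpublished drafts.
SAMPLE_POSTS = [
    ("public-roadmap", "Public roadmap", 1),
    ("q3-earnings-draft", "Q3 earnings draft", 0),
    ("merger-memo", "Merger memo", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (slug TEXT, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def find_post_vulnerable(conn, slug):
    """The unsanitized input: the request parameter becomes part of the SQL text,
    so whatever the visitor types is executed as code, not treated as a value."""
    query = f"SELECT title FROM posts WHERE slug = '{slug}' AND published = 1 ORDER BY rowid"
    return [row[0] for row in conn.execute(query)]


def find_post_hardened(conn, slug):
    """Parameterized query: the driver sends slug as data, never as SQL, so
    the published = 1 restriction cannot be commented or OR'd away."""
    query = "SELECT title FROM posts WHERE slug = ? AND published = 1 ORDER BY rowid"
    return [row[0] for row in conn.execute(query, (slug,))]


def render_title(title):
    """Output encoding: whatever reaches the database is shown to visitors as
    text, so stored content cannot become script in the browser (the
    drive-by-download half of the scenario)."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"   # constructed probe input: comments out the published filter
    print("vulnerable:", find_post_vulnerable(db, probe))   # leaks the drafts
    print("hardened:  ", find_post_hardened(db, probe))     # nothing matches
    print(render_title("Roadmap <script>"))
```

The two lookups differ by one thing only, whether the slug travels as data or as code; that single difference is what the paragraph above means by keeping untrusted users from writing code into the application. Input validation on the slug (an allowlist of slug characters) is a useful second layer, but parameter binding is the control that removes the class of bug.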

Worse yet, advanced threat groups rarely have to resort to advanced techniques to breach a target. According to Rob Joyce, the NSA's chief hacker, the government doesn't tend to use attack strategies that are any more advanced than “waiting for the target to make a mistake.” If it can help it, the NSA doesn’t even use zero-days anymore. One would assume that their truly “next-generation” attacks, such as those carried out by the Equation Group, are only deployed against the most paranoid targets. By extension, other APTs such as China, Russia, and Israel must practice similar self-discipline.

To recap, current-generation security cannot protect against threats that are decades old, and even advanced attackers barely need to exert themselves to execute a successful breach. What’s more, signature-based detection can constantly generate false positives, which can hide a real threat like a needle in a haystack. This is something data center administrators will be forced to contend with or ignore. Signature-based detection also represents a heavy drag on system resources. Based on these many downsides, data center administrators have in some cases abandoned information security tools entirely.

In order for data center professionals to embrace security, information security needs to shift to a fundamentally new approach. The industry needs to abandon signatures entirely, and find a new solution that doesn’t interfere with normal data center operations, provides real protection against both common and advanced attacks, detects compromised credentials, and requires no intensive investment of time and manpower to operate.

Thus: Axiomatic Security.

Applying Axiomatic Security to the Data Center

It is possible to have security that provides defense against both common and exotic threats without breaking the data center. This is necessary because signature-based antivirus can no longer credibly defend against attackers. Here are a few qualities that data center professionals should look for in a solution that assumes the mantle of axiomatic security.

Axiomatic security should run out-of-band without demanding a large share of processing resources from the data center. This means that business-critical applications don’t have to sacrifice efficiency for protection.

This new security solution needs to find both malware and exploit-based attacks. To do so, it needs to recognize malicious code, not based on what it looks like, but based on how it behaves. Bad actors can hide a malware signature, but they can’t hide the fact that a malicious program is trying to steal data or take over a system resource. If a security solution can recognize this behavior, it means that even an entirely new piece of malicious software wouldn’t be able to pass unnoticed.

Similarly, an exploit-based attack will cause a trusted application to behave in an untrustworthy way. A security solution relying on behavioral recognition may not see that an application is unpatched, but it will see that an application is leaking data in a way that it was never designed to do. Thus, even a previously unknown zero-day could be rendered less useful.

In addition to detecting threats, server protection must not detect false positives. For security to function properly, a security solution needs to be able to run at full capacity while generating as few false positives as possible.

Once server protection does detect a threat, it must be capable of acting with some autonomous capacity without generating additional IT resource requirements. This solution must be capable of automatically halting a suspect process, and then quarantining the host server to prevent the lateral movement of an attack. Lastly, the system should quarantine malicious files, activate forensics, and begin cataloguing the malware for further scrutiny.
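Two points in this document fit one small illustration: the earlier observation that a cosmetic change to a file defeats a signature match, and the behavior-based detection and autonomous response described in the last three paragraphs. The following is an added example, not SentinelOne's detection logic or any code from the whitepaper. It contrasts a hash blocklist against a trivially repacked file with a rule set that looks at what a process does (mass renames, executable drops, sensitive reads paired with an outbound connection) over constructed process-event records, and maps findings to the halt-and-quarantine response the text describes. The sample bytes, paths, hosts, and thresholds are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

# --- Signature side --------------------------------------------------------
# Constructed stand-in for a known-bad file; the blocklist holds its SHA-256.
# (This is an arbitrary byte string, not a real sample.)
KNOWN_BAD = b"MZ\x90\x00 constructed sample body for the example"
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_verdict(blob):
    """Hash-based detection: true only for a byte-exact match."""
    return hashlib.sha256(blob).hexdigest() in BLOCKLIST


def repacked(blob):
    """The 'new coat of paint': one appended byte, behavior unchanged."""
    return blob + b"\x00"


# --- Behavior side ---------------------------------------------------------
@dataclass
class Event:
    pid: int
    op: str      # "read", "write", "rename", or "connect"
    target: str  # file path, or host:port for connect


# Constructed event trace for three processes on one server.
SAMPLE_EVENTS = [
    # pid 4242: rewrites a run of documents with a new extension
    *[Event(4242, "rename", f"/srv/share/doc{i}.xlsx.locked") for i in range(6)],
    # pid 5150: reads the customer export, then talks to an unknown host
    Event(5150, "read", "/srv/db/customers.csv"),
    Event(5150, "connect", "203.0.113.9:443"),
    # pid 7001: nightly backup, reads the same data but goes to the backup host
    Event(7001, "read", "/srv/db/customers.csv"),
    Event(7001, "connect", "10.100.1.10:443"),
]

# Assumed allowlist of destinations a server process may legitimately reach.
ALLOWED_HOSTS = frozenset({"10.100.1.10:443"})


def analyze(events, allowed_hosts=ALLOWED_HOSTS, rename_threshold=5):
    """Group events by process and return {pid: [reasons]} for processes whose
    behavior matches a rule, regardless of what binary produced the events."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    findings = {}
    for pid, evs in by_pid.items():
        reasons = []
        locked = {e.target for e in evs if e.op == "rename" and e.target.endswith(".locked")}
        if len(locked) >= rename_threshold:
            reasons.append(f"mass rename of {len(locked)} files to .locked")
        drops = [e.target for e in evs if e.op == "write" and e.target.lower().endswith(".exe")]
        if drops:
            reasons.append(f"executable dropped: {drops[0]}")
        read_sensitive = any(e.op == "read" and e.target.startswith("/srv/db/") for e in evs)
        external = [e.target for e in evs if e.op == "connect" and e.target not in allowed_hosts]
        if read_sensitive and external:
            reasons.append(f"sensitive read and connection to {external[0]}")
        if reasons:
            findings[pid] = reasons
    return findings


def respond(findings):
    """Autonomous response as the text describes it: halt each flagged process,
    then quarantine the host so the attack cannot move laterally."""
    actions = [f"kill pid {pid}" for pid in findings]
    if findings:
        actions.append("isolate host from network")
    return actions


if __name__ == "__main__":
    print("signature, original:", signature_verdict(KNOWN_BAD))
    print("signature, repacked:", signature_verdict(repacked(KNOWN_BAD)))
    found = analyze(SAMPLE_EVENTS)
    print(found)
    print(respond(found))
```

The backup job (pid 7001) reads the same sensitive file as the suspect process but is not flagged, because its destination is on the allowlist; that is the false-positive discipline the text asks for, expressed as a rule that requires two behaviors together rather than one alone. Real behavioral engines score many more signals and weight them, but the structure is the same: the verdict comes from the sequence of actions, not from the bytes of the file.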

By removing false positives, freeing up security personnel, stopping breaches, and accurately cataloguing the kind of threats that are up against them, administrators can begin a positive feedback loop. Axiomatic security should replace the old foundation that SecOps has been built on—endpoint protection—while leaving room to add other services that complement it. Good security justifies additional investment. Once security based on machine learning and behavior-based detection proves its efficacy, administrators will be able to apply additional layers of defense and architect better security policy for the enterprise as a whole.

With intelligent automation becoming an obvious replacement for signature-based detection, SentinelOne offers a comprehensive solution for servers and endpoints. As far as the data center is concerned, SentinelOne offers a lightweight solution that functions on both Windows and Linux servers without compromising performance. Its behavioral threat analysis leverages machine learning to capture and neutralize both known and unknown threats, while providing a forensics package that allows administrators to visualize attack paths and remediate vulnerabilities.

In terms of compliance, behavioral threat analysis also removes some of the necessity of patching systems to their latest version. While this is best practice, oftentimes updating one system will break the dependencies of its connected subsystems—meaning that administrators must trade a functioning data center on one hand for security and compliance on the other. Organizations can rely on SentinelOne to monitor unpatched systems, meaning that even an out-of-date program retains its security.

In terms of mitigation, SentinelOne can block and identify malware, even if it hasn’t been seen before in the wild. In Alert Mode, it can identify malware, such as ransomware, and detect malicious behavior, such as creating an executable file without permission. SentinelOne will display the entire attack path of malware—and then enable administrators to seamlessly roll back an infected machine.

With SentinelOne, IT teams finally have a viable path forward that allows them to stay ahead in the arms race against bad actors. Instead of spending limited time, money, and manpower remediating breaches that are already in progress, security practitioners can now usefully devote their time to reinforcing the solid foundation which SentinelOne provides.


For more information about SentinelOne, please visit www.sentinelone.com.