UPDATED 02:31 EDT / JANUARY 21 2014


Shape Security emerges from stealth, looking to change website security forever

Shape Security emerged from stealth this morning in a launch that has famously raised an impressive $26 million through two rounds of funding, without publicly telling anyone what the company actually does. It has been a bit of a mystery, and that changes today.  The company is introducing an entirely new kind of security protection technology and is led by Sumit Agarwal, Google’s first Mobile Product Manager and a personal appointee of President Obama as Assistant Deputy Secretary of Defense at the Pentagon.  The company’s stable of talent features a list of high-profile, experienced executives, and the Mountain View-based company shares board members and advisors with two other hot security companies you’ve probably read about recently: FireEye and Mandiant.  After being in R&D mode for the last 2 years, the product they’re releasing today focuses on one of the biggest vulnerability fields in the industry today: web security.  This product is expected to completely alter the economics of web hacking.  Disruptive is a good word for what they’re taking on.

Shape’s page announces –

On January 21, we are launching a completely new type of web security product.

Shape alters the economics of web hacking. We shift costs from defenders to attackers, forcing hackers to spend much more to achieve much less. Our military-grade technology doesn’t rely on past signatures, so it uniquely protects against zero-day and other advanced threats.

Today is that day.  In a briefing last week, Shuman Ghosemajumder, Shape’s VP of Strategy (and former Google “Click Fraud Czar”) and Agarwal shared the details of what their product actually does.

“What we do is protect web apps and make it easy by introducing a real-time polymorphic approach.”

ShapeShifter


ShapeShifter from Shape Security

The product is called ShapeShifter, and while it looks like any number of devices, it is most certainly something entirely different.  ShapeShifter works at the level where web applications interact with your browser, client or applications.  Web applications tend to give away quite a bit of information in seemingly innocuous ways that actually end up being massive vulnerabilities that hackers use to attack.  Before you’ve even logged in, there are many ways that the web application tells the outside world what it expects in various fields.  This constitutes a ripe attack vector that can fall prey to the tools of automation behind the impactful yet simple attacks that many hackers use today.  Things like username fields, field names and other static elements are all code that can help form an attack template against the application infrastructure itself.  Every web application has these static elements, which are essentially source code for its infrastructure, and when these things are broadcast on the internet, you can see how big a problem this is.  All a hacker has to do is become aware of the flaw, pipe it into a simple bot, and the attack begins.

Rewrites vulnerable web code on the fly


ShapeShifter flips the script by rewriting these chunks of published code on the fly, transforming the source code into something unrecognizable to the hacker while it still functions exactly the same way for the end user.  By producing an unending stream of randomized code variations, it makes this code different on every single page and field.   Attackers rely on these pages being static to programmatically attack web applications – significant because for years, malware authors have been circumventing detection by changing the profile of their programs, so that signature-based detection cannot catch them as they do the harm they’re designed to do.  That polymorphic aspect is what ShapeShifter is now bringing to the application side – patternless, meaningless, and useless to a hacker.
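To make the mechanism concrete, here is an added illustration (not Shape’s code, and not how ShapeShifter is implemented) of the core idea: every form field name in a response is replaced with a one-time random token, the server keeps a per-response mapping to decode the submission, and a client that keys on the static names (or replays tokens from an earlier page) no longer produces a valid submission. The HTML form and the field names are constructed sample input.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample page: a login form with the static field names an automated
# client would template on. Nothing here comes from a real site.
ORIGINAL_HTML = (
    '<form method="post" action="/login">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '<input name="submit" type="submit" value="Log in">'
    '</form>'
)

FIELD_NAME_RE = re.compile(r'name="([^"]+)"')


def polymorph_form(html: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite every name="..." attribute to a fresh random token.

    Returns the rewritten HTML and the token -> original-name mapping the server
    keeps (bound to the session that received this response) so it can decode
    the submission. A new mapping is produced for every response, so two
    renders of the same page never share field names.
    """
    mapping: Dict[str, str] = {}

    def replace(match: "re.Match[str]") -> str:
        token = "f_" + secrets.token_hex(8)  # unpredictable, unique per response
        mapping[token] = match.group(1)
        return f'name="{token}"'

    return FIELD_NAME_RE.sub(replace, html), mapping


def decode_submission(form_data: Dict[str, str], mapping: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map submitted token names back to the real field names.

    Any submitted name that is not in this response's mapping (a static name
    such as "username", or a token taken from a different render) invalidates
    the whole submission, which is where automation keyed on static fields fails.
    """
    decoded: Dict[str, str] = {}
    for token, value in form_data.items():
        if token not in mapping:
            return None
        decoded[mapping[token]] = value
    return decoded
```

In a real deployment the mapping would have to live in session-scoped, short-lived state on the server side, since the appliance described above is itself stateless.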

Liz Lopez -left- Tim Peacock -right

The uses are many, and Ghosemajumder describes just a few applications in financial, healthcare and commerce settings.  The banking industry, for one, is encumbered with many security challenges, and one of the newest phenomena has been the evolution of advanced web application attacks.  “A 9-figure problem”, Ghosemajumder calls it.  The global proliferation of the malware family known as Zeus and similar fraud software known as Spy Eye have been especially challenging for the industry.  Each of the top ten banks in the United States has witnessed some form of infection from these malware schemes, which infect user computers, lie dormant, and wait for the user to browse to a specific bank web site.  That’s when the fun begins: transactions are rewritten to an account that then pays out to money mules, people on the street who cash these accounts out.  In the meantime the user at the computer is presented with information saying everything is as expected, when actually thousands of dollars may have been lost.   ShapeShifter makes those attacks economically irrational for these perpetrators by obfuscating the code that would have been targeted in the first place.

ShapeShifter also takes on Advanced DDoS attacks, cases where flaws in user interfaces are bombarded with sustained programmatic requests that can bring a system to its knees.  By exploiting a known soft element of an application interface, an Advanced DDoS attack doesn’t even require much volume, relying instead on its repetitive nature to overwhelm systems until significant resources are consumed.  Without any exposed code to target, such attacks don’t even have a place to start.

Financial fraud – when large troves of credit information have been stolen and are out on the net somewhere, thieves will look to monetize that information.  Typically, it is fenced through a large-scale, systematic, botnet-based purchasing spree across various retail targets, specifically aimed at known web application payment input fields.  Items purchased in a run like this include gift cards, vouchers, coupons, and even postage; the loot is non-repudiable and has a certain street value.  With those field names shielded from the would-be attacker, the automated attack is significantly degraded, and the fence operation moves on to easier targets elsewhere.

Set and forget – that’s the philosophy the product was built around.  That should be quite appealing, as no interaction is needed on the part of a developer: nothing needs to be rewritten, not one line.  The product is completely stateless and can run in multiple data centers anywhere in the world.  With a cloud-based management interface, raw log export and meta-control integration, ShapeShifter integrates easily into modern data environments.

photo credit: *n3wjack’s world in pixels via photopin cc
