UPDATED 10:00 EDT / NOVEMBER 09 2017


Bracket says it can head off attacks operating systems don’t see

Bracket Computing Inc. has upped the ante in its security software suite with new protections against a variety of difficult-to-detect attacks.

The new feature set, called Server Guard, is part of a workload isolation technology the company calls Metavisor. Similar to a hypervisor, but sitting closer to the operating system, Metavisor safeguards critical parts of the operating system while on disk and in memory. This additional virtualization layer isolates the guest operating system from low-level operating system calls that attackers frequently use.

Bracket is attacking the problem of persistence, in which attackers gain root-level access to a system and then embed themselves there, often lingering for months while they compromise other systems on a network. By attaching to the operating system, they evade detection by standard defense tools that operate at a higher level.

Server Guard features a centrally managed antipersistence tool that allows applications to execute from their trusted paths but prevents attackers from installing unknown binaries. It also prevents anomalous writes to sensitive configuration files. Server Guard can enforce these permissions even if an attacker has root access to a system, the company said.

New features protect against in-memory privilege escalation, such as buffer overflow and use-after-free attacks that achieve root-level access without detection by the operating system. Server Guard also prevents root shells from being spawned from exploited processes and defends against all known Linux rootkits, which are malicious software designed to provide access to a computer that’s not supposed to be allowed.

Low-level hypervisor

Metavisor is “kind of like a lightweight, nested, virtualized hypervisor,” said Chief Technology Officer Jason Lango. “The operating system is literally running on top of Metavisor, so anything it does has to go through Metavisor.” Out of the box, the software protects against common exploits such as rootkits, and it can also be custom-configured according to security policies.

Even if it has no prior knowledge of an attack, Server Guard causes Linux privilege escalation and rootkit attacks to bounce harmlessly off the Metavisor, even if the server is running a known and unpatched vulnerability. The company said its technology could have headed off the recent massive breach of Equifax Inc., which was caused by an attack on a known bug in the Apache Struts web application framework.

Metavisor loads upon startup before loading the operating system and then runs in the background, typically consuming less than 15 percent of central processing unit resources. “Once the guest operating system is up and running, the Metavisor can’t be seen,” Lango said. “We’ve optimized so that it’s immutable from a hacker’s perspective, but transparent from a DevOps perspective.”

Bracket’s technology uses memory introspection, which monitors memory at a level below the guest operating system. “We focus on making the system itself immutable, meaning that apps can’t run and modifications to the kernel can’t be made, without permission,” Lango said. While acknowledging that it’s “theoretically possible” for the Metavisor itself to be compromised, “the smallness and tightness should make an escape as uncommon as an operating system escape into the hypervisor,” he said.

Bracket emerged from stealth mode in 2015 with $130 million in funding from a host of blue-chip investors. The company initially targeted workload virtualization for multicloud environments, but with the surging popularity of containers, it has more recently pivoted to security.

Server Guard is a subscription service priced by the number of compute units on which it’s deployed. Administration is done via a hosted portal. List pricing is $60 per core per year, with volume discounts available.

Image: Pixabay
