Summary: Siemens is impressed by what Israeli security startup CyActive can do: developing ways of mitigating attacks before they can take place.
Biblical-style prophecy may be a thing of the past, but Israeli security startup CyActive is developing technology that can predict what exploits malware writers are going to come up with next, allowing developers to come up with a way of mitigating the attacks — even before the malware agent behind them is created.
The technology, which CyActive has been working on for about a year, is garnering attention in the enterprise — to the extent that the company announced several weeks ago that it had received a "substantial strategic investment" from the venture capital unit of Siemens. CyActive didn't say how much it got, but Ralf Schnell, CEO of the Siemens unit, said that he was "particularly excited" by CyActive's approach "to securing industrial and utilities assets. CyActive's founders are leaders in the field and the company's unprecedented cyber security technology turns the economic equation in favour of the defender".
Abetting CyActive in its prophetic efforts are the technical limitations of malware writing — or, some would say, the laziness of the malware writers themselves. According to CyActive CEO Leron Tancman, malware — like legitimate software — is often derivative, and even advanced attacks have the same core components as earlier versions.

"You can see very clearly what the 'kill chain of exploitation' is, the methods hackers are using now and the variants they are likely to use," Tancman said. "Even the major attacks of recent years, such as Flame, Stuxnet, and others, use a similar core."
Two recent high-profile attacks provide a good example of the phenomenon, Tancman said. According to a CyActive analysis, the attackers who hit US chain Target last December used malware called BlackPoS (aka Kaptoxa) for a point-of-sale malware attack that compromised the credit card information of millions of customers.
But BlackPoS came back for an encore, said CyActive, when a variant reusing a number of code pieces and methods seen in other malware was unleashed on another chain, Home Depot.
A blog post by CyActive lists many similarities between the components, activities, and methods of both attacks, and concludes that the Home Depot malware was basically a remix of other previously used malware components attached to BlackPoS in order to make it appear new.
But it wasn't new, Tancman said, in the sense that nearly all the components and the defences against them were well known in the security community.
"It's not fair for me to comment on this specific instance, but I believe that we would have been able to predict the new BlackPoS variant if we had been able to analyse the original one. That's what our technology does, very effectively. In 20 minutes we can predict 10,000 variants of a particular piece of malware, allowing for the development of defences against them."
CyActive, Tancman said, changes the equation in the online security war. "Security is reactive, and as we have seen over and over, the hackers just need to make slight adjustments to their code in order to wreak havoc on the enterprise, which over and over has to spend millions to mitigate the threats.

"There is an economic imbalance, and there shouldn't be, because so much of malware is derivative. Well, cyber-defence can be derivative too, and that changes the balance of power in favor of the defenders."
Siemens sees the system's value especially for SCADA and other long-life systems used in critical infrastructure that need to be protected. "CyActive offers the opportunity to change the model of Industrial Control Systems (ICS) security from a reactive model to a proactive model," said Rajiv Sivaraman, global head of Siemens Plant Security Services. "This achievement addresses the long life cycles within ICS for critical legacy devices."
"We are thrilled by this vote of confidence from Siemens, global leader in industrial and utilities markets," Tancman said. "The investment recognizes the need for industrial and CIP technologies that tackle the toughest security challenges. We look forward to expanding CyActive's ability to protect the world's most critical assets."