Protection Beyond Operating System - Development of the next generation cyber security solution

Periodic Reporting for period 2 - ProBOS (Protection Beyond Operating System - Development of the next generation cyber security solution)

Reporting period: 2017-10-01 to 2019-03-31

One of the main issues to address today in cyber security is the timely identification of cyber-attacks: this is essential not just to contain the damage but also to obtain a full picture in the aftermath of an attack. Cyber attacks in fact have a larger impact than the breach itself: data is lost, sensitive information is exfiltrated and the attackers have possibly maintained a way of regaining access to the compromised systems even after the breach is detected. To this it must be added that the legal repercussions of a data breach can be severe, and they present themselves in the form of several collateral damages: lawsuits from customers and the related legal fees, government fines due to regulations in place (GDPR for instance), loss of reputation and brand damage. On a more technical level, the costs of a breach become obvious during the forensic stage, in which experts are normally called in to analyse the scenario and reconstruct the series of events that led to the intrusion and eventually to the loss of data. Such risks and the correlated costs can be mitigated by adopting a smart technology capable of analysing and responding automatically to similar events.

A strong cyber-posture is essential to the whole of society, especially today, when information travels in digital form and is often shared by different parties; with companies hoarding more and more data, the amount of damage that an attacker can cause is growing every day. Security is a process that is very hard to put in place, as it is often seen as a cost center instead of a cost-saving item, so, in our view, this process has to be as simple as possible and automation must play a large role, both to avoid overloading human operators and to guarantee a timely response to any potential danger.

Our objective is to develop a complete and comprehensive platform for monitoring the endpoints (workstations, servers and mobile phones) used within an organisation, in order to identify the emergence of new behaviours that might signal the presence of an active attacker. Such an approach provides a strong safeguard against new and unknown kinds of attacks that would otherwise go undetected by traditional technologies. At the same time we want the platform to act as a continuous monitoring tool capable of providing valuable intelligence even at later stages of a cyber attack, in order to offer quick response capabilities. We also want the platform to become a single place to manage the endpoint fleet that is accessible to entities unable to run endpoint monitoring for lack of resources; for this reason the platform is structured to work as a SaaS, enabling Managed Security Service Providers to offer services to those customers that are smaller in size but still in need of advanced detection and protection capabilities.

We have developed over the course of the entire project several new technologies:

- A NanoOS (live hypervisor) capable of monitoring security activities from outside the operating system. This approach guarantees strong resilience of the monitoring system, which cannot be easily disabled by attackers to prevent tracking and is also immune to evasion attempts.
- A live agent capable of working on different platforms: Windows, Mac OS, Linux and Android. The agent is a highly sophisticated component that gathers security information from every device and translates it into a single, unified format, independently of the platform it is running on.
- A dedicated dashboard capable of managing every stage of the cyber kill chain: identification of the attack, tracking, protection, mitigation, eradication and reporting.
- A dedicated multi-tenant platform to allow access to the same infrastructure from several unrelated parties, guaranteeing data segregation. This has been done in order to enable security partners to offer the solution as a service to those customers unable to afford the infrastructure required to acquire and process security data.
- A highly scalable backend that can easily transition from a small installation capable of handling a few hundred endpoints to an installation capable of handling hundreds of thousands of devices, simply by adding computational power and without requiring any complex setup.
- A series of Artificial Intelligence engines capable of analysing all the aspects of the cyber kill chain. This includes real-time behavioural analysis of activities coming from the endpoint, infrastructural analysis of internal and infrastructural interactions, and time-based analysis of multiple events such as user logins, access to network resources, etc.
- A set of engines capable of ensuring automated protection at different levels: we developed a dedicated, machine-learning-driven anti-ransomware engine to prevent data tampering and destruction; a set of engines dedicated to behavioural policing, capable of blocking specific and generic behaviours without impeding the usage of a certain application altogether; and a set of engines for the detection and protection against kernel-level exploits.
- A dedicated customisation engine capable of creating new kinds of detections, automation and policing on the fly and completely in real time. This engine ensures that customers can add their own detection/protection/response/management playbooks within the solution itself.
- A dedicated machine-learning engine for on-device, real-time detection of threats on mobile phones (Android).
- A comprehensive threat hunting platform to allow users to run proactive threat hunting campaigns, aimed at detecting malicious behaviours and dormant threats that might have gone undetected by the behavioural engines.
- An Artificial Intelligence based supply-chain attack detection system capable of understanding when trusted software is behaving in potentially malicious ways after receiving updates.

During the development cycle the results of our work have constantly been reported on our website and by participating in relevant security conferences in our region of interest. ReaQta remains active in the dissemination of knowledge, and our blog shows the results achieved while using our solution in real environments; this includes analyses of new kinds of threats and cyber intelligence related to threat actors and their activities worldwide. We also communicate our results on platforms like Twitter and LinkedIn.

At the beginning of this project the landscape of solutions like ours was just being set, and we have been innovating since then, not just with the creation of a unique NanoOS, but also with the development of entirely new processing pipelines capable of speeding up the detection, protection and response process.

With the establishment of GDPR, companies in Europe and outside have been forced to establish security measures that went overlooked for too long, and in this respect our solution presents an excellent choice for any organisation looking to achieve not just compliance but also better detection and response capabilities.

We have run an analysis on a banking customer to understand the economic impact of acquiring and operating a solution like ours against the scenario in which no solution is adopted; the data speaks clearly:

- Without any solution, for that customer, 51% of cyber incidents would end up costing an average of USD 2.51M
- With our solution, for the same customer, the cost of 51% of cyber incidents drops to just USD 0.05M