It’s all about the data. As we’ve said many times in the past, there would be no need for security on our networks if we didn’t care about protecting the data that sit on them and travel on them. But we do. That means that, in addition to the trouble we take to protect our infrastructure, learn about the threatscape and, generally, spend money and time to make certain that our perimeter (such as it is) and our endpoints are well-secured, we also need to focus on the data. That’s what this section addresses.
All three of the Innovators in this category take very different approaches from each other.
We have some pretty interesting and, of course, innovative companies in this batch. You likely will notice that the usual anti-malware suspects are missing. We saw next to no innovation from the traditional companies. Just about everything out there is simply old wine in new bottles. We bounce from product to product when the one we have no longer seems to be doing the job, and it’s not long before we find out that the new choice is no better. Our Innovator this year is out to change that and we believe that there is a better than even chance of success.
Our other two Innovators are similarly clever. Just because of our pronouncement above, don’t think that there is only one Innovator in the anti-malware game. Our other two Innovators are in that game as well, but they take a very different approach. All three, in fact, take very different approaches from each other. Interestingly, when we started combing for data protection products, it all came down to malware.
What we also find interesting is that as we looked at our Innovators in the various topic spaces, we saw what amounts to a significant war of dueling philosophies regarding how to keep data safe. We think that the next few years will sort this battle out and a consistent set of “directions for securing data” will emerge. It’s being driven by the bad guys. We follow the underground and the volume of new tools for stealing data on the internet is prodigious. That is quite a challenge – and that is just from the developers. Add in the criminals who use this stuff and the number of adversaries soars.
That all said, it still all comes down to protecting the data. When the perimeter finally disappears what is left? Just the endpoints and the mass storage…and the data. And those – even today – are where the action is.
Flagship product: AppSecurity for Java
Cost: Enterprise license averages $1k per application instance per annum.
Innovation: A unique approach to implementing RASP.
Greatest strength: Focus and significant ongoing, focused research.
This really is a unique company. Part of its uniqueness is that it came out of pure research with no particular objective. Then the founders evaluated several use cases and realized that cloud security was where it fitted. RASP – runtime application self protection – is the core of their offering but the way they do it is very interesting. Rather than filter data at runtime, Waratek virtualizes the runtime. They run in a secure virtual container. This protects the application which other approaches don’t do directly. This puts the application in a “bullet-proof jacket.” Rather than depend on pattern matching to identify rogue code, Waratek protects the entire software stack.
Waratek’s product is an approach to web security that protects Java applications and sensitive data at runtime from attacks such as SQL injection and exploits of zero-day and unpatched vulnerabilities, without code changes or added hardware. The security therefore resides in the runtime environment, by virtualization. The result of this non-heuristic approach is detection of attack vectors such as SQL injection with minimal false positives.
Waratek AppSecurity for Java provides transparent RASP against malicious exploits, abnormal file manipulation or unexpected network connections using a small set of rules to quarantine illegal operations inside the application. It can be deployed in monitoring or blocking mode. The Taint Detection Engine identifies input injection attacks (such as SQL injection) that attempt to modify the logic of the outbound action.
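To make the taint-detection idea concrete (attacker-controlled input is tolerated as data, but flagged when it changes the structure of the outbound SQL statement), here is an added Python illustration. It is not Waratek’s code; the fragment-tagging helper, the simplified SQL lexer and the sample queries are assumptions constructed for this demo.

```python
import re

# Lexer for a simplified SQL dialect: string literals with '' escaping,
# numbers, identifiers/keywords, whitespace, and single-character punctuation.
TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|\s+|.", re.S)
NUMBER_RE = re.compile(r"\d+(?:\.\d+)?")


def build_query(parts):
    """parts: list of (text, tainted) fragments concatenated in order.
    Returns the SQL string plus the set of character offsets that came
    from tainted (user-controlled) fragments."""
    sql, tainted = "", set()
    for text, is_tainted in parts:
        if is_tainted:
            tainted.update(range(len(sql), len(sql) + len(text)))
        sql += text
    return sql, tainted


def find_logic_changes(parts):
    """Return the tokens whose structure is derived from tainted input.
    Tainted characters are harmless only when they stay strictly inside a
    trusted pair of quotes or form a complete numeric literal; any tainted
    keyword, identifier, operator or quote alters the statement's logic."""
    sql, tainted = build_query(parts)
    violations = []
    for m in TOKEN_RE.finditer(sql):
        tok, start, end = m.group(0), m.start(), m.end()
        if tok.isspace() or not any(i in tainted for i in range(start, end)):
            continue
        is_literal = len(tok) >= 2 and tok[0] == "'" and tok[-1] == "'"
        if is_literal and start not in tainted and (end - 1) not in tainted:
            continue  # data sitting inside the application's own quotes
        if NUMBER_RE.fullmatch(tok):
            continue  # a whole numeric literal is plain data
        violations.append(tok)
    return violations


def demo():
    # Constructed sample: the same query template with benign and hostile input.
    base = [("SELECT * FROM users WHERE name = '", False)]
    safe = find_logic_changes(base + [("O''Reilly", True), ("'", False)])
    unsafe = find_logic_changes(base + [("x' OR '1'='1", True), ("'", False)])
    return safe, unsafe
```

The same check can run in monitoring mode (log the violations) or blocking mode (refuse the statement), mirroring the two deployment modes described above.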
A side benefit is the availability of threat forensics for Java applications. The tools generate an audit trail of both normal and abnormal behavior and track all key application operations, including network and file access, process forking and code linking, among others.
Waratek is a very new company with their product introduced just last year. Their approach is interesting in that, although they are not the first to use virtualization as a defense against the depredations of malware, their innovative approach to focusing on Java makes them unique. That said, being very new – but with very new ideas – they certainly will be one to watch. They are not in the obvious group of anti-malware products, but they have an approach to focused protection that may well keep them in the forefront.
Flagship product: SentinelOne Endpoint Protection Platform
Cost: Pricing is tiered based on the number of endpoints protected and offered as a subscription. MSRP pricing for the base version starts at $45/endpoint/year and varies based on the desired suite components.
Innovation: Solid endpoint protection from malware.
Greatest strength: Automated mitigation and rollback can save the day for an organization experiencing a ransomware attack.
This Innovator wanted to focus on endpoint protection because that is an important place where attacks run. Thus, it makes sense to locate a detection mechanism on that device. The weakest protection on the endpoint tends to be anti-malware. That is because traditional anti-malware products rely heavily on prior knowledge. Today, though, attacks are much more varied and little prior knowledge is available. SentinelOne sees itself as the next generation of endpoint protection.
SentinelOne believes that it always has been a struggle to have an effective agent on the endpoint that doesn’t interfere with the user. So this Innovator developed an agent that has no need for updates and does not interfere with the user. This becomes completely autonomous protection residing on the endpoint only and, as an additional benefit, the agent can protect in real time. The SentinelOne product is one of the few products that can deal with everything happening on the endpoint in a holistic manner by focusing on the operating system. That allows the product to catch just about all vectors of attack. Additionally, the agent is very easy to port to other environments because it is built on SentinelOne’s core foundation.
We liked the automated mitigation and rollback. The tool is able to take files that have been damaged or deleted by malware, such as ransomware, and rollback to recover.
Further, a big benefit that SentinelOne offers, and one that contributes to future development, is that once the agent is on the endpoint, even in a large organization, you can add the product and retain your traditional anti-malware. But if you want to move away from your traditional tools, they are the only endpoint tool certified by anti-malware testing organizations.
This Innovator is in a growth stage and does seem to be constantly growing. There are, of course, challenges. A major one is meeting demand given that they are a small company. Where are they going next? Artificial intelligence is a logical next step and, of course, they will continue expanding to other platforms.
Vendor: Cylance (cylance.com)
Flagship product: Protect
Cost: $55/endpoint per year.
Innovation: Expanding the breadth of layers of security that come to the endpoint.
Greatest strength: Completely non-traditional view of anti-malware along with the technology to execute on that vision.
Every now and then we come upon an Innovator that seems to go above and beyond most other Innovators that we see. Cylance is one such company. In fact, when we did a First Look on this company we received email from competitors claiming that we had simply succumbed to Cylance marketing hype. The truth was that we had observed the testing that we reported and there was no doubt in our mind that the test was legitimate. It takes some pretty outrageous claims to get competitors up in arms over our reviews and we had seen that only a few times in the 20 years we’ve been reviewing. So we found this time interesting given that we had viewed the test ourselves.
Cylance uses machine learning and static analysis to define the DNA of a suspect file and, therefore, can tell from the components whether the file should be run or not. To accomplish this they use machine learning-assisted static analysis. Typical endpoint programs depend on dynamic analysis/behavior analysis. However, current malware often turns off anti-malware, sandboxes, virtual machines, etc. So Cylance puts the focus on protection, not detection. The Cylance product is being built as a preventative technology with the objective of keeping the malware from running in the first place.
Cylance is expanding the breadth of layers of security that come to the endpoint, preventing script-based attacks and other next-generation attack tactics, techniques and procedures. That means that they must plan their roadmap three years out. Competing in a tough market is challenging for the best and largest of anti-malware companies. It turns out, though, that many large enterprises have current-generation, traditional anti-malware products and all are not pleased with what they have. That opens the market up for Cylance because these companies are looking for more.
Handling cryptors and packers can be a real challenge when the main tool is static analysis. These obfuscation techniques can make reversing and static analysis very difficult. Entropy is a strong indicator, but it feeds into the machine learning model and is not the only thing considered. In fact, packed or encrypted malware is suspicious in itself. Cylance handles exploits as well as malware. For example, it easily detects anti-return-oriented programming and considers that a clue for exploits.
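The entropy heuristic mentioned above, as an added Python example that is not Cylance’s code: per-section Shannon entropy separates compiled code and zero-filled data from the near-uniform bytes of a compressed or encrypted payload. The section layout and the byte contents are constructed inline here rather than parsed from a real PE or ELF image.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for a constant run, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(image: bytes, sections):
    """sections: list of (name, offset, size), as a PE/ELF parser would yield.
    Returns {section name: entropy of that section's bytes}."""
    return {name: shannon_entropy(image[off:off + size])
            for name, off, size in sections}


def packed_sections(image: bytes, sections, threshold: float = 7.2):
    """Names of sections at or above the threshold. Values near 8.0 are typical
    of compressed or encrypted payloads; plain machine code lands well below."""
    return [name for name, e in section_entropies(image, sections).items()
            if e >= threshold]


def _prng_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample image: a repetitive code-like section, a zero-filled
# data section and a stand-in for a packer's encrypted section.
TEXT = b"\x55\x48\x89\xe5\x48\x83\xec\x10\x48\x8b\x45\xf8\xc9\xc3" * 300
DATA = bytes(2048)
PACKED = _prng_bytes(4096)
SAMPLE_IMAGE = TEXT + DATA + PACKED
SAMPLE_SECTIONS = [
    (".text", 0, len(TEXT)),
    (".data", len(TEXT), len(DATA)),
    (".packed", len(TEXT) + len(DATA), len(PACKED)),
]
```

As the text notes, entropy is only one feature: a high-entropy section is a reason to weight other static features more heavily, not a verdict on its own.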