Security firm Trusteer believes it has invented the first ever system that can reliably block attacks targeting vulnerabilities in a clutch of common applications such as Java, and Adobe’s Flash and PDF Reader.
It’s a straightforward enough claim, but if it’s true the firm, better known for the Rapport browser plug-in used to protect customers of many of the world’s top online banks from phishing, will have achieved one of security’s holy grails: stopping unpatched exploits and zero-days.
Launched in the US in February under the name ‘Apex’, the software is described by the company as “stateful application control,” a system for monitoring what every application and process is doing and comparing this with a subset of known legitimate behaviours.
If that sounds like an impossible ambition considering the size of the software universe, Trusteer stresses that Apex is targeted at the behaviours of a small group of applications responsible for the overwhelming majority of exploits, namely Java, Adobe’s Reader and Flash, and Microsoft’s Office.
According to Trusteer, it turns out that the legitimate behaviour of such applications is surprisingly finite, which it discovered after modelling this using its established Rapport browser protection system installed on 30 million PCs.
Trusteer’s enterprise security director Dana Tamir estimates that about 98 percent of the exploits encountered by Apex are connected to Java vulnerabilities, with most of the remaining 2 percent targeting Adobe software.
The software could also block malware that injects code into legitimate processes, an increasingly common tactic for hiding infection, as well as protecting against the exfiltration of data.
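What “stateful application control” amounts to in practice is easier to see in code. The following is an added example in Python, not Trusteer’s code and not a description of how Apex is implemented: each monitored application gets a profile of known-good behaviours (which child processes it may spawn, where it may write, where it may connect), anything outside the profile is blocked, and a small amount of per-process state carried between events lets a later decision depend on an earlier one, here by denying network access to any process that another process has written code into, which is the injection-then-exfiltration case the article mentions. All image names, paths, profiles and events are constructed sample data; a real agent would collect these events from a kernel driver or API hooks, which this example does not attempt.

```python
"""Toy model of 'stateful application control' (added illustration, not Trusteer's code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed behaviour profiles for the applications the article names.
# An action kind missing from a profile means "never allowed" for that application.
ALLOWLIST = {
    "javaw.exe": {
        "spawn":   {"java.exe"},
        "write":   {"C:/Users/*/AppData/LocalLow/Sun/Java/*",
                    "C:/Users/*/AppData/Local/Temp/*.tmp"},
        "connect": {"*:80", "*:443"},
    },
    "AcroRd32.exe": {
        "spawn":   {"AcroRd32.exe"},          # broker spawns its sandboxed renderer
        "write":   {"C:/Users/*/AppData/Local/Adobe/*"},
        "connect": {"*:443"},
    },
    "winword.exe": {
        "write":   {"C:/Users/*/Documents/*", "C:/Users/*/AppData/Local/Temp/*"},
        "connect": {"*:443"},
    },
}


@dataclass
class Event:
    pid: int
    image: str    # image name of the acting process
    action: str   # "spawn", "write", "connect" or "remote_write"
    target: str   # child image, file path, host:port, or target pid (as text)


class StatefulAppControl:
    def __init__(self, allowlist):
        self.allowlist = allowlist
        self.injected = set()   # pids that another process wrote code into

    def evaluate(self, ev: Event) -> Tuple[str, str]:
        """Return ('allow' | 'block', reason) for one observed event."""
        # Simplifying assumption of this toy: writing into another process's
        # memory is never legitimate, whoever does it. The target is remembered
        # as potentially compromised even though the write itself is blocked.
        if ev.action == "remote_write":
            self.injected.add(int(ev.target))
            return "block", f"{ev.image} (pid {ev.pid}) wrote into memory of pid {ev.target}"

        # Stateful rule: a process that has been injected into may no longer use the network.
        if ev.pid in self.injected and ev.action == "connect":
            return "block", f"pid {ev.pid} ({ev.image}) was injected; connect to {ev.target} denied"

        profile = self.allowlist.get(ev.image)
        if profile is None:
            return "allow", f"{ev.image} is not a monitored application"

        # Deny by default: only targets matching a pattern in the profile are legitimate.
        if any(fnmatchcase(ev.target, pat) for pat in profile.get(ev.action, ())):
            return "allow", f"{ev.action} {ev.target} is in the profile for {ev.image}"
        return "block", f"{ev.image} attempted {ev.action} {ev.target}, not in its profile"


def run(events: List[Event], allowlist=ALLOWLIST) -> List[Tuple[str, str]]:
    """Evaluate a stream of events in order against one shared state."""
    ctl = StatefulAppControl(allowlist)
    return [ctl.evaluate(ev) for ev in events]


# Constructed sample stream: normal activity, an exploited Java plug-in spawning a
# shell, a Reader exploit dropping an executable, then injection and exfiltration.
SAMPLE_EVENTS = [
    Event(100, "javaw.exe", "connect", "cdn.example.net:443"),
    Event(100, "javaw.exe", "write", "C:/Users/alice/AppData/LocalLow/Sun/Java/cache.idx"),
    Event(100, "javaw.exe", "spawn", "cmd.exe"),
    Event(200, "AcroRd32.exe", "write", "C:/Users/alice/AppData/Roaming/svchost.exe"),
    Event(300, "dropper.exe", "remote_write", "400"),
    Event(400, "explorer.exe", "connect", "203.0.113.7:8443"),
]

if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:5}  {reason}")
```

Two things in this toy carry over to any real product of this kind: the profile is a deny-by-default allowlist, so an exploit in Java that spawns a shell is blocked without any signature for the exploit, and the injection rule needs state across events, since the network connection on its own looks like ordinary browsing. Unmonitored applications are left alone here, which is also why the approach only works if the short list of profiled applications really does cover most exploitation.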
Given that the product is designed to run as a client on a PC, receiving whitelisting updates from a cloud service, isn’t this doing some of the job already carried out by antivirus software?
The company is not entirely unhappy to position Apex against antivirus software, seeing it as offering a form of endpoint protection that goes way beyond what traditional antivirus software is capable of.
Certainly, there is plenty of evidence that old-style antivirus protection no longer works well enough against attacks that target known and unknown software flaws, as many now do.
“Today, the weakest link is [still] the end user endpoint. Enterprises have tried to battle the problem but they have failed,” said Tamir.
“Our research shows that a lot of endpoints are not up to date with their patches.”
The problem is simply that many endpoints can’t be patched quickly enough, leaving them open to exploits that antivirus software was never designed to detect.
What is also likely is that mainstream antivirus companies and startups will jump on the same idea so Trusteer will find itself with competition in time.
Deployed either as a conventional install or, for mobile and remote users, as a download from a web portal, the protection could be used by enterprises with almost no overhead.
Trusteer wasn’t willing to give pricing, which would vary by volume, Tamir said.
The company admits it has seen interest from consumers for its software, but is likely to follow the model that worked for Rapport: let large enterprises offer protection to their customers if they think it worth doing so.