Security vendor SECDO has launched an anti-ransomware solution. The technology called IceBlock seeks to detect and contain ransomware before it spreads through an organisation. In doing so, SECDO says it can stop ransomware in its tracks. If successful, SECDO will find itself catapulted from a small security vendor to an acquisition target.
According to Shai Morag, CEO of SECDO: “Ransomware has become one of the most popular methods of attack, and has recently been used to target organizations that cannot afford to have a shut down in operations, such as hospitals, government agencies and banks. With SECDO’s anti-ransomware solution, we seek not only to provide an effective detection solution, but to couple this with our investigation and response platform, to prevent ransomware from spreading to other endpoints, thoroughly protecting the organization from infection.”
How does it work?
In response to some of our questions, SECDO says that it is using a combination of methods to stop ransomware. Part of that approach is to “continuously monitor activity in-memory.” This is something that is common across the security business. SECDO also looks at network traffic to detect calls to known command and control (C&C) servers.
Where this gets interesting is that SECDO is using techniques to ‘con’ the ransomware into acting. This is done through a variety of virtual traps that it deploys. Among those traps are: “objects and files that are not really there. If the ransomware tries to access or modify one of the virtual objects, SECDO automatically triggers IceBlock.”
IceBlock is the name for the remediation capability that stops processes in memory. When activated it makes sure that no physical files can be encrypted. This stops the ransomware owners from being able to demand a ransom to unlock files.
Locating the point of infection
It is not enough to stop one attack. The key for any successful security solution is to identify the root cause: the point at which the infection entered the enterprise. In medical terms this is referred to as patient zero. With the multi-layered nature of many cybersecurity attacks, identifying the source of an attack is not easy. This is often because the source machine was itself infected by another machine that was compromised in an earlier attack. That machine may not be the initial source vector for the first attack.
To identify the source machine, SECDO continuously analyzes the activity and builds causality timelines for any event, even across multiple hosts. Malware is increasingly taking advantage of peer-to-peer connections to spread. SECDO watches for lateral movement and uses that to track back to the root cause of the attack. This is done by holding up to 100 days of information on processes and threads on endpoints.
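The two ideas above, a decoy file that no legitimate program should touch and a causality chain that walks process parentage back across hosts to patient zero, are illustrated here in an added example that is not SECDO's code; the telemetry, decoy paths and process names are constructed for the demonstration.

```python
from typing import Optional

# Constructed sample telemetry (not SECDO data): process starts and file activity
# from two endpoints. "parent" is the (host, pid) that spawned the process, which may
# be on another host when it was launched remotely (lateral movement).
DECOY_PATHS = {
    r"C:\Users\alice\Documents\~canary_invoice.docx",   # hypothetical decoy file
    r"\\fileserver\share\.canary\budget.xlsx",          # hypothetical decoy file
}
EVENTS = [
    {"type": "process_start", "host": "ws-01", "pid": 100, "name": "outlook.exe", "parent": None},
    {"type": "process_start", "host": "ws-01", "pid": 200, "name": "winword.exe", "parent": ("ws-01", 100)},
    {"type": "process_start", "host": "ws-01", "pid": 300, "name": "powershell.exe", "parent": ("ws-01", 200)},
    {"type": "process_start", "host": "ws-02", "pid": 400, "name": "wmiprvse.exe", "parent": ("ws-01", 300)},
    {"type": "process_start", "host": "ws-02", "pid": 500, "name": "updater.exe", "parent": ("ws-02", 400)},
    {"type": "file_write", "host": "ws-02", "pid": 500, "path": r"C:\Users\bob\Documents\report.docx"},
    {"type": "file_write", "host": "ws-02", "pid": 500, "path": r"\\fileserver\share\.canary\budget.xlsx"},
]

def is_decoy_access(event: dict, decoys: set) -> bool:
    """True when a file event touches a decoy path. Any such access is an alert, since
    legitimate software has no reason to open an object that 'is not really there'."""
    return event["type"] in ("file_read", "file_write", "file_rename") and event.get("path") in decoys

def build_process_table(events: list) -> dict:
    """Index process-start events by (host, pid) so causality can be walked backwards."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process_start"}

def trace_root_cause(table: dict, host: str, pid: int) -> list:
    """Walk parent links from the triggering process back to the first process in the
    chain, crossing hosts when a parent lives elsewhere. Returns [(host, pid, name), ...]
    oldest first; an empty list if the process is unknown to the telemetry."""
    chain, key, seen = [], (host, pid), set()
    while key in table and key not in seen:      # 'seen' guards against cyclic telemetry
        seen.add(key)
        proc = table[key]
        chain.append((proc["host"], proc["pid"], proc["name"]))
        key = proc["parent"]
    return list(reversed(chain))

def analyze(events: list, decoys: set) -> list:
    """Return one alert per decoy access: the offending process, its causality chain,
    the patient-zero host and how many hosts were crossed. A real agent would also
    suspend the offending process at this point (the IceBlock step)."""
    table, alerts = build_process_table(events), []
    for e in events:
        if is_decoy_access(e, decoys):
            chain = trace_root_cause(table, e["host"], e["pid"])
            alerts.append({"trigger": (e["host"], e["pid"]), "path": e["path"], "chain": chain,
                           "patient_zero": chain[0][0] if chain else e["host"],
                           "lateral_hops": len({h for h, _, _ in chain}) - 1})
    return alerts

if __name__ == "__main__":
    for alert in analyze(EVENTS, DECOY_PATHS):
        print(alert)
```

The ordinary write to `report.docx` produces no alert; only the decoy write does, and its chain leads from `updater.exe` on ws-02 back through the remote launch to the mail client on ws-01.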
Visualising the spread of a threat
There is also a Visual Investigation platform. This helps determine whether the threat is present anywhere else in the organization. Visualisation can also help identify the spread of a threat, whether through infected files, peer-to-peer connections or other methods. What makes this important is that it can show when a threat has jumped from site to site. By using this approach, investigators can identify users who are acting as a transmission vector.
Identifying ransomware before it can infect any files is difficult. Security vendors are now beginning to develop a range of approaches but so far, none of them have proven foolproof. Almost all vendors accept that there will be some compromised files but work on the basis that a fast response is better than no response at all.
What SECDO is offering with IceBlock is different. The question is, will it be effective? At the moment we can only take their word for it. It will be interesting to see if they participate in any of the security software group tests that regularly take place. At that point we will get information from researchers as to whether IceBlock really is a ransomware killer.