Keep Malicious Applications from Compromising your Networks

When I was eight years old, my friend Scott and I crashed a wedding reception. Our families were on vacation together and our parents (perhaps unwisely) left us alone in the room while they went to the hotel bar downstairs. It was the 80s, we were in a hotel located in a safe neighborhood, security personnel were stationed at the front entrance, and our parents were just a pushbutton desk phone dial away.

Scott and I were well-behaved kids, but we also liked to have fun. On this particular evening, we’d seen the reception kicking off when we returned from dinner. Music! Dancing! Free soda! (Remember, it was the 80s.) We brazenly made our way down to the party and walked right in as if we belonged there, despite our non-festive attire and complete lack of connection to invited guests. Yet, we danced and drank the soda we were given at the open bar and not a soul questioned us.

It wasn’t until our parents walked by that we were discovered. The stakes weren’t terribly high, and we didn't get in trouble for our mischievous deed. What if, though, our intentions had been malevolent? What if we’d been older and had an ax to grind? What if we’d stolen decorations, eaten the $100-per-plate entrée meant for invited guests, or damaged the audio equipment? Our unauthorized access to a private environment wouldn’t have been such a funny incident.

This tale may be a humorous little anecdote, but imagine a parallel in the cyber security realm. Scratch that. If you’re a seasoned security professional, which I expected the majority of TAG Cyber’s readers to be, you live the parallel. You know that networks are vast, heterogenous environments connected by the processes and services that communicate over them. Software dominates server-to-server, host-to-host traffic, and that software may never communicate outside its perimeter, i.e., cross a traditional security barrier. Certain software may initially look like it belongs on your network (which might be a cloud or container environment), but its true identity may be that of a malicious entity.

Keeping the bad guys out

Aporeto entered the market in 2016 to give organizations a tool to quickly identify suspected gatecrashers (a.k.a., unauthorized applications and services). Speaking recently with Jason Schmitt, CEO, and Gregg Holzrichter, CMO, they shared that the keys to Aporeto’s solution are:

  1. Security for applications that is decoupled from network infrastructure
  2. Cryptographic workload identity
  3. Uniform, portable whitelist security policies
  4. Secretless, least-privilege access
  5. Zero trust principles: authenticate, authorize, and encrypt every communication, end-to-end

What makes Aporeto a little bit different than other products in the space is that, initially, Aporeto was built for containers. “A container is just another form of a Linux process to us,” said Schmitt. Of course that’s not entirely the case technologically, but tackling the ephemerality of containers first made the jump to cloud and on-premises environments a little easier. Consequently, the primary focus had to be the cryptographic identity of applications.

Schmitt explained how this works: “When a pod is created in Kubernetes, Aporeto automatically gathers attributes about the application service from the API to the cloud provider and Kubernetes. Based on these attributes, we automatically associate the correct policy.” What are the attributes that form an application's identity? Everything from system calls to operating environment, associated name spaces, UUID from the SMBIOS, processor information, checksum of the binary, library dependencies of the application, manifest data, run-time information, vulnerabilities (ingested from 3rd party scanners), and so on.

The identity of an application then becomes a cryptographically-signed JSON document that is used to verify for L3-L7 session handshakes. All managed applications pass a token before time-bound access is granted. If a token isn’t present or isn’t valid, access is denied. Easy.

Identity is a multi-faceted authentication mechanism

What I found particularly interesting about Aporeto after speaking with Schmitt and Holzrichter was that they really seem to grok that identity is a multi-faceted problem. Identity, in Aporeto’s case, is tied to software and services, but traditionally identity refers to users and devices—it’s simply a fact that most cyber attacks today start with a compromised endpoint.

To cover all their bases, Aporeto partners with several leading identity and access management (IDAM) vendors to layer device/person authentication on top of application identity and authentication. "Partnering with endpoint identity providers brings user context and user access claims into workload security directly. We get richer data and more context for app-to-app communications,” said Schmitt.

Aporeto operates entirely in user space, which makes it low friction, easy to deploy, and multi-platform, meaning, deployment and ongoing management looks the same whether you need to secure your apps in Docker, in an on-premises data center, or across multiple public clouds.

Finding compromised applications across highly-distributed, multi-platform ecosystems is a huge challenge for most organizations today. And picking out software that’s been updated versus software containing malicious executables is even harder—especially if you don’t know what an authorized “guest” looks like in the first place. Aporeto makes it easy for organizations to identify then authorize trusted entities and keep the bad guys out.

If you’re looking for a way to eliminate bad application communication on your networks, we recommend taking a look at the Aporeto solution.