As part of my daily security readings, I came across application shielding. I had never really given much attention to the idea, but the basic premise is that rather than focusing on detecting the countless threats, application shielding aims to prevent malicious exploits from compromising computers through software vulnerabilities. I reached out to Pedro Bustamante, founder and CEO of ZeroVulnerabilityLabs (creators of ExploitShield), to find out more about his company's application shielding tool and how it fits into the security ecosystem.
Preamble: What is ExploitShield? Is it a single product or a group of services? According to your website there are security intelligence and software hardening services? How do these fit in?
Bustamante: ExploitShield is the name of the "application shielding" technology we have developed at ZeroVulnerabilityLabs. Even though it is currently only in beta, it has many potential applications such as products for consumers and companies as well as services. In terms of services, the technology itself can be implemented by other software vendors to protect their applications or it can be used as a web service to detect exploits and provide security intelligence to companies or researchers.
Question 1: What problems does ExploitShield address (malicious insiders, nefarious external actors, mistakes, drive-bys, targeted attacks, etc)?
Bustamante: According to various sources, the percentage of malware infections via exploit kit vectors is becoming more and more prevalent. Exploit kits implement exploits for various vulnerabilities such as Java, Flash, Shockwave, and Adobe, and they are very effective at infecting users, even those with the latest security updates and patches. With this in mind we have created ExploitShield Browser Edition to provide free protection against the plague of exploit kits so that they can be a little more secure while browsing the web.
ExploitShield Browser Edition, which is currently in beta, is helping us identify bugs in order to improve the application and its protections. With these improvements we are also working on ExploitShield Corporate Edition, which incorporates other shields such as for the Microsoft Office suite of applications and for other types of more advanced attacks. As such, the core engine for ExploitShield Corporate Edition is different to that of ExploitShield Browser Edition.
Question 2: What kind of security problems is ExploitShield not designed/intended for?
Bustamante: ExploitShield does not try to compete with any other security solution. Rather it is meant as a layered complement. For example, currently anti-malware solutions have to take care of many different infection vectors, while ExploitShield focuses only on the ones which we think are more prevalent and dangerous for consumers, companies, and organizations nowadays: the execution of payloads from vulnerability exploits. It is also worth noting that ExploitShield does not try to prevent other types of vulnerability exploits related to insufficient configurations such as directory traversals, XSS, etc.
Question 3: How would a company go about implementing ExploitShield solutions in a corporate setting? What sort of planning/architecture changes need to be carried out? Is enterprise integration a major undertaking? What is the architecture behind the solution? Is it installed on every computer (or is there a central server)?
Bustamante: Architecture-wise ExploitShield Corporate Edition incorporates more powerful protections as opposed to the free ExploitShield Browser Edition. ExploitShield Corporate Edition is a centrally managed solution. It needs to be deployed to each endpoint that the company wishes to protect. Through a centralized console, the administrator can view blocked attacks on any endpoint as well as manage the security policies of ExploitShield enterprise-wide.
Question 4: What makes ExploitShield unique? At a high level how does it "work"? Does it focus more on protecting vulnerabilities than identifying and preventing countless threats?
Bustamante: There are many really good security solutions and techniques on the market, such as sandboxing, white-listing, and exploit mitigation to name a few. One of the problems with many of these is that they require complex management or implementations. For this reason we felt that there was a need for an anti-exploit solution which was truly "install-and-forget" in order to protect users and companies without requiring them to be security experts. ExploitShield works without requiring signature updates to identify individual vulnerabilities or payload (malware) samples. It consists of a proactive way of blocking exploit payloads from executing on the attacked machine.
Question 5: What is the initial licensing plan/structure? Is this a solution that will be practical for organizations of all sizes? Small businesses? Or just major enterprises?
Bustamante: Our objective is to create different products for each market (consumer, SMB, and enterprise), each adapted to the needs of its segment. Of course we are currently still in technology beta phase, so it's a little early to discuss details of each of these implementations.
Question 6: What operating systems will ExploitShield be available for (Windows, Mac OSX, Linux flavours)? What about mobile devices (iPhone, Android)?
Bustamante: Currently we are focusing only on Microsoft operating systems but in the future we could investigate implementing our technology in different platforms.
Question 7: Is ExploitShield a disruptive solution - does it make other security solutions (such as antivirus) obsolete? Or is it meant to be used as part of a layered defence-in-depth security model?
Bustamante: ExploitShield does not make other security solutions obsolete by any means. It is meant as an additional security layer. Implementing a layered approach to security, knowing the limitations and shortcomings of each layer, is the best approach, and will be for a long time, to raising the bar against intrusions and infections. At the end of the day no security system is 100% and the real value of a security technology is measured hand in hand with the company behind it, its continued support of the technology and its customer service.
Question 8: Is it meant to be a "set it and forget it" product? Or is it actively providing customers with actionable security intelligence?
Bustamante: ExploitShield is meant to be a completely "install-and-forget" solution. Of course enterprises will want to customize and manage its deployment and configuration options, but from the perspective of end-users it is completely install-and-forget.
A technology to watch
I wish to thank Pedro for his cooperation in providing such detailed answers during our conversation. Application shielding is certainly an interesting concept, and while it is certainly not mature, given the rapid proliferation of threats, it may prove to be an important tool in the security defense arsenal.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.