Invary: Breaking the Cycle
What’s not working?
That is what we should be asking ourselves in the face of escalating cybersecurity attacks. Ransomware is on the rise, especially in higher education, healthcare, and local, state, and municipal governments. Data breaches [1][2][3][4][5][6][7][8][9] have grown so commonplace that most of us simply assume our data has been stolen multiple times, and our only hope is that our personal information isn’t singled out in the stack of billions of other records.
The cost of this invisible war is staggering. 60% of small businesses that suffer a cyber attack go out of business [10]. The average cost of a breach is $4.45M according to IBM [11]. Cyber insurance premiums are rising at an unsustainable rate [12]. The world spends more than 1% of our global GDP fighting these crimes.
I bet you glossed over those stats because you are so used to them (I don’t blame you). I’m not numb to them; they infuriate me.
Why is all of this still happening, especially given the sophisticated and innovative cybersecurity products on the market today?
We almost always approach security reactively.
I don’t just mean our processes or approach; I mean our tools and technology. Today’s solutions are built to react, giving threat actors an advantage. They are not to blame; the pace of innovation has made it nearly impossible to stay ahead of the threat actors.
I presented the following slide at a joint KU/FBI cybersecurity conference this past winter:
Of all my slides about Invary and our mission, this simple one resonated the most with the audience. We are constantly playing defense, and constantly losing to new threat innovation.
I know what you’re thinking: there are lots of examples of proactive security. Penetration testing, AI-driven <insert your favorite marketing acronym here> solutions, MFA, audits and compliance processes are all proactive, right? Nope, they are almost always reacting to, or trying to prevent, known threats. For an analogy, we are constantly looking for an evolving needle in an ever-expanding haystack. We can engineer ways to look for needles faster, but the pace of the haystack expansion makes that a losing game.
What should we do?
This is where Invary comes in: we flip the script. Invary performs Runtime Integrity validation, verifying systems are behaving as intended. Instead of looking for the needle in the expanding haystack, we validate the haystack is only doing what it was intended to do. Regardless of how a needle makes its way into the haystack, or what it’s doing while there, we know the haystack isn’t right. If a threat actor causes a system to deviate from its intended behavior, we know immediately.
Trusted mechanisms aren’t a new idea; secure boot technology is a widely deployed and proven example. Invary extends them to runtime. The concept of Runtime Integrity isn’t really new either, but it has historically been met with roadblocks that make it non-viable for production systems: bespoke kernels and performance and effectiveness problems. Invary solves these issues, allowing you to use the OS of your choice and effectively appraising systems with little to no impact on the performance of the system.
How does it work?
At a high level we capture a baseline of a known good system, continuously measure a target system at runtime, and appraise those measurements against the baseline, accounting for intended dynamic changes at runtime, to ensure the system is only doing what it was designed to do.
Our baselines are large graphs that describe the shape of the static and dynamic instructions and data structures that will be appraised at runtime. Essentially we map the intended invariances the developers design into the system. To use an analogy, if we apply our baseline process to the night sky, we record the relative position & movement of the stars (invariance) and the constellations they exist in (shapes).
We then repeat that process at runtime to obtain a measurement, with great care to not impact the mission or performance of the system being measured. The resulting graph is sent off-system for independent appraisal. We don’t just gather “signals”; we intelligently structure that data to create context.
The appraisal process ensures that sets of nodes in the graph have the expected shape defined by the baseline, and verifies the expected invariance of the system as the graph is traversed. Going back to our night sky analogy, we ensure the stars in the Big Dipper maintain their shape and relative positions.
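A simplified sketch of the baseline, measure and appraise loop described above, added here as an illustration; it is not Invary’s implementation. The node names, the `measure` and `appraise` helpers and the digest-plus-edge shape model are assumptions made for the example, and the measurements are constructed.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline: static nodes are pinned by digest, dynamic node kinds
# by shape (which node each labelled edge must point to).
BASELINE = {
    "static": {"kernel_text": digest(b"text-v1"), "file_ops": digest(b"fops-v1")},
    "shape": {"syscall_entry": {"handler": "kernel_text"},
              "open_file": {"ops": "file_ops"}},
}

def measure(static_blobs, dynamic_nodes):
    """Build a measurement graph: node id -> {kind, digest} or {kind, edges}."""
    graph = {n: {"kind": "static", "digest": digest(b)} for n, b in static_blobs.items()}
    for node_id, (kind, edges) in dynamic_nodes.items():
        graph[node_id] = {"kind": kind, "edges": dict(edges)}
    return graph

def appraise(baseline, graph):
    """Return a sorted list of deviations; an empty list is a passed appraisal."""
    failures = []
    for name, expected in baseline["static"].items():
        node = graph.get(name)
        if node is None or node["kind"] != "static":
            failures.append(f"{name}: static node missing")
        elif node["digest"] != expected:
            failures.append(f"{name}: digest differs from baseline")
    for node_id, node in graph.items():
        if node["kind"] == "static":
            if node_id not in baseline["static"]:
                failures.append(f"{node_id}: static node not in baseline")
            continue
        shape = baseline["shape"].get(node["kind"])
        if shape is None:
            failures.append(f"{node_id}: unknown kind {node['kind']}")
        elif node["edges"] != shape:
            failures.append(f"{node_id}: edges {node['edges']} do not match {shape}")
    return sorted(failures)

# Constructed measurements: the number of dynamic nodes may vary, their shape may not.
STATIC = {"kernel_text": b"text-v1", "file_ops": b"fops-v1"}
GOOD = measure(STATIC, {"sys_read": ("syscall_entry", {"handler": "kernel_text"}),
                        "fd3": ("open_file", {"ops": "file_ops"})})
TAMPERED = measure({**STATIC, "unknown_region": b"?"},
                   {"sys_read": ("syscall_entry", {"handler": "unknown_region"}),
                    "fd3": ("open_file", {"ops": "file_ops"})})

if __name__ == "__main__":
    print("good:", appraise(BASELINE, GOOD))
    for failure in appraise(BASELINE, TAMPERED):
        print("FAIL", failure)
```

The appraisal never asks what the unexpected node is or how it arrived; the redirected edge and the unbaselined node are each enough to fail it.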
If you want more detail, Invary’s CTO, Dr. Wes Peck, wrote a great article on how Invary works in the context of operating systems and a modern rootkit.
Runtime Security is gaining popularity in the buzzword-heavy space of cybersecurity. The idea is right on, but there is a difference between a system that provides you countless signals that you must interpret and Invary, which provides you clear & actionable intelligence about the integrity of your system at runtime. The decision-making process with Invary is simple: a failed appraisal is an obvious and high-priority threat. No thresholds, noise, guesswork, configuration, tuning, tweaking, or learning time required. This is what makes Invary’s Runtime Integrity solution a superior form of Runtime Security.
How did Invary get here? We are an interesting mix of experts in trusted mechanisms and operators of cloud-scale commercial platforms. This allows us to bring the experience of defending high-value commercial platforms together with the latest research in a way that works at scale. We stand on the shoulders of technology we license from the NSA’s Laboratory for Advanced Cybersecurity Research, and the decades of research and experimentation put into it.
We exist to protect organizations of any size, and our goal is to democratize security for all. No matter your size, we are here to support you. If you recently had a breach and want to verify an attacker isn’t dwelling, or simply want to know if your systems have integrity right now, you can utilize our free Runtime Integrity Score service to spot check your systems.
For more information check out https://invary.com and reach out to us at [email protected].
References
1. https://www.clickondetroit.com/news/local/2023/08/10/michigan-state-university-announces-third-party-data-breach-which-could-result-in-exposure-for-community/
2. https://www.local10.com/news/world/2023/08/10/northern-irelands-top-police-officer-apologizes-for-industrial-scale-data-breach/
3. https://www.wsmv.com/2023/08/09/letters-mailed-out-retirees-affected-by-data-breach-tennessee-consolidated-retirement-system/
4. https://www.bleepingcomputer.com/news/security/missouri-warns-that-health-info-was-stolen-in-ibm-moveit-data-breach/
5. https://healthitsecurity.com/news/vendor-data-breach-impacts-1.7m-oregon-health-plan-members
6. https://www.infosecurity-magazine.com/news/psni-security-data-breach-disclosed/
7. https://www.kctv5.com/2023/08/08/missouri-warns-data-breach-involving-medicaid-recipients/
8. https://gazette.com/news/education/colorado-students-records-exposed-after-massive-data-breach/article_81d01ec8-330d-11ee-a369-573fcb48d5b2.html
9. https://www.chicagotribune.com/business/ct-biz-lurie-patients-data-stolen-security-breach-20230808-xsdlhcyfkbfejjpvt5xrs7tggm-story.html
10. https://www.fundera.com/resources/small-business-cyber-security-statistics#:~:text=According%20to%20the%20US%20National,shutter%20within%20just%20six%20months.
11. https://www.ibm.com/reports/data-breach
12. https://www.bloomberg.com/news/articles/2023-06-14/cyber-insurance-premiums-surge-by-50-amid-ransomware-attacks