5 ways Nyotron are breaking the mould
During Infosec Europe 2017 I sat down with Nir Gaist, CEO of Nyotron, to discuss the company's new offering, Paranoid. Rather than looking at how a malicious actor gains access to a network, Paranoid looks at what a malicious actor does once inside the network and blocks accordingly. Because it works at that level, the platform can in principle block an unbounded range of actions by a malicious actor. Nir Gaist stated “Nyotron is really ambitious. It’s because we want to solve everything.” Nyotron faces some hard challenges, but we have pulled together five reasons why we think they are breaking the mould.
1 – A GPS for the OS
Paranoid detects and prevents malicious actors performing unauthorised actions by mapping the legitimate and illegitimate ways an action can be carried out on an OS. These actions include creating, deleting and even encrypting files. Nir Gaist referred to this as a GPS for the OS, and stated:
“You can look at it as a kind of GPS for the operating system: we map all the ways to get to the different places on the operating system. So if, for example, you want to delete a file in a legitimate way, you will take your mouse, you will point it at the file, you will right click it, you will get a context menu, and you’ll be asked yes or no. It may look like only a few steps to you, but at the operating system and kernel level there are hundreds or thousands of system calls representing this information. We precisely map all these flows. This way we don’t care what the attack is.”
2 – A Maverick of a security offering
The premise of the Paranoid platform could be categorised in a few ways. It could be described as a white-list, since it defines the actions users may take in terms of known, mapped flows. It could also be described as a behaviour-based IPS, since it actively prevents actions based on known behaviour patterns. The team at Nyotron, however, state that it fits into its own space, outside these categories. When asked, Nir stated:
“Both are right. It’s right to say white-list, it’s right to say behaviour. We will not use these terms as much as possible, but this is true. People will always try to put you in a category. So when you say white-list they have other companies in mind. We widely review the entire operating system and that’s the behaviour we’re looking at, but when you say behaviour people have learning in mind, they think ‘okay, you have to create a baseline’, but we don’t care what your organisation is doing; we don’t create a baseline of behaviour.”
3 – Keeping up with legitimate vendors over malicious actors
Most security offerings are limited by how long it takes the provider to update their system to recognise new attack vectors. Paranoid works slightly differently: its mapping is based on the vendor’s operating system rather than on the attacks. Nir described this as follows:
“What we do is to research the only thing that is actually finite in the industry. Threats are infinite, the vulnerabilities are infinite and it’s a losing war. This is because there are unlimited ways to get into a network. Attackers will, however, always want to eventually do the same thing. They will try to delete files, they’ll want to steal files, to create communications in and out. I’m not saying it’s a small list, but it is a finite list.
That’s our challenge: we obviously need to keep up with changes, exactly like an anti-virus, where they needed to keep up with all the virus variants. Our job is much easier because we follow normal behaviours. So when Microsoft changes something, we need to change something also.”
4 – Paranoid is a security compound not a security gate
Most typical security offerings, such as perimeter firewalls, NIDS and network load balancers, work on the idea of stopping external threats from reaching the internal network. Such a model works well until a threat slips through the perimeter. The team at Nyotron referred to such security tools as ‘gates’ and explained how Paranoid goes beyond them. Nir stated:
“We’ll protect even if it’s coming from the inside or the outside and, unlike most of the companies, even if it’s already in there we’ll know. Most technologies are like gates: they try to prevent the attack. The biggest problem with a gate is the fact that once you bypass the gate you are in and you can do whatever you want.
Our solution is not a gate at all in any sense. I mean there is no point when you bypass Paranoid, because we analyse every activity, so even if you managed to bypass us with one system call and manage to read some files, you then need to send them somewhere; we will analyse everything. That being the case, if the machines are compromised when you install Paranoid we will detect and prevent the next step of the attack.”
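The two ideas above, mapping the legitimate flows that lead to a sensitive action (section 1) and checking every step rather than acting as a single gate (section 4), can be sketched as a small matcher. This is an added illustration written for this article, not Nyotron's code, and the step names, flow map and traces are all constructed:

```python
"""Toy 'GPS for the OS': judge each sensitive action by whether the process
reached it along a pre-mapped legitimate flow, with no learned baseline.
Constructed illustration for this article; the step labels and flows are
invented stand-ins for UI events and kernel calls, not Nyotron's real map."""
from collections import defaultdict

# Sensitive outcome -> every legitimate ordered path that may lead to it.
LEGIT_FLOWS = {
    "sys.delete": [
        ("ui.context_menu", "ui.confirm_dialog", "sys.open", "sys.delete"),
        ("ui.recycle_bin_empty", "sys.open", "sys.delete"),
    ],
    "net.send": [
        ("ui.save_dialog", "net.connect", "net.send"),       # user-driven upload
        ("svc.scheduled_sync", "net.connect", "net.send"),   # known sync service
    ],
}

def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack, in the same order
    (other, unrelated steps may be interleaved between them)."""
    it = iter(haystack)
    return all(any(step == seen for seen in it) for step in needle)

def reached_legitimately(history, outcome):
    """Does this process's step history end in a mapped flow for outcome?"""
    return any(is_subsequence(flow[:-1], history[:-1])
               for flow in LEGIT_FLOWS[outcome])

def analyse(trace):
    """trace: list of (pid, step) events in order.  Returns the events that
    reached a sensitive outcome by an unmapped path and would be blocked.
    Every event is examined, so a later step (e.g. the outbound send) is
    still caught even when an earlier one was not."""
    history = defaultdict(list)
    blocked = []
    for pid, step in trace:
        history[pid].append(step)
        if step in LEGIT_FLOWS and not reached_legitimately(history[pid], step):
            blocked.append((pid, step))
    return blocked

# Constructed traces: an interactive delete through the shell, and a process
# that deletes, reads and sends data with no user or service step behind it.
USER_DELETE = [(100, "ui.context_menu"), (100, "ui.confirm_dialog"),
               (100, "sys.open"), (100, "sys.delete")]
WIPER_THEN_EXFIL = [(200, "sys.open"), (200, "sys.delete"),
                    (200, "sys.open"), (200, "sys.read"),
                    (200, "net.connect"), (200, "net.send")]
```

Running `analyse(WIPER_THEN_EXFIL)` flags both the direct delete and the later send, while the interactive delete passes, which is the "every step is judged on its path, not on a baseline" point of the interview.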
5 – A strong standalone
Diversity in defence, that is, deploying security offerings from a variety of vendors, is generally good practice, but it is sometimes practical or necessary to implement only one offering. In that situation it is important to choose an offering that covers as many bases as possible. The team at Nyotron believe Paranoid is one such offering, with Nir stating:
“There is obviously no 100% in this industry, but we believe that we’re one of the closest to it. Eventually the world will understand what it needs, and what it doesn’t. So if you install Paranoid alongside an antivirus, which is what most customers will do at the beginning, you will eventually notice that what the antivirus blocks we also block. While in turn the antivirus cannot block all the unknowns so eventually you’ll get rid of it. We believe that eventually we will help you get rid of almost everything on the endpoint except for Paranoid.”
There you have it: five reasons why Nyotron are breaking the mould. You can find out more about the company at nyotron.com.