Review: Zero tolerance malware and code blocking with Solebit

By shifting malware detection away from signatures and behavior to whether any kind of code exists where it’s not supposed to be, the SoleGATE Security Platform from Solebit has the potential to disrupt both endpoint security and sandboxing.

malware attack

The one thing that all malware has in common is that it’s comprised of computer code. But in cybersecurity, so is everything else. Lots of companies have tried to make the distinction between good and bad code, whether by comparing samples to the signatures of bad files, setting programs into a sandbox and seeing what they do, or applying artificial intelligence and machine learning to behavioral analytics while examining how a file acts. None of those methods has been entirely successful, and some, like signature-based protection, are almost completely outflanked by today’s most advanced malware.

That is the environment that Solebit and its SoleGATE Security Platform is wading into. The company might just have found a foolproof way to identify malware, any kind or flavor, known or unknown, and block it before it even gets into a network. It does this by taking a new approach to detection that ignores heuristics, behavior or signatures. It simply presumes that there is no legitimate reason for executable code to be present within a data file, and blocks entry to any file that breaks that zero-tolerance rule.

Skeptical IT administrators are given a dashboard that tracks every file and incident where Solebit acted to block access. Threats are identified by their type, such as code, malicious macros, micro-URLs, file execution or other programming exploits. Solebit breaks down the attacks, showing what the code would have tried to accomplish should it have been allowed to proceed. It even gives the exact code, line by line, of the exploit or malware.

Solebit Dash John Breeden II / IDG

Captured malware and malicious breach attempts are gathered in the Solebit dashboard. This can be exported as an API to help improve other cybersecurity programs, or simply studied for training purposes by IT teams.

The interesting thing about Solebit’s show and tell is that it’s completely peripheral to the program’s operation. Because any code that the program blocked existed inside a data file, or was disguised as a data file, Solebit would have blocked it regardless of what it would have attempted to do if it got through. But because other cyber defenses might still have passed it through, especially in the case of something like a zero-day attack, Solebit company officials feel like they need to justify their program’s decisions. There is a practical reason to do this, because while the data about malware is provided as information within the dashboard, it can also be bundled into an API that can feed other defenses like firewalls or network sandboxes to help improve their accuracy rates.

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)