Review: Zero tolerance malware and code blocking with Solebit

Jul 23, 2018 | 7 mins
Endpoint Protection, Security

By shifting malware detection away from signatures and behavior to whether any kind of code exists where it’s not supposed to be, the SoleGATE Security Platform from Solebit has the potential to disrupt both endpoint security and sandboxing.


The one thing that all malware has in common is that it’s composed of computer code. But in cybersecurity, so is everything else. Many companies have tried to make the distinction between good and bad code, whether by comparing samples to the signatures of known-bad files, running programs in a sandbox and watching what they do, or applying artificial intelligence and machine learning to behavioral analytics while examining how a file acts. None of those methods has been entirely successful, and some, like signature-based protection, are almost completely outflanked by today’s most advanced malware.

That is the environment that Solebit and its SoleGATE Security Platform are wading into. The company might just have found a foolproof way to identify malware, of any kind or flavor, known or unknown, and block it before it even gets into a network. It does this by taking a new approach to detection that ignores heuristics, behavior and signatures. It simply presumes that there is no legitimate reason for executable code to be present within a data file, and blocks entry to any file that breaks that zero-tolerance rule.

Skeptical IT administrators are given a dashboard that tracks every file and incident where Solebit acted to block access. Threats are identified by their type, such as code, malicious macros, micro-URLs, file execution or other programming exploits. Solebit breaks down the attacks, showing what the code would have tried to accomplish should it have been allowed to proceed. It even gives the exact code, line by line, of the exploit or malware.

[Screenshot: Solebit dashboard. Credit: John Breeden II / IDG]

Captured malware and malicious breach attempts are gathered in the Solebit dashboard. This data can be exported through an API to help improve other cybersecurity programs, or simply studied by IT teams for training purposes.

The interesting thing about Solebit’s show and tell is that it’s completely peripheral to the program’s operation. Because any code that the program blocked existed inside a data file, or was disguised as a data file, Solebit would have blocked it regardless of what it would have attempted to do if it got through. But because other cyber defenses might still have passed it through, especially in the case of something like a zero-day attack, Solebit company officials feel like they need to justify their program’s decisions. There is a practical reason to do this, because while the data about malware is provided as information within the dashboard, it can also be bundled into an API that can feed other defenses like firewalls or network sandboxes to help improve their accuracy rates.

[Screenshot: Solebit dashboard, zoomed view of captured attacks. Credit: John Breeden II / IDG]

Looking at all of the captured malware and intrusion prevention attacks can enable IT teams to discover if their organization is being targeted by hackers or campaigns.

Because Solebit operates at a network entry point, with the base installation consisting of a management console and a data handler, it can protect endpoints without the need for either agents or an active outbound connection. It can be installed to protect e-mail, or to provide security for cloud-based online services such as Dropbox and other file-sharing apps. For locking down e-mail, Solebit pricing is based on the number of seats. When protecting files coming into the network through other programs outside of e-mail, pricing is based on the number of files scanned per hour. It can also be installed to protect everything, which yields a discounted price based on volume.

The SoleGATE Security Platform was tested in a live environment where active threats were pouring in during the test period. That way we had access to both historical data on blocked threats and up-to-the-second program actions. Within this environment, Solebit was fed several types of difficult-to-classify threats, and plenty more came in unscripted to the live testbed.

There were a few that were particularly interesting. In one, a PDF file contained JavaScript code that was, on its own, not malicious. Instead, it was designed to assemble malicious code after landing inside a network, and presumably after passing through other security defenses such as network sandboxing. In fact, only four out of 50 antivirus and anti-malware programs flagged the code as malicious or suspicious when it was submitted to a multi-engine virus-scanning site. Solebit was able to show, step by step, how the code would have worked. Not that it needed this information: the fact that the code existed within the data file was enough to get it blocked.

[Screenshot: Solebit file explanation view. Credit: John Breeden II / IDG]

Though not a sandbox, Solebit is able to show exactly what a malicious file wanted to accomplish, and how it was designed to try and slip past defenses.

In another attempted attack, the advanced malware tried to use return-oriented programming (ROP), which would have abused the call stack to execute code that was already present in an endpoint’s memory, eventually opening a hole in the defenses for other malware. Some ROP attacks are very difficult to detect, and are in fact designed to get around signature-based and sometimes behavior-based defenses. But this one could not escape the fact that the code was hiding within what was supposed to be a non-executable data file, and so it was caught and rejected by Solebit.

[Screenshot: Solebit code view of a blocked file. Credit: John Breeden II / IDG]

Solebit can show the individual code that malware would have used if it had gotten past defenses. This can be used as evidence when Solebit blocks something that other defenses think is clean.

One might think that using such a heavy-handed kind of blocking defense would generate a lot of false positives, but that is not the case here. There is simply no legitimate reason why a company or organization would want to hide obfuscated, executable code within a data file. If for some reason they do, then specific sender and destination paths can be defined within Solebit to allow those transactions to happen, basically asking the program to ignore files traveling between specific senders and recipients.
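An added illustration of the zero-tolerance rule and the sender/recipient exception described above (example code written for this review, not Solebit's own): a simplified inspector that blocks a data file whenever it finds a marker of executable content, keeps the matched bytes for a "show the code" view, and lets a configured (sender, recipient) pair pass through. The sample files and the marker list are constructed for the example and are not real malware.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inputs: a benign PDF-like blob, one carrying a JavaScript
# action (the pattern from the review), and a ZIP-based document hiding a PE header.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (var a = unescape('%41'); app.alert(a);) >> endobj\n%%EOF")
DOCX_WITH_PE = b"PK\x03\x04" + b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

# Markers of executable content inside formats that are supposed to carry only data.
# Constructed, deliberately short list; a production scanner would parse each format properly.
CODE_MARKERS = {
    "pdf_javascript": re.compile(rb"/JS\b|/JavaScript\b"),
    "pdf_launch_action": re.compile(rb"/Launch\b"),
    "embedded_pe_header": re.compile(rb"MZ.{30,200}?PE\x00\x00", re.S),
    "embedded_elf_header": re.compile(rb"\x7fELF"),
    "embedded_script_tag": re.compile(rb"<script\b", re.I),
}

@dataclass
class Verdict:
    action: str                      # "block", "allow" or "allow (policy exception)"
    reasons: list = field(default_factory=list)
    snippet: bytes = b""             # first matched bytes, for the dashboard's code view

def inspect(data: bytes, sender: str = "", recipient: str = "", exceptions=frozenset()) -> Verdict:
    """Zero-tolerance rule: any code marker in a data file means block, regardless of intent.
    `exceptions` holds (sender, recipient) pairs that model Solebit's configured pass-through paths."""
    reasons, snippet = [], b""
    for name, pattern in CODE_MARKERS.items():
        match = pattern.search(data)
        if match:
            reasons.append(name)
            snippet = snippet or data[match.start(): match.start() + 60]
    if not reasons:
        return Verdict("allow")
    if (sender, recipient) in exceptions:
        return Verdict("allow (policy exception)", reasons, snippet)
    return Verdict("block", reasons, snippet)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("js_pdf", JS_PDF), ("docx_pe", DOCX_WITH_PE)):
        v = inspect(blob, "alice@example.com", "bob@example.com")
        print(f"{label}: {v.action} {v.reasons} {v.snippet[:40]!r}")
```

The snippet is what a reviewer would see in the dashboard; the verdict itself never depends on what the code would have done.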

[Screenshot: Solebit block decision with code-level explanation. Credit: John Breeden II / IDG]

Because Solebit considers all executable code inside data as malicious, it will block zero-day threats and other unknown malware, but does a good job of explaining why something was blocked, with transparency down to the code level.

While we didn’t see any false positives during our examination of the program, company officials said that the rate was around .0002 percent, only occurring when Solebit identifies code as executable that really isn’t. Given that hackers are attempting to make their code look that way, seeing something strange and flagging it makes sense as a possibility. Every time that occurs, clients who submit the error to Solebit can have it examined to improve the accuracy rate in the future. Company officials say their false positive rate was much higher three years ago when Solebit was being developed, but that it’s now extremely accurate at properly identifying executable code and ignoring irregular occurrences when something just looks like it.

It’s extremely rare for a cybersecurity program to emerge that could disrupt the status quo, but by shifting detection away from signatures and behavior to whether or not any kind of code exists where it’s not supposed to be, Solebit could become the new standard for either endpoint security or sandboxing. In the meantime, Solebit can be used to help train its would-be competitors, making them more accurate and better able to spot the hidden dangers lurking within seemingly benign files.