For companies with data to protect, their primary problem is how cheap hacking can be.
While ‘hacking’ encompasses a wide variety of activities, one company is specifically tackling the botnet problem: The ability to use a network of linked computers to overwhelm a website or break into user accounts.
A denial of service attack is probably most well known kind of attack using botnets. For $200, you can put 10,000 computers around the world to work on whatever nefarious purpose you prefer.
Shape Security is trying to put a stop to that with a new product, unveiled today, called Shape Shifter. It is a “botwall,” a hardware device that companies plug into their server architecture to protect their data and users by automatically scrambling web application code when users try to access it.
Shape Shifter has been in trials with companies like StubHub, the online ticket re-seller, and Citigroup, whose head of security praised it for “turn[ing] the cost equation back around in the defender’s favor.”
“Today, it’s extremely cheap for an attacker to bring down a website,” says Shuman Ghosemajumder, the company’s product lead. The idea is to make hacking a human endeavor again: If bots won’t work, hackers will face more time and expense to do the dirty work themselves, or hire others to do it for them (Picture the gold farmers of World of Warcraft.)
Learning from hackers
“In the world of security, most people are trying to prevent something from happening…a lot of the engineering was, ‘how do I detect a bot or malware and prevent it from landing?’” says Ted Schlein, a former Symantec executive turned cybersecurity investor at venture fund Kleiner Perkins Caufield Byers. That approach doesn’t work any more. “You have to have a mental shift, ‘you know what, I give, they’re there, I’m going to render them ineffective.’”
People need to be able to get into secure web apps, whether at their bank or on Facebook. Unlike traditional applications, where hackers would need to reverse engineer the code to learn how it works, web apps need to put their source code front and center, so it can be interpreted by browsers. Hackers seeking to crack systems can look at that code and write scripts to exploit it—maybe they purchased some of the credit card info stolen from Target and want to make as many online purchases as fast as they can. Or perhaps, unbeknownst to you, some malware is tracking your keystrokes as you log into your bank account.
The challenge is allowing people in while keeping bots out. Current methods, including identifying IP addresses or limiting the number of times someone can log-in, are easily surmountable. So Shape decided to learn from hackers, and adopt a different defense. Many kinds of malware rely on code that changes its appearance to avoid detection by anti-virus software, a tactic called “polymorphism.”
Shape’s flagship product replicates the polymorphism effect in real time, but for web applications, rewriting the code each time a page is reloaded. That means that bots have no frame of reference when searching for vulnerabilities to exploit—instead of seeing a variable name like “username” or “password,” they see new names like “v6DbNQEs4z” each time the site is reloaded. The website looks the same to you and me, but the bots can’t pick the lock if they can’t find the keyhole.
The “mystery” start-up
Since the company was founded in 2012, it has raised $26 million in venture funding, including a round lead by Schlein, who joined the board, and Google Chairman Eric Schmidt. This, while the company’s product was working in “stealth mode”—no one knew what Shape was developing or if an actual product was forthcoming.
Whenever you hear about a company raising lots of money with no product, it hardly sounds good—think Clinkle, the Stanford payments start-up that raised both $25 million and the level of dysfunction in Silicon Valley. When I was first pitched on Shape, I thought it might be vaporware.
But it’s hard to argue with the staff the company assembled, among them CEO Derek Smith, who sold cyber security firm Oakley Technologies to Raytheon in 2007; Sumit Agarwal, Google’s first product manager; Michael Coates, the former head of security for Mozilla; and Ghosemajumder, who helped develop the technology that prevents Google ad click fraud.
Into the field
With the company’s product finally revealed, it will meet the most important test: Bad actors seeking to break it. Perhaps more sophisticated scripts could circumvent the polymorphism: I asked Coates whether a bot could somehow link to user prompts for information to the scrambled code behind the scenes, and he said that was the first thing Shape expects hackers to try—and that the company “will be ready with the next six or seven moves.”
If the botwall works as promised, Shape’s executives and investors predict large demand: Virtually any company doing business online—banks, retailers, social networks, the government, you name it—will want to protect against swarming online hackers, who cost American businesses as much as $100 billion each year.
The first-ever botwall could change the economics of hacking forever
No comments:
Post a Comment