New Feature Spotlight – Application Virtual Patching and Exploit Shield

By SentinelOne -

It’s widely known that patching is one of the most involved, time consuming tasks, that also poses a constant chase down for software updates. Moreover, some application simply cannot be patched in a given time frame although vulnerable (legacy software, custom apps, factory lines, complex dependencies), and even if one manages to have a squeaky clean environment, we need to remember that by definition a “zero-day” exploit, means that there is an exploit available for a vulnerability in a fully patched, up-to-date application! It’s time to take vulnerability management to the next level – moving from passive management – to active deflection.

 

Patching – Mission impossible

The importance of patching is critical – so why are we all still struggling to make sure all of our applications are up to date? One of the most common problems is the application update process. Seamless updates with full functional backwards compatibility is not an easy feat, and many enterprise applications struggle to provide seamless updates that minimize the risk to breaking functionality and/or affecting usability and productivity. There are often long test cycles before an application can be deployed enterprise-wide, and for these reasons alone – relying on software updates alone as a means to mitigate vulnerabilities is posing sometimes more business risk by itself.

Then, there is the question of identifying vulnerabilities.  Traditional approaches relied on scanning the network and databases for vulnerabilities and matching them to CVEs.  These scans are slow and result in lengthy and incomplete reports of vulnerabilities.

Even when a vulnerable application is identified, sometimes the time it takes to apply a patch is enough for an attacker to take advantage of the security hole. In practice, immediate patching is often done only in acute cases of a gaping hole with severe possible effects, while most less prominent applications will take a much lower priority in the patching cycle. Enter “Virtual Patching”.

 

Virtual Patching – Patch me if you can

Identifying vulnerable applications and patching them is an ongoing task. SentinelOne Virtual Patching gives you the ability to identify out-of-date applications (using our Application Inventory module), and immediately deploy and use multi-method monitoring to shield applications from exploitation attempts at multiple inflection points, even for legacy and old, unpatched applications with known or unknown vulnerabilities.

SentinelOne Virtual Patching dramatically reduces the attack surface for a vulnerable application or process and can alert on any modification to the memory space of a process. The Exploit-Shield Anti-exploitation policy can be applied in real time, to any machine or group on the network – and is effective immediately. Additionally, being a single, full-context agent, the SentinelOne platform also leverages its Behavior AI abilities to identify anomalies in application execution profiles and provides an additional layer of protection for any behavior or memory based anomalies, that deviates from the normal operation of an application.

How does it work?

SentinelOne Virtual Patching protects systems –

  1. Against exploitation of vulnerabilities using various common techniques like heap spraying, stack pivots, ROP, memory permission modification, process hollowing, ASLR violations, NULL page allocations, Shellcode redirection, etc.  This blocks the vast majority of attacks, but we recognize and acknowledge that there will be true 0-day vectors that are impossible to block.
  2. By preventing a successful attack/intrusion from inflicting damage.  Typically, an attacker tries the following techniques post-intrusion –
    1. Migrate to a service or other long running processes to maintain persistence.
    2. Shutdown the endpoint protect agent on the system after escalating privileges.  If successful, the attacker can exfiltrate data or even use this system as a bot.
    3. Writing malware to disk and setting it to auto-run, again, in an attempt to maintain persistence.
    4. Modifying code path of exploited application to capture credentials and exfiltrate data.
    5. Running powershell, wscript, python or ruby scripts using the scripting engines that come installed with the OS.  This approach is quite commonly used by Ransomware.
  3. The SentinelOne agent uses multi-layered AI-powered engines to detect all these types of persistence, process migration, system manipulation and data exfiltration attempts without using any signatures or requiring constant memory or disk scans.
  4. You can also use the integrated S1 Application Inventory report to identify out-of-date applications using near realtime data:

 

 

In this Video, we show you how SentinelOne Virtual Patching provides full visibility into an IE9 exploit attempt that tries to run a vb script –

 

One Platform – One Agent

  • Identify vulnerable applications
  • Prioritize risk
  • Deploy Virtual Patching policies to reduce attack surface and detect and prevent exploitation of vulnerable applications
  • Continue and patch applications with business continuity and usability in mind.
  • You can keep Virtual Patching on even if your applications are up-to-date, to protect from zero-day exploits.

  

Get Patching!

Existing S1 customer? Check your console for the Anti-Exploitation module.

Don’t have S1? Click here to try it out!

 

Additional Resources: