On Jan. 21, a new and until now secretive start-up created a loud buzz in the cyber security world when it unveiled a technology that takes a new approach to fighting malware attacks. It has the potential to cut global cyber attacks in half.
Shape Security is the first to attack the problem of hackers stealing information from large website servers containing critical personal information such as usernames, passwords, credit card and Social Security numbers. Instead of trying to detect bots or malware, the new technology disrupts the ability of hackers to steal such information with controlled bots.
"There are armies of 'bots' sitting on user machines that quietly take over for a few unnoticed moments, then go back to sleep," Shape co-founder Sumit (pronounced "summit") Agarwal said recently from the company's compact offices.
A botnet is a sprawling network of thousands of infected PCs or Web servers, referred to as bots. The top dozen or so cybercriminal rings command massive botnets, which increase their ability to carry out things such as spam scams, the booby-trapping of legit websites, and the hijacking of online financial accounts.
Botnets can't be stopped largely because the bad guys have mastered a technique called polymorphism, which continually changes or tweaks the underlying malicious code to stay a step ahead of the latest security systems, which monitor for known malware code.
"This problem (bots) is bigger today than it's ever been because every American household is wired," Agarwal said. After brainstorming with another security expert, they came to the conclusion that the key is to disrupt or block the ability to steal data from websites that bots have visited.
Simply put, Shape Security’s software creates a wall of confusion, so that malware or directed bots searching for fields such as username, password, Social Security number or credit card number can’t find them.
The software replaces the code of each field with constantly changing random code, preventing the malware from tagging the code that holds the real information. It is invisible to Internet users. Essentially, it blocks all commands from bots, malware and scripts to lift data.
Those rapid changes are called "real-time polymorphism," a technique traditionally used by malware to rewrite its code every time a new machine is infected. In a clever turn of events Shape turned this scrambling activity into a unique, proactive tool to stop hackers and organized cybercrime groups.
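The field-scrambling idea described above can be illustrated with a short added example; it is not Shape Security's code, and the article gives no implementation detail. The sample form, the `session` dictionary standing in for server-side session storage, and all function names are assumptions made for illustration.

```python
import re
import secrets

FORM_TEMPLATE = (  # constructed sample login form, not taken from any real site
    '<form method="post" action="/login">'
    '<input name="username" type="text">'
    '<input name="password" type="password">'
    '</form>'
)
SENSITIVE_FIELDS = ("username", "password")


def render_polymorphic(template, session):
    """Return the form with every sensitive field name replaced by a fresh
    random alias. The alias -> real-name map never leaves the server."""
    aliases = {}
    html = template
    for real in SENSITIVE_FIELDS:
        alias = "f_" + secrets.token_hex(8)  # new value on every render
        aliases[alias] = real
        html = html.replace(f'name="{real}"', f'name="{alias}"')
    session["aliases"] = aliases  # hypothetical server-side session store
    return html


def decode_submission(posted, session):
    """Map a posted form back to real field names. The map is single-use,
    so a replayed or hard-coded submission is rejected."""
    aliases = session.pop("aliases", None)
    if aliases is None:
        raise ValueError("no form was issued for this session")
    unknown = set(posted) - set(aliases)
    if unknown:
        raise ValueError(f"unrecognised field names: {sorted(unknown)}")
    return {aliases[name]: value for name, value in posted.items()}


def field_names(html):
    """What a script keyed on fixed field names would see in the page."""
    return re.findall(r'name="([^"]+)"', html)


if __name__ == "__main__":
    session = {}
    page = render_polymorphic(FORM_TEMPLATE, session)
    names = field_names(page)
    print("names served this time:", names)
    print(decode_submission({names[0]: "alice", names[1]: "s3cret"}, session))
```

A browser submits whatever names the page carries, so the user sees no difference, while a script written against `name="password"` finds no such field and a replayed submission fails because the alias map has already been consumed.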
"It can be a game-changer," said Gartner Research vice president Avivah Litan, a security consultant who previously was director of financial systems at the World Bank. "You don't run across something this radical very often."
Current security software is often handicapped because it fights reactively and is based on recognizing known malware coding. A new virus or bit of malicious software may not be discovered until long after it's begun to work.
While not discussed, it is highly probable that Homeland Security is interested in Shape’s new technology. Former Defense Secretary Leon Panetta, in a recent speech in San Jose, said the agency is hit with malware attacks more than 100,000 times each day.
Shape's software has been used for the past six months by about a dozen Fortune 200 companies, though the start-up isn't identifying them.
The question will be whether these beta testers and others will invest in this revolutionary software. The upfront investment could be more than $1 million. However, taking into account both the actual costs of a breach and the secondary financial costs attached to investigations, consumer ire, lawsuits or even an attack on a critical energy system, it might be both the preferable and the cost-effective choice.
"It's almost the wild west in security, because threats are happening at so many levels," said Daniel Ives, a security analyst with FBR Capital Markets. "Every enterprise and every government agency in the world is trying to figure out what's the next shiny toy in security software."
Another security expert has said that the Internet has badly needed something like this. Avivah Litan believes hackers eventually will find ways to outfox any new technology -- a point Agarwal also concedes. One would expect this forward-thinking company is already strategizing the next level of proactive technology.