Why Exposing Hypervisor APIs Is Your Next Best Move Against Targeted Attacks

Martin Zugec

April 05, 2017

Organizations have been facing an increase in sophisticated cyberattacks attributed to governments or corporate and financial espionage. What’s striking is that it takes companies an average of 5 months to detect a data breach, easily enough to incur even crippling losses.

Many of these breaches started with a zero-day vulnerability. After the initial breach, an attacker can remove his traces and make himself mostly invisible. Even if the zero-day exploit is later detected by traditional security solutions, the attacker is no longer visible, as he has already moved on to more concealed methods of access.

While the complexity of attacks rises exponentially, the security industry struggles to keep up. The complexity of these attacks needs to be addressed with a radical departure from traditional in-guest security solutions. While physical and virtual endpoints have benefited from both full and lite security agents tasked with scanning disk and memory to remove known malware, they can still fall victim to sophisticated, targeted attacks.

Among the biggest limitations to traditional approaches is that offloading VM security scanning relies mostly on disk sweeps and that these technologies are designed to combat common malware with predefined signatures. Even today’s more sophisticated next-gen endpoint tools might still fall prey to certain exploits of zero-day vulnerabilities and kernel bugs.


How Low Can You Go?

Virtualization and hypervisor technology have made it possible not only to lower operational costs and improve data center efficiency, but also to enable security from outside guest operating systems. Citrix XenServer introduced in 2016 a ground-breaking XenServer Hypervisor Introspection that takes a new approach towards protecting servers, applications and desktops from malware; it leverages the hypervisor to provide both isolation and full context of what’s happening inside VMs.

Citrix’s Direct Inspect APIs reside directly in the hypervisor layer, allowing security vendors to leverage them to defend against attack techniques (such as buffer overflows, heap spray, code injection and API hooking) rather than against individual malware samples. With more than 400,000 malicious samples emerging daily, reducing all of them to a handful of shared attack techniques is far more effective, as it can help defend even against unknown advanced attacks that share similar attack methods.

Bitdefender Hypervisor Introspection (BD HVI) instead looks for the tools and techniques attackers use. If someone new enters the bank with a fake mustache and a blowtorch, he is most probably not planning to open a new savings account.

In partnership with Citrix, Bitdefender is the only business security provider to have achieved a raw memory introspection technology that can use these unique APIs and look at unaltered, reliable memory pages to root out zero-days and deep threats that have so far hidden successfully at the OS level.

Unlike traditional security solutions, Bitdefender’s hypervisor introspection technology requires absolutely no agent running inside the VM. At the same time, it’s capable of watching the VM’s raw memory in real time. With isolation provided by the hypervisor and context given by raw memory analysis, Bitdefender’s hypervisor introspection technology can block malicious attack techniques before any malicious payload is deployed inside the guest VM. Malware running inside the guest machine cannot detect the presence of Bitdefender’s Hypervisor Introspection or that it’s being watched. It is impossible for it to hide from our technology, as Bitdefender Hypervisor Introspection leaves no footprint on the VM.


Why is This Revolutionary?

Traditional security solutions rely on in-guest operating system API calls and hooking to collect information about running applications and disk input/output. While running at ring 0 (kernel mode), advanced malware can sometimes avoid detection and feed the traditional security solution false information about the operating system.

This context problem has always been the Achilles heel of the detection of advanced threats, as traditional security solutions and advanced malware often fight for the same level of privilege – ring 0. Bitdefender’s hypervisor introspection technology changes and challenges traditional security by responding to advanced attacks from outside the operating system – ring -1.
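The following Python model is an added example, not code from Bitdefender, Citrix or the Direct Inspect APIs. It illustrates what a ring -1 monitor can do with the unaltered view of guest memory described above and with the technique-based detection described under "How Low Can You Go?": it receives page-access events from a (simulated) hypervisor, blocks writes to pages that should hold immutable code, flags execution from memory the guest has written since monitoring began (the pattern behind code injection and heap spray), and compares known function entry points in raw memory against their expected bytes to spot inline API hooks. Every address, byte pattern, class name and the event interface is a constructed assumption; a real introspection engine works from the hypervisor's own page-table (EPT) events and a far richer model of the guest.

```python
"""Toy model of out-of-guest (ring -1) memory monitoring.

Constructed example: the hypervisor, guest memory contents, addresses and
event interface are all assumptions made for illustration.
"""
from dataclasses import dataclass, field

PAGE = 0x1000


def page_of(gpa):
    """Guest-physical address of the page containing gpa."""
    return gpa & ~(PAGE - 1)


@dataclass
class PageEntry:
    """One guest page as the hypervisor sees it: permission bits plus raw bytes."""
    writable: bool
    executable: bool
    written: bool = False  # set once the guest writes to the page under monitoring
    data: bytearray = field(default_factory=lambda: bytearray(PAGE))


class GuestMemory:
    """Raw guest memory; nothing inside the VM can alter what read() returns."""

    def __init__(self):
        self.pages = {}

    def map(self, gpa, *, writable, executable, contents=b""):
        entry = PageEntry(writable, executable)
        entry.data[: len(contents)] = contents
        self.pages[page_of(gpa)] = entry

    def read(self, gpa, n):
        entry = self.pages[page_of(gpa)]
        off = gpa - page_of(gpa)
        return bytes(entry.data[off : off + n])


class Introspector:
    """Monitor living outside the guest. It only receives page-access events
    from the hypervisor and reads raw memory; it never executes in the VM."""

    def __init__(self, mem, code_pages):
        self.mem = mem
        # Pages that must stay immutable (loaded kernel/library code).
        self.code_pages = {page_of(g) for g in code_pages}
        self.alerts = []

    def on_write(self, gpa, data):
        """Hypervisor reports a guest write; return False to block it."""
        page = page_of(gpa)
        if page in self.code_pages:
            # An in-place patch of code is the signature of inline hooking.
            self.alerts.append(("WRITE_TO_CODE_PAGE", gpa))
            return False
        entry = self.mem.pages[page]
        off = gpa - page
        entry.data[off : off + len(data)] = data
        entry.written = True
        return True

    def on_exec(self, gpa):
        """Hypervisor reports an instruction fetch from gpa."""
        page = page_of(gpa)
        entry = self.mem.pages[page]
        # Simplified heuristic: running bytes the guest wrote at runtime,
        # outside known code pages, is how injected shellcode behaves.
        if entry.written and page not in self.code_pages:
            self.alerts.append(("EXEC_FROM_WRITTEN_PAGE", gpa))
            return False
        return True

    def check_inline_hooks(self, exports):
        """exports: {name: (gpa, expected_prologue)}. Compare raw memory with
        the bytes the function is known to start with."""
        hooked = []
        for name, (gpa, expected) in exports.items():
            actual = self.mem.read(gpa, len(expected))
            if actual != expected:
                kind = "JMP_REL32" if actual[0] == 0xE9 else "MODIFIED"
                hooked.append((name, kind))
        return hooked


def demo():
    """Constructed scenario: one immutable code page, one heap page."""
    CODE = 0x7FF6_0000_1000  # assumed address of a library code page
    HEAP = 0x0000_0123_4000  # assumed address of a writable heap page
    intact = bytes.fromhex("48895c2408")  # mov [rsp+8], rbx: a typical prologue
    patched = bytes.fromhex("e978563412")  # jmp rel32: already hooked before monitoring
    mem = GuestMemory()
    mem.map(CODE, writable=False, executable=True,
            contents=intact.ljust(0x100, b"\x90") + patched)
    mem.map(HEAP, writable=True, executable=False)
    mon = Introspector(mem, code_pages=[CODE])

    mon.on_write(HEAP + 0x20, b"\x90" * 16 + b"\xcc")  # guest fills heap, then
    mon.on_exec(HEAP + 0x20)                          # jumps into it: flagged
    mon.on_write(CODE, b"\xe9\x00\x00\x00\x00")       # hook attempt: blocked
    hooks = mon.check_inline_hooks({"ExportA": (CODE, intact),
                                    "ExportB": (CODE + 0x100, intact)})
    return mon.alerts, hooks, mem.read(CODE, 5)


if __name__ == "__main__":
    print(demo())
```

Because the monitor decides from the hypervisor's own copy of the page-table state and the raw bytes, a ring 0 implant cannot answer its queries with forged data the way it can with an in-guest agent's API calls; in practice the "written then executed" rule needs an allow-list for legitimate JIT compilers.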

Citrix and Bitdefender’s approach is truly immune to traditional attacks, offering zero-day protection that sits on top of existing security layers, and with minimal performance overhead, keeping consolidation ratios high in your data center.

This extra layer of security is also fully compatible with any in-guest security solution, fortifying existing security to include protection against any type of attack technique employed by targeted attacks or advanced persistent threats.

An industry first for virtualized infrastructure use cases (desktops, applications and server workloads), this combination is invulnerable to zero-day attacks or any other advanced threat that companies, organizations or data centers face.


Unprecedented Context and Isolation

Over the past few years, performance pressure has driven workload security to evolve into agent-based offloading, but it has not leveraged the virtualization context to improve the quality of the security service. Direct Inspect APIs are a revolutionary approach enabling true agentless protection and profound insight into guest workloads.

The key to this technology is the use of the hypervisor, which already knows how to isolate VMs from one another in a performant way, to provide a security virtual appliance with the context required to monitor critical memory activity inside the VMs it protects. Hypervisor-controlled strong isolation and the context offered by a security virtual appliance provide unprecedented insight into advanced threats.

For more information about Bitdefender Hypervisor or to request a demo, click here.



Martin Zugec

Martin is technical solutions director at Bitdefender. He is a passionate blogger and speaker, focusing on enterprise IT for over two decades. He loves travel, has lived in Europe and the Middle East, and now resides in Florida.
