Enhancing IoT Cyber Resilience with Deterministic Protection
Leading cybersecurity company CrowdStrike and its Falcon platform are highly regarded for endpoint protection capabilities. However, the recent global outage has shown the inherent weaknesses of CrowdStrike’s constantly changing Endpoint Detection and Response (EDR).
The concept of EDR relies on frequent policy updates based on continuously discovered new attack patterns. This is a fundamentally flawed approach to addressing cyber threats, for two reasons:
- It requires frequent software updates, which may contain bugs that risk the systems’ business continuity. As CrowdStrike mentioned in its response: “there was a defect found in a Falcon content update for [MS] Windows hosts.”
- It is a reactive process, lagging behind hacker activities and trying to mitigate attacks that have already been launched.
Mission-critical applications that run as closed, predictable systems (such as airport and hospital servers, vehicle systems, medical devices, and printers) should be hardened to ensure they only run authorized programs and deterministically prevent any foreign code from executing.
Embedded cybersecurity solutions are called for, that address these challenges through deterministic protection. This approach eliminates the need for frequent policy updates, and it proactively blocks any attempts to run foreign code, or change/delete sensitive files. It ensures continuous protection and operational integrity, to provide a strong security posture while not being exposed to issues similar to the CrowdStrike disruption.
The needed solution has a number of key characteristics:
- Deterministic Protection: The local embedded solution operates independently to enforce security policies without requiring constant updates or connectivity. This ensures consistent protection and reduces the risk of disruptions caused by faulty updates.
- Automated Policy Generation and Enforcement: Unlike EDR endpoint protection solutions, deterministic protection automatically generates and enforces security policies for each device, ensuring that only authorized code and updates can run.
- Real-Time Anomaly Detection: Real-time monitoring detectors continuously analyze device behavior to detect fundamental anomalies that indicate attack attempts, such as excessive call or return, brute force passwords, command injection and more.
- Comprehensive Incident Response: In the event of an issue or attack attempt and local prevention, deterministic solutions provide detailed forensic data and collaborate closely with your security teams to resolve problems quickly and effectively.
As proven by the CrowdStrike incident, robust and resilient security measures are a top priority. Traditional endpoint protection solutions must be complemented by advanced features such as autonomous deterministic protection that ensure secure and reliable update processes.
Karamba’s portfolio of solutions provides this protection, and also supports fast recovery so that business continuity can be maintained even in the case of an incident.
