Avivah Litan, Gartner Research VP and Distinguished Analyst, highlights Shape Security in her latest blog post.
To read more about her analysis on solutions for automated attacks, read below.
Gartner Research VP and Distinguished Analyst, Avivah Litan, mentioned Shape Security on her blog discussing the growing threat of automated attacks on websites. Shape Security has been mentioned in multiple other reports. The difference here is that this blog is publicly available to everyone (including those without a Gartner subscription).
According to Avivah:
[Shape Security is a] new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code).
In her blog, Avivah features Shape Security as a solution to these automated attacks. Specifically, she states that Shape’s polymorphic technology deflects malicious automation, preventing the attacks from executing at the point of entry. Deflection is better than detection – preventing an attack is better than finding the attacker ex post facto.
Today we launch the most advanced website defense.
We founded Shape Security two years ago to tackle one of the hardest problems in web security: how to protect the front door of modern websites. The pervasive rise of malware-infected desktops, botnets and automated attacks threatens the foundation of the new Internet economy. We realized this called for a new approach to security—one that dealt with the reality that we can never truly eliminate malware from the desktop.
The security industry has focused largely on preventing malware infections, yet has failed to protect websites against attacks from hundreds of millions of infected consumer computers. Our core strategy is to provide technology to protect websites even when they are serving infected desktops. In military terms, this is called “continuing to operate in a denied and degraded environment.” The ubiquity of malware-compromised desktops creates a degraded environment within which we must still find ways to enable everyday online activities like banking, shopping, socializing, and checking health records.
To accomplish these goals, today we unveil the ShapeShifter, a web security product that protects websites from malware, botnets and scripts.
Botnets: A Massive Criminal Infrastructure of Infected Computers
Today’s cybercriminals assemble massive networks of infected computers (botnets) to attack websites. Most security products fail to block such attacks because criminals are able to make their botnet-based attacks look like legitimate usage.
These botnets are the backbone for a wide variety of high-volume, automated attacks against websites. Some of these attacks are well-known, such as when banking botnets steal millions of dollars across many online banking sessions, or when bots abuse basic website functionality, crippling websites with traffic that is almost impossible to block. Other attacks are much more subtle but just as damaging. For example, a botnet can slowly test stolen usernames and passwords against an e-commerce site in order to take over millions of accounts and defraud end-users. In fact, the same underlying mechanism is likely how miscreants will turn the vast trove of over 100 million credit cards stolen from Target into money: they will use automated scripts running on botnets to purchase things like gift cards and other easy-to-sell goods from e-commerce websites.
Introducing the ShapeShifter
Many web attacks are only profitable if automated. Criminal enterprises pursue profit: without automated scripts, many of today’s attacks cease to be economically viable. Instead of constantly detecting and reacting to threats, the ShapeShifter targets the economics of web hacking, and makes the preferred approach of criminals, automation, too expensive. This provides broad protection from automated attacks against websites and represents a completely new approach to security.