Look for “What’s Not Right” Instead of “What’s Wrong”


In cybersecurity, we tend to focus on things that appear wrong, and act accordingly. For instance, if we detect someone inside our network who doesn’t belong there, we take steps to remove them, then determine and mitigate any damage they caused (or try to). We look for a specific action or event that is “wrong” and that dictates how we try to correct it. 

However – and stay with me here – if you only look for things that are not right, you only find things that are incorrect. 

I realize this seems like a very small distinction to make. But understanding this distinction is critical to your ability to implementing a wider and more effective range of detection and protection mechanisms.

When you search for things that are wrong, you have to know what to look for. That leaves the figurative door open for new threats you may not be aware of yet to slip past you. 

This is one reason why signature based anti-malware programs fail to detect new malware and require regular updates. They monitor for what they “know” is wrong, and that does not include new malware variants that are created every day.

Consider your organization’s accounting department and its focus on the proper categorization of monetary assets to ensure the books are balanced. If there are any discrepancies, they are quickly identified. They do not have to know the source of the discrepancy, just that there is a discrepancy. Then they can investigate and figure out the root cause, and that should not be too difficult. 

In the cybersecurity field, we typically don’t approach a problem in the same way because it’s usually too complicated to figure out the “Right Way” for things to happen. For example, when a user deletes a file from his PC’s desktop, he moves the mouse cursor over the file, selects it and sends it to the Recycle Bin. He doesn’t see how that procedure results in thousands of system calls happening in a specific sequence. 

If you can map how an operating system is designed to function, it becomes possible to detect whenever there is a deviation, and stop it from occurring.  It doesn’t matter what the wrong system calls might be; just that those system calls are not what occur during normal operations.

This is how Nyotron works. We have solved the issue of figuring out how an operating system functions. From there, it was just a matter of applying that knowledge to cybersecurity. Even when a new or unknown attack hits, it must touch specific areas of the OS and it will never be able to do so in a way that follows all the legitimate path(s). As soon as it deviates from the path, Nyotron detects and stops it. Additionally, Nyotron doesn’t interrupt the end user with notifications or alerts, and never requires regular updates against the enormous and ever-evolving cyber threat landscape. 

Again, this is a finite problem and the demonstration of a very complex and invaluable investment by Nyotron.

Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.