SE-OPS Ransomware Detection/Prevention Technology and Philosophy
SE-OPS technology and philosophy about Ransomware protection is unlike anything else. It is based in what we call the “Common Sense Actions™” (CSA) that are routinely performed inside a computing device. Our philosophy about Ransomware Protection is that it is infinitely more effective to stop “Harmful Activities” on a computing device than it is to attempt to detect tens of Millions of variants of “Cyber-Threats”.
Comparing Cyber-Threats to Harmful Activities
A Cyber-Threat is exactly that: a threat to the device or system. These threats come in millions of variants, most of them created by an actor with the intent to damage the system, infiltrate and lock down critical processes or information, or capture and steal critical data. A Cyber-Threat is “the possibility of a malicious attempt to damage or disrupt a computer network or system.” And there are millions of variants currently in existence and millions more on the way.
A threat becomes a Harmful Activity once its payload has been activated or executed and begins to adversely affect the device or system. A Harmful Activity is “energetic action or movement, causing or capable of causing harm.” This activity is at the core of SE-OPS Ransomware Protection.
Our philosophy toward Ransomware Protection is actually very simple. Attempting to detect a threat, in its myriad, rapidly mutating forms, is far less effective than detecting the initiation of a Harmful Activity. In essence, a threat is only benign code until it executes a payload and becomes a Harmful Activity. Prior to activation, it does nothing to injure the device or system.
Detecting a Harmful Activity is infinitely more precise than attempting to detect a threat. A Harmful Activity is specific in its logic and intent. It is easily identifiable as an activity that falls outside of any Common Sense Action which would be performed by a computing device. By contrast, a threat may take many forms, including being cloaked in encryption, masking its true intent. It will likely not be detected until AFTER it executes its threat payload, which means any threat detection has failed in its mission to protect the device or system/network.
Detecting and blocking Harmful Activity is a much more effective and logical approach to Ransomware Protection than any other type of Behavior Based Threat detection. It is based on “Common Sense Actions™” as explained below.
Common Sense Actions Explained
There are certain processes that Ransomware and Keylogging execute that are not “Common Sense Actions™” inside a computing device. There are very basic, simple actions common to all types of threats that must happen before a threat can execute an effective attack. For instance, not all Ransomware is based on file encryption. Some Ransomware only locks up the Windows boot.ini file or other critical system files. (Anti-Ransomware that detects only file encryption, or attacks on “bait files”, will not detect this activity.) Because locking up critical system files is not a “Common Sense Action”, SE-OPS will stop this activity and notify the user of the threat immediately. This is just one example of hundreds of “Non-Common Sense Actions” that SE-OPS will recognize and stop.
“Common Sense Actions™” are, simply put, the normal behavior of the computing system; any behavior that falls outside of that norm is not a Common Sense Action. These actions are determined by observing the computing system and determining how it normally works. Any activity which falls outside of that normal behavior is detected and blocked by SE-OPS technology, and the user is notified and allowed to remove the associated threat.
Will there be some “false positives”? Yes, a few. But we believe that most users and IT Managers will agree that dealing with a few false positives is much better than dealing with a Ransomware infection or losing all of your critical login information to a Keylogger. Besides, once you allow a legitimate program to run, it won’t pop up again.
So, what happens when hackers release the next iteration of threat technology? (And, trust us… it’s coming!) There will be millions of undetected infections worldwide until the new threat can be assessed and new blocking technology created. Exempt from this, of course, will be SE-OPS users.
SE-OPS “Common Sense Actions™” Detection Development Theory
Most Behavioral Analysis malware detection software developers utilize a process wherein they evaluate existing threats and compare the threat’s basic interaction and delivery processes with the systems they infect. They then use the information gathered to create their prevention strategies and technology. We note several issues with this methodology, primarily that this detection method is based on EXISTING, KNOWN threat technology, and that the creation process is extremely lengthy and cumbersome.
Most Threat Detection developers believe that ALL forthcoming threats will use existing technology in one form or another. They couldn’t be more wrong. Only by detecting activity that falls OUTSIDE of “Common Sense Actions™” can a cybersecurity product have the best likelihood of detecting a new threat. This practice is not “Whitelisting”... far from it. This is a radical new process for detecting aberrant behavior in computing systems, not just allowing only specific types of behavior from a whitelist to be executed, as is the case with most other cybersecurity software.
SE-OPS “Fail-Safe” Technology
In addition to the CSA detection system, SE-OPS contains an exclusive “Fail-safe” technology that prevents the encryption of multiple files/folders and/or multiple changes to any file extension. In the unlikely event that the Ransomware execution was undetected by the behavioral analytics engine, it is impossible for any Ransomware to infect/encrypt multiple files without triggering the fail-safe. Users may still encrypt data with their approved encryption products. SE-OPS will determine that there is a valid encryption process in use, and allow it to execute… within reason, of course.
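The two detection layers described above, the Common Sense Action rule (a critical system file such as boot.ini being rewritten is never normal) and the fail-safe (a burst of extension changes or ciphertext-like overwrites from one process), can be illustrated with a small event monitor. The following is an added example, not SE-OPS code; the event format, the rule names, the thresholds, the protected-file list beyond boot.ini, the approved encryptor name and all sample processes are assumptions constructed for the illustration.

```python
"""
Toy "Common Sense Action" monitor (added example, not SE-OPS code).
It judges file-system events by whether they are normal for the machine
rather than by matching known ransomware, and adds a fail-safe that trips
on a burst of extension changes or high-entropy overwrites from one process.
Event format, thresholds, rule names and sample processes are assumptions.
"""
import math
import os
from collections import defaultdict, deque

# Critical system files no ordinary program rewrites (boot.ini is the page's
# example; the SAM hive is an added, assumed one).
PROTECTED_FILES = {r"c:\boot.ini", r"c:\windows\system32\config\sam"}
APPROVED_ENCRYPTORS = {"approved-crypt.exe"}   # user-approved tools (constructed)

WINDOW_SECONDS = 10          # sliding window per process (assumed)
MAX_EXT_CHANGES = 5          # renames that change the extension (assumed)
MAX_HIGH_ENTROPY_WRITES = 5  # overwrites that look encrypted (assumed)
HIGH_ENTROPY = 7.5           # bits per byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extension_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


class CsaMonitor:
    def __init__(self):
        self._ext_changes = defaultdict(deque)     # pid -> event timestamps
        self._entropy_writes = defaultdict(deque)  # pid -> event timestamps
        self.alerts = []                           # (pid, rule, path)

    @staticmethod
    def _count_in_window(dq, now):
        dq.append(now)
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def handle(self, ev: dict) -> str:
        """Return 'allow' or 'block' for one event, recording any alert."""
        pid, path = ev["pid"], ev["path"].lower()
        # Rule 1 (CSA): rewriting a critical system file is never normal,
        # whether or not any encryption is involved.
        if ev["op"] in ("write", "rename", "delete") and path in PROTECTED_FILES:
            self.alerts.append((pid, "protected_file", path))
            return "block"
        # An approved encryption product may legitimately touch many files.
        if ev["image"].lower() in APPROVED_ENCRYPTORS:
            return "allow"
        # Rule 2 (fail-safe): burst of extension changes from one process.
        if ev["op"] == "rename" and extension_changed(path, ev["new_path"]):
            if self._count_in_window(self._ext_changes[pid], ev["t"]) > MAX_EXT_CHANGES:
                self.alerts.append((pid, "mass_extension_change", path))
                return "block"
        # Rule 3 (fail-safe): burst of overwrites with ciphertext-like content.
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            if self._count_in_window(self._entropy_writes[pid], ev["t"]) > MAX_HIGH_ENTROPY_WRITES:
                self.alerts.append((pid, "mass_high_entropy_write", path))
                return "block"
        return "allow"


def replay(events):
    """Run events through a fresh monitor; return (decisions, alerts)."""
    mon = CsaMonitor()
    return [mon.handle(e) for e in events], mon.alerts


# Constructed sample events.
PLAIN = b"quarterly figures, see attached. " * 40
CIPHERTEXT = bytes(range(256)) * 4   # every byte value equally often: 8.0 bits

SAMPLE_EVENTS = (
    [{"t": 0, "pid": 100, "image": "office.exe", "op": "write",      # normal save
      "path": r"c:\users\a\docs\q3.docx", "data": PLAIN}]
    + [{"t": 1, "pid": 200, "image": "update.exe", "op": "write",    # boot.ini rewrite
        "path": r"c:\boot.ini", "data": PLAIN}]
    + [{"t": 2 + i * 0.3, "pid": 300, "image": "svc.exe", "op": "rename",   # 6 ext changes
        "path": rf"c:\users\a\docs\file{i}.docx",
        "new_path": rf"c:\users\a\docs\file{i}.docx.locked"} for i in range(6)]
    + [{"t": 5 + i * 0.2, "pid": 301, "image": "svc2.exe", "op": "write",   # 6 ciphertext writes
        "path": rf"c:\users\a\pics\img{i}.jpg", "data": CIPHERTEXT} for i in range(6)]
    + [{"t": 8 + i * 0.2, "pid": 400, "image": "approved-crypt.exe", "op": "rename",  # approved
        "path": rf"c:\users\a\docs\doc{i}.xlsx",
        "new_path": rf"c:\users\a\docs\doc{i}.xlsx.enc"} for i in range(8)]
)

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{d:5} pid={ev['pid']:<4} {ev['image']:<20} {ev['op']:<6} {ev['path']}")
    print("alerts:", alerts)
```

Running the block replays the constructed events: the single document save is allowed, the boot.ini write is blocked on the first event regardless of count, the sixth extension change and the sixth ciphertext-like overwrite trip the fail-safe for their respective processes, and the approved encryption tool is allowed to rename all eight files. A real monitor would need a kernel-level file-system filter to observe these events and to block them before they complete; the thresholds here are only a starting point and would be tuned against the observed baseline of the machine, which is what the page's "observing the computing system" amounts to.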
Why is it Smart to Protect a System from Ransomware at the Device Level?
This is a question that we get frequently when talking to potential clients. Again, we like to keep the answer simple. Single or concentrated points of cybersecurity within a system are easy targets for cyber-criminals. Protecting each device individually spreads the cybersecurity across many points within the network.
Single Points/Concentrated Points of Cybersecurity Failure
Certain components inside of a network or system should be regarded as either single points or concentrated points of cybersecurity failure. Common among those are Firewalls and security appliances. These devices concentrate cybersecurity into a very small and defined space, which intruders/hackers love. These cyber threat counter-measures are focused, easy to locate, and generally operate on well-known technology which is subject to multiple, readily available, known exploits. This means that hacking a single point, or in the case of multiple Firewalls and appliances, concentrated points of security, gives the intruder full access to all devices under their protection once the exploit is implemented.
Moving cybersecurity protection to the device level makes defeating the security of an entire network or system much more time-consuming and difficult. And we know that most hackers/intruders are generally lazy, or at least focused on the greatest return on their effort. If there is too much effort involved in hacking one system, they will simply move on to the next, where there is less security.
Detecting or Disabling the SE-OPS Anti-Ransomware Software on a Device
Because most Ransomware attacks are dependent upon many types of unreliable delivery systems, generally involving some interaction with users, there is little expectation that the threat payload will always be executed, and that the Ransomware attack will be successful. The intruder or hacker who has created or distributed this Malware has no “expectation” that the attack will actually be triggered by a specific action within the intended target’s system within an allotted time.
SE-OPS’s passive nature is undetectable by the Ransomware payload, and when an attack is thwarted, the Ransomware creator does not know why. Cyber-criminals know that sending a successful Ransomware attack into a certain internet web space, IP range, email system, or network is not an exact science. Because Ransomware attacks are generally not monitored to their endpoint, it is highly unlikely that a cyber-criminal will pursue the reason for a delay in payload execution and discover SE-OPS on the attacked devices. It is even more unlikely that they will determine exactly what technology derailed the attack. The attacker will usually just move on to another target.
SE-OPS cannot be disabled without direct, local administrative authority. Attempting to disable it with Ransomware or remotely will result only in SE-OPS blocking the attempt and/or reinstalling itself immediately.