Importance of evasion resilient security architecture

Last week, I had the pleasure of presenting at the SCSP AI Expo in Washington, D.C. Many attendees were very interested in the concept of Evasion Resilient Security Architecture. I want to elaborate on how this architecture has been foundational to Stairwell from the beginning. It is more than just a guiding principle of our product; it’s a critical concept that I believe is essential to share within our industry.

So, what does “Evasion Resilient Security Architecture” actually mean? It means striving to create systems that are effective, robust, and opaque to adversaries, ensuring they cannot study and circumvent our capabilities.

Consider a hypothetical situation where a company is evaluating new endpoint antivirus options. They engage with top vendors, consult with their compliance and IT departments, and conduct thorough product evaluations. Despite this comprehensive diligence, they often miss a crucial question: How resistant are these products to evasion by sophisticated attackers? Could an adversary obtain these tools, reverse engineer them, and craft attacks specifically to bypass them? Thinking like an attacker isn’t optional; it’s necessary.

In “Star Wars,” once the Rebel Alliance had the Death Star plans, they identified its vulnerabilities and devised a plan to destroy the supposedly invincible space station. Imagine the advantage the Rebel Alliance would have if they had access to all schematics of the Death Star design in real time. In the cybersecurity world, the irony is that vendors might inadvertently assist attackers by selling them the very tools meant to defend others from them.

The discovery of Stuxnet in 2010 vividly highlighted this exact issue. Researchers reverse-engineered the malware and found it could evade detection from several endpoint security tools, from Kaspersky to Symantec to McAfee. Today, the ability for malware to evade detection has not only persisted but has become more common, even among ransomware and general commodity malware. The challenge isn’t the significant effort vendors put into product and engineering; it’s in how these products are distributed and function.

At Stairwell, we’ve built our platform from the ground up to be highly resilient against such threats. We collect every unique executable and executable-like file from every machine across an enterprise and store them in perpetuity in an immutable vault on our cloud platform. All analysis, scanning, processing, and decision-making occur out of band.

While an adversary might reverse engineer conventional security products to bypass them, our approach leaves nothing to evade—every such file is collected. I often say, “No piece of dust can selectively evade a vacuum cleaner!” With Stairwell, analysis occurs without feedback to endpoint devices; there’s nothing for an adversary to reverse engineer or test their tools against. Moreover, rapid iteration of file variations would trigger our variant discovery systems, spotlighting any attempts to actively probe our analytic capabilities. While an adversary would learn nothing from us, we would gather insights from each evasion attempt, effectively turning the tables on them!
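The following Python sketch is an added illustration and not Stairwell's code, nor a description of how its variant discovery actually works. It shows the shape of an out-of-band pipeline as described above: a content-addressed, append-only vault plus a detector that flags a host submitting a burst of near-identical files, the footprint left when someone probes the analytics with rapid variant iteration. The byte 4-gram similarity measure, the thresholds and all sample data are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample feed of (timestamp_s, host, file_bytes) as a collector might
# emit them; every value here is invented for this example.
BASE_IMAGE = bytes(range(256))                  # stand-in for a packed executable
SAMPLES = [
    (0,  "ws-benign", b"MZ-benign-tool-one-" * 8),
    (10, "ws-probe",  BASE_IMAGE + b"v1"),      # four near-identical variants ...
    (25, "ws-probe",  BASE_IMAGE + b"v2"),      # ... submitted within one minute
    (40, "ws-probe",  BASE_IMAGE + b"v3"),
    (55, "ws-probe",  BASE_IMAGE + b"v4"),
    (60, "ws-benign", b"ELF-benign-tool-two-" * 8),
]

class ImmutableVault:
    """Content-addressed, append-only store: a digest is written once, never overwritten."""
    def __init__(self):
        self._store = {}
    def put(self, data):
        digest = hashlib.sha256(data).hexdigest()
        self._store.setdefault(digest, bytes(data))   # resubmission is a no-op, not a rewrite
        return digest
    def get(self, digest):
        return self._store[digest]

def ngrams(data, n=4):
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a, b):
    """Jaccard similarity of byte 4-gram sets: a crude, assumed stand-in for a real variant feature."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 1.0

def find_probing_bursts(events, vault, window=300, min_sim=0.8, min_count=3):
    """Flag hosts that submit >= min_count mutually similar files within `window` seconds.
    Returns {host: set_of_digests}. Analysis reads only from the vault; nothing goes back
    to the endpoint, so the submitter learns nothing from the verdict."""
    by_host = defaultdict(list)
    for ts, host, data in sorted(events):
        by_host[host].append((ts, vault.put(data)))   # collect everything, dedup by hash
    flagged = {}
    for host, subs in by_host.items():
        for i, (t0, anchor) in enumerate(subs):
            cluster = {anchor}
            for ts, digest in subs[i + 1:]:
                if ts - t0 > window:
                    break
                if similarity(vault.get(anchor), vault.get(digest)) >= min_sim:
                    cluster.add(digest)
            if len(cluster) >= min_count:
                flagged.setdefault(host, set()).update(cluster)
    return flagged
```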

True Evasion Resilient Security Architecture offers a strategic advantage that few defenders have ever experienced—the literal high ground. At Stairwell, our goal isn’t just to reclaim the high ground for you; we aim for you to hold it indefinitely. Even if Stairwell isn’t in your immediate purchasing plans, we encourage you to question your current vendors on how they handle active adversary evasion. This not only strengthens your security posture but also ensures that your defenses remain as dynamic and resilient as the threats they aim to thwart.
