Google-Backed Security Technology ShapeShifter Changes Website Code to Thwart Attackers

Security threats are constantly evolving as new sophisticated methods for distributing malware emerge. Unfortunately, this can mean that the technology deployed by the average user is not equipped to detect and mitigate modern cyberattacks.

A new patent-pending technology by Shape Security that protects websites against cyberattacks aims to change that, using a method called real-time polymorphism.

Polymorphism is a common technique used by malware, enabling infections to bypass antivirus detection systems by changing their code every time a new machine is infected. Shape Security’s product, ShapeShifter, is a network security appliance that dynamically changes code on any website, removing the static elements that botnets and malware use in their attacks.

“Modern cybercriminals employ sophisticated attacks that operate at large scale while easily evading detection by security defenses,” Derek Smith, CEO of Shape Security said in a statement. “The ShapeShifter focuses on deflection, not detection. Rather than guessing about traffic and trying to intercept specific attacks based on signatures or heuristics, we allow websites to simply disable the automation that makes these attacks possible.”

ShapeShifter protects a website by changing its HTML, JavaScript or CSS code, so that attackers, rather than finding static, fixed elements to program an attack against, are faced with a “moving target, constantly rewriting itself.” Legitimate users continue to see the unchanged user interface.

“Shape is operating on a previously inaccessible layer of the security problem: the fact that everyone has a user interface, but user interfaces are inherently vulnerable to attacks from malware, bots and scripts,” Robert Lentz, former chief information security officer of the United States Department of Defense and member of the board of directors of FireEye said. “By preventing automation against a website’s user interface, Shape’s technology allows enterprises to block dozens of attack categories, such as account takeover, application DDoS, and Man-in-the-Browser, with a single product. This is not only a powerful new tool for enterprises but a potentially disruptive technology for multiple sectors of the cybersecurity industry.”

While security researchers are excited by the invention, Ron Austin, senior lecturer on computer security at Birmingham City University, told the BBC that given enough time, a hacker would be able to look for parts of the polymorphic code within the software that don’t change.
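The rewriting described above, and the caveat about parts that do not change, can be sketched in a few lines. This is an added illustration, not Shape Security's code or algorithm: the HMAC-based aliasing, the function names, the sample form and the field list are all assumptions made for the example.

```python
import hashlib, hmac, re, secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret
FIELDS = ("username", "password")      # constructed list of protected fields
# Constructed sample page, standing in for the origin server's response.
PAGE = ('<form><label for="username">User</label>'
        '<input id="username" name="username">'
        '<input name="password" type="password"></form>')
ATTR = re.compile(r'(\b(?:name|id|for)=")([^"]+)(")')

def alias(field, nonce):
    """Derive a per-response alias for a field name."""
    mac = hmac.new(SERVER_KEY, nonce + field.encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]

def rewrite(html, fields=FIELDS):
    """Return (rewritten_html, nonce_hex); names differ on every call."""
    nonce = secrets.token_bytes(16)
    mapping = {f: alias(f, nonce) for f in fields}
    swap = lambda m: m.group(1) + mapping.get(m.group(2), m.group(2)) + m.group(3)
    return ATTR.sub(swap, html), nonce.hex()

def restore(form, nonce_hex, fields=FIELDS):
    """Map a submitted form back to real names; reject unknown names."""
    nonce = bytes.fromhex(nonce_hex)
    reverse = {alias(f, nonce): f for f in fields}
    unknown = [k for k in form if k not in reverse]
    if unknown:
        # A client posting the static names never saw this response.
        raise ValueError("stale or static field names: %r" % unknown)
    return {reverse[k]: v for k, v in form.items()}

def skeleton(html):
    """Blank out attribute values to expose what the rewrite leaves fixed."""
    return re.sub(r'"[^"]*"', '""', html)
```

In a deployment the nonce would be held in server-side session state rather than handed to the client. `skeleton()` returns the same string for every rewritten copy of the page, which is the kind of unchanged element the caveat above refers to and what a defender evaluating such a product should review.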

Earlier this year, Shape Security secured $20 million in Series B financing, led by Venrock, and including Kleiner Perkins Caufield & Byers, Allegis Capital, Google Ventures, Google executive chairman Eric Schmidt’s TomorrowVentures, and former Symantec CEO Enrique Salem, according to a report by Dark Reading.

Organizations may be more reliant on innovative technology like ShapeShifter as they continue to see a shortage of cybersecurity professionals, making it difficult to keep up with attacks, according to a recent study by Cisco.
