K2 Cyber Security emerges from stealth mode to present what it describes as the first deterministic approach for protecting hybrid clouds against sophisticated attacks-- a technology dubbed Optimised Control Flow Integrity (CFI).
As K2 puts it, CFI ensures an application executes only as designed, enabling real-time attack detection with no false positives, regardless of application patch status. The company adds dynamic, workload identity-based micro-segmentation prevents the lateral movement of threats. The technology finds use in two modules making the K2 security platform, Prevent and Segment.
Prevent provides real-time attack detection based on Optimised CFI technology. Unlike signature- and behaviour-based approaches to security, Prevent does not require prior knowledge of threats, meaning it can even protect an application against zero-day exploits. Thus, the system flags any attempt to execute a command violating software control flow as an attack. Prevent does not need any source code or instrumentation to secure software, and also works with legacy applications.
On the other hand Segment enforces the correct isolation of workloads, secures data in motion and prevents lateral movement of threats in hybrid cloud environments. It uses a dynamic workload micro-segmentation method assigning strong cryptographic identities to workloads that authenticate each other before permitting communication. Thus, firewall and segmentation policies governing said workloads are applied based on these identities instead of static IP addresses. Such an approach enables bi-directional security policy enforcement and correct isolation, with latency and inaccuracies brought about by monitoring-based application-level segmentation.
K2 says the platform prevents attacks in real-time on unpatched software, web applications and workloads running in VMs, containers or on bare metal. Prevent and Segment are available now.
