HOPZERO: Providing Security at the TCP/IP Network Layer

HOPZERO

Bill Alderson, CTO Hopzero, HOPZEROBill Alderson, CTO
According to the founders of cyber security startup HOPZERO, the network-security industry has suffered considerably due to ineffective security solutions. As demonstrated by so many data compromises last year alone, security measures that were touted as “next-gen” or “bullet-proof ” failed to remedy the mistakes that were made behind the firewall, a flaw that could jeopardize an organization.

Realizing these inherent flaws, they decided to change the status quo by creating an effective data containment system. HOPZERO’s security solutions represent a stark contrast to that of their competitors. Instead of keeping hackers out of an organization’s data center HOPZERO keeps data inside the servers with a unique algorithm that imposes an absolute travel limit for critical business data and thereby prevents data leakage. HOPZERO can stop data travel at any router – it’s like placing a firewall right where it’s needed.

After years of research, the company successfully tested its solutions at JIFX (Joint-Interagency Field Experimentation) at the U.S. Naval Postgraduate School and went on to build prototypes for the defense sector. In this interview with “CIO Applications,” Bill Alderson, the CTO of HOPZERO, outlines the benefits of their flagship enterprise security product and their unique approach to achieve top-notch security.

Tell us more about your flagship enterprise security product?

The HOPZERO data exfiltration prevention system uses data containment to prevent data from traveling beyond a safe perimeter. We can show what data is leaking out of a company and set parameters to contain it. Our data containment capability makes us unique in the enterprise security arena.

Our technology works in stark contrast to conventional ways of firewall protection. Our flagship product detects data exfiltration across an entire enterprise and classifies data travel as safe or unsafe, depending on the location. After that, our exfiltration prevention system, called HOPSphere Radius Security, prevents data travel beyond a safe perimeter. Additionally, we have a visibility solution that monitors network traffic to detect attempts to breach the radius.

We achieve this by limiting the number of devices data will travel to by setting an appropriate HOP count. HOP count is a simple parameter every computer uses since the beginning of TCP/IP and the entire Internet. A HOP occurs when a packet of data is passed from one network segment to the next. The HOP count refers to the number of intermediate devices through which data passes, starting from the source to the eventual destination. If the HOP limit is less than the distance to the edge of the data center or enterprise, information cannot be directly accessed or exfiltrated. It’s as simple as that. Lower the HOP value – contain the data at the distance you choose.

How does the data containment work?

Each time a packet goes through a router, the value of the HOP count is decremented. When a router decrements the HOP limit to zero, the same router discards the packet and issues an alarm.

We limit data travel by managing packet lifespan. Setting the initial HOP limit shortens the distance a packet can travel before being discarded. This approach creates a short virtual leash, preventing data from leaving the network segment, data center, or enterprise.

Our technology works in stark contrast to conventional firewall protection. Our flagship product detects data exfiltration across the entire enterprise and classifies data travel as safe or unsafe, depending on location

For instance, if you are communicating with a server in Russia, the packet goes through the Internet, and the HOP count is decremented every time it goes through a router. We learn how many HOPs are necessary to keep data inside an organization’s data center.

We will then learn how many routers are there in the data center and set that server to the same HOP count. When the HOP count for that packet goes to zero, the data packet is unilaterally destroyed. When the packet is destroyed, the router simultaneously sends an alert message back to the data center. There are two advantages to this approach: 1) data cannot travel beyond the data center and 2) if someone tries to break into your most valuable HOPZERO protected server, we contain the data and alert the IT security team. HOPZERO catches phish and ransom attacks before they can reach valuable data, providing protection of data and alarms on any attempt to connect.

What makes your solution unique?

Our patent pending data containment and visibility solution make us unique. Our technology was appreciated by Vincent Cerf, the father of the Internet. He was surprised to know that HOP counts would be used to create a “clever” security perimeter solution. So, we built a whole suite of products that learn the HOP count and set a lower more appropriate value. The lower HOP value lowers the “attack surface” by reducing the number of devices that can reach or be reached by a vital server. A lower attack surface equates to much greater security.

Data containment is a powerful capability. But in order to implement our ground-breaking data containment solution, we need to generate statistics about HOPs and inform the customer where data travels. This is the visibility aspect of our solution. We show both sides of network devices on a map where the data travels. We can even show them where exactly the data travels inside the organization. They can even set limits for the path it takes inside the company. Effectively, clients get visibility into where their data is going, and we fix some constraints to the path it takes. That’s what our real flagship product does.

What are the features and functionalities of your product?

The very first thing our client might do is look at where their data is traveling on our portal. The portal shows the customer every available source where the data goes. The client can pick a source where they want to see where data is traveling. Automatic alarms tell security teams when valuable data is exfiltrating or even when an attempt occurs giving security professionals and executives confidence their data is safe.

In addition to that, the distinct dots on the map correlates to an IP address from where it’s coming. We can also show the customer the application protocol which is being used to communicate outside, like an Oracle or Microsoft SQL server. Moreover, our system automatically alerts on data packets that are at high risk.

What were the founding factors that led to the conception of your organization?

HOPZERO was co-founded by information security professionals who wanted to change the status quo of network security, to give security professionals a powerful, new tool for their toolbox. We realized existing solutions in the market were no respite for network security breaches, regardless of industry, geography, and budget. We brought our years of experience and innovation to address major challenges in the cybersecurity landscape.

Tell us more about the company’s track record and the future?

In the year 2020, we plan to move from on-premise to cloud and make our capabilities available to new industry segments. We currently serve both classified government and commercial organizations. Our products protect sensitive information such as employee PII, financial information, trade secrets, customer lists, and regulated information like PCI, FERPA, HIPAA, GDPR, and SOC2, to name some. Through our solutions, we intend to put hackers on notice by combining our experience, innovation, and tenacity.

Read Also

HOPZERO News

HOPZERO Officially Launches HopSphere Radius Security to Prevent Unauthorized Access to High-Value Servers

AUSTIN, Texas - HOPZERO Corporation (www.hopzero.com), pioneers of intelligent data containment based on routing distance, announced the availability of its flagship product, HopSphere Radius Security. Addressing challenges of insider abuse and compliance requirements, HopSphere Radius Security imposes absolute travel limits for data packets based on security policy and learning what distance is normal, allowable and safe.

Designed specifically for use by data owners and InfoSec managers, HopSphere Radius Security represents an agentless endpoint security solution that proactively identifies data compromises and prevents undetected exfiltration. Unlike firewalls that don't detect or stop data exfiltration and are prone to configuration error, HOPZERO proactively constrains information from traveling outside an organization's network by leveraging existing security and network infrastructure.

Available immediately, HOPZERO provides organizations continuous intrusion and exfiltration detection prevention with enterprise-wide visibility of all data travel, effectively eliminating threats to the most valuable data. Reversing the direction of IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), HOPZERO stops data from leaving an organization, as opposed to data entering an organization. HopSphere's Exfiltration Detection and Prevention System (EDS/EPS) complements IDS/IPS by providing a powerful data exfiltration security solution: https://hopzero.com/exfiltration-detection/.

"The data breach crisis grows increasingly worse, and traditional means of security have proven largely ineffective at stopping a determined cybercriminal, activist or rogue insider," said HOPZERO founder and CEO Bill Alderson. "HOPZERO utilizes immutable networking principles to effectively put high-value data on a leash and govern how far it can go. Unlike anything available, this method represents a whole new way of implementing security to safeguard valuable assets."

HopSphere Radius Security utilizes a unique approach to network security by setting data lifespan "hop" routing, limiting how far servers can reach or be reached. In networking, hop distance refers to the total number of routers, from source to destination, that a packet passes through. HopSphere Radius Security is designed to protect mission-critical systems.

These critical systems, such as high-value databases, are limited to communicate with only previously determined neighbors. By monitoring normal traffic, HopSphere Radius Security builds custom neighborhoods, keeping unauthorized users — even those within the company — out of protected servers. The product effectively cloaks the server, making it invisible and unapproachable to the would-be attacker, while sending an alarm to the security team detailing where the unsuccessful attack is coming from. The alarm captures the IP address of the attempting station (Threat of Phish), identifying the attacker and storing evidence of the attempt for remediation and potential legal action.

This method of reducing data travel distance results in fewer reachable devices, proven mathematically to shrink the potential attack surface. Accessibility to fewer global network devices means fewer hackers can reach, or be reached, by a target computer or server, improving security. Access to designated servers may be limited to a hop count or radius that only enables internal access or connections to a smaller "sphere of trust" — a fundamentally new approach to security. HopSphere Radius Security makes it impossible to access systems directly from outside the sphere of trust created by the lower packet lifetime.

"The HOPZERO product offers great value to organizations who are concerned about data loss," said Kerry Kelley, former CIO of U.S. Strategic Command. Now a private consultant working in the security industry, Kelley says, "With HOPZERO, the attack surface can be deterministically reduced and data fully protected using the novel approach of router hop count in a game-changing way of turning the tables on would-be attackers."

HopSphere Radius Security helps organizations assess risk and meet compliance requirements. With it, organizations can comply with privacy and data storage laws and regulations. For cloud environments, HopSphere Radius Security could be used to show where a cloud hosting company, CDN or other partner or provider is sending or storing an organization's data. Particularly useful is HOPZERO's one-click GDPR filter, which maps where any GDPR data is collected by an organization's servers. One GDPR compliance company, https://icomply365.com/, uses HOPZERO's solution to vet which servers are collecting information subject to GDPR.

HopSphere Radius Security is a cloud-based solution that applies standard routing principles and complements existing security and networking hardware without requiring changes to individual components. The system is easily implemented by the HOPZERO support team without the use of endpoint software agents. In an emergency breach situation, HOPZERO can have their system up and running in less than one hour to quickly identify potential hackers.



Featured Vendors