IBM Security Global Forum

NanoOS a differentiated approach to security of Windows devices

By PATEL MILAN posted Tue February 14, 2023 10:49 AM

Contrary to popular belief, NanoOS is not an endpoint agent of ReaQta. It is a component of the ReaQta endpoint agent that runs in the hypervisor space of an endpoint device. The host operating system (Windows) runs on top of this component of the ReaQta agent.

The term hypervisor was coined in the 1960s by IBM. In the late 1960s IBM programmers created the first hypervisor to build a timesharing system for mainframes. It was built for the IBM CP/CMS operating system running on System/360 mainframes. It enabled IBM to run multiple operating system images concurrently, increasing the robustness of the System/360: even if one OS crashed, the others continued without interruption.


From its early roots in the 1960s, fast forward to today and it should come as no surprise that IBM is the only vendor to leverage this technology to secure endpoints via its ReaQta EDR solution.

Hypervisors have come a long way since those early days in the 1960s. They have mostly been applied to maximize utilization of compute resources in servers, I/O and storage, or to provide portability and stability. IBM Security has leveraged this concept to deliver unique value to our customers by way of security for their endpoints (e.g. Windows computers).

NanoOS is a component of the ReaQta agent. It is installed as a driver, but it operates outside the operating system in the hypervisor space. The analytical logic resides inside the ReaQta agent, which operates in both the user space and the kernel space of the OS.

NanoOS observes the operating system and its activities, for example the syscalls being made, or inspects the memory of the endpoint. It acts as a telemetry service that provides the ReaQta agent with syscalls and other process information. It can also act on behalf of the ReaQta agent: it can block or inhibit specific syscalls from executing successfully.

The value, or the unique insight, that NanoOS delivers to IBM customers is the ability to rapidly detect kernel exploits (e.g. token stealing), credential harvesting1, screen captures, process impersonation and other similar threats on the endpoints.

Using NanoOS to monitor the syscalls gives ReaQta another advantage over the threat actor: because the monitoring happens below the operating system, the attacker cannot disable it the way they can disable the classic hooking techniques used by other EDR solutions.

NanoOS, a feature of the ReaQta agent, is currently available on Microsoft Windows endpoints. In the future we may consider extending this functionality to certain flavors of Linux and/or macOS operating systems.

For more information on IBM Security ReaQta and an EDR buyer's guide, please visit our website.


1. The Verizon 2022 Data Breach Investigations Report found that 45% of all breaches in the study found their way in via credential theft.

Comments

Tue April 25, 2023 06:07 PM

Any thoughts on NanoOS being able to avoid disablement by cybercrime tools such as AuKill? AuKill has been able to disable other EDR agents.