With a background in security and ancient history, I love to draw correlations between the famed battles of old and the network security struggles of the modern world. To better understand this you have to look at the data. Since our customers started using SonicWall Capture Advanced Threat Protection (ATP) Service we now have a much better view of where attacks are coming from and how often they happen. To get a manageable sample size I thought I would narrow this down to 300 companies; one for each Spartan in the battle of Thermopylae.
It was this legendary battle where a small force of 300 Spartans teamed up with a few thousand Greek soldiers to defend their homeland from an invading force more than 10 times their size. Every day, companies are pitted in a similar conflict with those who want to penetrate their network’s defenses to gain access to their data. Outnumbered by an onslaught of newly authored malware, companies need help keeping their data secure in the face of ransomware and other zero-day attacks. In the technology world, one of SonicWall’s Spartans is Capture ATP, a multi-engine cloud-based isolated environment where customers can examine suspicious code, files, and executable programs.
This ATP Service was released for general availability in August 2016 and the metadata has been coming in. One of the biggest questions our partners and customers have is about the amount of data that is sent to the cloud and the speed of the service. In short, the speed of cloud-based analysis is fast; but to help you understand, let’s take a peek at one day’s data from 300 customers in their “Battle of Thermopylae” to stay secure.
In one day, a pool of 300 average customers can expect (rounded numbers for readability):
- 28,800 files will not be known to the firewall and will be sent to Capture for further analysis.
- 10,700 will already be known to the Capture service (or be duplicates of files already submitted) and won’t require further processing. The file verdict will be returned to the firewall and the file blocked or released per policy.
- 18,100 will be unique and will go through pre-filtering before sandbox analysis.
- 15,450 will be identified as good and allowed to pass through into the network.
- 130 will be fairly new malware already known to the Capture pre-filter but not yet to the firewall’s static filters at the time of the scan (the firewall signatures will catch up very soon).
- After this step 2,520 (+/- 15%) will be labeled as suspicious and will be sent to Capture ATP sandboxes for analysis. Most will be identified as good and hashes are created and sent to our Capture database so we don’t have to analyze them again.
- On this day, six were found to be never-before-seen malware (44 were found in the previous seven days; with a high of 10 and a low of 1).
- These six were a mixture of Trojans, ransomware (Locky) and other malware.
- In near real-time, six hashes for the newly discovered malicious files were submitted to the Capture database and all other Capture ATP subscribers are immediately protected from follow-on attacks. These files were also sent to the SonicWall GRID team to analyze and create signatures to be added to the GAV and IPS database within 48 hours.
- Two seconds was the median processing time per file.
- 83% of files are analyzed with a verdict in under five seconds.
- The total amount of data sent to the cloud for all 300 was less than 9.8 GB, which is about 32.6 MB uploaded for each organization; the equivalent of watching a 10-minute YouTube video.
- To understand the plight of the 300: at this rate they will see about 2,450 new malware variants in a year, which is more than eight per network.
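To make the flow behind those counters concrete, here is a toy model of the same tiered pipeline (hash-based verdict cache, then static pre-filter, then sandbox, with every verdict written back to the cache so the next subscriber who sees the same file gets an instant answer). It is an added example written for this post, not SonicWall’s code; the signatures, the sandbox “behaviour” marker and the sample files are all constructed.

```python
"""Toy model of a tiered cloud file-analysis pipeline: hash cache -> static pre-filter -> sandbox.

Added example; not SonicWall's implementation. All signatures and samples are constructed.
"""
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed static signatures for the pre-filter stage (not real detections).
STATIC_SIGNATURES = {b"KNOWN-DROPPER-STRING": "Trojan.Constructed.A"}
# Constructed stand-in for a behaviour the sandbox would observe at run time.
SANDBOX_MALICIOUS_BEHAVIOUR = b"BEHAVIOUR:ENCRYPT_USER_FILES"
# Anything that looks like a native executable is "suspicious" until the sandbox says otherwise.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def file_hash(data: bytes) -> str:
    """Cache key: the file's SHA-256, the same hash a firewall would send for a lookup."""
    return hashlib.sha256(data).hexdigest()


def prefilter(data: bytes) -> str:
    """Static stage: 'malicious' (known signature), 'clean', or 'suspicious' (needs sandbox)."""
    for pattern in STATIC_SIGNATURES:
        if pattern in data:
            return "malicious"
    if not data.startswith(EXECUTABLE_MAGIC):
        return "clean"
    return "suspicious"


def sandbox(data: bytes) -> str:
    """Simulated dynamic analysis (constructed): flag a file that shows the bad behaviour marker."""
    return "malicious" if SANDBOX_MALICIOUS_BEHAVIOUR in data else "clean"


def analyze(data: bytes, cache: Dict[str, str], stats: Counter) -> str:
    """Run one file through the tiers and record which tier produced the verdict."""
    stats["submitted"] += 1
    digest = file_hash(data)
    if digest in cache:                      # known or duplicate: no further processing
        stats["cache_hit"] += 1
        return cache[digest]
    stats["unique"] += 1
    verdict = prefilter(data)
    if verdict == "clean":
        stats["prefilter_clean"] += 1
    elif verdict == "malicious":
        stats["prefilter_known_bad"] += 1
    else:
        stats["sandboxed"] += 1
        verdict = sandbox(data)
        if verdict == "malicious":
            stats["new_malware"] += 1        # never-before-seen: only the sandbox caught it
    cache[digest] = verdict                  # write back so nobody analyses this file again
    return verdict


def run_batch(files: List[bytes], cache: Optional[Dict[str, str]] = None
              ) -> Tuple[List[str], Counter, Dict[str, str]]:
    """Analyse a batch for one 'customer'; pass a shared cache to model all subscribers."""
    cache = {} if cache is None else cache
    stats: Counter = Counter()
    verdicts = [analyze(f, cache, stats) for f in files]
    return verdicts, stats, cache


# Constructed sample "files" as a firewall might forward them (duplicates included on purpose).
SAMPLE_FILES = [
    b"Quarterly report, plain text, nothing executable here",       # pre-filter: clean
    b"MZ\x90\x00 installer with KNOWN-DROPPER-STRING inside",       # pre-filter: known bad
    b"MZ\x90\x00 unremarkable installer that behaves itself",       # sandbox: clean
    b"MZ\x90\x00 packed payload BEHAVIOUR:ENCRYPT_USER_FILES",      # sandbox: new malware
    b"MZ\x90\x00 packed payload BEHAVIOUR:ENCRYPT_USER_FILES",      # duplicate: cache hit
    b"Quarterly report, plain text, nothing executable here",       # duplicate: cache hit
]

if __name__ == "__main__":
    verdicts, stats, shared_cache = run_batch(SAMPLE_FILES)
    print(verdicts, dict(stats))
    # A second subscriber seeing the same new malware is protected without another sandbox run.
    print(run_batch([SAMPLE_FILES[3]], shared_cache)[1])
```

The point to take from the counters is the shape of the funnel: most submissions never reach the sandbox because a hash lookup or the static stage answers first, and the one file the sandbox does convict costs every other subscriber nothing more than a cache hit.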
It stands to reason that SonicWall Capture ATP’s multi-engine environment gives customers a powerful and fast tool to stop the most advanced persistent threats from hitting an organization’s infrastructure. To learn how you can leverage SonicWall Capture, read this technical brief on how to deliver deeper network security. Remember: together, we are Sparta!