How SonicWall Signature “Families” Block Emerging Ransomware Variants

When you look at the most damaging network security invasions over the last year, you see a recurring pattern: leaked government cyber tools being repurposed by cybercriminals. The compromised NSA toolset leaked by Shadow Brokers was devastating in many respects. These were highly targeted tools that many nation states wish they had the operational capacity to deploy.

But the tools developed by the NSA fell into criminal hands, who used them not for state-backed cyber espionage, but for capital gain. They repurposed these tools into WannaCry, Petya and, most recently, BadRabbit, as a means to install ransomware, encrypt information and keep it hostage until a targeted victim pays to release it, typically via Bitcoin.

Alas, sometimes victims pay and the data is still not released. Sometimes, other actors see that an organization has been held hostage and send their own ransom demands, even though they are not affiliated with the original ransomware creators. The victim organization pays for this misdirection but still cannot unlock its files. They are out the money and damages are incurred. “There is no honor among thieves,” as they say.

WannaCry, Petya and BadRabbit form a “family” of ransomware variants developed from the same leaked NSA tools. It is when there are these multiple attacks using the same family of exploits that SonicWall can give you breathing room and help you sleep at night.

To explain, first let me discuss how signatures work in our next-generation firewalls (NGFWs). Individual signatures exactly match bit patterns from IP-based frame payloads to detect a specific variant of malware. Our award-winning Capture ATP technology, a multi-engine network sandbox, not only stops unknown and zero-day threats from entering networks, but also helps create new signatures for detecting emerging malware.

Few vendors look at both incoming and outgoing packets for malware, as it can be a large performance hit to do both. Most vendors are only concerned with traffic going from the internet to the trusted zones and only inspect this pattern. Yet SonicWall inspects every single packet in each direction.

Why? Well, if you own a network and somehow a device is compromised, the only way you will find out is by seeing what it sends out. Is it talking to a command-and-control server (C&C)? Is it sending malware out, as infected machines do? Without scanning every packet, you do not have visibility of your internal network. While it is important to block incoming malware, it’s also important to determine what machines may have been infected and are trying to send data outside your organization.

This brings us back to our “family” of signatures. Have you ever wondered why SonicWall uses a different naming convention than other well-known malware strains? It’s because we find them first and give them our own names. Other vendors do this too, but we are vastly different: I am proud to say that SonicWall is extremely competent in creating a family of signatures that covers many individual signatures in one pass. SonicWall uses a fast memory-tree lookup against the family of signatures as packets pass through the NGFW, so only one lookup is needed. This is an extremely fast method of traffic processing.

Sometimes in sales, we have to quote statistics in answer to questions, such as “How many signatures do you store on the firewall?” And we dutifully respond, “Over 32,000 locally, with more in the cloud.” But this only tells part of the story. With our family of signatures, one family will catch 100 or more variations of one signature.

Going back to WannaCry, SonicWall created a family that caught WannaCry right after it was announced to the public. Since the Petya and BadRabbit derivatives were built from the same leaked NSA tools, the family signature in your SonicWall firewall blocked all these new attack vectors.

Even though these new variants were targeted deliveries to networks, SonicWall blocked all these different bit patterns as part of our WannaCry signature family. The signature updates were performed in the background – as you enjoyed the holidays with your friends and family.

Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss

“Inspect every packet, every time.”

This has been my advice to any network admin or business owner for many years.  This is equally important in regards to encrypted traffic.  Much of the Internet has become encrypted, meaning that it can only be perused and accessed over HTTPS.  While this rightly includes traffic such as online banking and financial sites, it also now includes webmail, social media, online streaming video, music and even search engines.

While encryption of the Internet enables online privacy, it has also opened a new threat vector for hackers and criminals to hide malicious content.  If you encrypt the whole Internet, you encrypt all the threats traversing it.

The painful truth is that the vast majority of networks (including governments, international enterprises, educational, medical and consumer networks) have yet to implement a security solution capable of inspecting the encrypted traffic. If you cannot inspect it, you cannot protect it. With over 80 percent of Internet traffic now encrypted, this has become an open pipeline for attacks. More than 67 percent of all malware attacks are still delivered via email. Guess what? That email is most often encrypted via HTTPS.

Inspecting encrypted traffic is paramount in preventing threats such as viruses, exploits, spyware and ransomware. Numerous articles, findings, testimonials and forensic analyses of recent breaches (such as at the IRS, OPM, JPMorgan Chase, Home Depot, Target and Equifax) focused on threat prevention. They reported that varying degrees of security had not been deployed or utilized, alerts were missed, traffic went uninspected, or updates and patches were not applied.  In some breaches, there were financial penalties for failing to protect end-user data, such as providing credit monitoring services for consumers, refunds for past services, or government-levied fines.

However, another critical reason to inspect encrypted traffic was rarely discussed. Yet, in six months, that reason will have incredible legal and financial implications that many are underestimating.  That reason is data loss.  And while organizations have sought to increase their threat prevention, only minor attention has been applied to data loss prevention (DLP).  Well, that is about to change drastically.

On May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect.  While this is an EU regulation, it will play a tremendous role in the ways data protection is controlled worldwide.  The following is an excerpt from the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. […] violating the core of Privacy by Design concepts[….] It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Pay close attention to that last line, especially if you are a cloud provider or consumer. Any organization that hosts or processes data for citizens of an EU member country will be held accountable to this regulation. Make no mistake, countries outside of the EU, including the USA, are in the process of enacting similar legislation.

While threat prevention should always be a cornerstone in any network security architecture, data loss prevention will now be as well. For example, one may have a decent anti-malware client and other solutions for threat prevention, but what is in place to prevent a staff member unwittingly or willingly executing an application that uploads confidential end user data like credit card numbers, addresses, phone numbers, or other personally identifiable information? What is in place today to stop someone from accidentally or willingly “dragging and dropping” a PDF containing personally identifiable information (PII) to a public FTP server, or uploading it to their personal webmail? Remember: all of these connections are now encrypted.

Fortunately, you can easily apply data loss prevention rules on all SonicWall firewalls to inspect encrypted traffic and prevent data loss. By leveraging incredibly powerful Deep Packet Inspection of SSL/TLS Encrypted Traffic (DPI-SSL), and applying keywords or phrases defined using Regular Expressions (RegEx), SonicWall firewalls are able to inspect all encrypted communications for PII in real time. Should an application, system, or employee attempt to upload PII, the SonicWall firewall can detect it, block the upload, and provide incident reporting of the event. That is how you can inspect every packet, every time. That is how you prevent the breach.
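As an added illustration (not SonicWall’s DPI-SSL implementation or its rule syntax), the following Python shows the kind of RegEx-plus-validation check a DLP rule applies to a decrypted upload body: a candidate card-number pattern, a Luhn check to drop look-alike digit runs, and keyword matching. The pattern, keyword list and sample upload are all constructed for this example.

```python
import re
from typing import Dict, List

# Candidate payment-card pattern: 13-19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run (constructed for this example).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Phrases that mark a document as sensitive; a real rule set would be much longer.
KEYWORDS = ("confidential", "social security", "date of birth")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the incident report is not itself a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_payload(text: str) -> Dict[str, object]:
    """Inspect one decrypted request body (what DPI-SSL would hand to a rule engine)."""
    cards: List[str] = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            cards.append(mask(digits))
    lowered = text.lower()
    keywords = [k for k in KEYWORDS if k in lowered]
    return {"cards": cards, "keywords": keywords, "block": bool(cards or keywords)}


# Constructed upload body: one Luhn-valid test card number, one reference number
# that merely looks like a card, and a sensitivity marker.
SAMPLE_UPLOAD = (
    "Customer export - CONFIDENTIAL\n"
    "Card: 4111 1111 1111 1111  Ref: 1234 5678 9012 3456\n"
)

if __name__ == "__main__":
    print(scan_payload(SAMPLE_UPLOAD))
```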

Download our “Best Practices for Stopping Encrypted Threats” to help you prevent that breach.

Catch the Latest Malware with Capture Advanced Threat Protection

Now that Halloween is over and your coworkers are bringing in the extra candy they don’t want, let’s look back at the last quarter’s results from SonicWall Capture Advanced Threat Protection (ATP) network sandbox service. Grab the candy corn and let’s crunch some data. Note: terms in italics below are defined in the glossary at the bottom to help newbies.

63,432 new threats discovered using the network sandbox over the course of three months on customer networks.

30.6% of threats were found through static filtering. Translation – less than a third of these threats were new to us, but not to someone among the 50+ scanners we compare against.

69.4% of threats were found through dynamic filtering. Translation – there is nearly a 70% chance SonicWall will find new malware and develop protections against it faster than anyone else.

0.16% of all files sent to the sandbox were malicious. Translation – SonicWall can find the needle in the haystack.

72% of files were processed in under 5 seconds. Translation – Capture ATP is fast!

60% increase in the number of Capture ATP customers that sent files for analysis over the past quarter. Translation – more people supplying potential threat data gives us a wider net to catch the latest threats, making it easier to protect you. Double translation – the community helps to protect the community.

20% of all new malware was found in documents (.docx & .pdf specifically) on many days throughout the quarter. Translation – attackers are putting more effort into getting you to open malicious documents. Double translation – educate your employees not to open suspicious attachments in email or found online.

I hope this helps you understand the importance of using a network sandbox, namely Capture ATP, the winner of CRN’s Network Security Product of the Year 2016 by customer demand. To learn more, please review our Tech Brief: SonicWall Capture Threat Assessment or contact us for more information.

PS – I wrote a simple glossary of sandboxing terms for you to reference in case you are new to this. If you want more terms added to this, find me on Twitter and send me a note.

Glossary of terms:

Network Sandbox: An isolated environment where suspicious code can be run to completion to see what it wants to do. If your firewall doesn’t know the file, it will be sent to the sandbox for analysis.

Block until Verdict: A feature of the Capture ATP sandboxing service that holds a file until analysis produces a verdict. If it’s malware, the file is dropped and can’t enter the network. If it’s good, a verdict for the hash of the file is stored and, if anyone tries to upload the file to our service again, that verdict will be supplied within milliseconds to the user.

Hash (AKA: cryptographic hash): A fixed-length value computed from a file that identifies it (e.g., a malware sample) across the community of researchers. Instead of storing malware and comparing new files against samples, the file is converted to a hash and compared against a database of known good and bad hashes. For example, the phrase “SonicWall Capture ATP stops ransomware” translates into “13d55c187dbd760e8aef8d25754d8aacadc60d8b”.

Once a new file is encountered, hashed, and doesn’t match a known hash, it is sent to the sandbox for analysis.

Static Filtering: A way of filtering a file before taking it to time-consuming dynamic analysis. SonicWall static filtering compares new files against a database of shared malware hashes from over 50 anti-virus scanners.

Dynamic Filtering: The method of processing a file to see what it wants to do. SonicWall’s dynamic processing features three engines in parallel to find the most evasive malware. We use virtualized sandboxing, hypervisor-level analysis, and full-system analysis to uncover the most difficult forms of malware, including Cerber.

Strategic Re-routing with Equal-Cost Multi-Path (ECMP) – New in SonicOS 6.5 for Firewalls

As intranet networks grow and evolve over time, often duplicate, or even multiple, paths are created to reach a destination. As these paths evolve and get more complex, they can result in failed links. Interior Gateway Protocols provide fast re-routing around these failed links using link-state algorithms, such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS). Enterprise networks deploy OSPF much more often. However, I have seen carrier networks that prefer IS-IS, especially when acquiring other networks’ addresses.

Link-state algorithms do an excellent job of fast re-routing inside their areas due to their detection of link failure, and due to each Layer 3 device having a topology of their intra-area network.  (Outside of that intra-area, the networks require more of a distance vector routing protocol. But that is for another blog).  Link-state algorithms also give us the ability to take into consideration speed of links or costing when determining the best path.  This comes in handy when doing prefix evaluation, but it also can give us the ability to have multiple equal-cost paths to a destination.

Equal-Cost Multi-Path (ECMP), which is supported in SonicOS 6.5 for SonicWall’s next-gen firewalls, is an egress routing method used when you have multiple interfaces pointing to a destination. Equal-cost routes are added to the connection cache for session setup. As sessions are created, SonicWall hashes the packet 5-tuple taken from the IP and TCP headers to decide which path the session will egress to the next hop. A 5-tuple is comprised of a source IP address, source port number, destination IP address, destination port number and the protocol (TCP). Do not confuse this with per-packet load-balancing. That was tried many years ago, and caused out-of-sequence packets: large packets followed by smaller packets would egress faster and break applications, despite reordering being tolerated by the TCP specification. This is why you want sessions to stay on one interface, as opposed to multiplexing packets over the interfaces you have configured with ECMP.

So, what do you want to look out for when designing a network with ECMP?

First off, who are your downstream neighbors, and how are they configured? I mentioned that ECMP is an egress routing method. Typically, you would use ECMP when you are not connecting multiple interfaces to the same device: the connections are not 1:1 from Device A to Device B, but rather Device A to Device B/C/D, etc. For the 1:1 design you would use some type of link aggregation instead.

If your downstream device is a session-aware device, such as a firewall, it may see the source prefix and report that it has detected IP Spoofing. This is due to the arrival of a packet from a source that is not consistent with the routing table. For example, if the firewall expects 1.1.1.1 should come from X4, but instead sees it on X3, it would report IP Spoofing.

Two other scenarios could also trigger an IP Spoofing message in the firewall log that drops the session. One is if you have a router that is performing Reverse Path Forwarding checking to create a loop-free multicast network. Another is if you are truly looking for malicious spoofed-source IP addresses.

Another scenario I’ve seen is where, after the 5-tuple has been hashed, all of the sessions land on one interface. This is the result of another ECMP hash that an upstream device performed on the same 5-tuple before handing those sessions down. Since the downstream device only receives the set of sessions that produced one hash value, when it hashes them again with the same function they produce the same value and, hence, land on the same interface. A quick fix is to have the upstream device hash a 4-tuple instead of the 5-tuple, which lets the downstream device derive a different value from the TCP header.
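The session-hashing behaviour described above and the “same hash twice” problem, simulated in Python as an added example (not SonicOS code; CRC32 stands in for whatever hash the firewall actually uses, and the flows are constructed): an upstream device hashes the 5-tuple over two paths, the downstream device receives one path’s sessions and rehashes the identical 5-tuple, so every session lands on one interface; hashing a 4-tuple instead gives an independent value.

```python
import zlib
from typing import Callable, Dict, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]


def ecmp_select(key: tuple, n_paths: int) -> int:
    """Pick an egress path index by hashing the flow key (CRC32 used as a stand-in hash)."""
    data = "|".join(str(part) for part in key).encode()
    return zlib.crc32(data) % n_paths


def distribute(flows: List[Flow], n_paths: int,
               key_fn: Callable[[Flow], tuple]) -> Dict[int, List[Flow]]:
    """Assign every flow to a path; key_fn selects which tuple fields are hashed."""
    buckets: Dict[int, List[Flow]] = {i: [] for i in range(n_paths)}
    for flow in flows:
        buckets[ecmp_select(key_fn(flow), n_paths)].append(flow)
    return buckets


def sample_flows(count: int = 32) -> List[Flow]:
    """Constructed TCP sessions from `count` client hosts to one HTTPS server."""
    return [(f"10.0.0.{i + 1}", 40000 + i, "203.0.113.10", 443, "tcp")
            for i in range(count)]


def simulate(flows: List[Flow], n_paths: int = 2) -> Dict[str, object]:
    # Upstream device: hash the full 5-tuple and split sessions across its paths.
    upstream = distribute(flows, n_paths, lambda f: f)
    # The downstream device sits on one of those paths, so it only ever sees the
    # sessions whose 5-tuple hashed to that one index (take the fuller path here).
    chosen = max(upstream, key=lambda i: len(upstream[i]))
    handed_down = upstream[chosen]
    # Same 5-tuple, same hash function: every session maps to the same index again.
    rehashed = distribute(handed_down, n_paths, lambda f: f)
    # Hash a 4-tuple (protocol field dropped): a different input, so the index is
    # no longer tied to the upstream decision. Balance is not guaranteed, only decorrelation.
    four_tuple = distribute(handed_down, n_paths, lambda f: f[:4])
    return {
        "handed_down": len(handed_down),
        "rehashed_sizes": [len(rehashed[i]) for i in range(n_paths)],
        "four_tuple_sizes": [len(four_tuple[i]) for i in range(n_paths)],
    }


if __name__ == "__main__":
    print(simulate(sample_flows()))
```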

Ultimately, if you account for these potential issues, ECMP offers a great way to utilize multiple paths in a dynamic network and maximize investment in your infrastructure.

This is just one of the 60 new features in SonicOS 6.5 for all SonicWall next-gen firewalls. Want to learn more? Check out a new video on SonicOS 6.5.

Take Steps to Minimize the Impact Black Friday and Cyber Monday Online Shopping Poses to Your Network

Now that Halloween has passed and Thanksgiving is on the near-term horizon, the holiday shopping season is kicking in. Almost as soon as the trick-or-treating ended, the Black Friday ads started pouring into my email box. This season some of the major retailers are announcing their Black Friday deals early even though they won’t be available for purchase until Thanksgiving. Of course most of us can’t resist peeking to see what we can get for less. According to a survey by the National Retail Federation (NRF), over half of holiday shoppers start their research in October or earlier. More than one-third will make a purchase in November, most likely during the period between Black Friday and Cyber Monday.

Shopping for gifts is typically a fun experience whether we do it in the stores or online. The latter continues to grow in popularity as we become more confident making our purchasing decisions on mobile devices. In a PwC survey 84 percent of respondents said they would spend at least some of their shopping time online. That’s a pretty high number. We can expect this trend to continue, which has implications for every organization.

Online shopping in the workplace poses potential risks for organizations, especially around the holidays. Cyber criminals know that we’ll be spending time shopping online so they’re more aggressive when it comes to launching spam and phishing attacks. Have you been receiving more emails lately about special offers such as a big sale or a new credit card? If you did make a purchase and you’re having the item delivered you’ll get an email on the delivery status. You may also be receiving holiday e-cards. Are you certain the email or e-card is legitimate? How about the website that you’re directed to? Open any of these, click on a link to go to a website where you’re asked to provide login credentials or financial information and you could be exposing your organization and yourself to potential threats such as ransomware. It doesn’t matter if your employees are connected over a wired, wireless or mobile network.

Securing your organization’s network and the data that travels across it from threats is a big concern. It’s not the only one, however. We know that during the holiday season employees will be spending work time researching and purchasing gifts online, which means their productivity will take a hit. In addition, these activities can consume large amounts of network bandwidth that would otherwise be used for business-critical applications. So do other holiday-related activities such as streaming promotional videos and holiday music. With the growing use of personal devices in the workplace the line between our professional and home lives has blurred. Employees often feel that if they’re using their own device, engaging in online shopping and other activities at the office isn’t an issue. The problem is, the device is often connected to the corporate network which introduces risk.

Look, no one wants to ruin the holiday spirit, so completely eliminating online shopping, watching videos and listening to music at work probably isn’t realistic. However, there are steps you can take to minimize the impact these activities have on your organization. For example:

  • Warn employees to be wary of emails from sources they don’t recognize
  • If they do open an email, think twice about clicking on links
  • Establish a policy for strong passwords and consider 2-factor authentication
  • Utilize security technologies such as intrusion prevention and anti-malware to create multiple layers of protection
  • Make sure you have a next-generation firewall that can decrypt and inspect TLS/SSL-encrypted traffic

Why is this last point important? Increasingly cyber criminals are using encryption to hide their attacks and legacy firewalls aren’t able to decrypt HTTPS traffic and scan it for threats. In our 2017 Annual Threat Report we found that over 60% of web traffic is now encrypted. Firewalls that can’t inspect encrypted traffic leave organizations susceptible to ransomware attacks and other threats.

If you’re unsure whether your current firewall can detect threats hidden in encrypted traffic, SonicWall can help. Our next-generation firewalls provide protection from threats hidden in encrypted traffic. Visit our website to learn more about comprehensive threat prevention at multi-gigabit speeds.

Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personally identifiable information (PII) to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Malware delivered via email attachments is executed when the attachment is opened, allowing a hacker to exploit vulnerabilities on your computer. Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: Makes it easier for a hacker to impersonate someone you’d normally trust (e.g., coworker, bank, government agency).
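The “hover over the link to see where it really goes” check from the Fake Links item, automated in Python as an added example (not a SonicWall tool): it pulls every anchor out of an HTML email body and flags links whose visible text names one host while the href points at another, or whose target is plain HTTP. The sample email body is constructed.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none can be parsed)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def suspicious_links(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for links whose displayed host differs from the real
    target host, or that lead to a plain-HTTP site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        looks_like_url = "." in text and " " not in text   # text such as bank.example.com
        shown = host_of(text) if looks_like_url else ""
        reasons = []
        if shown and shown != target:
            reasons.append(f"displayed host {shown} differs from real host {target}")
        if href.lower().startswith("http://"):
            reasons.append("target is not HTTPS")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: an urgent message whose visible link text hides the real target.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be locked in 24 hours.</p>
<p>Verify now: <a href="http://198.51.100.7/login">bank.example.com</a></p>
<p>Or read our <a href="https://bank.example.com/help">security tips</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```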

Take the Phishing IQ Test

Interested in seeing how good you are at telling the difference between a legitimate website and one that is a phishing attempt? Take the SonicWall Phishing IQ Test to find out.

SonicWall and our Channel Partners Team to Deliver New High-Value Security Professional Services to Fight the Bad Guys

I can only imagine the pressure that comes with the job of being responsible for a company’s network security. These individuals are not only entrusted with protecting company and customer data, but the reputation of the company and its brand. In the case of smaller businesses, the stakes are particularly high, where a network breach and data loss can threaten the very existence of the company. According to the Ponemon Institute Cost of a Data Breach 2017, the average total cost of a data breach is $3.62M, and over 60 percent of SMBs cease to exist 6 months following a data security breach. Add to these grim statistics the incredible rise in malware, ransomware and other advanced threats in a constantly evolving cyber threat landscape and you have the plot of a very scary true (cyber) crime movie – the good guys vs. the bad guys.

Network security vendors like SonicWall and the channel partners who integrate our products into security solutions for their customers are most often the first line of defense to help organizations defend against the bad guys. These organizations rely on SonicWall to deliver highly efficient security products that can stop today’s known and unknown threats. And they rely on our channel partners as their trusted advisors to deliver their security solution. With so much at stake, it is critical that the right SonicWall products are designed into the security solution. And just as critical that the solution is implemented properly and optimized for the customer’s environment and business requirements. Even the best security products, if not properly spec’d and implemented, can leave an organization vulnerable. To address this reality, SonicWall has announced the launch of a new lineup of valuable professional security services to help customers and channels design, implement and operate SonicWall security solutions that keep the bad guys at bay and defend against their relentless cyber attacks.

Organized around three areas of competency, the security professional service offerings were jointly developed and blueprinted by SonicWall and a group of channel partners (the good guys) with deep security services expertise. Each service incorporates the real-world services experience of these partners, essential knowledge gained through hundreds of services engagements.

The services include:

  • Implementation Services – compliance audit prep, remote and onsite implementation services for SonicWall products
  • Solution Services – security health checks,  wireless security deployments, campus network and distributed network solutions.
  • Architecture Services – more complex or large-scale solutions and customer environments, such as DPI-SSL deployment or SuperMassive next-gen firewall implementations.

It makes so much sense to have these types of services surround the SonicWall product portfolio, as a means to ensure our customers have the best possible protection. As SonicWall’s Channel Chief, I’m equally proud of the new services as I am of the way in which they are delivered.

This is where our new Partner Enabled Services Program comes in. Just launched, the program identifies and showcases SonicWall SecureFirst channel partners who have a security focused professional services practice and enables them to deliver the new services. These partners are vetted, granted status as a SonicWall Advanced Authorized Services Partner and given access to exclusive training, tools, sales, marketing and technical resources. All of the services are branded and sku’d by SonicWall, so the entire SonicWall channel can resell them. Once sold, the services are delivered by the Advanced Services Partners.

This breakthrough approach to delivering professional security services is only possible due to the collaboration and trust that exists within the incredible SonicWall channel partner ecosystem – one that has developed over the last 25 years. SonicWall channel partners genuinely trust each other to engage respectfully with their customers to deliver high-grade professional security services and, in doing so, they deliver the most effective security solution and drive incremental opportunity for their business. With this program, SonicWall’s broad channel, our Authorized Services Partners, and most importantly, our customers, can join forces to fight the bad guys and win the war against cyber attacks. Score one for the good guys!

Feedback from our channel on this approach to services offer creation and delivery has been fantastic.

“This year marks 20 years of our relationship with SonicWall and we are excited about deepening our engagement with SonicWall and showcasing our SonicWall based services expertise through the Partner Enabled Services Program. The Exertis team is highly skilled in SonicWall distributed architecture deployments, proven time and again to be the real leader when customer security is at stake,” said Jason Hill, Security Sales Director of Exertis in the United Kingdom, a leading SonicWall distributor in Europe.

“As a dedicated SonicWall Platinum Partner with a mature services practice, we are delighted to see SonicWall making such significant investments in driving partner growth in security services.  Our team of security experts have a passion for security and phenomenal service,” said Timothy Martinez, President of Western NRG Total Internet Security, based in Camarillo California. “With more than 15 years of SonicWall implementations, we go to battle for our customers in the cyber arms race. The Partner Enabled Services Program is an excellent opportunity to grow our services further with SonicWall.”

“Our unwavering commitment is to protect and empower our customers against today’s most damaging cyber attacks,” said Michael Crean, CEO of Solutions Granted, a SonicWall SecureFirst Platinum partner in Virginia. “In our case, as one of SonicWall’s longest-term Managed Security Services Providers, this requires additional services and expertise to ensure we’re delivering the value and guidance our customers require to be secure. SonicWall understands our needs and, yet again, delivers the structure, resources, training and incentives to enhance customer loyalty, satisfaction and market recognition.”

Customers interested in the new security professional services should contact their SonicWall channel partner.  For interested SecureFirst Partners, we have a webinar planned for Nov. 30 at 8:30 am PT: Grow your Services Business with the New Partner Enabled Services Program.

SonicWall First to Identify 73 Percent of New Malware with Capture ATP Sandbox

Last month, I wrote how we found nearly 26,500 new forms of malware and shared some general stats.  Let’s take a look at the new threats found by SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP).

While the general number of new threats dropped, there were some interesting figures and trends to point out.

Of the 16,115 new forms of malware and zero-day attacks:

  • Only 4,321 were known by one other security firm (that we partner with), just moments before us
  • This means over 73 percent (11,794) were never seen until SonicWall identified them

This is very encouraging because it demonstrates three important points:

  1. The SonicWall customer base of Capture ATP subscribers are protecting each other by serving up samples before researchers can find them
  2. The technology is working wonderfully
  3. The month-over-month data proves that SonicWall is your best defense against new threats

Interestingly, last year at this time, I was finding a lot of ransomware versions by the big boys, such as Locky & Cerber. Now we are seeing attacks from copycat malware authors who conduct smaller attacks. The overall numbers are down, but the number of cybercriminals involved is up. As a result, a lot of ransomware attacks may fly under the radar.

Plus, this is what is now hitting the radar: credware.

What is Credware?

Credware is a term for a type of malware that is designed to steal credentials — and I’m finding a lot of credware every day, in many formats. I see new forms of spyware and a lot of Trojans that are going after all of those saved passwords in browsers. Since Chrome is harder to attack, hackers are targeting saved passwords in Firefox, Safari, Opera, Internet Explorer, and Edge. (See below).

Infected Documents

Hackers are adding their new versions of malware inside of documents, such as Microsoft Word files and PDFs. On a typical day, I saw that roughly 3-6 percent of new malware samples are found in these file types, but I have noticed a large increase as the days progressed.

Some days, as much as 39.3 percent of malware is found in digital documents, mostly Office files. Even if I set a high baseline of 5 percent, you can see how some days have an alarming rate of malicious documents (See below).

What is also surprising about this data is that you would expect a lot of this to be found in email traffic. Although most of it was, a lot of it was not, especially PDFs. In fact, on Sept. 26, 82 percent of malicious PDFs were found online by protected customers.

This data comes on the heels of SonicWall improving its backend performance for how quickly we can examine and return a verdict for PDFs. As we look back at the data, I’m happy to announce that the median time to process a file is around one second, and 71.3 percent of all files in September were processed with a verdict in under five seconds.

If you’d like more information on how you can add Capture ATP to protect your network and network-based endpoints, read: Executive Brief: Why network sandboxing is required to stop ransomware.

California School District Amps Up Content Filtering with SonicWall’s Security-as-a-Service

We know how much value SonicWall network security brings to our customers, and we know how much value our partners add when incorporating our solutions into their solutions for our customers.

The case of Calistoga Unified Regional School District is an excellent example.

Calistoga is in California’s Napa Valley. The district has more than 850 students, divided among an elementary school, junior/senior high school and an alternative-program continuation high school for students between the ages of 16 and 18. Administration offices are in a separate building near the junior/senior high school.

The district felt that its existing content-filtering services were not providing all the functionality it needed. Calistoga couldn’t get the flexibility and granular control over content filtering it needed to define different roles and access permissions for students, faculty and staff.

Like all K-12 school districts, Calistoga’s content filtering is there to protect against inappropriate and malicious web content, as well as to control application access.

“Our No. 1 priority is making sure that the students are protected,” says Jenna Burrows, Calistoga’s Director of Business Services.

Regulatory requirements regarding content filtering are also part of the picture. The Children’s Internet Protection Act (CIPA) is the most directly relevant. Content filtering is also important with regard to the Family Educational Rights and Privacy Act (FERPA), which protects students’ personally identifiable information (PII) from unauthorized disclosure, and it is a requirement for districts to be eligible for discounts through the federal E-rate program.

Faced with a clear need to upgrade their content-filtering capabilities, Calistoga turned to their local managed services provider, Napa Valley Networks (NVN). NVN has been a SonicWall partner for more than 15 years. NVN recommended SonicWall’s Content Filtering Service for Calistoga.

But NVN didn’t stop with content filtering. After an initial audit of Calistoga’s network, they uncovered an issue with the district’s gateway. NVN’s Vice President and Chief Technology Officer, Kyle Lumley, says the existing gateway “didn’t give them the control or feature set that they needed.”

NVN’s recommendation for Calistoga was a SonicWall SuperMassive 9800 next-generation firewall with High Availability capability.

All well and good so far. More granular, customizable content filtering and a new gateway to provide better control for the present, as well as being better able to handle future increases in networked devices and utilization.

Then came the 400-pound gorilla. How could Calistoga afford to pay for these improved capabilities? School districts work under very tight financial constraints.

Fortunately, NVN and SonicWall had a solution.

Calistoga leveraged SonicWall’s Security-as-a-Service (SECaaS). Rather than paying a large amount upfront as a capital expenditure, Calistoga pays a much more manageable monthly fee which fits within its operating budget. Burrows says this is a much more reasonable solution for the district.

Additionally, much of the cost is eligible for discounts through the federal E-rate program.

NVN coordinated the transition to the new gateway and Content Filtering Service. All went well, even in the face of tight deadlines. Calistoga’s happy with the results.

Read the Case Study here.