Posts

7 Factors to Consider When Evaluating Endpoint Protection Solutions

The threat landscape is evolving. Attackers are getting craftier with infiltrating secure environments. Is your endpoint protection able to keep up? In many cases, organizations just aren’t sure.

The increase in the number of cyberattacks targeting endpoints — and attackers using craftier methods to gain access to user machines — has lead to a highly competitive endpoint protection market. There’s plenty of confusion surrounding what differentiates one endpoint protection solution from another, let alone which product will meet your unique business needs.

Among the claims and counter-claims about which solution is best, the reality is that the right solution for your organization is not necessarily the one with the loudest voice in the marketplace.

Instead, consider whether your approach to endpoint protection matches that of the providers you evaluate. With rapid changes in the way malware and threat actors are compromising victims, which security solutions are keeping up?

Let’s take a look at seven basic checks that can help enhance endpoint compliance and lead to better protection against cyberattacks.

  1. Don’t underestimate the risks of mobility

    The traditional approach that legacy AV software is just there to protect your devices from malware and data loss creates a blind spot in defensive thinking. The task is to protect your network from both internal and external threats, and that includes the potential threat from end-user behavior when they’re mobile and off-network.

    Today, users who login from airports and cafés using public and open access points pose a greater threat to the corporate network.

    Modern, integrated security thinking understands that this means more than just anti-malware or AV coverage on the device. Off-network content filtering and media control are necessary adjuncts to protect your entire network, regardless of where the threat may come from.

    And in the event a verdict from the agent doesn’t have confidence, having a second layer of defense via a cloud-based malware analysis engine helps handle it in real-time.

  2. Avoid drowning in the noise of alerts

    Even today, some endpoint vendors still believe that the quantity — rather than the quality — of alerts is what should differentiate a superior product from the rest. But alerts that go unnoticed because they are swimming in a sea of hundreds of other alerts clamoring for attention are as good as no alerts at all.

    The Target Corporation learned this lesson at a great cost. False positives (i.e., the boy who cried wolf) condition weary admins and SOC specialists to “tune out” things that may be the next big threat because they simply cannot cope with the quantity of work.

    Rather than a security solution that provides hundreds of single alerts for each command with little or no context, choose one that provides a single alert with the telemetry and details of all the related commands — whether that be one or 100 — automatically mapped into the context of an entire attack storyline.

  3. Secure the endpoint locally

    We live in the age of the cloud, but malicious software acts locally on devices, and that’s where your endpoint detection needs to be, too.

    If your security solution needs to contact a server before it can act (e.g., get instructions or check files against a remote database), you’re already one step behind the attackers.

    Make sure that your endpoint protection solution has the capability to secure the endpoint locally by taking into consideration the behavioral changes and identify malicious processes without cloud dependency.

    And when using a cloud-based second layer, make sure the suspected threat is contained to eliminate impact while a verdict is made.

  4. Keep it simple, silly

    There’s power in simplicity, but today’s threat landscape is increasingly sophisticated. While some vendors think the number of tools they offer is a competitive advantage, it just increases the workload on your staff and locks knowledge into specialized employees who may one day take themselves — and that knowledge — elsewhere.

    You want to be able to eliminate threats fast and close the gaps without needing a large or dedicated SOC team. Look for endpoint protection that takes a holistic approach, builds all the features you need into a unified client and is managed by a user-friendly console that doesn’t require specialized training.

  5. Build for the worst-case scenario

    Let’s face it, ANY protection layer can fail. It’s the nature of the game that attackers will adapt to defenders. If you can’t see what your endpoints are doing, how can you be sure that one of them hasn’t been compromised?

    Has a remote worker clicked a phishing link and allowed an attacker access to your network? Is a vulnerability in a third-party application allowing cybercriminals to move around inside your environment undetected? Have you factored for attackers who have now embraced encrypted threats (e.g., HTTPs vectors) and acquired their own SSL certificates?

    The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL/TLS decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-TLS/SSL) to block encrypted attacks. DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPs and other SSL-based traffic.

    In addition, drive visibility into application vulnerability risk and control over web content access to reduce the attack surface.

  6. Drive compliance across all endpoints

    It’s the quiet ones at the back you have to look out for. If your enterprise is 95% harnessed to one platform, it doesn’t mean you can write-off the business risk presented by the other 5% as negligible.

    Attackers are able to exploit vulnerabilities in one device and jump to another, regardless of what operating system the device itself may be running. To avoid the risk of vulnerable endpoints connecting to your corporate network, integrate endpoint security with your firewall infrastructure and restrict network access for endpoints that don’t have endpoint protection installed on the machine.

    Remember, you’re only as strong as your weakest link.

  7. Don’t trust blindly

    Blocking untrusted processes and whitelisting the known “good guys” is a traditional technique of legacy AV security solutions that attackers have moved well beyond, and businesses need to think smarter than that, too.

    With techniques like process-hollowing and embedded PowerShell scripts, malware authors are well-equipped to exploit AV solutions that trust once and allow forevermore. Endpoint protection needs to look beyond trust and inspect the behavior of processes executing on the device. Is that “trusted” process doing what it’s supposed to be doing or is it exhibiting suspicious behavior?

Endpoint protection integrated across your environment

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback.

The solution uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. It provides multi-layered defense against advanced threats, like fileless malware and side-channel attacks, using SentinelOne’s AI-driven behavioral analysis and SonicWall Real-Time Deep Memory InspectionTM (RTDMI) engine with the Capture Advanced Threat Protection (ATP) sandbox service.

The solution also delivers granular visibility into threat behavior, helping identify potential impact and remediation actions. A sound endpoint protection solution also should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and cloud.

New PDF Fraud Campaign Spotlights Shifting Cybercriminal Phishing Tactics

PDF cyberattacks are nothing new. They are, however, growing in volume, deception, sophistication and are now used as vehicles to modernize phishing campaigns.

SonicWall Capture Labs Threat Researchers announced a substantial increase of malicious or fraudulent PDF files. These fraud campaigns take advantage of recipients’ trust in PDF files as a “safe” file format that is widely used and relied upon for business operations.

In March 2019 alone, SonicWall Real-Time Deep Memory Inspection (RTDMI™) discovered more than 73,000 new PDF-based attacks. In comparison, we found 47,000 new attack variants in PDF files in all of 2018.

“Increasingly, email, Office documents and PDFs are the vehicle of choice for malware and fraud in the cyber landscape,” said SonicWall President and CEO Bill Conner in the official announcement. “SonicWall Capture ATP with its RTDMI technology is at the forefront of catching new cyberattacks that elude traditional security sandbox technology.”

Last year, RTDMI identified over 74,000 never-before-seen cyberattacks, a number that has already been surpassed in the first quarter of 2019 with more than 173,000 new variants detected.

In March, the patent-pending technology identified over 83,000 unique, never-before-seen malicious events, of which over 67,000 were PDFs linked to scammers and more than 5,500 were PDFs with direct links to other malware.

Since 2017, Capture ATP with RTDMI has discovered increasing volumes of new threats leveraging PDFs and Office files.

Most traditional security controls cannot identify and mitigate malware hidden in PDF file types, greatly increasing the success of the payload. This increase implies a growing, widespread and effective strategy against small- and medium-sized businesses, enterprises and government agencies.

That’s where SonicWall RTDMI is unique. The technology analyzes documents dynamically via proprietary exploit detection technology, along with static inspection, to detect many malicious document categories, including PDFs, Office files, and a wide range of scripts and executables.

PDF malware attacks: A technical autopsy

SonicWall Capture Labs threat researchers dissected specific paths these fraudulent PDF campaigns take victims to infect them with malware.

In one example (see image below), Capture Labs cross-referenced a malicious file, at the time of detection, with popular collaboration tools from VirusTotal and ReversingLabs. No results were found, indicating the effectiveness of the RTDMI engine.

Targets of the scam email campaigns receive malicious documents from businesses luring victims with PDF files that are made to look deceivingly realistic with misleading links to fraudulent pages. The proposed “business offer” within the PDF is enticing to recipients, often promising free and profitable opportunities with just the click of a link.

Pictured below, the victim is sent to a fraudulent landing page masquerading as a legitimate money-making offer.

SonicWall hypothesizes that by using PDFs as delivery vehicles within their phishing campaigns, attackers are attempting to circumvent email security spam filters and next-generation firewalls — a core reason RTDMI is finding so many new malicious PDFs.

What does this PDF fraud campaign mean?

PDFs are becoming a very attractive tool for cybercriminals. Whether or not these are new attacks — or we are just developing the ability to detect them with RTDMI — the volume indicates that they are a serious problem for SMBs, enterprises, governments and organizations across a wide range of industries.

What’s the motive?

While SonicWall data doesn’t help us understand motivation, it does show that the amount of malicious, PDF-related activity is on the rise. We believe that this is happening for a variety of reasons, including:

  • Better awareness. Users have learned that executables sent to them are potential dangerous and could contain viruses, so they are more hesitant to click .exe files, forcing attackers to try new techniques.
  • Deprecation of Flash. Adobe Flash was a key attack vector in the past, but has been deprecated and will be completely end of life in 2020. So, attackers’ ability to use Flash exploits have been greatly reduced, forcing them to change tactics.
  • Must-trust files. Businesses move fast. Users are under constant pressure and don’t have the time, experience or know-how to vet every file type that hits their inbox. As such, users make assumptions that trusted file types (e.g., PDFs, Office files) used daily are, for the most part, safe. So, users are more likely to read and click links within them without considering the source or ramifications.

What is the impact of the PDF fraud campaigns?

This is very difficult to determine. In the 2019 SonicWall Cyber Threat Report, Capture Labs reported that 34% of the new attack variants found by Capture ATP were either PDF or Office files — a figure that had grown from 13% since the last half of 2017. This data implies that this attack vector is growing, is widespread and is an effective strategy.

Who is behind this?

While attribution is difficult, SonicWall believes the latest spike in malicious PDF activity is Russian-based because of the use of many .ru top-level domains leveraged across analyzed campaigns.

How to stop cyberattacks that use PDF and Office files

  • Force attacks to reveal intentions. SonicWall RTDMI operates in parallel with the SonicWall Capture ATP sandbox service to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.
  • Protect the most common attack vectors. Another important layer of defense against malicious PDFs is email security. SonicWall offers cloudhosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Make training a policy. Improve awareness by implementing employee training protocols to ensure users know how to examine PDF and Office file attachments carefully before opening or clicking unknown links.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior, including PDF attacks.

Stopping PDF Attacks: 5 Ways Users & Organizations Can Work Together

Leveraging malicious PDFs is a great tactic for threat actors because the file format and file readers have a long history of exposed and, later, patched flaws.

Because of the useful, dynamic features included in the document format, it’s reasonable to assume further flaws will be exposed and exploited by adversaries; these attacks may not go away for some time. Furthermore, there’s no way for the average user to diagnose a benign or malicious PDF as it opens.

Since the average SonicWall customer will see nearly 5,500 phishing and social engineering attacks targeting their users each year, it’s vital to remain vigilant about the dangers of PDFs and deploy advanced security to prevent attacks.

Why are malicious PDFs being used in cyberattacks?

In many kinds of malicious PDF attacks, the PDF reader itself contains a vulnerability or flaw that allows a file to execute malicious code. Remember, PDF readers aren’t just applications like Adobe Reader and Adobe Acrobat. Most web browsers contain a built-in PDF reader engine that can also be targeted.

In other cases, attackers might leverage AcroForms or XFA Forms, which are scripting technologies used in PDF creation that were intended to add useful, interactive features to a standard PDF document. To the average person, a malicious PDF looks like another innocent document and they have no idea that it is executing code. According to Adobe, “One of the easiest and most powerful ways to customize PDF files is by using JavaScript.”

If you are a threat actor reading this, you are well versed in the above. And your victims are not. If you are an administrator responsible for keeping threats out and their damage to a minimum, it’s time to take some necessary precautions.

Stop PDF attacks with user-side prevention

First, there are a couple of things users can do to help reduce exposure to PDF-based attacks. Most readers and browsers will have some form of JavaScript control that will require adjustment.

  • Change you preferences. In Adobe Acrobat Reader DC, for example, you can disable Acrobat JavaScript in the preferences to help manage access to URLs.
  • Customize controls. Similarly, with a bit of effort, users can also customize how Windows handles NTLM authentication.

While these mitigations are “nice to have” and certainly worth considering, these features were added, just like Microsoft Office Macros, to improve usability and productivity. Therefore, be sure that you’re not disabling functionality that is an important part of your own or your organization’s workflow.

Stop PDF attacks with company-wide protections

Thankfully, SonicWall technology can quickly decode PDFs to see what the malware wants to really do, such as contact malicious domains or steal credentials. Here are three key ways organizations can limit exposure to PDF-based attacks.

  • Implement advanced email security. The first line of defense against malicious PDFs is email security. SonicWall offers cloud, hosted and on-premises email security solutions. SonicWall leverages advanced security controls to examine files, senders, domains and URLs to look for malicious activity.
  • Use endpoint protection. SonicWall recommends using advanced endpoint security, such as Capture Client powered by SentinelOne, to constantly monitor the behavior of a system to scout for malicious behavior. Capture Client stops threats before they execute and has great EDR capabilities to stop them as they do, see where they came from, and remediation steps, such as rollback in case they fully do.
  • Identify new threats. One thing that separates SonicWall from the rest is our patent-pending Real-Time Deep Memory InspectionTM (RTDMI). RTDMI operates in parallel with the SonicWall Capture Advanced Threat Protection (ATP) sandbox service. This is just one of our parallel engines in the sandboxing environment that gives us the ability to quickly get a verdict on any suspicious piece of code as it operates in memory, including malicious PDFs and Office files.

Malicious PDFs will be around for the foreseeable future, but through advanced security and good end-user awareness, your company will be better suited to prevent attacks.

For a more technical view on this, I recommend reading Philip Stokes’ blog from SentinelOne that inspired and supplied part of the content for this story. I also recommend watching our on-demand webinar, “Best Practices for Protecting Against Phishing, Ransomware and Email Fraud.”

Advanced Endpoint Detection & Response (EDR) Comes to Capture Client 2.0

Endpoint protection has evolved well past simple antivirus (AV) monitoring. Today’s endpoints require consistent and proactive investigation and mitigation of suspicious files or behavior.

With the release of SonicWall Capture Client 2.0, organizations gain active control of endpoint health with advanced Endpoint Detection and Response (EDR) capabilities.

With EDR capabilities in place, SonicWall Capture Client empowers administrators to track threat origins and intended destinations, kill or quarantine as necessary, and “roll back” endpoints to a last-known good state in cases of infection or compromise.

Capture Client now also enables organizations to mitigate malware and clean endpoints without manually pulling them offline to conduct forensic analysis and/or reimage the device — as is typically required with legacy AV solutions.

Protect Endpoints from Employee Mishaps with Web Threat Protection

For years, SonicWall’s Content Filtering options have been used by schools, small and medium businesses, and enterprises to either block people from malicious web content (e.g., phishing sites) or productivity-killing sites (e.g., social media), as well as manage the bandwidth an application receives.

A portion of this technology, called Web Threat Protection, is now in Capture Client 2.0. This feature utilizes the Content Filtering Service to block access to millions of known malicious URLs, domains and IP addresses. This helps prevent phishing email attacks, malicious downloads (e.g., ransomware) or other online threats.

Web Threat Protection gives admins another layer of security and helps avoid the cleanup of infections and/or the need to “roll back” the PC to a last known healthy state.

Shrink Attack Surface Area with Endpoint Device Control

Did you know in a recent Google social experiment that 45 percent of “lost” USB keys were plugged into devices by the people who found them?

Dropping infected USB drives in a work area (e.g., coffee shop, company parking lot, lobby) has always been respected as a very effective attack on companies. In fact, many retail outlets have point-of-sale (POS) systems with exposed USB ports that make it easier to infect networks from many locations.

To better prevent infected devices like USBs from connecting to endpoints, Capture Client Device Control can lock out unknown or suspicious devices. Admins have the ability to block endpoint access to unknown devices until they are approved, or whitelist clean devices, like printers and removable storage, to narrow the threat plane.

Endpoint Protection Licensing Better for Partners, Customers

SonicWall has done more than just improve the stability and functionality of the client. We’ve also spent the past year working with a global network of partners and customers to create better business practices behind the client.

Due to increased demand, we are proud to announce that our competitive conversion SKUs will live as an indefinite program that certified SonicWall Partners can use. This will enable customers to get three years of coverage for the price of two when switching from a competitive product.

SonicWall is also doing away with pack SKUs that people formerly ordered (and still supported) in favor of banded SKUs coming in March 2019. These ordering bands allow a partner to order the exact number of licenses required, at the appropriate discount, for their volume. These bands start at five seats and offer eight sets of volume discounts that go up to 10,000 or more seats.

Tech Brief: Roll Back the Impact of Ransomware

Capture Client Advanced enables quick, automated recovery without having to manually restore from backups or create new system images. Download the full tech brief to explore how Capture Client rollback helps optimize business continuity, reduce financial impact and shorten the mean time to repair.

Protecting Your MSSP Reputation with Behavior-Based Security

You’ve been here before. Your customer gets hit by a cyberattack and they ask, “Why did this happen? Shouldn’t your managed security service have protected us?”

Unless you give them a satisfactory answer, they may be shopping for a new partner. Over the past few years, I’ve heard several MSSPs having to explain to their customers that the malware or ransomware attack could not be stopped because they didn’t possess the technology that could mitigate new attacks.

Don’t put yourself in a situation where you can’t properly safeguard your customers — even against new or unknown attacks. To protect both your customers and your reputation against the latest threats, you need to deploy behavior-based security solutions that can better future-proof your customer environment.

The Logistics of Threat Prevention

When talking with people about threat prevention I ask, “How many new forms of malware do you think SonicWall detected last year?”

I usually hear answers in the thousands. The real answer? 56 million new forms or variants of malware in a single year. That’s more than 150,000 a day. Every day, security companies like SonicWall have teams of people creating signatures to help build in protections, but this takes time. Despite the industry’s best effort, static forms of threat elimination are limited.

Layering Security Across Customer Environments

MSSPs understand the importance of selling perimeter security, such as firewalls and email security, to scrub out most threats. These solutions will cover roughly 94-98 percent of threats. But for the smaller percentage of threats that are no less devastating, this is where behavior-based solutions come into play.

On each edge-facing firewall and email security service you need to have a network sandbox, which is an isolated environment where files can be tested to understand their intended purpose or motive. For example, the SonicWall Capture Advanced Threat Protection (ATP) sandbox is an isolated environment that is designed to run suspicious files in parallel through multiple engines to resist evasive malware. With the ability to block a file until a verdict has been reached, you can ensure that you will deliver highly vetted and clean traffic to end users.

Endpoints require a form of security that continuously monitor the system for malicious behavior because they roam outside the network perimeter and encounter fileless threats that come from vectors like malvertising.

SonicWall’s endpoint security solution (called Capture Client) only uses roughly 1 percent of the CPU’s processing power on a standard laptop. It can stop attacks before they happen as well as halt attacks as they execute. MSSPs love the ability to prevent dynamic attacks but also roll them back (on Windows only) in case they do initiate.

Behavior-based Security in Action

The power of behavior-based security was clear with the initial WannaCry attack in 2017. It was made famous when 16 NHS hospitals in the UK were shut down due to this viral ransomware attack. These sites were protected by a competitor whose CEO had to explain himself and apologize on national television.

The sites protected by SonicWall were up and running and helped pick up the slack when the others went down. Three weeks before the attack, SonicWall put protections in place that prevented Version 1 of WannaCry and its SMB vulnerability exploit from working.

But it was the behavior-based security controls that helped to identify and stop all the subsequent versions that came after. This same pattern emerged again with the NotPetya and SamSam ransomware attacks; static defenses followed by proactive dynamic defenses.

Furthermore, SonicWall’s reporting enables MSSPs to be alerted when something has been stopped. SonicWall Capture Client attack visualization gives administrators a view of where the threat came from and what it wanted to do on the endpoint.

This approach gives our customers — and MSSPs powered by SonicWall — the ability to protect against threats detected by SonicWall. But this strategy also protects against attacks that shift and change to bypass safeguards. By doing our best to build protections in a timely manner, as well as providing technology that detects and stops unknown attacks, we protect your customer as well as your reputation.


This story originally appeared on MSSP Alert and was republished with permission.

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static to dynamic behavioral analysis to detect-threatening behavior. Comprehensive layers of defense, properly placed within the network and the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention. Meaning, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers, determined to beat antivirus engines, focused much of their attention on hiding their activities. At first, the goal of the attacker was to package their executables into archive formats.

Some threat actors utilized multi-layer packaging (for example, placing an executable into a zip then placing the zip into another compression archive such as arj or rar formats). Traditional antivirus engines responded to this by leveraging file analysis and unpacking functions to scan binaries included within them.

Threat actors then figured out ways to leverage documents and spreadsheets, especially Microsoft Word or Excel, which allowed embedded macros which gave way to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now utilize so many varieties of techniques to hide themselves from static analysis engines, the advent of the sandbox detection engine became popular.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies allow for detection by monitoring malware behavior within virtual or emulated operating systems. The sandboxes run and extract malware behavior within these monitored operating system to investigate their motives. As sandboxing became more prevalent, threat actors redesigned their malware to hide themselves through sandbox evasion techniques.

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMITM) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. As we know, most enterprises and small businesses are mobile today. Therefore, a comprehensive defense against malware and compliance must protect remote users and devices as they mobilize beyond an organization’s safe perimeter. This places an emphasis in combining both network security and endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. In cases where end-users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is supported by ad revenues and encourage users to download the host’s tools (i.e., adware) for free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for viable replacement of legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

Capture Client Endpoint Protection: What’s New in Version 1.5

In April 2018, SonicWall released Capture Client 1.0 featuring a next-generation, behavior-based antivirus (AV) engine, reporting and management, trusted certificate management, and endpoint enforcement on modern SonicWall firewalls. Despite landing with great enthusiasm as a superior upgrade over previous SonicWall AV clients, this was just the beginning.

In September 2018 we will release Capture Client 1.5, a next-generation endpoint antivirus solution. This blog will cover the five core missions of the release:

  • Expanded visibility and control
  • Better white/blacklisting
  • Automated malware analysis and response
  • Enriched threat intelligence
  • General enhancements

Expanded Visibility and Control

Capture Client will support Microsoft Windows servers. Furthermore, the cloud-based management console how allows persistent visibility and control of managed servers, irrespective of whether they are on premise or in a hosted private/public cloud.

Better White/Blacklisting

With a full application inventory, administrators will be able to easily — with one-click action — whitelist known good applications to minimize any false positives and proactively ensure a good user experience when deploying Capture Client.

No longer will there be a need to remember the path, executable name or even the hash value of the file. Just select the application to whitelist (even specific to a version) and off you go. In a similar fashion, administrators will be able to leverage blacklisting capabilities to disallow the running of unauthorized application in the environment.

Automated Malware Analysis and Response

Capture Client Advanced will integrate with SonicWall Capture Advanced Threat Protection (ATP), the network sandbox featuring RTDMI, which examines the behavior of suspicious files to discover new malware.

If you are paying attention, you’re thinking, “But doesn’t Capture Client continuously monitor the system for suspicious behavior?”

Yes, but a network sandbox can manipulate code and do things with files that an endpoint with antivirus is not supposed to do, like strip apart sequences in memory or fast-forward malware into the future. This is designed to find malware, such as Trojans, before they execute, and save people time from remediation, such as rolling the endpoint back to a state before the malware was downloaded and/or activated (e.g., malware with timing delays).

Enriched Cyber Threat Intelligence

Every business day, Capture ATP receives over 1.5 million requests to analyze suspicious files. To analyze that volume of files, the following process is followed:

  1. In order to make it as efficient as possible, every file is given a hash (unique identifier).
  2. Next, it checks to see if there is a verdict for the same hash.
  3. Then it completes a community check of over 60 virus scanners to better understand if the research community knows anything about the file.
  4. It is only after that investigation do we funnel the file automatically into the behavior-based engines of Capture ATP to process the file in question.

Since 45 percent of all requests are unique, the third and fourth processes eventually create hundreds of thousands of new verdicts every business day that we instantly apply in the second step listed above.

This growing database is then leveraged by Capture Client administrators to conduct manual checks of suspicious files on computers with Capture Client without the need to manually upload the file for analysis. This will return a near-instant verdict (for previously evaluated files) and will help mitigate any compliance issues for potentially sensitive files.

General Enhancements

Beyond the delivery of more features without a change to price, multiple stability and user-experience enhancements will be added to Capture Client 1.5, including:

  • Attack Execution Visualization – For threats that are detected during execution, the Capture Client console will show an advanced visualization of all the indicators of attack associated with the threat and how it progressed through its lifecycle.
  • Advanced Network Visualization – A unique network map will show admins the status of endpoints behind SonicWall firewalls that are enforcing the clients and allowing for drill down into device status, threat events and response actions.
  • Alerting and Notifications – Addition of email-based alerting for threat events as a foundation for admin notifications, reducing the need for “eyes-on-glass” monitoring.
  • Threat Analysis UX Improvements – Multiple enhancements will be made to the user experience of the threats page, providing more information about the threats, its lifecycle stage, indicators of attack and easy-to-understand threat response actions.
  • Client Improvements – Improved install/uninstall/upgrade experience for Capture Client and its modules.

Capture Client Endpoint Protection

To learn more about SonicWall Capture Client endpoint protection, download the in-depth data sheet. It explores the solution’s key capabilities, including advanced malware protection, continuous behavioral monitoring, workflow automation, cloud-based management and more.

RSA Conference 2018: See You Next Year

Every year, RSA Conference 2018 is a fast-paced, high-energy gathering for cyber security discussion, networking, innovation and learning for attendees, panelists, speakers and exhibitors alike. It’s almost impossible to see and hear all the show has to offer.

To help, we’ve collected all the interesting events and news from the week. It was an amazing four days — or eight days if you are part of our event staff — and we thank everyone for visiting us.

Endpoint protection still top of mind

While endpoint protection was a major theme at RSA, the technology partnership between SonicWall and SentinelOne stole the show with a modern take on endpoint protection. Throughout the week, SonicWall and SentinelOne collaborated to show off the new SonicWall Capture Client and integrated SentinelOne capabilities, like continuous behavioral monitoring and unique rollback capabilities.
> READ MORE

Awards and honors deserve a ‘thank you’

The CRN accolades noted above were just the start for SonicWall, which collected eight awards, including Gold in the CEO of the Year and Security Marketing Team of the Year, at the 2018 Info Security Product Guide Global Excellence Awards ceremony Monday in San Francisco. Also at RSA, SonicWall was named Cybersecurity Company of the Year in the Cyber Defense Magazine InfoSec Awards 2018.

These honors were the result of true dedication from our amazing SonicWall SecureFirst Partners and loyal customer base that spans 200 countries across the globe. Sincerely, thank you.

Streaming RSA Conference live

No matter your good intentions, sometimes it’s impossible to make it out to RSA every year. But that doesn’t mean you have to miss out on SonicWall’s presentation on the cyber arms race. That’s why we streamed a session from SonicWall malware expert Brook Chelmo on Facebook Live. Relive his presentation again and again, or watch it for the first time.

Music to inspire

While this musical inspiration was published before RSA kicked off, we had so much fun with our RSA Conference 2018 playlist on Spotify we’d be remiss in not offering it up once again.

Worn out

By the final day of RSA Conference, we’re spent. Our presenters logged dozens of hours presenting during the week. Their voices tired. Their legs weak. And some couldn’t even wait to get back to the hotel for some much-needed rest. And you know what? We can’t wait to do it again next year. See you at RSA Conference 2019, March 4-9.

Farewell, RSA Conference 2018

RSA Conference 2018: SonicWall is Hot

Fresh off of April’s massive SonicWall Capture Cloud Platform launch, SonicWall has been featured in a pair of CRN articles highlighting the hottest products at RSA Conference 2018.

The SonicWall Capture Cloud Platform is lauded in CRN’s “10 Hot New Cloud Security Products Announced at RSA 2018” listing. CRN recaps the platform’s ability to integrate security, management, analytics and real-time threat intelligence across SonicWall’s portfolio of network, email, mobile and cloud security products.

Complementing that accolade, a pair of new SonicWall products were listed in the “20 Hot New Security Products Announced at RSA 2018” category. The new SonicWall NSv virtual firewall (slide 7) and SonicWall Capture Client (slide 12) endpoint protection were showcased.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client delivers advanced threat protection techniques, such as machine learning and system rollback.

SonicWall Network Security virtual (NSv) firewalls protect all critical components of your private/public cloud environment from resource misuse attacks, cross virtual machine attacks, side channel attacks and common network-based exploits and threats. It captures traffic between virtual machines (VM) and networks for automated breach prevention and establishes access control measures for data confidentiality and ensures VMs safety and integrity.