Posts

SonicOS 6.5, the Biggest Update in Company History, Delivers Powerful Security, Networking and Usability Capabilities

/0 Comments/in /by

Keeping organizations running safely, while improving business and user productivity in today’s accelerating threat environment, continues to be a non-trivial task for IT leaders. At the current pace of cyber attacks, we understand all too well that the effects of recent events, such as the Equifax, WannaCry and NotPetya attacks, have demonstrated their capacity to change the global business environment from normal to total hysteria in the blink of an eye.

When news breaks on new data breaches, we see a surge in conversations with our SonicWall partner and customer communities about security and risk assessments. These engagements reinforce our development commitment to ensure every new product release delivers more tools and capabilities to protect their networks and data, and subsequently avoid the unnecessary breach.

Delivering on that commitment, I am thrilled to introduce SonicWall’s biggest firewall feature release in its history. SonicWall SonicOS 6.5 is packed with powerful security, networking and usability capabilities, and meets the security operation requirements of organizations of various sizes and use cases. SonicOS 6.5 focuses on empowering IT leaders and their security teams to:

  • Elevate their breach detection and prevention capacity
  • Manage and enforce security controls across the entire organization
  • Bring the latest in wireless speed, performance and security for cloud and mobile users
  • Scale firewall networking, connectivity and performance for uncompromised, uninterrupted network services

SonicOS 6.5 delivers the following customer-focused outcomes as part of SonicWall’s expanding Automated Real-Time Breach Detection and Prevention Platform.

1. Bolster breach prevention capabilities for wired, wireless and cloud-enabled network environments

  • SonicOS 6.5 includes 60-plus new features, nearly half of which focus on enabling the latest Wi-Fi standard, 802.11ac Wave 2, to deliver matching network security performance, connectivity and security between wired and wireless networks.
  • The combination of SonicWall firewalls and the new SonicWave 802.11ac Wave 2 series of wireless access points gives customers the assurance that their users have uninterrupted, secure and fast access to business services and resources over wired and wireless connections.
  • Built-in features, like Wireless Deployment Tools, greatly aid in planning and building a robust wireless infrastructure, while Band Steering, Airtime Fairness and others improve the overall wireless service quality and performance to give users a safe, productive wireless experience. This helps eliminate dropped connections and slowness anytime, anywhere and in any environment within the workplace. Moreover, Dynamic VLAN assignment segments wireless users based on their roles and group associations to prevent advanced threats from spreading.
  • SonicOS 6.5 expands the threat API capabilities to help customers establish a path toward security automation. Through greater firewall collaboration with third-party security ecosystem, the firewall can automatically pull external intelligence sources for threat detection and protection, and security policies enforcement. For example, our Dynamic Botnet List feature enables customers to program their firewalls to download private third-party lists that contain desired security information, such as malicious IP and URL addresses, that they want the firewall to block for additional threat coverage.
  • For distributed organizations that have offices operating on different network domains, the new multi-domain security management capability in SonicOS 6.5 helps them manage and enforce discrete security policies across those domains. Based on service levels, risk tolerance, compliance and/or legal requirements, administrators can apply identical security controls to all domains or specific policy to a single domain or group of domains. This flexibility helps reduce the attack surface, eliminate security gaps, isolate risks and prevent any lateral movement of backdoor, network-based attacks, such as WannCry and NotPetya.

2. Increase scalability and connectivity of the firewall system

  • Advances in Layer 2/3 network and connectivity help customers optimize system availability and performance, and scale the firewall to deliver uncompromised, uninterrupted threat protection for every connected network domain. Supported on all SonicWall next-generation firewall (NGFW) models, including the newest NSA 2650, SonicOS 6.5 also supports daisy-chaining and management of Dell X-Series switches, Virtual Wire Mode, Dynamic LAG using LACP and Equal Cost Multi-Path (ECMP).
  • Using multi-domain security management in conjunction with virtual wire mode gives customers the ability to micro-segment and manage their virtual networks. These also provide independent security management, policies, controls and scanning to each virtual network with its separate security zone.

3. Improve ease of use and firewall management

  • SonicOS 6.5 introduces a completely redesigned user interface (UI) for a fresh, productive user experience (UX). This new UI gives users an executive dashboard loaded with security, user and traffic information. It also offers an organized, familiar and easily-understood menu-driven security management console. The dashboard presents a consolidated view of the live firewall security environment. This view includes a threat index, security events and data, network performance and connectivity, and application and bandwidth usage. The intuitive UI lets users complete security tasks faster, and with greater ease, from a single-pane-of-glass.
WATCH VIDEO

Meet the New SonicWall NSA 2650 Next-Gen Firewall – Where Faster Meets More Secure

/0 Comments/in /by

Today I am excited to share the new addition to SonicWall’s NSA product family of Next-Generation Firewalls, the NSA 2650.  Three key trends form the design drivers for the new NSA 2650

  1. Wireless Devices Explosion – The demand for increased bandwidth from wireless networks is constantly on the rise with the growing number of wireless devices used per person. The wireless industry is going through waves of transformation (pun-intended) to support the requirement for more bandwidth. With the latest 802.11ac Wave 2 wireless standards opening the door for multi-gig WiFi performance there is a strong need for switches and firewalls that connect to wireless access points to support these faster speeds without increasing the cost to the network infrastructure.
  2. Multi-gig Campus Requirements – Campus/branch networks require technology trend adoption without adding significant costs to the network infrastructure. For example, switches and firewalls supporting wireless access points must be able to do so with existing the Cat5e/Cat6 cabling infrastructure.
  3. Encrypted Traffic Surge – The trend towards Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption has been on the rise for several years. Articles on the use of SSL/TLS encryption typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Capture Labs Threat Research team shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. As vendors such as Google, Facebook, Twitter and others continue to move to HTTPS, we expect the use of HTTPS to increase. So, organizations now require a secure platform to protect their network from the sophisticated encrypted threats that evade the traditional security mechanisms. 

The NSA 2650 firewall is aimed at campus and branch networks that must secure their environments against the growing number of threats looking for new ways to burrow into networks. The new NSA 2650 firewall is the first branch and campus firewall to deliver automated real-time breach detection and prevention, as well as TLS/SSL decryption and inspection, over multi-gigabit wired and 802.11ac Wave 2 wireless networks. The SonicWall NSA 2650 represents the continuing evolution of SonicWall’s vision for a deeper level of network security without a performance penalty. More than simply a replacement for its predecessor, the NSA 2600, the NSA 2650 addresses the growing trends in web encryption and mobility by delivering a solution that meets the need for high-speed threat prevention.

The NSA 2650 is a 1U-device powered by four cores that provide the processing power necessary to support the compute-intensive deep packet inspection services such as:

  • Intrusion Prevention
  • Anti-Virus
  • Anti-Spyware
  • TLS/SSL inspection and decryption
  • Application Visualization
  • Application Control, Botnet detection
  • Geo-IP identification
  • Anti-Spam
  • User Identification and Advanced Threat Protection

Real-Time Inspection of SSL and TLS Attacks:

Unlike competing firewalls that perform well only with unencrypted connections, the NSA 2650 is built to support the need for more TLS/SSL inspection connections. The NSA 2650 features an unmatched number of encrypted web connections, up to 12,000 and performs deep packet inspection on each connection after first decrypting the traffic.

To protect against more advanced threats such as unknown and zero-day attacks that are concealed in encrypted web traffic, the NSA 2650 utilizes Capture, SonicWall’s cloud-based multi-engine sandboxing service that runs on the firewall. Suspicious files are sent to the award-winning SonicWall Capture service for analysis before rendering a verdict.

The NSA 2650 is a high-port density firewall that features 4×2.5-GbE SFP, 4×2.5-GbE, and 12×1-GbE interfaces with a dedicated management port. In addition to the multi-gigabit ports, high-speed processors and robust onboard memory, the NSA 2650 includes additional hardware enhancements that make it the ideal NGFW for mid-sized organization and distributed enterprises. An optional second power supply is available in case of failure for added redundancy. To help with scalability, the NSA 2650 includes two expansion slots. One is pre-populated with a 16 GB storage module to support features including logging, reporting, last signature update, backup and restores and more. The second slot provides flexibility to add future feature and physical capability expansion. Expandable in the future with additional modules, this versatile, high-port density firewall platform has the capacity to evolve through firmware updates to keep ahead of threats such as ransomware and intrusions.

With the NSA 2650, SonicWall yet again adds a ground-breaking security product to its portfolio. Combined with new 802.11ac Wave 2 SonicWave wireless access points, SonicWall creates a high-speed wireless network security solution that provides wireless users with an enhanced mobile experience.

Our latest firmware release, SonicOS 6.5, has more than 60 new features, and provides support for NSA 2650 hardware platform where faster meets more secure without any compromise on performance to all traffic including encrypted traffic.

Test drive the new NSA 2650 on SonicWall live demo: https://livedemo.sonicwall.com

VIEW LIVE DEMO

Network Sandboxing Takes On Malware, More than 26,000 New Strands Identified in August

/0 Comments/in /by

Malware never sleeps. Threat actors and criminal organizations are relentless in testing, optimizing and deploying exploit kits that target businesses and organizations across the globe. August 2017 was no different.

In fact, the month presented SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP), with a few milestones.

First, the Capture ATP service celebrated its first anniversary protecting customer systems across the globe. Second, according to some sources, it surpassed install base figures of some of our competitors. Finally, the service also broke its own record for the number of new forms of malware it discovered and stopped on our customer networks.

How many? 26,438 to be exact!

This means that nearly 26,500 forms of malware — ranging from ransomware, to other Trojans, to Malvertising — were never seen by SonicWall before this month. Out of this, a little more than 7,100 were identified by one of the numerous anti-virus sources we work with. But over 19,300 were never seen by anyone and this includes a strong list of over 50 vendors including some very large names.

On top of this, last year we cataloged 60 million new forms of malware in order to prevent a patient-zero situation among the customer base. But despite our round-the-clock vigilance, there will always be a customer out there who will find something before we do.

To better eliminate this type of rare event, we created the industry’s first multi-engine network sandbox that can block until verdict, which means a customer can elect to have all unknown files blocked at the gateway until SonicWall can vet the code.

By combining the power of hypervisor-level analysis, full-system emulation and virtualized sandboxing, we have been very successful at finding some of the most evasive forms of ransomware in history, such as Cerber.

By combining the research from SonicWall’s Capture Labs, which place their signatures in SonicWall’s Gateway Security (and other places like Email Security for example) and Capture ATP, customers can stop known and unknown forms of malware. It is the latter group that causes the most fits for security professionals and gives end users with good technology something to brag about.

Since February we’ve seen a large increase in the new malware Capture ATP catches. This momentum stems from an ever-expanding customer base, but also a large rise in the percentage of malicious files that are out there. Here are some key facts:

  • Since February 2017, we’ve seen an increase of 524 percent in the new forms of malware discovered
  • In August 2017, the percentage of malicious files found was .22 percent, which is up from .14 percent
  • We made improvements in our performance and saw that 71.5 percent of all files were processed with a verdict in under 5 seconds

Is network sandboxing right for you? Based on our data, the average Capture ATP customer is on pace to detect and stop 30 new forms of malware within a year.

To learn more about the power of network sandboxing, I encourage you to read this executive brief: Why Network Sandboxing is Required to Stop Ransomware.

READ EXECUTIVE BRIEF

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

/0 Comments/in /by

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.

View DPI SSL eBook

Ransomware-as-a-Service RaaS is the New Normal

/0 Comments/in /by

Business models always have to tackle the method of distribution, will they sell directly or through a channel of distributors or a mix of both. The same is with ransomware developers. Many are electing to take their successful code and sell it as a kit, which eliminates many risks and the hard work of distribution all the while collecting a cut of the prize.

Throughout the past year, and even until the large-scale WannaCry attacks, floating between the peaks of the infamous events are small focused attacks en masse from rebranded exploit kits. In the past quarter, we have discovered a mix of developer hobby/chaos-malware, rebranded ransomware, and repackaged RaaS ransomware.

  • Trumplocker
  • AlmaLocker
  • Jigsaw
  • Lambda
  • Derialock
  • Shade
  • Popcorn

Recently, one author showed how easy it is to launch a ransomware attack within an hour… with zero hacking skills. So what does this mean to an organization like yours? Should this scare you? Simply put, attacks from more sources equals more attacks but SonicWall has your back.

First off, organizations can have the front-line protection of our award-winning multi-engine network sandbox, SonicWall Capture Advanced Threat Protection (ATP) Service. Capture ATP automatically takes suspicious code at the gateway of your network, and runs it in three parallel engines (and counting) to see what it wants to do from the application, to the OS, to the software that resides on the hardware. We find the newest ransomware families and updates this way.

Secondly, our Capture Labs research team catches many new variants of ransomware and malware in multiple ways as well as from a multitude of external sources. Once new ransomware families are found (either from Capture ATP, a honeypot, or another Capture Labs source), the intelligence is cross-pollinated to the rest of the SonicWall portfolio of security products.

Lastly, organizations can expect to be hit by a wide range of ransomware attacks and should ensure they have a good backup policy and focus on awareness training.

To learn more, watch this video to see how SonicWall stops ransomware:

Don’t Be Fooled by the Calm After the WannaCry Chaos: Continuously Toughen Your Security

/0 Comments/in /by

Some consider WannaCry to be the first-ever, self-propagating ransomware attack to wreak havoc across the globe. The chaos that followed is yet another harsh wake-up for many, in a situation far too familiar.  Only this time, the victims are new, the infection spreads more rapidly, the effects are far-reaching and the headlines are bigger.  I am sure you may be feeling overwhelmed with the ongoing news coverage of the EternalBlue exploit, WannaCry ransomware and Adylkuzz malware this past week.   Let us recap a few important observations to help us avoid a replay of history.

The WannaCry crisis was unlike any previous zero-day vulnerabilities and exploits that caused massive cyber-attacks in previous years. The major difference in this event is that there were early warning signs portending this sort of cyber-attacks through a series of leaks by the Shadow Broker, an unidentified hacking entity responsible for putting stolen U.S. National Security Agency (NSA) hacking secrets in the hands of nefarious actors, both foreign and domestic, looking to do us harm. Since the forthcoming threat was public knowledge and organization had ample time to mitigate the risk, why was WannaCry still able to achieve the level of success that it did? The reasons are quite simple and common with most organizations today.

1. Take care of the basics

Winston Churchill once remarked, “We live in the most thoughtless of ages. Every day headlines and short views.” Although the wisdom in these words was uttered many years ago, it seems as though we have yet to change our ways with respect to repeating poor cyber hygiene patterns. There are data security experts who have suggested that poor cyber-hygiene has caused as much as 80% of security incidents. Whether this figure is accurate or not, it is certain that the WannaCry and Adylkuzz attacks are the latest examples to support this statistic. Because of unpatched Microsoft’s Windows systems, victim organizations have allowed a broadly publicized and easily preventable exploit and ransomware to move into their environments simply because some of the most basic security measures were either not established or followed.

To avoid repeating this sort of mistake, organizations must understand that taking care of the basics means standing between being likely breached and likely avoiding one. Therefore, instituting a zero-tolerance policy to patch every system and device in the environment must never be an option. Putting in place auditable workflows and technology that can programmatically check and perform security updates without the need for manual intervention will help organizations move towards a more proactive defense posture.

2. Security staffing an unsolved problem

What we are seeing right now is a serious talent shortage in the security employment industry. Hiring good, affordable security professionals is a huge concern for many organizations across all industries. When organizations do not have adequate security staff or are unable to fill positions, they do not have the capacity necessary to proactively identify and remediate risk areas at the speed needed to avoid a security event like WannaCry. This common, unsolved problem manifests itself with most organizations, especially during major cyber events.

Many of the most significant issues organizations have in common today include the lack of understanding and visibility of:

  • What and where are the at-risk assets
  • Who and where are the at-risk users
  • What and where are the at-risk systems and devices
  • What are the risks and threats to focus on
  • What a proper security response plan looks like are

3. Lack the right tools in place

We have a situation today where exploit kits and ransomware are leveraging SSL/TLS encrypted traffic predominately for evading detection. A recent Ponemon Institute study reported that 62% of respondents say their organizations do not currently decrypt and inspect web traffic. However, the real concern is the fact that half of those respondents, who disclosed they were victims of a cyberattack in the preceding 12 months, claimed attacks leveraged SSL traffic to evade detection. So why is that?

The reasons provided in the same Ponemon study revealed that for those organizations that are not inspecting encrypted traffic:

  • 47% of the respondents said lack of enabling security tools was the top reason
  • 45% divulged that they do not have sufficient resources
  • 45% said they have overwhelming concerns about performance degradation.

Encrypted attacks threatening mobile devices, endpoint systems and data center resources and applications are on the rise. As we move towards an all-encrypted internet, organizations no longer have a choice whether to establish a security model that can decrypt and inspect encrypted traffic to stop hidden threats.

To learn more, here are two relevant informational pieces written by my colleagues on the WannaCry ransomware event that I highly recommend you to read. They offer additional perspectives and insights that can help you solve these security issues and be readily prepared for the next wave of cyber-attacks.

  1. WannaCry Ransomware Attack – It’s a Tragedy: What’s Next for Your Network? by Rob Krug, Solution Architect, Security
  2. SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack by Brook Chelmo, Sr. Product Marketing Manager

When the chaos over WannaCry calms, the big question becomes, will you move on from this historic event with the lessons we’ve learned? Your answer is crucial since it will determine if the next major incident yields a more readied response from your organization.

Download a Tech Brief
Footnote: Ponemon Study,  Uncovering Hidden Threats within Encrypted Traffic, 2016

Are You Seeing This? Uncovering Encrypted Threats

/0 Comments/in /by

Night vision goggles. Airport x-ray machines. Secret decoder rings. What do they all have in common? Each helps you find something that is hidden, whether it’s an object or code that someone may not want you to discover. Your organization’s security solution needs to perform in a similar manner by inspecting encrypted traffic. Here’s why.

Over time, HTTPS has replaced HTTP as the means to secure web traffic. Along the way there have been some inflection points that have spurred on this transition such as when Google announced it would enable HTTPS search for all logged-in users who visit google.com. More recently, Google began using HTTPS as a ranking signal. Other vendors including YouTube, Twitter and Facebook have also made the switch. If you read articles on the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption the latest numbers typically indicate that a little over 50% of all web traffic is now encrypted and that percentage is expected to continue growing. At SonicWall, data gathered by our Global Response Intelligence Defense (GRID) Threat Network shows the percentage to be a little higher, around 62%. We found that as web traffic grew throughout 2016, so did SSL/TLS encryption, from 5.3 trillion web connections in 2015 to 7.3 trillion in 2016. Like others, we also expect the use of HTTPS to increase.

On one hand, this is good news for everyone. Securing web sessions, whether the user is making a financial transaction, sending/receiving email or simply surfing the Internet, is a good thing. It’s also good business for organizations such as online retailers who receive sensitive personal and financial information from their customers and need to secure it from hackers. On the other hand, cyber criminals are now hiding their attacks in encrypted web traffic. Threats such as malware, intrusions, and ransomware are able to pass through the network undetected if they’re hidden using encryption. Cyber criminals are also using encryption to receive communications back from infected systems.

Given organizations’ growing trend toward HTTPS and its use by hackers to steal information, it makes sense to have a security solution in place that can decrypt and scan SSL/TLS-encrypted traffic for threats. Not everyone does, however, especially smaller organizations. According to Gartner’s Magic Quadrant for Unified Threat Management (UTM) from August 2016, the research and advisory company estimates that “Less than 10% of SMB organizations decrypt HTTPS on their UTM firewall. This means that 90% of the SMB organizations relying on UTM for web security are blind to the more advanced threats that use HTTPS for transport.”

Let’s add a little more fuel to this. By now most people have heard of the “Internet of Things.” The idea is that we have all manner of devices available that can connect to the Internet and send/receive data. No longer is it just our PC, laptop, smartphone and tablet. It’s our TV, car, refrigerator, watch, security camera. Essentially anything that’s Internet-enabled. The number of connected devices is growing rapidly. Gartner forecasts there will be 8.4 billion connected “things” in use in 2017 and by 2020 that number will grow to 20.4 billion. That’s a lot of things that can be potentially taken over by malware delivered through encrypted traffic.

Here’s the big question every organization needs to ask. “Does our security solution (typically a firewall) have the ability to decrypt SSL/TLS-encrypted web traffic, scan it for threats, use deep packet inspection technology to stop malware, and do it all with little or no performance hit?” If your firewall is three years old or more, the answer is likely no. Legacy firewalls may decrypt the traffic and do some threat detection, but not prevention. Or, it may do everything that’s required, just very slowly which isn’t good either. The firewall shouldn’t be a bottleneck.

In his blog titled, “DPI-SSL: What Keeps You Up at Night?” my colleague Paul Leets states, “We must look into encrypted packets to mitigate those threats.” And he’s right. We need to be able to “see” into encrypted traffic in order to identify threats and eliminate them before they get into the network. And it needs to be done in real time. We call this automated breach prevention and it’s what our lineup of next-generation firewalls delivers. To learn more about automated breach prevention and how SonicWall next-generation firewalls decrypt SSL/TLS-encrypted traffic and scan for and eliminate threats without latency, visit the “Encrypted Threats” page on our website. Secret decoder ring not required.

Download Encrypted Threats Best Practices

The Seven Habits of Highly Effective Ransomware Attacks

/0 Comments/in /by

In 2016, SonicWall detected a 600% growth in ransomware families. We saw a wide range of ransomware forms and attack vectors in the 2017 Annual Threat Report; some successful, others not so much.  So, what is at the core of any successful attack? If you understand the seven components of a ransomware campaign strategy, you can better defend yourself from one of the most pernicious forms of malware in history.

1. Intelligent target research

Any good scammer knows how to find the right people in an organization to target with the right message.  Hackers know that municipal and healthcare  are a ripe choice. Even though organizations are providing awareness education, people still click on cleverly created social media posts and emails. In addition to this, hackers can go to any public lead generation database and find the right set of victims for a phishing campaign.

2. Effective delivery

Since 65 percent of ransomware attacks happen through email, a scammer can easily send that infected attachment to someone in accounts payable claiming it is an unpaid invoice.  A similar attack brought BWL of Lansing, Michigan to its knees for two weeks and cost the utility provider around $2.4M USD. Secondly, developing sensationally titled social media posts with a farfetched photo are great at funneling people to infected web destinations, which make up roughly 35 percent of successful attacks.

3. Good code

Because companies are bolstering their security strategy, attackers should focus on ways of circumventing this.  First, aggressive hackers update their code frequently to get past signature-based counter-measures.  Second, the code should have several built-in evasion tactics to sneak past advanced defenses such as network sandboxes.  Cerber’s code provides a great example for other attackers to model. Malicious code authors are hoping the target does not deploy a multi-engine sandbox like SonicWall Capture Advanced Threat Protection, which is much more difficult to evade. Third, the code should worm from system to system to create as much havoc as possible and therefore increase the potential payoff.

4. Great understanding for infected systems

Any good hacker will know what he/she has infected and thereby ask for an appropriate ransom.  Endpoints such as a laptop are worth $1K, servers $5K and critical infrastructure as high as hundreds of thousands of dollars.  Hackers hope that their targets do not have segmented networks so they can infect multiple systems within a single attack. They also rely on inconsistent backups for a higher customer conversion rate.

5. Patience & persistence

In order for organizations to stay safe from an effective attack, they have to be right all the time.  For the attackers, they have to be right just once.  Although awareness, security, and consistent backups are the essential ingredients to ransomware defense, they are not perfect.  This is why good hackers keep trying, repackaging code into different delivery mechanisms and exploit kits.

6. Good customer support

The best ransomware variants have good customer support channels. Attackers use them to negotiate with victims and assure them that they will get their data back if they pay.

7. Good payment management

Although other ransomware variants have used other forms of payment, bitcoin is still the best choice. Bitcoin is easier to obtain and exchange, so ransomware attacks have a higher payout ratio against consumers with infected endpoints. To mitigate bitcoin wallet compromise, hackers will rotate the associated email address with a specific wallet, which also pressures victims to pay quicker.

I hope that you will be able to read these notes to understand what is in the mind of an attacker possibly targeting your industry or organization.  Use these tips to develop a good anti-ransomware and malware strategy.  For more information, please watch this webcast How To Protect Your Organization From Ransomware.

On Demand Webcast

SonicOS 6.2.7 Delivers More Breach Prevention and Easier Management to Next-Gen Firewalls

/in /by

There is no end to the danger of cyber-criminal activities, as long as there is an underground marketplace that makes it almost impossible for authorities to intervene and enforce law and order.  We continue to see our adversaries relentlessly going after money by developing and experimenting with different methods and tools against new and existing vulnerabilities, in preparation for the next phase of their business model. To deal with this cybercriminal activity and have greater network security, I am excited to announce SonicOS 6.2.7, which provides enhanced breach prevention, a new threat API, improved scalability and connectivity while simplifying management to ensure small businesses and large distributed enterprises receive a high quality-of-service level, increased on-demand capacity and connectivity and better security.

Here are some of the historical cyber attacks that require deeper network security:

  1. CVE logged nearly 4,000 new vulnerabilities with more than two-thirds of them associated with network attacks.
  2. Ransomware was spotted as far back as 2005, but rarely seen until its recent return to the world stage as the most popular payload for spam, phishing and exploit campaigns, collecting an estimated of $200 million in ransom payout globally so far. The fear of infections and subsequent business disruptions has forced institutions to begin augmenting their existing defense model to address this threat.
  3. According to NSS Labs, the malicious use of encryption is rapidly growing and allowing criminals to use it as an effective evasion technique. When encrypted connections are improperly managed and go uninspected, they become defenseless tunnels for concealing malware downloads and command and control (C&C) communication, spreading infections and most serious of all, extracting massive amounts of data.
  4. In November, the Mirai botnet management framework launched the largest mass-scale distributed denial of service (DDoS) attacks on record, using hundreds of thousands of Linux-based IoT devices that took down a major DNS service provider. IoT-based attack is anticipated to be one of the fastest growing and most prevalent attack vectors in 2017.
  5. A new breed of exploit kits surfaced leveraging cryptographic algorithms to encrypt and obfuscate landing pages and malicious payloads to spread ransomware at scale more effectively.

Moreover, organizations are quickly embracing new technologies such as cloud and virtualization to advance their digital business ambition.  As they embrace these new technology platforms, they find themselves needing to augment their network architecture to meet new data, capacity and connectivity demands.

The biggest question now is what we can do differently in our cyberdefense model to scale performance, secure us from advanced threats and help enable organizations to grow and move securely forward. SonicWall introduces the latest update to its next-generation firewall SonicOS operating system, version 6.2.7.0.  Many of new features in the release are focused on three primary outcomes of the firewall system.

  1. Enhancing breach prevention capabilities
  • Deep packet inspection of SSH (DPI-SSH) to detect and prevent advanced encrypted attacks that leverage SSH, block encrypted malware downloads, cease the spread of infections, and thwart command and control (C&C) communications and data exfiltration
  • Threat API platform designed to receive any and all proprietary, OEM and third-party threat intelligence feeds to combat a wide variety of advanced threats such as zero-day, malicious insiders, compromised credentials, ransomware and APTs
  • Biometric authentication technology on the user mobile device such as fingerprints that cannot be easily duplicated or shared to securely authenticate the user identity for network access.
  • Additional security extensions include granular SSL controls and DPI-SSL of IPv6 encrypted traffic, DNS Proxy to securely control both incoming and outgoing DNS traffic to eliminate any potential DNS cache poisoning, DNS spoofing, and buffer overflow attacks transmitted through DNS commands and more
  1. Improving ease of use and management
  • Auto-provisioning VPN simplify and reduce complex distributed firewall deployments down to a trivial effort by automating the initial site-to-site VPN gateway provisioning while security and connectivity occurs instantly and automatically.  As an added advantage, policy changes are centrally managed and automatically updated on every VPN peer across the WAN environment.
  1. Increasing scalability and connectivity
  • Dell X-Series Switch extensibility enhanced network security flexibility and scalability that adapts to service-level increases and ensures network services and resources are continuously available and protected when capacity grows without having to upgrade the firewall system.

Download the SonicOS 6.2.7 today.

DOWNLOAD DATA SHEET

CAPTURE MORE. FEAR LESS: SonicWall Capture ATP for Ransomware Prevention

/0 Comments/in /by

If you pictured a specific technology exemplified as an animal what would it be?  Cars have been visualized as horses and bulls and the names like Mustang, Pinto, and Taurus all ring a bell with us. We see this in cyber security as well.  We have worms, bugs, and Trojan [horses] (I know that’s a stretch).  If you picture ransomware viruses as malicious bugs then you would see Capture Advanced Threat Protection (ATP) as a spider.

Spiders are the perfect foe of bugs. They sit in wait within perfectly designed traps and focus their energy on processing their prey.  SonicWall Capture ATP, multi-engine cloud-based sandbox, does just that; as a network sandbox it awaits suspicious code in order to process it to see what it wants to do from the application, to the OS, to the software residing on the hardware. If you read up on Cerber ransomware, you will see one of the most advanced persistent threats known today.  You will see how it evades traditional security and employs evasion tactics to get around network sandboxes. Thanks to Capture ATP’s parallel processing multi-engine sandbox, catching Cerber is easily done.

Capture ATP is not only successful versus Cerber and other nasty forms of ransomware, but it also finds many other forms of malware too.  Last year, SonicWall detected over 60 million new and updated malware; that’s roughly two per second.  With that volume of malware being processed on a daily basis, it’s important to have a network sandbox in place to catch yet-to-be-discovered malware before it can make itself known by locking your desktops and encrypting your files.

Watch the video below to see how Solutions Granted, Inc., a Platinum Partner, CEO, Michael Crean, sees the benefits of using Capture ATP.