Posts

How MSSPs & Artificial Intelligence Can Mitigate Zero-Day Threats

So, here’s the problem: unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. You, therefore, don’t know what will need patching or what extra security layer needs injecting. This ultimately leads to a forecast-costing dilemma as you cannot predict the man hours involved.

The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

Coupled with the shortage of skilled cybersecurity professionals in the open market, how can you get your SOC off the ground? Could artificial intelligence (AI) level the playing field?

Machine Learning Reality Check

Machine learning and behavioral analytics continue to grow and become synonymous with zero-day threat protection. Is this all hype or is it the new reality? The truth is, it is both.

There is a lot of hype, but for good reason: AI works. Big data is needed to see the behaviors and therein the anomalies or outright nefarious activities that human oversight would mostly fail to catch. Delivered as a layered security approach, AI is the only way to truly protect against modern cyber warfare, but not all AI is deterministic and herein lies the hidden cost to your bottom line.

AI-based analysis tools that provide forensics are very powerful, but the horse has bolted by the time they are used. This approach is akin to intrusion detection systems (IDS) versus intrusion prevention systems (IPS). The former are great for retrospective audits, but what is the cleanup cost? This usage of behavioral analysis AI solely for detection is not MSSP-friendly. What you need is automated, real-time breach detection and prevention. Prevention is key.

So, how do you create an effective prevention technology? You need security layers that filter the malware noise, so each can be more efficient at its detection and prevention function than the last. That means signature-based solutions are still necessary. In fact, they are as important as ever as one of the first layers of defense in your arsenal (content filtering comes in at the top spot).

By SonicWall metrics, the ever-growing bombardment of attacks the average network faces stands at 1,200-plus per day (check out the mid-year update to the 2018 SonicWall Cyber Threat Report for more details).

When you do the math, it’s easy to see that with millions of active firewalls, it’s not practical to perform deep analysis on every payload. For the best results, you must efficiently fingerprint and filter everything that has gone before.

Aren’t All Sandboxes Basically the Same?

Only by understanding the behavior of the application and watching what it’s attempting to do, can you uncover malicious intent and criminal action. The best environment to do this is a sandbox, but no SOC manpower in the world could accomplish this with humans at scale. In order to be effective, you must turn to AI.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.

Also, it’s the size of the mesh network catchment area that allows you the largest overall service area of attaches, which helps your AI quickly learn from the largest sample data set.

Luckily, SonicWall has you covered on all these fronts. With more than 1 million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprint of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation.

Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMITM) technology, which inspects memory in real time, can detect and prevent chip vulnerability attaches such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyber threat vectors.


A version of this story originally appeared on MSSP Alert and was republished with permission.

New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

Small- and medium-sized business (SMB) are often one of the segments most targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can leverage best practices from the NIST Cybersecurity Framework, which helps organizations of all sizes leverage best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization to the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet the needs of specific security or business objectives. A sound, end-to-end SMB cybersecurity should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection.TM This integrated combo protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances were given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.

 

Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

Six Tips for Selecting a Firewall Sandbox

Network firewalls have evolved from 1st generation simple packet filters to advanced devices that evolve so fast that labeling them as “next-generation (NG)” is the best way to classify them. They are often defined by the services that are attached to them and one of the greatest and newest internet security technologies to service today’s firewall is the sandbox. A sandbox is an isolated environment where suspicious files or applications can be run, examined and probed before they can be passed through a firewall and into a network. Applications, such as anti-virus, are best known for detecting and stopping known threats, but a sandbox is designed to detect unknown attacks designed to circumvent network security measures. Think of it as a bomb squad opening packages in a secluded open-air environment instead of a crowded stadium.

So, if you want to try this technology, how do you get started? With numerous vendors in this space, each with their promises and bold announcements, how do you cut through the noise? When you are shopping for a firewall and/or a sandbox, please consider these six tips:

  1. Look for a sandbox that has multi-engine support. First generation sandboxes use a siloed approach to examining files but malware authors are designing their code to detect and evade this technology. Leverage a multi-engine sandbox to cover analytical gaps and mitigate the need to deploy multiple vendor’s solutions. Simply put, using a single-engine sandbox is akin to trying to catch insects with a fishing line instead of a net.
  2. Before making a decision, look for any file type and size limits. Organizations use a broad range of operating systems that support everything from network systems to mobile devices. A sandbox needs to be able to examine a very broad range of file types without any limits to the size of the file.
  3. Files need to be held at the gateway before they are allowed to enter the perimeter of the network. Beware of any sandbox that delivers files before a verdict, otherwise it would be better to invest your budget into vulnerability assessment tools because you could be allowing havoc to ensue without proper management.
  4. With nearly one million pieces of malware being created every day, the threat landscape changes on a daily basis. Network and security administrators can’t stay on top of manual patches. Look to a sandbox that can rapidly deploys remediation signatures on a global scale. SonicWall’s sandbox, Capture ATP, quickly sends these signatures to all SonicWall Network Security Appliances within your network.
  5. Single point solutions issued by one-hit-wonder security vendors are often good at what they do, but do they interface with other network security appliances? If they can, it is often due to the manipulation of fickle and poorly supported APIs. Look for a next generation firewall that can communicate and update threat intelligence dynamically throughout your network security infrastructure for ease of management and improved security.
  6. The use of SSL/TLS encryption (AKA HTTPS) is on the rise by not only website and security administrators but by hackers as well. To evade detection, threats are often hidden within encrypted traffic. Evaluate sandboxes based on how they can inspect encrypted traffic.

Keep these tips in mind when evaluating a next-generation firewall and/or a sandbox feature. It is for these reasons that I recommend  SonicWall Capture Advanced Threat Protection Service. Patrick Sweeney, vice president of Marketing and Product Management of SonicWall Security, authored a blog detailing our  SonicWall Capture ATP Service. Currently in beta, this service will give you great protection against advanced persistent threats (APTs) and zero-day attacks. This multi-engine sandbox platform includes virtualized sandboxing, full system emulation, and hypervisor-level analysis technology all while resisting evasion tactics that hobble other sandboxing solutions. I also recommend reading SonicWall Security’s executive brief titled 5 Ways Your Firewall Sandboxes Can Fail.

Hear from Dmitriy Ayrapetov, SonicWall Security’s director of Product Management, on how you can maximize zero-day threat protection with SonicWall Capture Advanced Threat Protection (ATP), a cloud-based multi-engine solution that stops unknown attacks at the gateway.