Posts

What the 2023 MITRE ATT&CK Evaluation Results Mean for SonicWall Users

Note: Previously, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check out these blogs (Part 1 and Part 2) if you haven’t already.

The 2023 MITRE ATT&CK® Evaluations focused on the adversary Turla, a Russia-based threat group active since at least the early 2000s. Turla is known for deploying sophisticated proprietary tools and malware. It has targeted victims in over 45 countries, spanning a range of critical industries and infrastructure such as government agencies, diplomatic missions, military groups, research and education facilities, and media organizations.

But while Turla is unquestionably a formidable adversary, it proved no match for the SentinelOne-powered SonicWall Capture Client, as we’ll explore below.

Understanding MITRE ATT&CK and SonicWall Capture Client

Before we dive in, however, a bit of background on the MITRE ATT&CK evaluations and SonicWall Capture Client is likely to be helpful:

MITRE ATT&CK Evaluations: ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge.” It’s designed to be a common language, the components of which are used in endless combinations to describe how threat actors operate. The MITRE Engenuity ATT&CK Evaluations are based on the MITRE ATT&CK knowledge base, a globally accessible repository of threat actor behaviors and techniques observed in real-world cyberattacks. The evaluations provide transparency and insight into how well different cybersecurity solutions can detect and prevent these tactics, as well as how they present relevant information to end users.

SonicWall Capture Client Endpoint Security: SonicWall Capture Client is a cutting-edge endpoint security solution powered by the SentinelOne Singularity platform. It leverages multiple layers of security – including real-time behavior monitoring, anti-ransomware technology and malware prevention – to automatically detect and prevent malicious activity in real time, without relying on signatures, rules or human intervention.

To reduce alert fatigue, Capture Client automatically stitches together related alerts, providing analysts with a full view of detections across all covered attack vectors correlated into several incidents.

Capture Client’s built-in, autonomous EDR provides automation and orchestration capabilities for rapid response and remediation actions. What’s more, Capture Client’s synergy with the rest of the SonicWall platform allows for increased visibility and protection both on and off the network.

The 2023 MITRE ATT&CK Evaluations

The 2023 MITRE ATT&CK Evaluations emulated Turla to test 30 cybersecurity vendors on their ability to detect and respond to an advanced real-world threat. Evaluation results are available on the official website, where you can view and compare the test data of each vendor across 143 sub-steps that represent the attack sequence of Turla. You can also filter the results by different criteria, such as detection type, telemetry type, platform or technique.

The test data consists of three main categories:

  • Visibility: Evaluates whether the vendor was able to detect a specific sub-step of the attack sequence and what type of telemetry (e.g., process, file, registry, network) was used to provide that detection. The higher the visibility score, the more sub-steps were detected by the vendor.
  • Analytic Quality: Evaluates the quality of the detection analytics (e.g., rules, signatures, models) used to identify a specific sub-step of the attack sequence. The analytic quality score ranges from 1 (lowest) to 5 (highest) based on criteria such as specificity, relevance, timeliness, accuracy and completeness. The higher the analytic quality score, the better the detection analytics were at capturing the adversary’s behavior.
  • Configuration Change: Evaluates whether the vendor required any configuration changes (e.g., enabling or disabling features, modifying settings) to achieve a specific detection. The configuration change score ranges from 0 (no change) to 2 (major change) based on criteria such as complexity, impact and documentation. The lower the configuration change score, the fewer changes were needed by the vendor.

SentinelOne: Once Again at the Front of the Pack

SonicWall customers trust our SentinelOne-powered Capture Client to protect them from the most advanced threats. In this year’s Evaluations, the exact agent, platform and features used to safeguard SonicWall users every day detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations or bolt-on features.

It outperformed all other vendors in terms of detection and prevention capabilities, as well as analytic quality and configuration changes.

Figure 1 shows exactly what Capture Client (SentinelOne) achieved:

Figure 1: SentinelOne MITRE ATT&CK Evaluation results

These results highlight how the SentinelOne Singularity platform maps directly to the MITRE ATT&CK framework to deliver unparalleled detection and prevention of advanced threat actor tactics, techniques and procedures (TTPs). SentinelOne Singularity XDR also provides real-world information to defenders without any configuration changes4 – because there are no re-tests in the real world.

Figure 2: A closer look at SentinelOne evaluation results.

By choosing Capture Client (SentinelOne) for your organization, your organization can benefit from:

  • Autonomous Protection: Automatically detect and prevent malicious activity in real time across all attack surfaces.
  • High-Quality Analytics: Leverage high-quality analytics of threat behavior with specificity, relevance, timeliness, accuracy and completeness.
  • Zero Configuration Changes: Enjoy optimal performance without any configuration changes, reducing complexity and overhead
  • Real-Time Visibility: Gain comprehensive visibility into the attack sequence and timeline, as well as threat intelligence, indicators of compromise (IOCs), root cause analysis and remediation steps.
  • Automation and Orchestration: Automate and orchestrate response and remediation actions with protection that integrates with other security tools and platforms.

Figure 3: Capture Client provides real-time visibility with Attack Storyline, which displays an attack in its entirety and combines alerts and individual events into a single, comprehensive view.

Conclusion

The MITRE ATT&CK Evaluation provides transparent and objective data, which allows vendors and users the ability to compare different cybersecurity solutions based on their ability to detect and prevent real-world threats. For those looking to purchase a reliable and effective cybersecurity solution, these results can help determine which one best suits their needs and goals.

For four consecutive years, SonicWall Capture Client has proven its industry-leading detection and protection capabilities in the MITRE ATT&CK Enterprise Evaluations. You can request a demo or a free trial of Capture Client, or compare SonicWall Capture Client (SentinelOne) with other vendors on MITRE Engenuity’s website.

Advanced Endpoint Detection & Response (EDR) Comes to Capture Client 2.0

Endpoint protection has evolved well past simple antivirus (AV) monitoring. Today’s endpoints require consistent and proactive investigation and mitigation of suspicious files or behavior.

With the release of SonicWall Capture Client 2.0, organizations gain active control of endpoint health with advanced Endpoint Detection and Response (EDR) capabilities.

With EDR capabilities in place, SonicWall Capture Client empowers administrators to track threat origins and intended destinations, kill or quarantine as necessary, and “roll back” endpoints to a last-known good state in cases of infection or compromise.

Capture Client now also enables organizations to mitigate malware and clean endpoints without manually pulling them offline to conduct forensic analysis and/or reimage the device — as is typically required with legacy AV solutions.

Protect Endpoints from Employee Mishaps with Web Threat Protection

For years, SonicWall’s Content Filtering options have been used by schools, small and medium businesses, and enterprises to either block people from malicious web content (e.g., phishing sites) or productivity-killing sites (e.g., social media), as well as manage the bandwidth an application receives.

A portion of this technology, called Web Threat Protection, is now in Capture Client 2.0. This feature utilizes the Content Filtering Service to block access to millions of known malicious URLs, domains and IP addresses. This helps prevent phishing email attacks, malicious downloads (e.g., ransomware) or other online threats.

Web Threat Protection gives admins another layer of security and helps avoid the cleanup of infections and/or the need to “roll back” the PC to a last known healthy state.

Shrink Attack Surface Area with Endpoint Device Control

Did you know in a recent Google social experiment that 45 percent of “lost” USB keys were plugged into devices by the people who found them?

Dropping infected USB drives in a work area (e.g., coffee shop, company parking lot, lobby) has always been respected as a very effective attack on companies. In fact, many retail outlets have point-of-sale (POS) systems with exposed USB ports that make it easier to infect networks from many locations.

To better prevent infected devices like USBs from connecting to endpoints, Capture Client Device Control can lock out unknown or suspicious devices. Admins have the ability to block endpoint access to unknown devices until they are approved, or whitelist clean devices, like printers and removable storage, to narrow the threat plane.

Endpoint Protection Licensing Better for Partners, Customers

SonicWall has done more than just improve the stability and functionality of the client. We’ve also spent the past year working with a global network of partners and customers to create better business practices behind the client.

Due to increased demand, we are proud to announce that our competitive conversion SKUs will live as an indefinite program that certified SonicWall Partners can use. This will enable customers to get three years of coverage for the price of two when switching from a competitive product.

SonicWall is also doing away with pack SKUs that people formerly ordered (and still supported) in favor of banded SKUs coming in March 2019. These ordering bands allow a partner to order the exact number of licenses required, at the appropriate discount, for their volume. These bands start at five seats and offer eight sets of volume discounts that go up to 10,000 or more seats.

Tech Brief: Roll Back the Impact of Ransomware

Capture Client Advanced enables quick, automated recovery without having to manually restore from backups or create new system images. Download the full tech brief to explore how Capture Client rollback helps optimize business continuity, reduce financial impact and shorten the mean time to repair.

Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective of threats to critical infrastructure I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another they find for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code or changing the programing to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel in the hopes they don’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic.  This can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts at airlines, retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that servers fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, TrendMicro, McAfee, etc.) is still around, but they only check files that are known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor using behavior-based antivirus called a number of things like Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV look at what is happening on the system for malicious behavior, which is great against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates and know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware since you can restore encrypted files and continue on as if the infection never happened. Also, like I mentioned above, Capture Client also makes use of Capture ATP in order to find and eliminate malware that is waiting to execute.

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do and or conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

Protecting Your MSSP Reputation with Behavior-Based Security

You’ve been here before. Your customer gets hit by a cyberattack and they ask, “Why did this happen? Shouldn’t your managed security service have protected us?”

Unless you give them a satisfactory answer, they may be shopping for a new partner. Over the past few years, I’ve heard several MSSPs having to explain to their customers that the malware or ransomware attack could not be stopped because they didn’t possess the technology that could mitigate new attacks.

Don’t put yourself in a situation where you can’t properly safeguard your customers — even against new or unknown attacks. To protect both your customers and your reputation against the latest threats, you need to deploy behavior-based security solutions that can better future-proof your customer environment.

The Logistics of Threat Prevention

When talking with people about threat prevention I ask, “How many new forms of malware do you think SonicWall detected last year?”

I usually hear answers in the thousands. The real answer? 56 million new forms or variants of malware in a single year. That’s more than 150,000 a day. Every day, security companies like SonicWall have teams of people creating signatures to help build in protections, but this takes time. Despite the industry’s best effort, static forms of threat elimination are limited.

Layering Security Across Customer Environments

MSSPs understand the importance of selling perimeter security, such as firewalls and email security, to scrub out most threats. These solutions will cover roughly 94-98 percent of threats. But for the smaller percentage of threats that are no less devastating, this is where behavior-based solutions come into play.

On each edge-facing firewall and email security service you need to have a network sandbox, which is an isolated environment where files can be tested to understand their intended purpose or motive. For example, the SonicWall Capture Advanced Threat Protection (ATP) sandbox is an isolated environment that is designed to run suspicious files in parallel through multiple engines to resist evasive malware. With the ability to block a file until a verdict has been reached, you can ensure that you will deliver highly vetted and clean traffic to end users.

Endpoints require a form of security that continuously monitor the system for malicious behavior because they roam outside the network perimeter and encounter fileless threats that come from vectors like malvertising.

SonicWall’s endpoint security solution (called Capture Client) only uses roughly 1 percent of the CPU’s processing power on a standard laptop. It can stop attacks before they happen as well as halt attacks as they execute. MSSPs love the ability to prevent dynamic attacks but also roll them back (on Windows only) in case they do initiate.

Behavior-based Security in Action

The power of behavior-based security was clear with the initial WannaCry attack in 2017. It was made famous when 16 NHS hospitals in the UK were shut down due to this viral ransomware attack. These sites were protected by a competitor whose CEO had to explain himself and apologize on national television.

The sites protected by SonicWall were up and running and helped pick up the slack when the others went down. Three weeks before the attack, SonicWall put protections in place that prevented Version 1 of WannaCry and its SMB vulnerability exploit from working.

But it was the behavior-based security controls that helped to identify and stop all the subsequent versions that came after. This same pattern emerged again with the NotPetya and SamSam ransomware attacks; static defenses followed by proactive dynamic defenses.

Furthermore, SonicWall’s reporting enables MSSPs to be alerted when something has been stopped. SonicWall Capture Client attack visualization gives administrators a view of where the threat came from and what it wanted to do on the endpoint.

This approach gives our customers — and MSSPs powered by SonicWall — the ability to protect against threats detected by SonicWall. But this strategy also protects against attacks that shift and change to bypass safeguards. By doing our best to build protections in a timely manner, as well as providing technology that detects and stops unknown attacks, we protect your customer as well as your reputation.


This story originally appeared on MSSP Alert and was republished with permission.

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static to dynamic behavioral analysis to detect-threatening behavior. Comprehensive layers of defense, properly placed within the network and the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention. Meaning, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers, determined to beat antivirus engines, focused much of their attention on hiding their activities. At first, the goal of the attacker was to package their executables into archive formats.

Some threat actors utilized multi-layer packaging (for example, placing an executable into a zip then placing the zip into another compression archive such as arj or rar formats). Traditional antivirus engines responded to this by leveraging file analysis and unpacking functions to scan binaries included within them.

Threat actors then figured out ways to leverage documents and spreadsheets, especially Microsoft Word or Excel, which allowed embedded macros which gave way to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now utilize so many varieties of techniques to hide themselves from static analysis engines, the advent of the sandbox detection engine became popular.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies allow for detection by monitoring malware behavior within virtual or emulated operating systems. The sandboxes run and extract malware behavior within these monitored operating system to investigate their motives. As sandboxing became more prevalent, threat actors redesigned their malware to hide themselves through sandbox evasion techniques.

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMITM) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. As we know, most enterprises and small businesses are mobile today. Therefore, a comprehensive defense against malware and compliance must protect remote users and devices as they mobilize beyond an organization’s safe perimeter. This places an emphasis in combining both network security and endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. In cases where end-users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is supported by ad revenues and encourage users to download the host’s tools (i.e., adware) for free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for viable replacement of legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

How Everyone Can Implement SSL Decryption & Inspection

Since 2011, when Google announced it was switching to Hypertext Transfer Protocol Secure (HTTPS) by default, there has been a rapid increase in Secure Sockets Layer (SSL) sessions.

Initially, SSL sessions were reserved for only important traffic, where personal, financial or sensitive data was transferred. Now, it seems we can’t receive news or perform a simple search without an encrypted session.

In 2014 and 2015, SSL sessions accounted for about 52 percent of internet traffic. As cloud adoption grew, so did the SSL sessions. By 2017, SSL accounted for 68 percent of all internet traffic. Currently, SonicWall has seen encrypted traffic at almost 70 percent of the total traffic on the internet.

Secure sessions demonstrate that internet users are understanding and embracing session security and privacy. Unfortunately, as SSL sessions have increased, so have encrypted attacks. So far in 2018, SonicWall has seen a 275 percent increase of encrypted attacks since 2017. You find more numbers in the mid-year update of the 2018 SonicWall Cyber Threat Report.

What is DPI-SSL?

The modern cyber threat landscape requires a defense-in-depth posture, which includes SSL decryption capabilities to help organizations proactively use deep packet inspection of SSL (DPI-SSL) to block encrypted attacks.

However, even firewall vendors that claim to offer SSL decryption and inspection may not have the processing power to handle the volume of SSL traffic moving across a network today.

DPI-SSL extends SonicWall’s Deep Packet Inspection technology to inspect encrypted HTTPS and SSL/TLS traffic. The traffic is decrypted transparently, scanned for threats, re-encrypted and sent along to its destination if no threats or vulnerabilities are found.

Available on all SonicWall next-generation firewalls (Generation 6 or newer), DPI-SSL technology provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

It is important to have a secure and simple setup that minimizes configuration overhead and complexity. There are two primary paths for implementing DPI-SSL.

Option 1: Remote Implementation

Enabling DPI-SSL can sometimes be complex. Diverse sites and programs use certificates differently, some of which may be affected by DPI-SSL capabilities.

To confirm you have DPI-SSL implemented properly, leverage the SonicWall DPI-SSL Remote Implementation Service to ensure seamless and effective implementation of SonicWall DPI-SSL services.

The Remote Implementation Service for SonicWall DPI-SSL deploys and integrates the product into your environment within 10 business days. This service is delivered by Advanced Services Partners who have completed training and demonstrated expertise in DPI-SSL implementation and configuration.

Option 2: Leverage Easy-to-Use Guidance

For those considering in-house implementation, SonicWall also provides a number of knowledge base (KB) articles and resources that walk you through the DPI-SSL implementation process. Some of the most popular include:

These KBs, and others found within SonicWall’s support section or through the DPI-SSL Remote Implementation Service, ensure every type of user or organization has the resources  to properly activate DPI-SSL within their infrastructure to mitigate encrypted cyberattacks.

For additional guidance, watch “Initial DPI-SSL Configuration,” a popular SonicWall Firewall Series Tutorial.

DPI-SSL Adoption

Thankfully, SonicWall is witnessing gradual adoption of DPI-SSL add-on services. To best protect your environment, pair DPI-SSL capabilities with the Capture Advanced Threat Protection (ATP) cloud sandbox, Gateway Antivirus, Content Filtering and Intrusion Protection Services (IPS). All available in the SonicWall Advanced Gateway Security Suite, which delivers everything you need to protect your network from advanced cyberattacks.

Combine these services with a trusted and secure end-point protection software, such as SonicWall Capture Client, and you can provide a robust security posture that can protect devices — even when they are not behind your firewall.

Infographic: Ransomware’s Devastating Impact on Real-World Businesses

Still relatively new to the cyber threat landscape, ransomware continues to be one of the high-profile malware types that grab headlines. It’s one part Hollywood-style drama mixed with the “mystery” of cryptocurrencies and the seemingly personal nature of ransomware attacks.

But it’s not hyperbole. Ransomware remains one of the most malicious cyberattacks that can cripple a business. SonicWall’s new infographic highlights composite data that demonstrates how ransomware impacts businesses’ ability to operate.

So, how do you prevent your organization from being severely disrupted by ransomware? The best approach is to use multiple layers that deliver automated, real-time breach detection and prevention. While this isn’t an exhaustive list of all security options, these cornerstone tactics will mitigate most of today’s most malicious cyberattacks, including ransomware.

How to Block Ransomware

Businesses have no choice but to proactively mitigate ransomware attacks. But is there a proven approach that can cost-effectively scale across networks and endpoints? Four key security capabilities make full ransomware protection possible.

  1. Next-Generation Firewall

    Detect and prevent cyberattacks with power, speed and precision.
    Next-generation firewalls (NGFW) are one of your first lines of defense against hackers, cybercriminals and threat actors.

    For example, SonicWall firewalls deliver real-time, cloud-based threat prevention, while augmenting the security from on-box deep packet inspection of SSL traffic (DPI-SSL). And all new SonicWall firewalls integrate with our award-winning network sandbox for advanced threat protection.

  2. Network Sandbox

    Identify and stop unknown attacks in real time.
    A network sandbox is an isolated environment on the firewallthat runs files to monitor their behavior. SonicWall Capture Advanced Threat Protection (ATP) is a multi-engine sandbox service that holds suspicious files at the gateway until a verdict can be achieved.

    Capture ATP also features Real-Time Deep Memory InspectionTM (RTDMI). RTDMI is a memory-based malware analysis engine that catches more malware, and faster, than behavior-based sandboxing methods. It also delivers a lower false-positive rate to improve security and the end-user experience.

  3. Email Security

    Filter email-borne attacks before they hit your network.
    Secure email solutions deliver comprehensive inbound and outbound protection from advanced cyberattacks, including ransomware, phishing, business email compromise (BEC), spoofing, spam and viruses. Proven solutions will be available in on-premise email security appliances and hosted secure email.

    SonicWall Email Security also integrates with Capture ATP to protect email from advanced threats, such as ransomware and zero-day malware.

  4. Advanced Endpoint Client Security

    Block ransomware before it compromises user devices.
    Traditional antivirus (AV) has been trusted for years to protect computers. This was a sound approach when the total number of signatures required numbered in the hundreds of thousands. Today, millions of new forms of malware are discovered each month.

    To protect endpoints from this endless onslaught of malware attacks, SonicWall recommends using a next-generation antivirus (NGAV) solution that can monitor the behavior of a system to look for malicious activities, such as the unauthorized encryption of your files.

    For example, SonicWall Capture Client delivers advanced malware protection and additional security capabilities for SonicWall firewall

Ransomware remains one of the most damaging cyberattacks to businesses. Follow these four ransomware protection best practices to help ensure ransomware does not impact your ability to operate.

6 Reasons to Switch to SonicWall Capture Client from Sophos Intercept X

While Sophos claims to be a leading next-generation antivirus solution, are they really able to protect your organization’s endpoints — not to mention the rest of your network ­— in today’s threat landscape?

SonicWall Capture Client, powered by SentinelOne, was designed to deliver stronger security with better functionality against ransomware and other advanced cyberattacks. Explore these six key reasons to switch to SonicWall Capture Client:

  1. Certified for business.
    Although Sophos Intercept X is recommended by NSS Labs, it is not certified by OPSWAT and AV-Test. SentinelOne, the core engine within Capture Client, is also recommended by NSS Labs and has certifications for OPSWAT and has AV-Test certifications for corporate use. Capture Client is also compliant with HIPAA and PCI mandates.
  2. True machine learning.
    Sophos only leverages machine learning as code executes on a system. In contrast, Capture Client applies machine learning before, during and after execution to reduce the risk of compromise to your endpoints, thereby better protecting your business.
  3. Real remediation.
    Sophos Intercept X relies on the Sophos Cleaner to restore potentially encrypted files. Not only can it be bypassed, but it is limited to using 60 MB of cache to save up to 70 “business” file types. Capture Client creates shadow copies of your data, which does not discriminate on size or file type. Capture Client rollback capabilities revert the impact of a malware attack, leaving the device clean and allowing the user to continue working — all without any risk of further damage.
  4. Firewall synergies.
    Although Sophos Endpoint Protection is closely linked to their next-generation firewall, this integration is lacking on Intercept X. Capture Client goes beyond the endpoint and has built-in synergies with SonicWall next-generation firewalls (NGFW). Although not required, when combined with a SonicWall next-generation firewall, it can enforce use of the client and redirect non-Capture Client users to a download page to update the endpoint.
  5. Easy digital certificate management.
    With more than 5 percent of malware using SSL/TLS encryption today, the inspection of encrypted traffic is vital. Sophos firewalls have limited SSL/TLS decryption capabilities, nor do they offer automated re-signing certificate distribution. Capture Client makes it easy to install and manage re-signing digital certificates required for SSL/TLS decryption, inspection and re-encryption.
  6. Better roadmap.
    In September 2018, SonicWall will add network sandboxing. Capture Client will be able to route suspicious files to the award-winning, multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox service to more forcibly examine code in ways an endpoint can’t (e.g., fast- forward malware into the future). Administrators will be able to query known verdicts for the hashes of their suspicious files without having to upload them for analysis.

If you’d like to see for yourself the difference Capture Client makes over a limited and aging endpoint solution, contact us or ask your SonicWall partner representative for a one-month trial. Existing customers can log in to MySonicWall to begin the trial today.

 

Ready to ditch Sophos?

Strengthen your security posture today. Switch now and receive up to 30 percent* off of SonicWall Capture Client endpoint protection. It’s the smart, cost-effective approach for extending security to endpoints that exist outside of the network.

12 New Products Usher in SonicWall’s Expansion into Mid-Tier Enterprise Market

It’s been just 20 months.

And in that short time as an independent company, SonicWall employees, customers and partners have accomplished so much together. Our short-term mission was to rebuild the SonicWall brand, launch new and advanced cyber security solutions and services in the SMB space, and bring our global partner community back home.

SonicWall, it’s good to have you back.

Now that our heart, soul and technology are deeply rooted in protecting organizations in the SMB space, we feel it’s time to focus on another segment we serve: the mid-tier enterprise market, where we are the No. 5 player, according to Gartner.

That’s why today we announced a focused technology, security and partner mission to deliver network security solutions that align with the performance, security efficacy and high availability required by the modern mid-tier enterprise.

But we’re also focusing on disrupting the market with our Capture Cloud Platform, which brings together network, endpoint and application security with management, reporting, analytics and visual cyber threat intelligence.

“SonicWall is ensuring network security is available via bundles designed with the requirements of mid-tier enterprises in mind.”

This will usher in a new cost structure with an assertive total cost of ownership (TCO) offering via our Capture Security Center, Capture Client endpoint protection and our new NSa series high availability (HA) offerings.

In fact, most of our competitors still require a full-price purchase of the failover firewall unit, as well as full subscription services after the first year. We don’t think that’s right. And it certainly doesn’t make much business sense.

So, SonicWall wants to ensure two things:

  • Network security is available via bundles designed with the requirements of mid-tier enterprises in mind.
  • It’s easy for mid-tier enterprises to do business with our SecureFirst partners.

What’s New from SonicWall

All told, this platform announcement includes 12 new products, updates or enhancements. And we couldn’t be more excited to share this innovation with you. Please explore each in detail. We will have detailed blogs on many of the new and updated products in the coming days.

  • Capture Cloud Platform — Expanded for mid-tier enterprises and now delivers integrated cloud-scale management and true end-to-end security that protects networks, email, endpoints, mobile and remote users. This all-in-one approach enables our complete portfolio of high-performance hardware, virtual appliances and clients to harness the power, agility and scalability of the cloud.
  • Capture Security Center — Fully enhanced to deliver a unified security governance, compliance and risk management strategy. Improve security outcomes from the firewall to the endpoint with integrated threat intelligence between the SonicWall Capture Advanced Threat Protection (ATP) sandbox service, Capture Client endpoint protection and SentinelOne threat databases.
  • Capture Client 1.5 — Now integrated with the SonicWall Capture ATP sandbox service. Suspicious files that Capture Client gives a moderate threat score (but not high enough to merit an alert), may be automatically uploaded for analysis.
  • New NSa Next-Generation Firewalls — Replacing the SuperMassive 9200, 9400 and 9600 models, our new NSa 6650, 9250, 9450 and 9650 series deliver elite levels of performance, security efficacy and high availability for mid-tier enterprises — all with industry-low TCO.
  • New NSsp 12000 Next-Generation Firewalls — A brand new product line, the new NSsp 12400 and 12800 series next-generation firewalls align with advanced requirements of service providers and data centers and are capable of scanning millions of connections for the latest cyber threats.
  • Cloud App Security — Cloud-based security service that enables organizations to secure SaaS application usage and reduce risk of shadow IT. The solution provides functionality similar to Cloud Access Security Broker (CASB) offerings to deliver real-time visibility and control of applications being used by employees.
  • Analytics — Available in cloud-hosted or on-premise options, SonicWall Analytics provides network analysts, security operations engineers and incident responders deeper visibility into network traffic, threat information and cross-product insights to perform network forensics, security analysis and threat hunting for businesses, organizations and managed service providers (MSP) of all sizes.
  • SonicOS 6.5.2 — Adds 40 new security features to better secure wired, wireless and mobile network environments. It offers more dynamic defenses against modern zero-day threats, including attacks hidden within encrypted traffic, absolute control of application traffic without compromising performance and availability, and optimal wireless user experiences regardless of location.
  • Secure Mobile Access (SMA) 1000 Series 12.2 — Delivers consolidated access management and eliminates bad password habits with federated SSO to cloud and on-premise applications. Adds Always-On VPN for Windows devices for seamless and secure access from any location.
  • SMA 100 Series 9.0 — Integrates with Capture ATP to block malicious file uploads from remote users. Adds Always-On VPN for Windows devices for seamless and secure access from any location.
  • Email Security 9.2 — Blocks and quarantines messages with malicious URLs before they reach the inbox. Integrates with Google’s G Suite to provide advanced threat protection, strong data loss prevention and compliance engine, and email continuity.
  • Global Management System (GMS) 8.6 — Upgrades authentication measures with strict enforcement of password complexity and account lockout policies before granting access to its management platform. This protects against automated brute-force attacks (e.g., password spray campaigns). Update also adds management and provisioning support for the new NSa series firewalls running the latest SonicOS 6.5.2 and the “Firewall Sandwich” solution.

Enhancing our Go-to-Market Strategy

Fundamental to the release of these new enterprise-focused products and services is the strengthening of SonicWall go-to-market focus and resources. SonicWall will engage with organizations in key verticals, including retail, K12 and higher education, and state, local and federal government. SonicWall will also continue to focus on its partnership with Dell while building and expanding relationships with MSSPs.

To our existing customers, vendors and partners, thank you for making SonicWall what it is today. We can’t wait to see what we do next together.

To our future customers, trust us to protect what’s most important to you: your business, data and livelihood. Contact one of our cybersecurity experts to learn how our automated, real-time breach detection and prevention platform can protect your organization from both known and unknown cyberattacks in the fast-moving cyber arms race.

How to Evaluate & Compare Antivirus Solutions

When evaluating a change in how you secure your network, you need to look beyond the upper-right quadrant.

It is easy to run to analyst graphs and pick a few cyber security solutions that etch closest to the top right. But is that the right path of exploration for your organization? Did these evaluations consider the factors most important to you and your security objectives?

Comparing endpoint protection platforms (EPP), commonly referred to as antivirus (AV) solutions, is no different. For example, SonicWall Capture Client features an antivirus engine (powered by SentinelOne) that scores very high in NSS Labs 2018 results. But there is always more to consider.

So, how do you decide who and what to evaluate? Outside of a good balance between detection versus false positives, organizations should consider:

  • Costs
  • Built-in synergies with other security services and appliances
  • Ability to stop cyberattacks before the execute
  • Inspection of encrypted traffic
  • Ease of remediation

To complement NSS Labs research, SonicWall is providing exclusive access to the Gartner paper, “Understand the Relative Importance of AV Testing in EPP Product Selection.” This resource will help guide your organization as you sift through the benefits, capabilities and performance of top endpoint protection and antivirus solutions.

Within the paper, Gartner breaks down the concepts of advanced endpoint protection into four core components:

  1. Prevention
  2. Detection
  3. Response
  4. Prediction

To learn more, download the full Gartner report, “Understand the Relative Importance of AV Testing in EPP Product Selection.”

Get the Complete Gartner Paper

Deciding on the endpoint solution that’s right for your organization is a complex undertaking. To help guide your path, download the exclusive Gartner paper, “Understand the Relative Importance of AV Testing in EPP Product Selection,” compliments of SonicWall.

Get the Report