Posts

Video: Why Layered Security Matters

Understanding the benefits of certain security technology is always important. But hearing innovation explained by two cybersecurity industry icons provides the context to appreciate how it works and the importance of implementing sound defenses to survive in an ever-changing cyber war.

In this exclusive video, SonicWall President and CEO Bill Conner and CTO John Gmuender walk you through the current cyber threat landscape, explore the importance of automated real-time breach detection and prevention, and address how to mitigate today’s most modern cyberattacks. The video provides:

  • Exclusive cyberattack data for ransomware, malware, encrypted threats, web app attacks, malware attacks on non-standard ports and more
  • In-depth view into the key security layers that power automated real-time detection and prevention
  • Real-world use cases, including remote and mobile security, web application protection, traditional network security, cloud sandboxing and more
  • Detailed breakdown of the SonicWall Capture Cloud Platform

3 Ways to Prevent Cryptominers from Stealing Your Processing Power

Visiting a website is no longer what it used to be.

Despite this hilarious Imgur post, there is a different trend you may not have noticed: cryptomining via the browser. Many news and procrastination (e.g., BuzzFeed) websites add dozens of trackers to monetize the experience.

However, some sites may also use your browser to mine cryptocurrencies (e.g., bitcoin, Ethereum or Monero) for their own financial gain. The mining stops once you leave, but there is a popular new form of malware that attempts to turn your device into a full-time cryptocurrency mining bot called a cryptojacker. Cryptojacking’s threat to your endpoint or business is based on three things:

  • The energy it consumes or wastes
  • The damage it can do to a system
  • The loss to productivity due to limited resources.

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background although your CPU performance graph or device’s fan may indicate something is not normal.

Despite our vigilance and knowledge of the warning signs, a report from the Ponemon Institute stated the average length of time for an organization to discover malware or a data breach in 2017 was 191 days.

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal. Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking may solve that.

For example, the Apple App Store briefly carried a version of a free app called ‘Calendar 2’ that mined Monero cryptocurrency while open. It reportedly made $2,000 in two days before it was pulled from the App Store.

The Lure of Cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60 percent of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Unlike ransomware, and more akin to traditional malware, stay hidden for as long as possible.

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

How to Know if You are Infected by Cryptominers

Cryptominers are interested in your

processing power, and cryptojackers have to trade off stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to Defend Against Cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats. Since people like to reuse old code, catching cryptojackers like CoinHive can be a simple first step.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

In the case of SonicWall Capture ATP, the multi-engine sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

To learn more about how you can defend your organization from these threats I recommend reading this white paper, “Best Practices for Protection Against Phishing, Ransomware and Email Fraud.”

Historic Black Friday, Cyber Monday Threat Data Prepares Businesses, Shoppers for Holiday Cyberattacks

It’s officially Thanksgiving week in the U.S. In addition to gathering with family and friends for the traditional turkey meal, many of us get excited about the holiday shopping season, which kicks off with Black Friday, goes virtual on Cyber Monday and extends through New Year’s Day.

If you’re looking to get a great deal on just about anything, this is the best time of the year to make that purchase. Everyone knows this, including cyber criminals. And that’s a problem for many organizations.

Perhaps as ominous foreshadowing, Amazon announced that a “technical error” exposed customer names and email addresses — days before Black Friday and Cyber Monday even got started.

Employees Will Make Personal Online Purchases on Corporate Time, Machines

Online shopping is a popular activity, both at home and in the office. It’s even more prevalent during the holiday shopping season. In a recent survey from Robert Half Technology, almost 65 percent of respondents said they will spend at least some of their work time making holiday purchases online.

While no one wants to be a Scrooge during the holidays, every organization needs to have safeguards in place to protect against the inevitable increase in the number of cyberattacks that are coming.

2017 Holiday Cyberattacks Paint Picture for 2018 Shopping Season

To help organizations, retailers, and small- and medium-sized businesses (SMB) prepare, the SonicWall Capture Labs threat research team analyzed cyber threat data from the second half of 2017. Unsurprisingly, there was an enormous spike in the number of malware attacks last year on Cyber Monday, the biggest online shopping day of the year. Here are some of the official data points from 2017:

  • Cybercriminals launched more than 113 million malware attacks on Cyber Monday last year, a 4.4x increase over the yearly average
  • Malware attacks jumped 27 percent on Black Friday
  • Ransomware attacks spiked 127 percent on Cyber Monday

So, what does this mean for 2018? Expect your organization to see more of the same. But there are proven methods to stop the surge in holiday cyberattacks.

6 Security Layers Organizations Can Use to Mitigate Holiday Cyberattacks

We know employees will be spending time online at work surfing for deals and customers will make purchases at point-of-sale (POS) terminals, so there is some inevitable risk. And while the data does show a worrisome trend, there are things you can do to protect your network, endpoints and data from cyberattacks during the holiday shopping season.

The key is to have a layered, defense-in-depth approach, something SonicWall can help with through our automated real-time breach detection and prevention platform. From the outside in, here are the six layers we recommend:

  1. Next-Generation Firewall – The first line of defense, a next-generation firewall (NGFW) should have high security efficacy and use machine learning to identify and block malware, ransomware and other attacks at the gateway.
  2. Deep Packet Inspection of TLS/SSL-encrypted Traffic – The use of encryption to hide cyberattacks continues to grow at a fast pace, so it’s essential any NGFW is able to scan encrypted traffic for threats.
  3. Email Security – Email is a common threat vector for delivering attacks, often through attachments, making it critical that any solution be able to scan inbound and outbound email for phishing attacks and infected attachments.
  4. Multi-engine Sandboxing – While one engine is good, several is better when it comes to identifying and blocking never-before-seen cyberattacks. SonicWall Capture ATP is a multi-engine sandbox that features block-until-verdict safeguards.
  5. Real-Time Deep Memory Inspection – SonicWall’s patent-pending RTDMITM technology, included with Capture ATP, identifies and stops difficult-to-find threats hidden in memory where malware’s weaponry is exposed for less than 100 nanoseconds.
  6. Capture Client – Endpoint devices used beyond the firewall perimeter are more susceptible to attacks. Capture Client provides multiple advanced endpoint protection capabilities in addition to the ability to roll back to a previous point before malware entered or was activated on the device.

Next week, SonicWall Capture Labs threat researchers will publish their analysis on three key shopping dates in 2018: Black Friday, Small Business Saturday and Cyber Monday.

Until then, explore the Capture Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins, and monthly trends by attack type.

October 2018 Cyber Threat Data: Web App Attacks, Ransomware Continue Upward Trend

Throughout 2018, we’ve been sharing monthly updates on the cyber threat data recorded and analyzed by SonicWall Capture Labs, highlighting cyberattack trends and tying it back to the overall cyber threat landscape.

Now, cyber threat intelligence from the SonicWall Capture Security Center is even deeper. The tool now provides empirical data on cyberattacks against web applications. In an increasingly virtual and cloud-connected world, protecting web apps is just as critical as defending more traditional networks.

In October, the overall number of web application attacks continued to rise sharply. We tracked over 1.8 million web app attacks, more than double the volume of attacks for the same time period in 2017.

One factor influencing this is the continued growth explosion of the Internet of Things (IoT), which has added billions of connected devices online, each bringing new and unique potential for vulnerabilities and weaknesses.

While the headline-grabbing news often focuses on processor attacks like Spectre or Meltdown, companies that aren’t using security measures, like SonicWall Capture Advanced Threat Protection with Real-Time Deep Memory Inspection (RTDMI), can leave their standard applications exposed and vulnerable to cybercriminals who are always looking for a weakness.

The volume of ransomware attacks also continued its global upward trend in October. So far in 2018 we’ve seen over 286 million worldwide attacks, up 117 percent from 132 million this time last year. On an individual customer level, that’s 57 attacks per day per customer, an increase from only 14 in October last year.

The growing frequency and complexities of cyberattacks paint a dire picture for global businesses of all sizes. The good news is that by assessing your business’s cybersecurity risk, improving overall security behavior, and ensuring that you are utilizing the right cybersecurity solutions for your business, it’s possible to protect your business from most data breaches.

October Attack Data

Globally, the SonicWall Capture Threat Network, which includes more than 1 million sensors across the world, recorded the following 2018 year-to-date attack data through October 2018:

  • 9.2 billion malware attacks (44 percent increase from 2017)
  • 3.2 trillion intrusion attempts (45 percent increase)
  • 286.2 million ransomware attacks (117 percent increase)
  • 23.9 million web app attacks (113 percent increase)
  • 2.3 million encrypted threats (62 percent increase)

In October 2018 alone, the average SonicWall customer faced:

  • 1,756 malware attacks (19 percent decrease from October 2017)
  • 819,947 intrusion attempts (17 percent increase)
  • 57 ransomware attacks (311 percent increase)
  • 8,742 web app attacks (185 percent increase)
  • 152 encrypted threats (12 percent increase)
  • 12 phishing attacks each day (19 percent decrease)

SonicWall Capture Security Center

SonicWall cyber threat intelligence is available in the SonicWall Security Center, which provides a graphical view of the worldwide attacks over the last 24 hours, countries being attacked and geographic attack origins. This view illustrates the pace and speed of the cyber arms race.

The resource provides actionable cyber threat intelligence to help organizations identify the types of attacks they need to be concerned about so they can design and test their security posture ensure their networks, data, applications and customers are properly protected.

Monitor & Optimize Your Cybersecurity Posture with Real-Time Risk Metering

Modern organizations understand the criticality of having the best possible cyber defense to defend against malicious actions of skillful cybercriminals. Most firms today employ various cybersecurity tools designed to help prevent inevitable attacks from wreaking havoc and causing data loss.

“The increase in internet-connected devices and cloud application usage exacerbates the situation as threat vectors expand beyond the traditional corporate perimeter.”

Yet, why do CIOs and CISOs, and their security teams, still caution about the state of their organization’s security posture?

Simply, it’s because new scams, vulnerabilities, exploits, malware and hacking techniques used in cyberattacks represent an ongoing risk. The increase in internet-connected devices and cloud application usage exacerbates the situation as threat vectors expand beyond the traditional corporate perimeter.

Typical threat vectors include the network, web, cloud, applications, endpoints, mobile devices, databases and even the Internet of Everything (IoE) — all are possible defenseless launch pads bad actors use to attack their victims.

Thus, the pressing concerns we often hear from our customers, with regards to their security operations, are about understanding their risk profile and responding to risks. However, the lack of visibility and awareness of daily security situations makes it nearly impossible to determine the proper responses.

A data breach happens quickly. During such a security incident, figuring out where risks exist, the current reality of their security posture and, ultimately, what security actions are necessary are top security priorities. Security-conscious organizations need an easy and reliable way to:

  • Analyze and measure their security posture in real time
  • Perform ‘what-if’ analysis on various defense layers
  • Identify defensive actions needed to remove present risks

Manage Cyber Risks via SonicWall Risk Meters

To solve these three core security challenges, SonicWall introduces Risk Meters, a powerful risk management service that provides personalized threat information and risk scoring adapted to individual situations.

A new capability of the Capture Security Center, Risk Meters help reveal weaknesses in current defensive layers and guides immediate and necessary defensive actions for a specific environment.

Risk Meters provides real-time display of live attacks, coupled with detailed graphs and charts, that capture malicious activities at the specific defense layer that could result in compromised networks, systems and data residing on-premises or in the cloud.

Capture Security Center Risk Meters
Restrict the focus on incoming attacks in a specific environment
Display live attacks in real-time
Categorize attackers’ malicious actions at the specific defense layer
Update computed risk score and threat level based on live threat data relative to existing defense capabilities
Underscore current security gaps where preventable threats get through due to missing defenses
Promote immediate defensive actions in response to prevent all incoming threats

How Risk Meters Work

Available in January 2019, the Risk Meters service categorizes attackers’ actions, underscores current security gaps where preventable threats get through due to missing defenses, and presents appropriate responses to neutralize incoming threats. The solution can be tailored to a specific environment by compiling and accurately parsing threat information exclusive to an environment.

Additionally, Risk Meters continuously update computed risk score and threat level based on live threat data relative to existing defense capabilities. These logical scores may be used to guide security planning, policy and budgeting decisions.

Risk Meters enable precise defensive measures that optimize network, cloud, web and endpoint defenses, and shrinks the threat surface and susceptibility to cyberattacks.

Such measures include turning on SSL/TLS inspection, application visibility, sandboxing services, processor and memory scanning, and/or next-generation antivirus (NGAV). These, in turn, enable organizations to catch the most evasive malware hiding inside encrypted traffic, ransomware and never-before-seen malware variants.

With actionable threat data at your fingertips, Risk Meters empowers you to shrink the threat surface and susceptibility to cyberattacks, guide security planning, policy and budgeting decisions, and bolster your security posture.

Measure Your Organization’s Cyber Risk Score

The SonicWall Capture Security Center Risk Meters service will be available in January 2019 to deliver personalized threat information and risk-scoring that reveals gaps in defensive layers, fosters decisive security planning and facilitates actions needed for an optimal cyber defense.

Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective of threats to critical infrastructure I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another they find for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code or changing the programing to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel in the hopes they don’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic.  This can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts at airlines, retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that servers fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, TrendMicro, McAfee, etc.) is still around, but they only check files that are known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor using behavior-based antivirus called a number of things like Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV look at what is happening on the system for malicious behavior, which is great against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates and know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware since you can restore encrypted files and continue on as if the infection never happened. Also, like I mentioned above, Capture Client also makes use of Capture ATP in order to find and eliminate malware that is waiting to execute.

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do and or conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

How to Secure Your Website & Protect Your Brand Online

A study by the SMB Group in 2017 showed that more than 85 percent of small- and medium-sized (SMB) businesses and mid-tier enterprises are adopting digital transformation. This is changing the role of the traditional website from a “static set of HTML pages” to a highly dynamic online experience platform. The website is now the custodian of the organization’s digital brand.

But, as once said by Ben Parker (yes, Spiderman’s late uncle), “With great power comes great responsibility.”

IT executives now have to protect users — and their data used by the website — from a larger spectrum of web application threats. The recent Whitehat Security’s 2018 Application Security Report highlighted these concerns:

  • About 50 percent of vulnerabilities discovered on a website are Serious; remediation rates are less than 50 percent
  • The average time to fix a vulnerability ranges from 139 to 216 days
  • More than 30 percent of websites are still showing poor developer cybersecurity skills (e.g., information leakage, cross-site scripting and SQL injection)
  • SSL/TLS is not adopted well enough; 23 percent of those are weak and riddled with vulnerabilities

SonicWall WAF 2.0 was launched in April 2018 as a standalone virtual appliance deployable in public and private cloud environments. SonicWall WAF delivers an award-winning web application firewall technology that works alongside SonicWall next-generational firewalls (NGFW) to protect businesses and their digital brands.

The SonicWall WAF is backed by threat research from SonicWall Capture Labs for virtual patching of exploits, reducing the window of exposure significantly.

In fact, when the attacks associated with British Airways and Drupalgeddon came out, the SonicWall WAF was able to protect customers without any updates. With the SonicWall WAF, administrators can protect their websites from the wide spectrum of web threats including those targeting the vulnerabilities called out in the OWASP Top 10.

Five New Enhancements to SonicWall WAF 2.2

The next evolution of the product, SonicWall WAF 2.2 gains five significant new features and enhancements, including a new licensing model.

Real-Time Website Malware Prevention with Capture ATP Integration

With the increasing threat of malware, many websites are also at risk of advanced malware attacks like cryptojacking and the famous CTB-locker malware that targeted WordPress websites.

Malware is injected into websites through the use of vulnerable plugins or by using file-upload facilities available with many websites. SonicWall WAF now integrates with the Capture Advanced Threat Protection (ATP) sandbox service. It detects malware embedded in traffic streams by leveraging the industry-leading, multi-engine malware analysis platform, including Real-Time Deep Memory Inspection (RTDMI). Any attempts to inject or upload malicious files to a website would be inspected in-line (as opposed to after the fact) while maintaining an optimal user experience.

Simplifying Transport Layer Security, SSL Certificate Management with ‘Let’s Encrypt’

The biggest challenge for securing website communication is the need for legitimate SSL/TLS certificates for encryption and decryption. Legitimate certificates are expensive to purchase, manager, monitor and renew.

But with SonicWall WAF 2.2, organizations can take advantage of the Let’s Encrypt service through a built-in integration that not only offers free certificates, but will also automatically monitor and renew digital certificates.

This eliminates the administrative effort to enable SSL/TLS required on the website to turn on support for SSL/TLS.

By combining Let’s Encrypt integration, Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS), the SonicWall WAF ensures that websites are only accessible via a secured and encrypted channel, which also improves search engine visibility and ranking.

Seamless Multifactor Authentication Controls Access to Sensitive Content, Workflows

The most common cause of information leakage from websites stems from improper access control on websites, sometimes via unauthenticated pages and others because of the lack of strong authentication controls (remember the Equifax attack?).

With SonicWall WAF 2.2, administrators can redirect users to an authentication page for any part of the web application by leveraging an existing authentication page or with a WAF-delivered login page.

Administrators can also enforce second-factor authentication using client certificates or one-time passwords (OTPs) to validate users trying to log in to the web application are, indeed, genuine users.

API Support for Managed Cloud Service Providers

Cloud service providers often manage and host websites for their customers. In many cases, they leverage DevOps and programmable infrastructure using APIs to launch hosting environments, web application platforms and ready-to-use infrastructure. But if security is not embedded into these DevOps workflows, they leave gaping holes and become liable for website security.

With SonicWall WAF 2.2, administrators can automatically launch WAF virtual appliances and programmatically provision security for websites using scripts in DevOps workflows. This includes creating a web application to be protected, enabling exploit prevention, enabling Let’s Encrypt Integration for free SSL/TLS support and enabling Capture ATP integration for malware prevention.

New Utility-based Licensing Model, An innovation for WAF Virtual Appliances

With SonicWall WAF 2.2, organizations may purchase protection on a per-website basis. This helps reduce the total cost of ownership (TCO) by purchasing only what they need. Four types of websites are currently supported based on the amount of data that is transferred to/from the website per month.

Size Data Volume
Pro Website 10 GB per Month
Small Website 50 GB per Month
Medium Website 200 GB per Month
Large Website 500 GB per Month

A sizing calculator will recommend the compute requirements for the WAF virtual appliance and will provide guidance to website administrators on what type of license they need to buy based on a variety of metrics like sustained/peak throughput, average visits per day etc.

SonicWall WAF helps administrators secure their websites and their digital environment, thereby establishing trust in their digital brand.

Get to Know SonicWall WAF

The SonicWall Web Application Firewall (WAF) now integrates with the award-wining SonicWall Capture Advanced Threat Protection (ATP) sandbox service and Real-Time Deep Memory Inspection (RTDMI) technology. Explore how this innovative product can defend your websites and applications from both known and unknown cyber threats.

How to Stop Malware-Created Backdoors

Hackers have been placing backdoors into systems for years for a variety of purposes. We have all read the stories about backdoors being installed in retailers to siphon payment card information; a PSI DSS and reputation nightmare.

Backdoors also have been deployed in government and higher education institutions to gather intellectual property, such and defense and trade secrets. Medical institutions pay out settlements due to HIPAA violations caused by these forms of malware every year.

A perfect example of a backdoor-creating malware is Calisto. This backdoor trojan is designed for macOS (many executives use Macs) and attempts to install itself in different folders until it finds a home and then enable accessibility authorization.

If this can be accomplished, it will open a backdoor to the hacker to control the entire system. In most cases, this malware fails (due to protections placed on new Macs) but can leave behind system vulnerabilities.

So, how do you stop such an aggressive form of malware? It’s important to know that not all trojans are alike.

Some will create a customized payload every time it lands on a new system to avoid future attacks being blocked by signatures. SonicWall stops known backdoors on our next-generation firewalls (NGFW) and can test and find new versions of backdoor malware with the Capture Advanced Threat Protection (ATP) sandbox service.

But for threats that land on the endpoint, the key is using advanced artificial intelligence (AI) that can detect the malware’s presence on the endpoint. Does it try to bypass antivirus? Does it embed itself in a directory it shouldn’t? Does it attempt to download something from a command and control (C&C) server? These are just some of the ways Calisto can be identified.

To properly stop Calisto and other backdoor-building malware, download the exclusive tech brief: Protecting macOS Endpoints from Calisto. The brief will explore:

  • Origin of Calisto
  • Why SIP enablement is not enough
  • How the malware delivers its payload
  • Secondary steps the malware will take to ensure execution
  • Proven solutions for stopping Calisto

 

The Evolution of Next-Generation Antivirus for Stronger Malware Defense

Threat detection has evolved from static to dynamic behavioral analysis to detect-threatening behavior. Comprehensive layers of defense, properly placed within the network and the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention. Meaning, all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

As that technology waned, the provider we had for traditional antivirus discontinued their legacy antivirus solution and SonicWall sought new and more effective alternatives.

Traditional Defenses Fail to Match the Threat

In the past, attackers, determined to beat antivirus engines, focused much of their attention on hiding their activities. At first, the goal of the attacker was to package their executables into archive formats.

Some threat actors utilized multi-layer packaging (for example, placing an executable into a zip then placing the zip into another compression archive such as arj or rar formats). Traditional antivirus engines responded to this by leveraging file analysis and unpacking functions to scan binaries included within them.

Threat actors then figured out ways to leverage documents and spreadsheets, especially Microsoft Word or Excel, which allowed embedded macros which gave way to the “macro virus.”

Antivirus vendors had to become document macro experts, and Microsoft got wise and disabled macros by default in their documents (requiring user enablement). But cybercriminals didn’t stop there. They continued to evolve the way they used content to infect systems.

Fast forward to today. Threat actors now utilize so many varieties of techniques to hide themselves from static analysis engines, the advent of the sandbox detection engine became popular.

I often use an analogy to explain a malware sandbox. It’s akin to a petri dish in biology where a lab technician or doctor examines a germ in a dish and watches its growth and behavior using a microscope.

Behavioral Sandbox Analysis

Sandbox technologies allow for detection by monitoring malware behavior within virtual or emulated operating systems. The sandboxes run and extract malware behavior within these monitored operating system to investigate their motives. As sandboxing became more prevalent, threat actors redesigned their malware to hide themselves through sandbox evasion techniques.

This led SonicWall to develop advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMITM) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Automated Real-Time Breach Prevention & Detection

The Endpoint Evolves, Shares Intelligence

Next comes the endpoint. As we know, most enterprises and small businesses are mobile today. Therefore, a comprehensive defense against malware and compliance must protect remote users and devices as they mobilize beyond an organization’s safe perimeter. This places an emphasis in combining both network security and endpoint security.

Years ago, I wrote research at Gartner about the gaps in the market. There was a critical need to bridge network, endpoint and other adjacent devices together into a shared intelligence and orchestrated fabric. I called it “Intelligence Aware Security Controls (IASC).”

The core concept of IASC is that an orchestration fabric must exist between different security technology controls. This ensures that each control is aware of a detection event and other shared telemetry so that every security control can take that information and automatically respond to threats that emerge across the fabric.

So, for example, a botnet threat detection at the edge of the network can inform firewalls that are deployed deeper in the datacenter to adjust policies according to the threat emerging in the environment.

As Tomer Weingarten, CEO of SentinelOne said, “Legacy antivirus is simply no match for today’s sophisticated file-based malware, which proliferates much faster than new signatures can be created.”

Limitations of Legacy Antivirus (AV) Technology

To better understand the difference between legacy antivirus (AV) and next-generation antivirus (NGAV), we should know the advantages and unique features of NGAV over legacy signature-based AV solutions. Below are four primary limitations of legacy offerings.

  • Frequent updates. Traditional AV solutions require frequent (i.e., daily or weekly) updates of their signature databases to protect against the latest threats. This approach doesn’t scale well. In 2017 alone, SonicWall collected more than 56 million unique malware samples.
  • Invasive disk scans. Traditional AV solutions recommend recurring disk scans to ensure threats did not get in. These recurring scans are a big source of frustration for end users, as productivity is impacted during lengthy scans.
  • Cloud dependency. Traditional AV solutions are reliant on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database to the device. So, they keep the vast majority of signatures in the cloud and only push the most prevalent signatures to the agent.
  • Remote risk. In cases where end-users work in cafés, airports, hotels and other commercial facilities, the Wi-Fi provider is supported by ad revenues and encourage users to download the host’s tools (i.e., adware) for free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk.

Switching to Real-time, Behavior-focused Endpoint Protection

Considering these limitations, there is a need for viable replacement of legacy AV solutions. For this reason, SonicWall partnered with SentinelOne to deliver a best-in-class NGAV and malware protection solution: SonicWall Capture Client.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics.

SonicWall Capture Client was a direct response to multiple market trends.

  • First, there has been a detection and response focus, which is why SentinelOne offers our customers the ability to detect and then select the response in workflows (along with a malware storyline).
  • Second, devices going mobile and outside the perimeter meant that backhauling traffic to a network device was not satisfying customers who wanted low latency network traffic for their mobile users (and, frankly, the extra bandwidth costs that go along with it).
  • Third, because of all the evasion techniques that attackers use, a real-time behavioral engine is preferred over a static analysis engine to detect advanced attacks.
  • Fourth, the Capture Client SentinelOne threat detection module’s deep file inspection engine sometimes detects low confidence or “suspicious” files or activities. In these low confidence scenarios, Capture Client engages the advanced sandbox analysis of RTDMI to deliver a much deeper analysis and verdict about the suspicious file/activity.

One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline — essential for security operations detection, triage and response efforts.

By listening to the market and focusing on the four key points above, SonicWall delivered best-in-class protection for endpoints, and another important milestone in SonicWall’s mission to provide automated, real-time breach detection and prevention.

SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.

Importance of Resiliency in Network Security

In life we hear stories about people who are able to recover from difficult situations. They’re often referred to as being “resilient.” Resiliency can also be applied to network security, albeit in a slightly different context. In both cases it’s a good thing to be.

As noted in our mid-year 2018 SonicWall Cyber Threat Report, network threats, such as malware and ransomware attacks, are on the rise compared to 2017. Cybercriminals are persistent in their efforts to find new methods to launch their attacks.

But it’s not just the quantity of attacks that are on the rise. New threats are increasing as well. Some of these are variants spawned from earlier malware or ransomware code, such as WannaCry and Locky. Others are malware cocktails that combined pieces of code from several different variants.

Absorb, Reorganize and Refocus

One of the best and often under-valued ways to protect against these threats is to have a network security solution that is extremely resilient. This doesn’t mean that your firewall is good at picking itself back up off the ground after it’s been defeated by an attack.

According to NSS Labs, a third-party source known for its independent, fact-based cybersecurity guidance, “The resiliency of a system can be defined as its ability to absorb an attack and reorganize around a threat. A resilient device will be able to detect and prevent against different variations of the exploit.”

A key component of this definition is the device’s ability to identify attacks that use evasion techniques to avoid being detected and stopped. Another is protection over time. Some attacks are launched and then quickly disappear. Others, however, are reintroduced over the years, whether in their original form or as a variant.

A resilient firewall will continue to block a threat that was launched previously in addition to current and future variants. Failure to be resilient increases the chance your network is open to an attack. The odds may be small, but it’s still possible. Remember, not every hacker is writing the latest code. Some are new to the game and stick to older, established attacks.

Blocking Never-before-seen Variants

NSS Labs released the 2018 Next-Generation Firewall Group Test results with 10 network security vendors participating in the testing. SonicWall submitted the NSa 2650 next-generation firewall (NGFW), which performed very well in both security effectiveness and value (TCO per protected Mbps), earning the “Recommended” rating for a fifth time.

One particular area in the security effectiveness testing where the NSa 2650 shined was its resiliency to a range of never-before-seen exploit variants. The NSa 2650 achieved a block rate of over 90 percent, outperforming every other firewall except one. In many cases, the difference was significant, with over half of the firewalls scoring only in the 65-75 percent range.

Exploit Block Rate by Year – Recommended Policies
2018 NSS Labs Next-Generation Firewall Comparative Report: Security

So, is having a firewall with high resiliency really that important? Research from both SonicWall and NSS Labs indicates that there are quite a few aging attacks still out there in circulation. They may not be as sophisticated as today’s threats, but they remain active. You need to be protected against them.

What’s more, some threat actors launch multi-pronged attacks comprised of the core malware plus a series of variants. The idea is that your firewall may stop one, but not all.

To counter attacks, some security vendors create signatures that are specific to a particular exploit. These signatures typically don’t account for variants, however. And, over time, the signatures may be removed, leaving the firewall open to attack. Ideally, security vendors will create signatures that focus on the vulnerability and block the threat plus its variants — now and in the future.

If you’re not sure whether your firewall is resilient, or how it rates in security effectiveness and value, SonicWall can help. Visit SonicWall.com to download and read NSS Labs test reports, including the Security Value MapTM.