How MSSPs & Artificial Intelligence Can Mitigate Zero-Day Threats

So, here’s the problem: unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. You, therefore, don’t know what will need patching or what extra security layer needs injecting. This ultimately leads to a forecast-costing dilemma as you cannot predict the man hours involved.

The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

Coupled with the shortage of skilled cybersecurity professionals in the open market, how can you get your SOC off the ground? Could artificial intelligence (AI) level the playing field?

Machine Learning Reality Check

Machine learning and behavioral analytics continue to grow and become synonymous with zero-day threat protection. Is this all hype or is it the new reality? The truth is, it is both.

There is a lot of hype, but for good reason: AI works. Big data is needed to see the behaviors and therein the anomalies or outright nefarious activities that human oversight would mostly fail to catch. Delivered as a layered security approach, AI is the only way to truly protect against modern cyber warfare, but not all AI is deterministic and herein lies the hidden cost to your bottom line.

AI-based analysis tools that provide forensics are very powerful, but the horse has bolted by the time they are used. This approach is akin to intrusion detection systems (IDS) versus intrusion prevention systems (IPS). The former are great for retrospective audits, but what is the cleanup cost? This usage of behavioral analysis AI solely for detection is not MSSP-friendly. What you need is automated, real-time breach detection and prevention. Prevention is key.

So, how do you create an effective prevention technology? You need security layers that filter the malware noise, so each can be more efficient at its detection and prevention function than the last. That means signature-based solutions are still necessary. In fact, they are as important as ever as one of the first layers of defense in your arsenal (content filtering comes in at the top spot).

By SonicWall metrics, the ever-growing bombardment of attacks the average network faces stands at 1,200-plus per day (check out the mid-year update to the 2018 SonicWall Cyber Threat Report for more details).

When you do the math, it’s easy to see that with millions of active firewalls, it’s not practical to perform deep analysis on every payload. For the best results, you must efficiently fingerprint and filter everything that has gone before.

Aren’t All Sandboxes Basically the Same?

Only by understanding the behavior of the application and watching what it’s attempting to do, can you uncover malicious intent and criminal action. The best environment to do this is a sandbox, but no SOC manpower in the world could accomplish this with humans at scale. In order to be effective, you must turn to AI.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.

Also, the size of the mesh network’s catchment area gives you the largest overall service area of attacks, which lets your AI learn quickly from the largest possible sample data set.

Luckily, SonicWall has you covered on all these fronts. With more than 1 million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprints of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation.

Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology, which inspects memory in real time, can detect and prevent chip vulnerability attacks such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyber threat vectors.


A version of this story originally appeared on MSSP Alert and was republished with permission.

New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

Small- and medium-sized businesses (SMBs) are often one of the segments most targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day

Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can leverage best practices from the NIST Cybersecurity Framework, which helps organizations of all sizes leverage best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization with the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet specific security or business objectives. A sound, end-to-end SMB cybersecurity strategy should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection™. This integrated combination protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances were given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.

Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner.

Catching Cerber Ransomware

Since the release of SonicWall Capture Advanced Threat Protection (Capture ATP) in August 2016 on SonicWall firewalls, we have seen a lot of unique behavior from authors of malicious code, namely ransomware.

Up until Christmas 2016, Locky received a lot of attention from security firms but then took a backseat during the holiday season. One thing I noticed around that time was that a ransomware variant called Cerber would actually be one of the more persistent pups in the litter. I started seeing Cerber show up on Capture ATP’s daily reports and wanted to understand why we were still catching this on the sandbox instead of the firewall.

In short, we were catching this on the firewall because SonicWall’s Capture Labs research team was creating a large number of signatures for Cerber, but what I was seeing were “updated” versions of Cerber being caught in the wild; as many as two versions a day. This was done to get around Cerber signatures created to stop older versions of itself. To make things more interesting, these Cerber variants were utilizing seven different tactics to evade detection.

The image above is a snippet of a very long report that partly shows what Cerber wants to do. Did you notice the seven different evasion tactics? Malware did not do this in the past; at least not any that I remember. Back then, the security industry was really trying to get the upper hand on the “explosive growth” of malicious code being authored and wanted to use virtual environments to run and test code. About five years ago, the industry introduced the network sandbox to the market and it was a hit, because we now had a tool where we could run potentially malicious code in an isolated environment to see if we could whitelist or blacklist it.

So, do you think that attackers folded up their laptops and found real jobs? Nope, they learned how to evade them, the real essence of what a hacker truly is. If you read third-party reports on network sandboxing, you will find skeptical and bearish assessments of its effectiveness, noting that evading a sandbox is only of medium difficulty. When you see the image above, you have to believe that the reports are real and Cerber’s evasion tactics rank up there with some of the best I have seen recently; truly an advanced persistent threat. So why am I able to show this to you? Although it is evading other sandboxes, it is not able to get past ours. But how?

In short, we leverage Capture ATP, a multi-engine sandbox that first runs suspicious code through a set of pre-filters that analyze the code and compare it against a real-time list to see if anyone we collaborate with knows about it. This step eliminates a lot of newly minted malware within milliseconds; almost at the same speed as lightning strikes the Earth.

After that, the code will go through a parallel set of engines that will help us determine what a new batch of code wants to do from the application, to the OS, to the software that resides on the hardware. We run it through real-time deep memory inspection, virtualized sandboxing, hypervisor level analysis and full-system emulation. Naturally, when we get to this point it does take a little time but it’s worth it.
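The layered approach described here and in the earlier MSSP post (fingerprint and filter what has been seen before, send only unknowns to the sandbox, then publish the verdict as a signature so the zero day becomes a known threat) can be modelled in a few lines. This is an added illustration, not SonicWall code; the `Pipeline` class, its signature store and the behavioural rule standing in for the sandbox are all hypothetical, and a real sandbox would of course run the payload rather than scan it for a marker byte string.

```python
"""Layered verdict pipeline: cheap fingerprint lookup first, expensive
sandbox analysis only for payloads nobody in the sharing network has seen.
Hypothetical model written for this page; not a product implementation."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Verdict:
    label: str   # "clean" or "malicious"
    stage: str   # which layer decided: "signature" or "sandbox"


@dataclass
class Pipeline:
    # Shared signature store: SHA-256 fingerprint -> label. A dict here; in a
    # mesh of sensors this store would be replicated to every participant.
    signatures: dict = field(default_factory=dict)
    sandbox_runs: int = 0   # counts how often the expensive layer was needed

    @staticmethod
    def fingerprint(payload: bytes) -> str:
        return hashlib.sha256(payload).hexdigest()

    def sandbox(self, payload: bytes) -> str:
        # Stand-in for behavioural analysis (constructed rule for the demo):
        # a payload carrying the marker b"ENCRYPT_ALL" is treated as ransomware.
        self.sandbox_runs += 1
        return "malicious" if b"ENCRYPT_ALL" in payload else "clean"

    def inspect(self, payload: bytes) -> Verdict:
        fp = self.fingerprint(payload)
        # Layer 1: known fingerprint -> instant verdict, sandbox never runs.
        if fp in self.signatures:
            return Verdict(self.signatures[fp], "signature")
        # Layer 2: unknown -> analyse, then publish the verdict as a signature
        # so the next sensor to see this exact payload stops at layer 1.
        label = self.sandbox(payload)
        self.signatures[fp] = label
        return Verdict(label, "sandbox")

    def release(self, payload: bytes) -> bool:
        # Gateway semantics: the file is held until a verdict exists and is
        # only forwarded when that verdict is "clean".
        return self.inspect(payload).label == "clean"


if __name__ == "__main__":
    p = Pipeline()
    sample = b"MZ\x90\x00 constructed sample ENCRYPT_ALL"   # constructed input
    print(p.inspect(sample))              # first sight: decided by the sandbox
    print(p.inspect(sample))              # same bytes: decided by the signature
    # A rebuilt variant (one byte appended) has a new hash, so it bypasses the
    # signature layer and must be caught by behaviour again, which is exactly
    # why daily "updated" builds keep showing up in sandbox reports.
    print(p.inspect(sample + b"\x00"))
    print("sandbox runs:", p.sandbox_runs)
```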

Sandbox Security; Nothing to Play With

Ransomware has forced organizations to rethink their security architecture. Organizations are increasingly investing in security solutions that provide additional protection of sensitive data, as well as better visibility over network traffic and endpoint activity. According to IDC research, 60% of organizations surveyed indicated that modern endpoint and network security products such as network sandboxes were either a high priority or an extremely high priority over the next 12 months.

Network sandboxes are isolated environments where suspicious code can be examined and detonated to see what unidentified code wants to do on a potential system. Over the past few years, sandboxing has become an integral part of the network security game plan, but hackers have identified ways of evading detection, which is something to consider in the evaluation process. In the video below, IDC’s Sean Pike, program vice president of IDC Security Products, discusses network sandboxing and gives you key questions to ask when looking at this part of the network security equation.

Six Tips for Selecting a Firewall Sandbox

Network firewalls have evolved from 1st generation simple packet filters to advanced devices that evolve so fast that labeling them as “next-generation (NG)” is the best way to classify them. They are often defined by the services that are attached to them and one of the greatest and newest internet security technologies to service today’s firewall is the sandbox. A sandbox is an isolated environment where suspicious files or applications can be run, examined and probed before they can be passed through a firewall and into a network. Applications, such as anti-virus, are best known for detecting and stopping known threats, but a sandbox is designed to detect unknown attacks designed to circumvent network security measures. Think of it as a bomb squad opening packages in a secluded open-air environment instead of a crowded stadium.

So, if you want to try this technology, how do you get started? With numerous vendors in this space, each with their promises and bold announcements, how do you cut through the noise? When you are shopping for a firewall and/or a sandbox, please consider these six tips:

  1. Look for a sandbox that has multi-engine support. First generation sandboxes use a siloed approach to examining files but malware authors are designing their code to detect and evade this technology. Leverage a multi-engine sandbox to cover analytical gaps and mitigate the need to deploy multiple vendor’s solutions. Simply put, using a single-engine sandbox is akin to trying to catch insects with a fishing line instead of a net.
  2. Before making a decision, look for any file type and size limits. Organizations use a broad range of operating systems that support everything from network systems to mobile devices. A sandbox needs to be able to examine a very broad range of file types without any limits to the size of the file.
  3. Files need to be held at the gateway before they are allowed to enter the perimeter of the network. Beware of any sandbox that delivers files before a verdict, otherwise it would be better to invest your budget into vulnerability assessment tools because you could be allowing havoc to ensue without proper management.
  4. With nearly one million pieces of malware being created every day, the threat landscape changes on a daily basis. Network and security administrators can’t stay on top of manual patches. Look to a sandbox that can rapidly deploy remediation signatures on a global scale. SonicWall’s sandbox, Capture ATP, quickly sends these signatures to all SonicWall Network Security Appliances within your network.
  5. Single point solutions issued by one-hit-wonder security vendors are often good at what they do, but do they interface with other network security appliances? If they can, it is often due to the manipulation of fickle and poorly supported APIs. Look for a next generation firewall that can communicate and update threat intelligence dynamically throughout your network security infrastructure for ease of management and improved security.
  6. The use of SSL/TLS encryption (AKA HTTPS) is on the rise by not only website and security administrators but by hackers as well. To evade detection, threats are often hidden within encrypted traffic. Evaluate sandboxes based on how they can inspect encrypted traffic.

Keep these tips in mind when evaluating a next-generation firewall and/or a sandbox feature. It is for these reasons that I recommend SonicWall Capture Advanced Threat Protection Service. Patrick Sweeney, vice president of Marketing and Product Management of SonicWall Security, authored a blog detailing our SonicWall Capture ATP Service. Currently in beta, this service will give you great protection against advanced persistent threats (APTs) and zero-day attacks. This multi-engine sandbox platform includes virtualized sandboxing, full system emulation, and hypervisor-level analysis technology all while resisting evasion tactics that hobble other sandboxing solutions. I also recommend reading SonicWall Security’s executive brief titled 5 Ways Your Firewall Sandboxes Can Fail.

Hear from Dmitriy Ayrapetov, SonicWall Security’s director of Product Management, on how you can maximize zero-day threat protection with SonicWall Capture Advanced Threat Protection (ATP), a cloud-based multi-engine solution that stops unknown attacks at the gateway.