6 Reasons to Switch to SonicWall Capture Client from Sophos Intercept X

While Sophos claims to be a leading next-generation antivirus solution, are they really able to protect your organization’s endpoints — not to mention the rest of your network — in today’s threat landscape?

SonicWall Capture Client, powered by SentinelOne, was designed to deliver stronger security with better functionality against ransomware and other advanced cyberattacks. Explore these six key reasons to switch to SonicWall Capture Client:

  1. Certified for business.
    Although Sophos Intercept X is recommended by NSS Labs, it is not certified by OPSWAT or AV-Test. SentinelOne, the core engine within Capture Client, is also recommended by NSS Labs and holds both OPSWAT certification and AV-Test certification for corporate use. Capture Client is also compliant with HIPAA and PCI mandates.
  2. True machine learning.
    Sophos only leverages machine learning as code executes on a system. In contrast, Capture Client applies machine learning before, during and after execution to reduce the risk of compromise to your endpoints, thereby better protecting your business.
  3. Real remediation.
    Sophos Intercept X relies on the Sophos Cleaner to restore potentially encrypted files. Not only can it be bypassed, but it is limited to using 60 MB of cache to save up to 70 “business” file types. Capture Client creates shadow copies of your data that do not discriminate on size or file type. Capture Client rollback capabilities revert the impact of a malware attack, leaving the device clean and allowing the user to continue working — all without any risk of further damage.
  4. Firewall synergies.
    Although Sophos Endpoint Protection is closely linked to their next-generation firewall, this integration is lacking on Intercept X. Capture Client goes beyond the endpoint and has built-in synergies with SonicWall next-generation firewalls (NGFW). Although not required, when combined with a SonicWall next-generation firewall, it can enforce use of the client and redirect non-Capture Client users to a download page to update the endpoint.
  5. Easy digital certificate management.
    With more than 5 percent of malware using SSL/TLS encryption today, the inspection of encrypted traffic is vital. Sophos firewalls have limited SSL/TLS decryption capabilities and do not offer automated distribution of re-signing certificates. Capture Client makes it easy to install and manage the re-signing digital certificates required for SSL/TLS decryption, inspection and re-encryption.
  6. Better roadmap.
    In September 2018, SonicWall will add network sandboxing. Capture Client will be able to route suspicious files to the award-winning, multi-engine Capture Advanced Threat Protection (ATP) cloud sandbox service to examine code more rigorously in ways an endpoint can’t (e.g., fast-forward malware into the future). Administrators will be able to query known verdicts for the hashes of their suspicious files without having to upload them for analysis.

If you’d like to see for yourself the difference Capture Client makes over a limited and aging endpoint solution, contact us or ask your SonicWall partner representative for a one-month trial. Existing customers can log in to MySonicWall to begin the trial today.

Ready to ditch Sophos?

Strengthen your security posture today. Switch now and receive up to 30 percent* off of SonicWall Capture Client endpoint protection. It’s the smart, cost-effective approach for extending security to endpoints that exist outside of the network.

Next-Generation Firewalls Designed for Mid-Tier Enterprises & Service Providers

Mid-tier enterprises, data centers and large service providers have security, performance and high-availability demands much greater than the average organization.

These organizations must support an exploding number of smartphones, computers and IoT devices. Each generates a huge number of web connections. Just take a look at your browser and count the number of tabs you have open. Each is a connection that likely goes through the firewall.

More devices mean more web sessions a firewall has to support. Now, imagine how many connections mid-tier enterprises and service providers must support, manage and secure.

What’s more, it’s likely that each website is using encryption to protect the transmission of data. As reported in the 2018 SonicWall Cyber Threat Report, almost 70 percent of web traffic now uses the HTTPS protocol to secure the session.

Core to an expanding focus to serve mid-tier enterprises and larger service providers — and to better empower organizations to decrypt, inspect and mitigate cyberattacks in encrypted traffic — SonicWall is introducing six new next-generation firewalls.

New NSa Next-Generation Firewalls

The Network Security appliance (NSa) series 6650, 9250, 9450 and 9650 scale high security efficacy and extensive feature sets to larger mid-tier enterprises, including distributed enterprises, school districts and data centers.

These new NSa models offer a high availability (HA) solution that pairs a second, similar firewall with the primary. In the event the primary fails, the secondary HA unit takes over until the primary is up and running again. The two can also share the deep packet inspection (DPI) load.

Many competitors require a full-price purchase of the failover unit, as well as full subscription services after the first year. In comparison, SonicWall is ensuring network security is available via bundles designed with the requirements of mid-tier enterprises in mind.

Features & Performance

  • Enterprise-grade 10-GbE and 2.5-GbE firewalls
  • Available in HA bundle
  • Up to 1.5 times higher performance than predecessors
  • Up to 10 times more encrypted connections than predecessors
  • Real-time TLS/SSL decryption and inspection
  • Redundant power supplies and fans
  • Built-in modular storage
  • Powered by new SonicOS 6.5.2

“This new range of NSa firewalls delivers the performance, value and security our mid-tier enterprise customers can’t get from traditional security vendors,” said Boris Wetzel, CEO choin! GmbH, a SecureFirst partner and NSa beta customer. “Coupled with SonicWall’s cost-effective HA offering, the new NSa series will help disrupt a segment of the market that has been forced into antiquated pricing structures for far too long.”

The NSa 6650, 9250, 9450 and 9650 include 10-GbE and 2.5-GbE interfaces to enable more devices to connect directly to the firewall without requiring a switch.

The new NSa firewalls also support more connections than their predecessors, including nearly five times the number of stateful packet inspection (SPI) connections and 25 times the number of SSL/TLS deep packet inspection (DPI) connections.

New NSsp Next-Generation Firewalls

Complementing the new NSa series, we are also launching our new Network Security services platform (NSsp) 12000 series, which includes new NSsp 12400 and NSsp 12800 firewalls.

Built specifically for large, distributed enterprises, data centers, universities and service providers, these scalable, 4U next-generation firewalls build upon our extensive NSa feature set and are capable of scanning millions of connections for the latest cyberattacks.

Features & Performance

  • High port density featuring 40-GbE and 10-GbE interfaces
  • Cloud-based and on-box threat prevention
  • Real-time TLS/SSL decryption and inspection
  • Built-in modular storage
  • Redundant power supplies and fans
  • 4U rackmount chassis
  • Built-in redundancy features
  • Powered by new SonicOS 6.5.2

“The volume and sophistication of today’s cyberattacks continues to grow and we require reliable, high-performance security solutions that can keep pace,” said Antonio Cisternino CIO University of Pisa, a SonicWall NSsp beta customer. “Because of the number of end users we service in a highly complex and dynamic environment, we depend on networking capabilities that can simultaneously support millions of connections and mitigate cyberattacks hiding within encrypted traffic without compromising the research needs.

“The new SonicWall NSsp 12000 series firewalls combine the best of both worlds: high security efficacy and high performance.”

With multiple 40-GbE interfaces, the NSsp series enables the high-speed throughput large organizations need in today’s fast-paced networked environment.

To learn more about SonicWall’s new NSa and NSsp next-generation firewalls, please visit sonicwall.com.

Encrypted Cyber Attacks: Real Data Unveils Hidden Danger within SSL, TLS Traffic

Since the shocking announcement of serious Meltdown and Spectre vulnerabilities in early 2018, we have yet to hear of a mega-breach that would signal the start of another vicious hacking year.

Has it been luck? Are our network security defenses stronger? Or are current hacks hiding their efforts? Whatever the situation, the expectations from lessons learned in historical security events are that hacking tools will evolve and new threat vectors will emerge — year after year.

To help organizations gain confidence to make informed decisions and take calculated security actions against the latest cyber attacks, SonicWall shares its threat findings in the recently published 2018 Cyber Threat Report.

The report focuses on the ongoing battle of innovations and advancements between cybercriminals and security industries. The detailed threat information was gathered, recorded, researched and analyzed by the SonicWall Capture Labs research team so you can easily follow what’s happening in the threat landscape.

Today, we’ll underscore our observations on the good and bad of SSL/TLS-encrypted web traffic and respective encrypted threats.

The cyber battle inside encrypted traffic

For five straight years of monitoring and reporting on encrypted traffic trends, SonicWall continues to record strong growth in SSL/TLS-encrypted web connections, with a 24 percent increase over 2016. This increase accounted for 68 percent of overall web connections in 2017.

We believe the rise was attributable to the growing use of secured cloud applications and websites. Again, use of SSL/TLS encryption continues to trend in the right direction. Companies securing their websites and cloud services to create safer web interactions is a win for internet users and security teams.

SSL/TLS Use Increased

Despite the security advantages provided by SSL/TLS encryption, SonicWall collected real-world empirical evidence on cyber attacks executed inside of SSL/TLS-encrypted web sessions.

Using full-year data samples from a subset of SonicWall firewalls with active Deep Packet Inspection of SSL (DPI-SSL) service in 2017, we observed that an average of nearly 5 percent of all file-based malware propagation attempts used SSL/TLS encryption to avoid detection.

SonicWall Capture Labs also found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day. Without the ability to inspect encrypted traffic, the typical organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption. Remember, it takes only a single miss to create severe damage to an organization.

How to stop encrypted cyber attacks

Organizations can easily block attacks within SSL/TLS web connections. However, many have not activated existing security features — like DPI-SSL — to do so.

If you choose not to inspect encrypted traffic — or if your firewall is limited in its ability to do so — you are truly missing a critical value of your firewall.

It is possible for organizations to enjoy the security benefits of SSL/TLS encryption without providing a hidden tunnel for attackers. Here are some helpful guidelines:

  1. Understand what’s at risk. If you haven’t conducted a security audit recently, complete a comprehensive analysis to identify your risks and needs.
  2. Build a defense. Upgrade to a capable, extensible next-generation firewall (NGFW) with integrated IPS security services and DPI-SSL design that can scale performance to support future growth.
  3. Evaluate and improve. Update your security policies to defend against a broader array of threat vectors and establish multiple security defense methods to respond to both HTTP and HTTPS attacks.
  4. Create awareness. Train your staff continually to be aware of the dangers of social media, social engineering and suspicious websites and downloads, as well as various spam and phishing scams in personal and business email accounts. Start with this Phishing IQ test.
  5. Inspect digital certificates. Inform users never to accept a self-signed, non-valid certificate from unknown applications.
  6. Keep it current. Make sure all your software is up to date. This will help protect your organization from older SSL exploits that have already been neutralized.

The growth of SSL/TLS encryption can and will be a positive security trend for the global community, but it will remain a channel for malicious activity until companies recognize and address the risks.

By investing in updated solutions, and enabling SSL/TLS inspection capabilities, organizations can have the best of security and performance at the same time.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

8 Cyber Security Predictions for 2018

In preparation for the upcoming publication of the 2018 Annual SonicWall Threat Report, we’re busy reviewing and analyzing data trends identified by SonicWall Capture Labs over the course of 2017.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from more than 1 million sensors around the world, performs rigorous testing and evaluation, establishes reputation scores for email senders and content, and identifies new threats in real-time.

With the New Year, it’s appropriate to recap last year’s trends, and offer a few preliminary insights into noteworthy trends we expect to see in 2018.

Ransomware will persist, evolve

Ransomware will continue to be the malware of choice. It has never been easier to make your own ransomware. With the rise of ransomware-as-a-service, even the most novice developer can create their own ransomware. As long as cybercriminals see the potential to make enough in ransom to cover the costs of development, we will continue to see an increase in variants.

However, an increase in variants does not mean an increase in successful attacks, which we will explore in detail in the 2018 Annual Cyber Threat Report.

SSL, TLS encryption will hide more attacks

For the first time, Capture Labs will publish real metrics on the volume of attacks uncovered inside encrypted web traffic. At the same time, the percentage of organizations that have deployed deep-packet inspection of encrypted threats (DPI-SSL/TLS) remains alarmingly low.

In the year ahead, we expect there will be more encrypted traffic being served online, but unencrypted traffic will remain for most public services. More sophisticated malware using encrypted traffic will be seen in cyberattacks.

In response, we expect more organizations will enable traffic decryption and inspection methods into their network security infrastructure. This expanded deployment of DPI-SSL/TLS will rely in part on the success of solution providers reducing deployment complexity and cost to lower operating expense.

Cryptocurrency cybercrime expected to be on the rise

Due to the rapid rise in cryptocurrency valuations, more cryptocurrency mining and related cybercrime is expected in the near future. Attackers will explore more avenues to use victims’ CPUs for cryptocurrency mining, and cryptocurrency exchanges and mining operations will remain targets for cyber theft.

UPDATE: On Jan. 8, SonicWall Capture Labs discovered a new malware that leverages Android devices to maliciously mine for cryptocurrency.

IoT will grow as a threat vector

As more devices connect to the internet, we expect to see more compromises of IoT devices. DDoS attacks via compromised IoT devices will continue to be a main threat for IoT attacks. We also expect to see an increase in information and intellectual property theft leveraging IoT, as the capabilities of IoT devices have improved considerably, making IoT a richer target (e.g., video data, financial data, health data, etc.). The threat of botnets will also loom high with so many devices being publicly exposed and connected to one another, including infrastructure systems, home devices and vehicles.

Android is still a primary target on mobile devices

Android attacks are both increasing and evolving, as shown by recently discovered malware. Earlier ransomware threats used to simply cover the entire screen with a custom message, but now more are completely encrypting the device — some even resetting the lock screen security PIN. Overlay malware is very stealthy: it shows an overlay on top of the screen with contents designed to steal victims’ data such as user credentials or credit card data. We expect more of these attacks in 2018.

Apple is on the cybercrime radar

While rarely making headlines, Apple operating systems are not immune to attack. While the platform may see fewer attacks relative to other operating systems, it is still being targeted. We have seen increases in attacks on Apple platforms, including Apple TV. In the year ahead, macOS and iOS users may increasingly become victims of their own unwarranted complacency.

Adobe isn’t out of the woods

Adobe Flash vulnerability attacks will continue to decrease with wider implementation of HTML5. However, trends indicate an increase in attacks targeting other Adobe applications, such as Acrobat. There are signs that hackers will more widely leverage Adobe PDF files (as well as Microsoft Office file formats) in their attacks.

Defense-in-depth will continue to matter

Make no mistake: Layered defenses will continue to be important. While malware evolves, much of it often leverages traditional attack methods.

For example, WannaCry may be relatively new, but it leverages traditional exploit technology, making patching as important as ever. Traditional email-based threats, such as spear-phishing, will continue to become more sophisticated to evade human and security system detection. Cloud security will continue to grow in relevance, as more business data becomes stored in the data centers and both profit-driven cybercriminals and nation-states increasingly focus on theft of sensitive intellectual property.

Conclusion

When gazing into our crystal ball, we’re reminded that the only thing certain is change. Look for more detailed data in our soon-to-be-published 2018 SonicWall Annual Threat Report.

Why GDPR Makes it Urgent to Scan Encrypted Traffic for Data Loss

“Inspect every packet, every time.”

This has been my advice to any network admin or business owner for many years. This is equally important in regards to encrypted traffic. Much of the Internet has become encrypted, meaning that it can only be perused and accessed over HTTPS. While this rightly includes traffic such as online banking and financial sites, it also now includes webmail, social media, online streaming video, music and even search engines.

While encryption of the Internet enables online privacy, it has also opened a new threat vector for hackers and criminals to hide malicious content. If you encrypt the whole Internet, you encrypt all the threats traversing it.

The painful truth is that the vast majority of networks (including governments, international enterprises, educational, medical and consumer networks) have yet to implement a security solution capable of inspecting encrypted traffic. If you cannot inspect it, you cannot protect it. With over 80 percent of Internet traffic now encrypted, this has become an open pipeline for attacks. More than 67 percent of all malware attacks are still delivered via email. Guess what? That email is most often encrypted via HTTPS.

Inspecting encrypted traffic is paramount in preventing threats such as viruses, exploits, spyware and ransomware. Numerous articles, findings, testimonials and forensic analyses of recent breaches (such as at the IRS, OPM, JPMorgan Chase, Home Depot, Target and Equifax) focused on threat prevention. They reported that varying degrees of security had not been deployed or utilized, alerts were missed, traffic went uninspected, or updates and patches were not applied. In some breaches, there were financial penalties for failing to protect end-user data, such as providing credit monitoring services for consumers, refunds for past services, or government-levied fines.

However, another critical reason to inspect encrypted traffic was rarely discussed. Yet, in six months, that reason will have incredible legal and financial implications that many are underestimating. That reason is data loss. And while organizations have sought to increase their threat prevention, only minor attention has been applied to data loss prevention (DLP). Well, that is about to change drastically.

On May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect. While this is an EU regulation, it will play a tremendous role in the ways data protection is controlled worldwide. The following is an excerpt from the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. […] violating the core of Privacy by Design concepts[….] It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

Pay close attention to that last line, especially if you are a cloud provider or consumer. Any organization that hosts or processes data for citizens of an EU member country will be held accountable to this regulation. Make no mistake, countries outside of the EU, including the USA, are in the process of enacting similar legislation.

While threat prevention should always be a cornerstone in any network security architecture, data loss prevention will now be as well. For example, one may have a decent anti-malware client and other solutions for threat prevention, but what is in place to prevent a staff member unwittingly or willingly executing an application that uploads confidential end user data like credit card numbers, addresses, phone numbers, or other personally identifiable information? What is in place today to stop someone from accidentally or willingly “dragging and dropping” a PDF containing personally identifiable information (PII) to a public FTP server, or uploading it to their personal webmail? Remember: all of these connections are now encrypted.

Fortunately, you can easily apply data loss prevention rules on all SonicWall firewalls to inspect encrypted traffic and prevent data loss. By leveraging incredibly powerful Deep Packet Inspection of SSL/TLS Encrypted Traffic (DPI-SSL), and applying keywords or phrases defined using Regular Expressions (RegEx), SonicWall firewalls are able to inspect all encrypted communications for PII in real time. Should an application, system, or employee attempt to upload PII, the SonicWall firewall can detect it, block the upload, and provide incident reporting of the event. That is how you can inspect every packet, every time. That is how you prevent the breach.
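To make the RegEx-based DLP idea concrete, here is an added illustration (not SonicWall code and not a firewall configuration) of what such a rule has to do once DPI-SSL has handed it the plaintext: match candidate credit card, SSN and phone patterns in an upload body, and use a Luhn check so that loose card patterns do not fire on every 16-digit order reference. The HTTP body, the hostname and the PII values are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample: the body of an HTTP POST as the inspection engine sees it
# AFTER TLS decryption. Without DPI-SSL this whole payload would be ciphertext
# and none of the rules below could match anything.
SAMPLE_DECRYPTED_POST = """POST /upload HTTP/1.1
Host: webmail.example.invalid
Content-Type: text/plain

Customer export, please keep internal.
Card on file: 4111 1111 1111 1111 (exp 09/27)
Alt card: 4111-1111-1111-1112
Order ref: 1234 5678 9012 3456
Contact: (555) 123-4567 or 555.987.6543
SSN on record: 123-45-6789
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which DLP rule fired
    value: str   # matched text (a real engine would redact this before logging)
    offset: int  # character offset into the decrypted payload


# Candidate patterns. The card pattern is deliberately loose (13-19 digits with
# optional space/dash separators) and relies on the Luhn check to cut false
# positives; on its own it would also flag the "Order ref" line above.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pii(payload: str) -> list[Finding]:
    """Run the three DLP rules over a decrypted payload, ordered by offset."""
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        # Card rule fires only when the digit string passes Luhn.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("credit_card", m.group(), m.start()))
    for m in SSN_RE.finditer(payload):
        findings.append(Finding("ssn", m.group(), m.start()))
    for m in PHONE_RE.finditer(payload):
        findings.append(Finding("phone", m.group(), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def should_block(payload: str) -> bool:
    """Policy decision: block on card numbers or SSNs, report-only on phones."""
    return any(f.kind in ("credit_card", "ssn") for f in find_pii(payload))


if __name__ == "__main__":
    for f in find_pii(SAMPLE_DECRYPTED_POST):
        print(f"{f.kind:12s} at {f.offset:4d}: {f.value}")
    print("verdict:", "BLOCK" if should_block(SAMPLE_DECRYPTED_POST) else "ALLOW")
```

Only the Luhn-valid card is reported; the near-miss "Alt card" and the 16-digit order reference fall through, which is the difference between a usable DLP rule and one that blocks every invoice.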

Download our “Best Practices for Stopping Encrypted Threats” to help you prevent that breach.

State of Encrypted Traffic – New Cyber Attacks Spreading via Use of Encryption

The earliest schemes of cryptography, such as substituting one symbol or character for another or changing the order of characters instead of changing the characters themselves, began thousands of years ago. Since then, various encoding and decoding systems have been developed, based on more complex versions of these techniques, for the fundamental purpose of securing messages sent and received in written or electronic form for all sorts of real-world applications. Although the progress we have made in modern cryptography has its advantages, we are seeing that it also creates security risks too dangerous to be ignored. This blog reviews what this means to your organization and helps your security teams stay alert and be ready for the new threats and attack vectors that spread from the criminal use of encryption.

The momentum in information and communication technology innovation has significantly changed the way we function in both the public and private sectors. How we store, share, communicate and transact information over the web, for personal use, for work or to run businesses, agencies and institutions, requires that we adopt strong information security in everything that we do digitally. As a result, the majority of today’s web traffic is encrypted using the latest Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL), to establish a private connection between two computer networks for securing data transmission, web traffic and interactions.

According to the Google Transparency Report, encrypted connections, displayed as HTTPS in the browser address bar, account for approximately 87 percent (Figure 1) of web requests sent to Google’s data centers from around the world, as of June 17, 2017. Moreover, the report reveals that Windows, Mac, Linux and Chrome users spend more than three-quarters of their time on HTTPS pages (Figure 2). With these facts, we can reasonably generalize that the majority of the web traffic traversing our networks is encrypted today.

Figure 1: Percentage of page requests that used encrypted connections

Figure 2: Percentage of browsing time spent on HTTPS websites

Now imagine, from a security standpoint, the likely scenario if your network security, such as a firewall or intrusion detection/prevention system (IDS/IPS), is not examining the encrypted traffic. Obviously, the security system would have zero visibility of any malicious activity. Therefore, attacks carried out inside the encrypted session will go unnoticed and likely lead to a data breach event. This method of attack is among the top security issues facing many organizations right now. A recent survey [1] of over 1000 security professionals from various industries in North America and Europe, conducted by the Ponemon Institute on behalf of A10 Networks, reveals:

  1. Eighty percent of respondents had been victims of cyber-attacks, and forty-one percent of those attacks hid in SSL encrypted traffic to evade detection.
  2. Only one-third of respondents believe their organization can properly decrypt and inspect SSL encrypted traffic, even though an overwhelming 89 percent of them agree it is an essential procedure required for the performance and safety of their business.
  3. Use of SSL encryption to mask malicious activity will parallel the growth of encryption of inbound and outbound web traffic.

So what must you do to address the security risks associated with encrypted threats? Watch the informative webcast, “Defeat Encrypted Threats,” presented by a SonicWall Security Solution Engineer, to learn how you can defeat them. This presentation provides detailed analysis of the latest trends and tactics of the cyber threat landscape as seen through the eyes of a practicing security professional. Once you have seen what your adversaries have been up to today, you will receive a crash course in security policy management and network security architecture design that will help prevent the breach of tomorrow.

[1] 2016 Ponemon Study, Uncovering Hidden Threats within Encrypted Traffic

Locky, Then WannaCry, Now Petya. Is This The New Normal in Cyber Security?

Updated June 28, 2017

As I type this, news reports continue to roll in about yet the latest massive global ransomware attack. This time, the payload appears to be a ransomware called Petya. SonicWall Capture Labs identified the original Petya variants in 2016. However, this time it appears to be delivered by Eternal Blue, one of the exploits that was leaked from the NSA back in April. This is the same exploit that was used in the WannaCry attack.

Infected systems will initially display a flashing skull, followed by a lock screen:

Once again, the cyber arms race continues to evolve. If I were to boil this down to its essence, what we are now seeing is that cyber criminals are combining exploits and attacks in creative ways that are not necessarily new, but still quite effective. Like mixing cocktails, the ingredients are all well known, but the exact mix can be completely new.

Attack details: SonicWall customers are protected

Today, June 27, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017 Capture Labs analyzed and released protection for the Eternal Blue exploit that Shadow Brokers leaked from the NSA. Also, on June 27, the Capture Labs Threat Research Team issued a new alert with multiple signatures protecting customers from the new Petya Ransomware Family.

Recommendations for SonicWall customers

As a SonicWall customer, ensure that your next-generation firewall has a current active Gateway Security subscription, in order to receive automatic real-time protection from known ransomware attacks such as Petya. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology:

  • Includes signatures against Petya (part of GAV)
  • Protects against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS)

Since SonicWall Email Security uses the same signatures and definitions as Gateway Security, we can block the emails that deliver the initial route to infection. To block malicious emails, ensure all Email Security services are up to date. Since 65% of all ransomware attacks happen through phishing emails, this also needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works similarly to the way botnet filtering disrupts C&C communication.

Because more than 50% of malware is encrypted, as a best practice, always deploy SonicWall Deep Packet Inspection of all SSL/TLS (DPI SSL) traffic. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI SSL also allows the firewall to examine and send unknown files to the SonicWall Capture Advanced Threat Protection (ATP) service for multi-engine sandbox analysis. We recommend that you deploy Capture ATP in order to discover and stop unknown ransomware variants. Because of the rapid proliferation of malware variants, SonicWall leverages deep learning algorithms to provide automated protection against both known and zero-day threats. The combination of the SonicWall Capture Threat Network and SonicWall Capture ATP sandboxing provides the best defense against newly emerging hybrid attacks such as Petya. As always, we strongly recommend that you also apply the Windows patch provided by Microsoft to protect against the Shadow Brokers leaked exploits as well.  And it is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event.

The Problem with Breach Detection

According to ITC (http://www.idtheftcenter.org), data breaches in the US increased 40% in 2016, and through the first four months of 2017 are up an additional 42% over the same period last year. Just over half of all breaches are caused by cyber attacks, defined by ITC as hacking, credit card skimming and phishing. And the breaches are distributed across most, if not all, industries, hitting education, government, health and financial organizations alike. So, this is a big problem in 2017 that is threatening to explode into a huge problem. You need to be aware that if you hold sensitive customer data, there is a very real possibility that you will be targeted.

What are your options for protecting yourself from data breaches?

In the past, organizations have focused the majority of efforts on breach detection and remediation. In effect, they had given up on trying to prevent an attack and focused instead on cleanup. Historically, this was more of a necessity since dedicated breach detection systems (BDS) from vendors like FireEye were the only type of solution available for detecting zero-day attacks that often are used in successful breaches.

The challenges with this approach are many:

  1. The standalone products used to detect breaches are expensive and take a sophisticated dedicated security team to manage.
  2. According to SonicWall GRID Threat Network, in 2016 over half of internet traffic was encrypted using SSL/TLS, so traditional breach detection systems can’t even see the threats coming into the organization. This is an issue because most modern malware is being created with the ability to download to unsuspecting victims using the same encryption technology. SSL/TLS is being used to cloak or hide zero-day malware, making it very difficult for traditional breach detection solutions to be effective.
  3. Finally, most organizations just don’t have the cyber security skills to deal effectively with remediation. It is estimated that, at the end of 2016, there was a one million person gap between the number of cyber security professionals available and the number the industry needs to effectively fight cyber crime.

What is breach prevention?

Fortunately, the security community now has more options at their disposal. The best next-generation firewalls have integrated either on-board or cloud-based network sandboxes that are designed to detect zero-days much like the dedicated breach detection solutions available in the past. And because a firewall sits at the Internet gateway, it is possible to block zero-day attacks before they ever make it into the network. Here are five keys to finding the best breach prevention solution:

  1. The first requirement for breach prevention is decrypting the large component of your internet traffic that is using SSL/TLS. Your next-generation firewall needs to be able to do this without impacting the network performance, so look for a scalable, high-performance solution.
  2. Look for a firewall that has high security effectiveness to ensure that the maximum number of “known” threats are detected and blocked before they get into your organization.
  3. For unknown threats, make sure the firewall can not only detect zero-day threats but automatically block them in near real-time. This element is key to a breach prevention strategy.
  4. We recommend multiple sandbox engines running in parallel, which makes it much more difficult for an attacker to execute an evasion designed to target a specific vendor or engine type.
  5. Make sure the TCO of the solution fits within your budget, not only the upfront capital but also the resources needed to manage the solution and the ability to effectively scale capacity in the future to accommodate growth.