Can you afford five months without protection for your network? In a recent blog post, Avanan wrote that after five months of using a malware sample in their demos to show how malware can bypass traditional security solutions, the sample was finally detected by a major enterprise email security provider. The sample, a Cerber variant, had originally been caught by the SandBlast Zero-Day Protection solution.
Cerber is a vicious ransomware-as-a-service operation, which we recently exposed in an in-depth report, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. It spreads through phishing emails and exploit kits, targeting thousands of users worldwide. Once it infiltrates a machine, Cerber encrypts the user's files with AES-256 and RC4 and then demands a ransom of 1.24 bitcoins (roughly $500 USD) to restore access to the user's documents, photos and other files.
There are two major points from Avanan’s blog which are worth further discussion:
- First, it takes a very long time to get protection from traditional, signature-based technologies such as antivirus software. In this case, users without advanced security measures were exposed to the threat for five whole months before signature-based detection caught up with it. In cyber security terms, five months is far too long given the breakneck speed at which malware variants change. To protect themselves in real time, enterprises should use advanced sandboxing, which detects and blocks threats based on dynamic analysis of their behavior rather than on signatures.
- Second, it took Avanan only five seconds to find a new sample of the same malware, and that sample bypassed every solution but one. The only solution that blocked it, among signature-based products and other sandboxes alike, was Check Point's SandBlast. Signature-based protection will never match malware's evolutionary pace: producing a new variant (a repack, or a few changed bytes) takes seconds and changes every hash-based signature, while writing and distributing a new signature can take months. To keep their networks safe, enterprises must deploy an advanced security solution that stops zero-day malware based on advanced analysis.
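To make the gap between the two approaches concrete, here is an added example (not code from Avanan's or Check Point's material, and nothing in it is real Cerber code). It shows a hash-based "signature" failing on a sample that differs from the known one by a few appended bytes, while a behavior rule evaluated over a constructed sandbox event log (file reads, rewrites under a new extension, deletions of the originals, and a dropped ransom note) flags both the original and the variant. The event format, the document extensions, the `min_rewrites` threshold and the sample bytes are all assumptions made for the illustration.

```python
"""
Added illustration of signature-based vs. behavior-based detection.
All bytes, paths and event logs below are constructed for the example;
they do not come from any real sample or sandbox.
"""
import hashlib

# Constructed stand-in for a malware sample, plus a "variant" made by
# appending a few junk bytes: the cheapest way to change a file hash.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"constructed-ransomware-body" * 16
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"\x00" * 7

# The signature database knows only the hash of the sample the vendor has seen.
SIGNATURE_DB = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Extensions treated as "user documents" by the behavior rule (assumed list).
USER_DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}


def signature_detects(sample: bytes) -> bool:
    """Hash-based detection: an exact match against known-bad hashes only."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def sandbox_events(variant: bool) -> list:
    """Constructed sandbox log ("op|path" lines) for a ransomware-like run.

    Each user document is read, rewritten under an extra extension, and the
    original deleted; a ransom note is dropped at the end. The variant uses
    a different extension, as real families do across versions.
    """
    suffix = ".enc2" if variant else ".enc1"
    events = []
    for i in range(12):
        path = f"C:/Users/alice/Documents/file{i}.docx"
        events += [f"read|{path}", f"write|{path}{suffix}", f"delete|{path}"]
    events.append("write|C:/Users/alice/Documents/README_DECRYPT.txt")
    return events


def benign_events() -> list:
    """Constructed log of a user editing three files in place, one backup kept."""
    events = []
    for i in range(3):
        path = f"C:/Users/alice/Documents/report{i}.docx"
        events += [f"read|{path}", f"write|{path}"]
    events.append("write|C:/Users/alice/Documents/report0.docx.bak")
    return events


def parse_event(line: str) -> tuple:
    """Split "op|path"; reject anything that is not one of the three ops."""
    op, sep, path = line.partition("|")
    if not sep or op not in {"read", "write", "delete"}:
        raise ValueError(f"malformed event: {line!r}")
    return op, path


def count_rewritten_documents(events: list) -> int:
    """Documents that were read, re-emitted under an extra extension, and deleted."""
    reads, writes, deletes = set(), set(), set()
    for line in events:
        op, path = parse_event(line)
        {"read": reads, "write": writes, "delete": deletes}[op].add(path)
    rewritten = 0
    for path in reads & deletes:
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in USER_DOC_EXTS and any(w.startswith(path + ".") for w in writes):
            rewritten += 1
    return rewritten


def behaviour_detects(events: list, min_rewrites: int = 10) -> bool:
    """Behavior rule: mass in-place rewriting of user documents.

    The threshold is an assumed value; a real sandbox would combine this with
    further indicators (entropy of the written data, dropped notes, timing).
    """
    return count_rewritten_documents(events) >= min_rewrites


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(f"{name:8s} signature hit: {signature_detects(sample)}")
    print("original behavior hit:", behaviour_detects(sandbox_events(variant=False)))
    print("variant  behavior hit:", behaviour_detects(sandbox_events(variant=True)))
    print("benign   behavior hit:", behaviour_detects(benign_events()))
```

The signature check recognises only the exact bytes it was built from, so the seven appended bytes are enough to escape it; the behavior rule does not look at the bytes at all, only at what the run did to the user's documents, which is why it fires on both samples and stays quiet on the editing session.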
In its demonstration, Avanan tested a brand-new malware sample that no security vendor had seen before, and Check Point's SandBlast was the only solution to pass the test. It is important to note that SandBlast prevailed not only over signature-based solutions but also over other advanced solutions, which failed to catch the sample. The main value an advanced solution should offer is catching unknown malware; if it fails to do so, it is no better than a traditional one.
There are two key takeaways for enterprises from Avanan’s demonstration:
- Signature-based solutions are not sufficient in today’s threat landscape.
- Some sandboxes are better than others. When selecting a vendor, whether to protect your enterprise network or your cloud applications, do not only ask about the features of and differences between the products on offer; verify, with samples none of them has seen before, that they actually catch zero-day malware.