With so much riding on cyber security, those of us charged with providing it must make a devil’s bargain between conflicting priorities: maintain productivity by letting users receive and transmit information quickly, or protect information at the cost of unacceptable latency.
The dilemma arises from the nature of today’s threats. In the original threat-signature model, which is still valid, threat actors distribute malware, which honeypots and other sensors around the Internet pick up and pass to security analysts. The analysts quickly generate the threat signatures that antivirus and intrusion-prevention systems use to block threats. Security vendors update malware signatures in their products within minutes. Signatures let unknown malware quickly become known and easy to block. Looking up threat signatures is fast too. As long as you sized the security product correctly for the amount of traffic it had to inspect, user productivity was not an issue during the golden age of signature-based security.
Now, however, threat actors use software that automatically alters known malware so that it no longer matches its original threat signature. This automation lets attackers release an enormous volume of unknown malware that reaches security controls before security analysts can generate and distribute threat signatures. In addition, malware developers use other obfuscation techniques that help their malware evade detection by security controls and sensors. Clearly, we also need security that goes beyond signatures. Enter the sandbox.
For more about threats, read Chapter 2 “The Attack Arsenal: Known and Unknown Malware” in the Check Point Security Report.
After a file passes signature lookup, the security control sends it to a protected virtual environment in order to trigger any malicious activity it contains. This is sandbox threat emulation. Here’s the productivity problem. We know that some widely used sandboxes can take at least five minutes to emulate threats, and significantly longer for larger files[i]. Can you imagine the uproar if opening a PDF or Word file downloaded from a website took five minutes or longer? What do many security vendors do to keep work moving without impacting users? They pass the files through to the network while threat emulation runs. Find a threat in the sandbox? Too late. That threat is already in your network. Now you have to find the threat and determine what damage it has done. If you have one of these sandboxes, you are probably a very busy person. Standard sandboxes pay the devil by letting malware into the system during threat emulation in order to protect service delivery levels.
In contrast, Check Point cheats the devil by adding the element of threat extraction. Our advanced threat prevention technology deconstructs files and reassembles them without any active elements that could spread threats, then quickly sends the reconstructed files to users. Threat Extraction preserves both productivity and security. With threat extraction, we don’t pass “unpasteurized” data into networks while threat emulation is running. Our threat emulation technology also catches many more threats than the others, but our superior catch rate is another story.
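To make the “deconstruct and reassemble without active elements” idea concrete, here is a small added example (not Check Point’s Threat Extraction code and not from this post) that rebuilds a macro-enabled Word package without its VBA project. The sample package, the part names it touches and the change log format are constructed for the demonstration; real content disarm and reconstruction also has to handle OLE objects, DDE fields, external links and other formats such as PDF.

```python
import io
import re
import zipfile
# Real OOXML names that mark VBA macro content in a Word package.
MACRO_PART = "word/vbaProject.bin"
MACRO_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_docm() -> bytes:
    """Constructed, minimal macro-enabled package: only the parts this example touches."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/></Types>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p>quarterly figures</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   f'<Relationship Id="rId2" Type="{MACRO_REL}" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not real VBA")
    return buf.getvalue()

def disarm(package: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package part by part without the macro project or any reference to it.
    Returns the new package plus a change log. Regex edits on XML suit this demo only."""
    changes: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == MACRO_PART:       # drop the active content entirely
                changes.append(f"removed part {info.filename}")
                continue
            if info.filename.endswith(".rels"):    # drop relationships that pointed at it
                pattern = rb'<Relationship\b[^>]*Type="' + re.escape(MACRO_REL.encode()) + rb'"[^>]*/>'
                data, n = re.subn(pattern, b"", data)
                if n:
                    changes.append(f"removed {n} macro relationship(s) from {info.filename}")
            if info.filename == "[Content_Types].xml":  # declare the main part macro-free
                data = data.replace(MACRO_CT.encode(), PLAIN_CT.encode())
                changes.append("rewrote main part content type to the macro-free type")
            dst.writestr(info.filename, data)
    return out.getvalue(), changes

def has_macro(package: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(package)) as z:   # quick pre/post check a gateway can run
        return MACRO_PART in z.namelist()
```

The change log is what a gateway would record so that analysts can see what was stripped from each delivered file while full emulation runs on the original.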
For more information about threat trends and security best practices, download the Check Point Security Report.
[i] Check Point, September 2016, Facts vs. Hype: Top 10 Considerations for Choosing a Strategic Cybersecurity Partner