By Mor Ahuvia, Threat Prevention Product Marketing Manager
Can you defend against zero-day threats? Most organizations cannot. But with the right technology, organizations can not only detect more zero days, but can stop them before they ever reach their network, without compromising business agility or speed. Here is Part 2 of our three-part series on “Stopping Zero Days at the Speed of Business.”
To recap Part 1, common network protection approaches against zero-day threats include sandboxing, endpoint protection and incident response. However, each of these approaches has drawbacks that leave key parts of your network exposed, such as datacenters and enterprise IoT.
A three-pronged strategy for advanced network threat prevention
To provide an effective first line of defense against zero-day threats, organizations should consider deploying a triple-layered network security strategy comprising the technologies below.
Pre-emptive user protections – According to the latest Verizon Data Breach Investigations Report, 94% of attacks whose origin is known were delivered by email. Since humans are the weakest link in the security chain, it makes sense for security to follow them wherever they go—be it browsing or email.
To this end, various pre-emptive technologies can be deployed to eliminate potential threats before they reach users, without affecting their workflows or productivity. They include:
- Threat Extraction – Also known as content disarm and reconstruction (CDR), this is employed to remove risky content from web downloads and emails. Threat Extraction cleans PDFs, images and other documents, removing exploitable elements such as active content and embedded objects. Files are then reconstructed, retaining their original format, and delivered to the user. Meanwhile, the original file is emulated in the background, and can be accessed by the user if deemed benign.
- Advanced email protections – Innovative technologies have emerged to defend against malicious emails, including malicious links, phishing, business email compromise (BEC) and other social engineering attacks. These include revolutionary AI neural network Natural Language Processing (NLP) engines that scrutinize hundreds of email parameters, including the language of the text body, the job title of the purported sender and a host of other variables. To protect against new zero-day phishing sites, Click-Time URL Protection, or URL rewriting, examines and blocks suspicious links in real time, removing the risk of URLs that are populated with malicious content at the last minute, and for which reputation data does not exist.
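The click-time URL rewriting described above can be sketched as follows. This is an added example, not code from the original post or from any vendor product; the gateway address, the demo key and the verdict callback are hypothetical stand-ins for a real gateway and reputation service.

```python
import base64
import hashlib
import hmac
import re
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://clickguard.example/check"  # hypothetical gateway endpoint
KEY = b"constructed-demo-key"                 # constructed; use a managed secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """HMAC over the original URL so the gateway only honors links it issued."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery time: replace every link with a signed gateway link."""
    def repl(match: "re.Match[str]") -> str:
        url = match.group(0)
        token = base64.urlsafe_b64encode(url.encode()).decode()
        return GATEWAY + "?" + urlencode({"u": token, "s": _sign(url)})
    return URL_RE.sub(repl, body)


def resolve_click(link: str, verdict_now: Callable[[str], str]) -> Tuple[str, Optional[str]]:
    """Click time: verify the signature, then fetch a fresh verdict."""
    query = parse_qs(urlsplit(link).query)
    try:
        url = base64.urlsafe_b64decode(query["u"][0]).decode()
        sig = query["s"][0]
    except (KeyError, ValueError):
        return ("reject", None)
    # A bad signature means the link was not issued here; refusing it keeps
    # the gateway from being abused as an open redirector.
    if not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return ("reject", None)
    # The verdict is computed now, not at delivery, so a page weaponized
    # after the mail was delivered is still caught.
    if verdict_now(url) == "malicious":
        return ("block", url)
    return ("redirect", url)


# Constructed sample message.
SAMPLE = "Your invoice is ready: http://files.example.test/invoice?id=7 Thanks"
```

The same rewritten link yields "redirect" while the destination is clean and "block" once the verdict source flips, which is the property that delivery-time scanning alone cannot provide.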
Real-time threat intelligence – Threat intelligence gleaned from hundreds of millions of sensors deployed on various assets, such as endpoints, devices and networks, can be shared in real time to block the newest attacks. The larger the install base of the sensor data, the more visibility is gained into the latest attacks in the wild.
Threat intelligence may also be obtained from multiple sources, including feeds from non-profits such as CERTs and industry alliances, as well as proprietary vendor research and feeds.
By using the latest threat intelligence, organizations can block the newest malware and phishing attacks based on previously discovered indicators of compromise (IoCs), even if their antivirus software has yet to include them.
Exhaustive AI engines – Where IoCs do not exist for a suspicious email or file, organizations can vet risky documents and messages using the power of data science. In addition to static code analysis, OSINT, file reputation and other sources of data, files that may contain malware, and emails that may harbor phishing, are emulated to examine their runtime behavior.
The file or email is analyzed by rich, exhaustive artificial intelligence (AI) engines using millions of parameters that examine runtime behavior. Examples of AI engines used include:
- Malware DNA analysis, which attempts to identify the origins of a malware sample's code and associate it with known malware families, if any
- Image Recognition, which examines an executable by treating it as a static image
- Code Flow Analysis, which recognizes malicious code flow patterns
An uber-AI engine that interprets and weighs dozens of engines’ risk scores can be used to reach a single, final ‘malicious’ or ‘benign’ verdict. Finally, false positives can be minimized using a dedicated self-learning engine. Heuristics should be continually optimized to detect the latest threats in the wild, as these evolve and change over time.
Moving to a prevention-first strategy
By investing in zero-day threat prevention, organizations can save money and avoid breach-related costs downstream by blocking more attacks upstream. When emulation is fast, verdicts are accurate, and network protection follows users seamlessly throughout their usual workflows, prevention becomes not only possible, but practical.
Part 3 of this blog highlights the four best practices for configuring network security against zero-day threats, to provide the best network protection without incurring additional management overhead.