
“Threat Detection has Evolved from Static to Dynamic Behavioral Analysis to Detect Threatening Behavior”


Debasish Mukherjee is the Vice President, Regional Sales (APAC), SonicWall. He has over 18 years of experience in the IT industry and has worked in India and the Middle East in various roles. During this time, he focused on building and motivating cross-functional teams as well as managing and driving partner and customer relationships in various organizations. Mukherjee has been in the security industry for the last seven years; prior to that he was with Dell as the Regional Solution Manager and with Huawei as the Regional Sales Director. He has extensive experience in channel sales, data center solutions and IT infrastructure solutions across verticals.

In an exclusive e-mail interview with Augustin Kurian, Senior Feature Writer of CISO MAG, Mukherjee talks about the fast-moving cryptocurrency markets and how bitcoin is helping cryptojacking stay a relevant, lucrative option for cybercriminals. He discusses some of the pressing cybersecurity issues faced by Indian telcos. Mukherjee states that unknown zero-day threats are just that — unknown — and that there is no way to predict the next vulnerability avenue that will be exploited. He highlights how SonicWall’s intelligence-driven analytics service addresses zero-day attacks.

In one of your earlier interviews with CISO MAG, you said, “The rise of ransomware forced companies to improve their defenses against malware and intrusions. As a result, malware developers seek new ways to evade network security defenses.” While hackers are innovating and leveraging methods like cryptojacking, what are the steps taken by SonicWall to thwart malicious activities like cryptojacking and many others?

With the rising costs of mining cryptocurrencies such as Bitcoin, hackers develop and distribute malware to make victims do it for them. SonicWall prevents cryptojacking software from being downloaded and spreading throughout the network through the power of our next-generation multi-layered technology chain of security devices and services.

Cryptocurrency markets are fast-moving, where quick bull runs (often caused by price manipulation) can cause dramatic price spikes. Bitcoin ($BTC) prices also drive the value of Monero ($XMR), which is the alt coin of choice for many cybercriminals since its transactions can’t be publicly tracked like bitcoin. Halfway through 2019, bitcoin is surging again and is helping cryptojacking stay relevant as a lucrative option for cybercriminals. Cryptojacking volume hit 52.7 million registered attacks for the first six months of the year, as published in the mid-year update of the 2019 SonicWall Cyber Threat Report.

We can log hits and analyze signatures all day. But it remains difficult to align cryptojacking attacks — and criminal intentions — with cryptocurrency value.

Ultimately, it doesn’t matter what they mine. It only matters how they mine and all forms of these illegal miners — and future — damage systems and create security vulnerabilities.

SonicWall Firewalls filter out cryptojacking software entering the network. Intrusion Prevention Service (IPS) stops cryptojackers like Coinhive from spreading across the network and connected devices. Eliminate phishing emails with SonicWall Email Security. Scan email attachments and embedded URLs for advanced threats. Prevent malicious uploads with SonicWall Secure Mobile Access (SMA). Roll back affected endpoints with cryptojacking software to a clean state with Capture Client. Leverage SonicWall Gateway Anti-virus to stop known forms of cryptojackers. Funnel suspicious files to SonicWall Capture ATP to discover and stop new strains of coinhive and other related attacks. Block access to cryptojacking websites with Content Filtering Service. Continuously monitor system behavior for cryptocurrency mining behavior.

SonicWall is aiming to provide managed security services to Indian telcos. What advancements have been made on that front? Also, what are the pressing cybersecurity issues faced by Indian telcos?

Risk of non-adherence to cybersecurity regulations, breach of subscriber data, DDoS intended to disrupt services, risk management and mitigation for rolling out new technologies with the right security controls, stopping leakage of databases by outsourced entities, and minimizing the magnitude of an event so as to recover as quickly as possible and reduce the impact on their customers.

These, however, have brought new avenues to telcos. They can offer cybersecurity services to enterprises, providing services on securing end-customer networks, thereby using cybersecurity as an opportunity to gain the upper hand in a very competitive market.

From this perspective, SonicWall has developed many offerings for MSSPs, and in India we have started offering our services with one of the leading telcos; we are in the process of launching several new services in the next few months.

When it comes to malware detection and protection, several companies are relying on signature-based malware monitoring. What are the challenges in using signature-based malware monitoring? How does SonicWall differentiate itself from other vendors when it comes to malware detection and protection?

Threat detection has evolved from static to dynamic behavioral analysis to detect threatening behavior. Comprehensive layers of defense, properly placed within the network and the endpoint, provide the best and most efficient detection and response capabilities to match today’s evolving threats.

For years, SonicWall offered endpoint protection utilizing traditional antivirus (AV) capabilities. It relied on what is known as static analysis. The word “static” is just like it sounds. Traditional antivirus used static lists of hashes, signatures, behavioral rules and heuristics to discover viruses, malware and potentially unwanted programs (PUPs). It scanned these static artifacts across the entire operating system and mounted filesystems for retroactive detection of malicious artifacts through scheduled scanning.

Traditional antivirus focuses on pre-process execution prevention, meaning that all the scanning mechanisms are primarily designed to prevent the execution of malicious binaries. If we go back 20 years, this approach was very effective at blocking the majority of malware, and many antivirus companies capitalized on their execution prevention approaches.

SonicWall developed advanced real-time memory monitoring to detect malware designed to evade sandbox technology. Today, SonicWall uses a multitude of capabilities — coupled with patent-pending Real-Time Deep Memory Inspection (RTDMI™) — to identify and mitigate malware more effectively than competing solutions.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine, Capture Client applies advanced threat protection techniques, such as machine learning, network sandbox integration and system rollback. Capture Client uses automated intelligence to adapt and detect new strains of malware through advanced behavior analytics. One crucial feature of the latest Capture Client solution is the ability to record all the behaviors of an attack and the processes involved on an endpoint into an attack storyline—essential for security operations detection, triage and response efforts. SonicWall Capture Client combines multiple technologies to provide the most efficient and effective defense against threat actors. The solution should be paired with a defense-in-depth security strategy across all the key layers of transport, including email, network and endpoints.
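To illustrate the static-versus-behavioral distinction drawn in the answer above, here is an added Python example; it is not SonicWall's code. It runs a hash-list check (static) and a simple behavioral scorer (dynamic) over constructed endpoint telemetry; the sample payload bytes, process records and mining-pool port list are constructed assumptions, not data from the page.

```python
import hashlib

# Constructed stand-in for a known-bad hash list (static analysis). The
# "payload" is a placeholder byte string, not real malware.
KNOWN_BAD_HASHES = {hashlib.sha256(b"miner-v1").hexdigest()}


def static_match(payload: bytes) -> bool:
    """Static analysis: flag only if the exact file hash is on the list.
    Any repacking or padding of the file defeats this check."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_HASHES


# Constructed endpoint telemetry: per-process CPU samples over a window,
# the observed command line and outbound connections (ip, port).
EVENTS = [
    {"pid": 101, "name": "svc.exe", "cpu": [96, 97, 95, 98],
     "cmdline": "svc.exe -o stratum+tcp://pool.example:3333 -u w",
     "conns": [("198.51.100.7", 3333)]},
    {"pid": 202, "name": "chrome.exe", "cpu": [12, 40, 18, 9],
     "cmdline": "chrome.exe", "conns": [("203.0.113.5", 443)]},
    {"pid": 303, "name": "render.exe", "cpu": [99, 99, 98, 99],
     "cmdline": "render.exe scene.blend", "conns": []},
]

# Ports commonly used by stratum mining pools (assumed watch-list).
MINING_PORTS = {3333, 4444, 5555, 14444}


def behavioral_signals(ev: dict) -> list:
    """Dynamic analysis: score what the process does, not what its bytes are."""
    reasons = []
    if min(ev["cpu"]) >= 90:
        reasons.append("sustained high CPU")
    if "stratum+tcp://" in ev["cmdline"]:
        reasons.append("stratum mining protocol in cmdline")
    if any(port in MINING_PORTS for _, port in ev["conns"]):
        reasons.append("connection to common mining-pool port")
    return reasons


def behavioral_match(ev: dict) -> bool:
    # Require two independent signals so a legitimate CPU-heavy job
    # (render.exe above) is not flagged on CPU alone.
    return len(behavioral_signals(ev)) >= 2


def flagged_pids(events: list) -> list:
    """Return the pids the behavioral detector would surface for triage."""
    return [ev["pid"] for ev in events if behavioral_match(ev)]
```

The repacked copy of the payload (same bytes plus one trailing byte) slips past the static check while the behavioral detector still surfaces the mining process on its network and command-line behavior.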

Adoption of AI and ML is touted to be the future of cybersecurity. On that front, SonicWall has always been way ahead in the league. Briefly tell us about the upcoming products and services from SonicWall that aim to counter the threats of the future.

Unknown zero-day threats are just that — unknown. You have no way (besides historical experience) to predict the next vulnerability avenue that will be exploited. The other quandary faced when tackling complex targeted zero days is the skills gap. Staffing a security operations center (SOC) with highly skilled cybersecurity professionals comes at a cost and only becomes profitable with economies of scale that a large customer base brings.

AI understands the big data coming from behavioral analysis. It can adapt the discovery approach to uncover threats that try to hide and, once determined as malicious, can fingerprint the payload via signature, turning a zero day into a known threat. It is the speed of propagation of this new, known signature to the protection appliances participating in the mesh protection network that drives the efficiencies to discover more threats.

Also, it’s the size of the mesh network catchment area that allows you the largest overall service area of attacks, which helps your AI to quickly learn from the largest sample data set. SonicWall has you covered on all these fronts. With more than one million sensors deployed across 215 territories and countries, SonicWall has one of the largest global footprints of active firewalls. Plus, the cloud-based, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service discovers and stops unknown, zero-day attacks, such as ransomware, at the gateway with automated remediation. Our recent introduction of the patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology, which inspects memory in real time, can detect and prevent chip vulnerability attacks such as Spectre, Meltdown and Foreshadow. It’s included with every Capture ATP activation.

At SonicWall, the mantra of automated, real-time breach detection and prevention is fundamental to our security portfolio. It is how our partners drive predictable operational expenditures in the most challenging security environments. Only via connected solutions, utilizing shared intelligence, can you protect against all cyberthreat vectors.

Can you update us on how SonicWall products address zero-day attacks? What kind of “threat intelligence” and “predictive capabilities” are in your products?

SonicWall Analytics is a powerful intelligence-driven analytics service. It gives a direct line of sight into the threat intelligence of your networks and users in real time, all through a single pane of glass. With drill-down capabilities, security teams can mine various sets of contextualized firewall log and flow data to easily and quickly find and tackle security as well as network performance issues.

SonicWall provides single-pane visibility and complete situational awareness of the network security environment, enabling teams to perform deep investigative analysis, gain deeper knowledge and understanding of potential and real risks and threats, hunt, detect and remediate risks with greater clarity, certainty and speed, and reduce incident response time with real-time, actionable threat intelligence.

Analytics is available in SaaS mode via the SonicWall Capture Security Center and can also be deployed on key virtual platforms such as VMware and Hyper-V. The flexibility to leverage this product across multiple platforms, along with capex- or opex-based licensing, helps ease the financial and operational planning and decision processes. This gives organizations the operational and economic benefits of virtualization and cloud computing. It also enables dynamic upscaling of storage to fulfill the growing data retention requirements from a virtually unlimited number of firewall nodes.

SonicWall is announcing new offerings for managed security service providers (MSSP) on April 6, 2020. The newly announced capabilities allow MSSPs to simplify oversight, visibility and management of cybersecurity ecosystems as they continue to expand.

The cyberthreat intelligence, which is available in the SonicWall Security Center, maps the behavior of cybercriminals and the tactics they employ to breach the networks of businesses and organizations across the world. Included with Capture ATP, SonicWall’s patent-pending RTDMI technology catches more malware than behavior-based sandboxing methods, with a lower false positive rate.

First announced in February 2018, RTDMI technology is used by the SonicWall Capture Cloud Platform to identify and mitigate even the most insidious cyberthreats, including memory-based attacks. RTDMI proactively detects and blocks unknown mass-market malware — including malicious PDFs and attacks leveraging Microsoft Office documents — via deep memory inspection in real time. Because of obfuscation techniques, many legacy firewalls and anti-virus solutions are unable to effectively identify and mitigate PDFs or Microsoft Office file types that contain malicious content.