Why Your Detection-First Security Approach Isn’t Working

Endpoint security

Stopping new and evasive threats is one of the biggest challenges in cybersecurity. It is also one of the biggest reasons why attacks rose dramatically again over the past year, despite an estimated $172 billion in global cybersecurity spending in 2022.

Armed with cloud-based tools and backed by sophisticated affiliate networks, attackers can develop new evasive malware faster than organizations can update their protections.

Against these rapidly changing attacks, relying on malware signatures and blocklists has become pointless. As a result, SOC toolkits today revolve primarily around threat detection and investigation. If an attacker gets past the first block, the expectation is that tools will pick them up at some point in the attack chain. Every organization’s digital architecture incorporates security controls that log potentially malicious activity, and a security analyst examines those logs to decide what to investigate further.

Does this work? Let’s look at the numbers:

  • 76% of security teams say they are understaffed and unable to meet their goals
  • 56% of attacks take months or longer to discover
  • Attacks continue to increase. The global cost of cybercrime is expected to reach $10.5 trillion by 2025

Obviously something has to change. Detection technologies serve an important purpose, and investing in them is not a mistake, but detection is certainly overemphasized.

Organizations must return to prioritizing threat prevention first and foremost. This comes from a Zero Trust leader, and Zero Trust is essentially a model that assumes preventative controls have already failed and that you are being actively compromised at all times.

Endpoints are just starting points

While many security categories present gaps in detection-first security strategies, let’s take a look at one particularly popular category: endpoint detection and response (EDR).

EDR adoption is growing rapidly. It is already a $2 billion industry, growing at a CAGR of 25.3%. This makes sense: most attacks start at the endpoint, and if they are detected early in the attack chain, the impact can be minimized. A good EDR solution also provides rich endpoint telemetry to aid in investigation, compliance, and finding and shutting down vulnerabilities.

Endpoint security is a key area to invest in and a key component of Zero Trust, but it’s not the big picture. Vendors tout “extended” detection and response (XDR) that stitches together data across the enterprise, but XDR solutions don’t offer defense-in-depth on their own. EDR has antivirus to stop known malware, but usually lets all other traffic through and then relies on analytics to detect what AV misses.

All tools have their drawbacks and EDR is no exception. Here’s why:

Not all attacks start at the endpoint. The Internet is the new network, and most organizations store different data and applications in different clouds. They also frequently operate devices such as VPNs and firewalls that are routable from the Internet. Anything that is public is subject to attack. Zscaler ThreatLabz found that 30% of SSL-based attacks are hidden in cloud-based file sharing services like AWS, Google Drive, OneDrive, and Dropbox.

Not all endpoints are managed. EDR relies on agents being installed on every IT-managed device, which ignores the myriad scenarios in which unmanaged endpoints access data and networks: IoT and OT devices, personal (BYOD) endpoints used for work, partners and contractors with access to your data, recently merged or acquired companies, and even guests who come to your office to use the Wi-Fi.

EDR can be bypassed. All security tools have their weaknesses, and EDR has proven fairly easy to circumvent using some common techniques, such as exploiting system calls. Attackers also automatically generate new PDFs, Microsoft 365 documents, and other files using encryption and obfuscation, changing the malware’s fingerprint so that it slips past traditional detection models unnoticed.

Modern threats move very fast. Almost all of today’s ransomware variants are available for purchase on the dark web by would-be cybercriminals, and they can encrypt data so quickly that detection-based techniques are rendered useless. LockBit v3.0 can encrypt 25,000 files per minute, and it is not even the fastest ransomware. By contrast, the average time to detect and mitigate a breach is measured at 280 days. That’s enough time for LockBit to encrypt over 10 billion files.

Get your security in order

Certainly, signature-based antivirus technology alone is not enough to thwart sophisticated attacks. But it is also true that the same AI-powered analytics behind detection technology can (and should!) be used for prevention as well as detection. This prevention strategy should span the entire infrastructure, not just endpoints or any other single part of the architecture.

Sandboxes are an important example of security tools that can be deployed in this manner. A sandbox provides real-time protection against sophisticated and unknown threats by analyzing suspicious files and URLs in a safe, isolated environment. Deploying it inline (rather than in passthrough mode) means the file cannot proceed to its destination until the sandbox has reached a verdict.

The Zscaler Zero Trust Exchange platform includes cloud-native proxies that inspect all traffic, encrypted or unencrypted, for secure access. As a proxy, all of the platform’s layered controls, including an integrated advanced sandbox, are delivered inline with a prevention-first approach.

Complementing your detection technology with Zscaler’s cloud-native inline sandbox delivers:

AI-powered real-time protection against zero-day threats

Zscaler uses advanced machine learning algorithms that are continuously improved by the world’s largest security cloud that processes over 300 billion transactions per day. These algorithms analyze suspicious files and URLs in real time to detect and block potential threats before they can do damage.

It begins with a pre-filtering analysis that checks file content against 40+ threat feeds, antivirus signatures, hash blocklists, and YARA rules for known indicators of compromise (IOCs). This lets the AI/ML models work more efficiently by reducing the number of files that require deeper analysis. If a file remains unknown or suspicious after initial triage, Zscaler Sandbox detonates the file for robust static, dynamic, and secondary analysis, including code analysis to detect advanced evasion techniques and analysis of any secondary payloads. Upon completion, a report is generated with a threat score and an actionable verdict, and malicious or suspicious files are blocked according to the policy configuration.
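The triage flow described above, as an added illustration that is not Zscaler’s code: a known-indicator pre-filter (hash blocklist and YARA-style rules) short-circuits the obvious cases, files that remain unknown get a stand-in static score, and the inline gate releases nothing until a verdict exists. The indicators, the entropy heuristic, and the 70-point block threshold are all constructed for the example.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicators (not real IoCs) standing in for the threat feeds,
# AV signatures, hash blocklists and YARA rules the pre-filter stage consults.
HASH_BLOCKLIST = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}
RULES = {
    "office_autoopen": re.compile(rb"AutoOpen|Document_Open"),
    "ps_hidden_window": re.compile(rb"powershell[^\n]*-w(indowstyle)?\s+hidden", re.I),
}
BLOCK_THRESHOLD = 70  # policy: verdicts scoring at or above this are blocked

@dataclass
class Verdict:
    action: str  # "allow" or "block"
    stage: str   # "prefilter" or "sandbox"
    reason: str
    score: int

def prefilter(data: bytes):
    """Cheap known-indicator checks; only files still unknown go to the sandbox."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_BLOCKLIST:
        return Verdict("block", "prefilter", "hash blocklist hit", 100)
    for name, rule in RULES.items():
        if rule.search(data):
            return Verdict("block", "prefilter", f"rule {name}", 90)
    return None  # unknown: needs deeper analysis

def static_score(data: bytes) -> int:
    """Stand-in for the sandbox's static stage (assumed heuristic, not Zscaler's):
    byte entropy, since packed or encrypted payloads look near-random."""
    if not data:
        return 0
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return min(100, int(entropy / 8 * 100))  # 8 bits per byte is fully random

def inline_gate(data: bytes):
    """Inline deployment: the file is released only once a verdict exists.
    A passthrough deployment would forward it first and log the same verdict later."""
    verdict = prefilter(data)
    if verdict is None:
        score = static_score(data)
        action = "block" if score >= BLOCK_THRESHOLD else "allow"
        verdict = Verdict(action, "sandbox", f"entropy score {score}", score)
    return verdict.action == "allow", verdict
```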

Scalability

One of the cloud’s biggest selling points is its ability to scale up or down quickly to meet the needs of organizations of all sizes. Security controls deployed in the cloud are naturally easier to provision and manage, giving organizations the flexibility to adapt to changing security needs.

Cost reduction

Cost is one of the key inputs that define many security strategies, and it comes in many forms, including user productivity, operational efficiency, and hardware costs. But the biggest cost to watch is the cost of being compromised. Preventing attacks eliminates downtime, reputational damage, lost business, and remediation costs, which together can easily add up to seven figures for a single attack. ESG found that the average organization using the Zero Trust Exchange saw a 65% reduction in malware, an 85% reduction in ransomware, a 27% reduction in data breaches, and an overall ROI of 139%.

Comprehensive threat protection

The Zero Trust Exchange offers comprehensive threat prevention, detection, and analysis capabilities, giving organizations a unified security control strategy across all locations, users, and devices. Zscaler Sandbox can analyze files anywhere, not just on endpoints, and is integrated with a variety of additional capabilities such as DNS security, browser isolation (for fileless attacks), data loss prevention, application and workload security, deception, and more. This gives you a complete view of your organization’s security posture and the defense-in-depth your security team is aiming for.

Prevention comes first

In an arms race with attackers, security teams should prioritize inline security controls over passthrough detection techniques. A file should not be allowed onto endpoints or networks until you are sure it is benign.

For more information on the Zscaler Zero Trust Exchange, please visit zscaler.com.
