Productivity and Zero-Day Prevention – A Zero-Sum Game?

By Mor Ahuvia, Threat Prevention Product Marketing Manager

Can you defend against zero day threats? Most organizations cannot. But with the right technology, organizations can not only detect more zero days, but also stave them off–without having to compromise on business agility or speed. Here is Part Three of our four part series, “Stopping Zero Days at the Speed of Business.”

CISOs, IT and security practitioners are routinely challenged with balancing security and productivity. Adding layers of security often results in more user friction, a poor user experience, higher help desk overhead and business downtime. That is why, when it comes to unknown threats, organizations often resort to running their sandboxes in “detect-mode” rather than “prevent mode. This means that unknown emails and malware are let into the network, while their analysis continues in the background. By the time a verdict is reached, it is often too late, as the damage of the unknown threat has already been done.

So is zero-day attack prevention a zero-sum game?

It doesn’t have to be. And here is why.

Preemptive controls offer a seamless user experience

You want to keep users productive, and you don’t want to keep them waiting for a threat analysis verdict as they browse the web and open their email.

By pre-emptively removing risky content elements from web downloads and email attachments (for example, macros) you can ensure users remain productive while the original, unknown file is prevented from entering the network until a malicious or benign verdict is reached. It takes less than 1.5 seconds to deliver this type of risk-free content using threat extraction, so user workflows are not compromised; meanwhile your attack surface shrinks and your security posture is greatly enhanced.

As unknown threats account for 57% of malicious files reaching organizations, according to Check Point Research, an ounce of pre-emptive controls is worth a pound of cure.

To protect users from email-based fraud and phishing (sent with no attachment), all email aspects including links, sender, recipient and email language can be transparently vetted and blocked within seconds—thanks to the power of artificial intelligence (AI).

Threat analysis verdicts can be accurate and fast

To maintain productivity, analyzing unknown threats should not cause downtime or delays. Otherwise, IT and security teams will be asked to revert to ‘detect-mode.’ To this end, speed is paramount. And how do you reach speed? With data science, of course.

By utilizing a sequence of signature lookups, static code analysis and evasion-resistant threat emulation, AI engines can reach a malicious/benign verdict within just a few minutes. That verdict, specific to the analyzed file, can in turn be added as a new signature (e.g. MD5 or SHA hash) so that future encounters with that malicious file will result in its immediate blocking.

Leveraging AI engines that study the broader campaign associated with that malware file may yield a collection of broader malware campaign IoCs, such as C2 domains, IP addresses, and others.

By sharing the newly-identified malware signature and broader IoCs through a global threat intelligence network, organizations across the globe can block that very same threat—and other related threats—within seconds.

Management can be minimal

When it comes to setting up and optimizing network protection policies, complex and fragmented configuration, combined with tedious manual updates, may also contribute to downtime and loss of productivity.

This can be addressed with three-fold optimization:

  • Profile-based policies – By applying consistent best-practice policies to the same type of network segment, e.g. internal network, guest network, perimeter etc. the time required to set up policies can be slashed by up to 70%.
  • Automated policy updates – To ensure that policies are always up to date based on the latest vulnerabilities and technology, these can be pushed automatically in the background, removing the need to push policies manually.
  • Automated optimization of protections – Different network segments operate with different protocols, OSs and applications. To ensure optimized performance, including bandwidth and CPU consumption, controls such as IPSs can be continually and automatically optimized to only include and update protections relevant for a given segment.

Ready to experience zero-day protection at speed? Contact us for a demo to get started today.

To learn more, check out the SandBlast Network Solution Brief or watch a replay of the webinar, Stopping Zero Days at the Speed of Business