By Cat Yong
Palo Alto Networks, a next-generation firewall (NGFW) solutions provider, has released a modern malware review which finds that traditional antivirus solutions are not adequately equipped to handle today's malware threats.
Palo Alto Networks' Director of Systems Engineering in APAC, Kelly Brazil, said that besides identifying real-time applications and FTP as preferred targets for malware, more than half of observed malware behaviour is focused on remaining undetected by security vendors.
Once malware latches onto a network it tends to be very sticky: much of its activity goes into staying undetected and remaining persistent on the host. Hence the need for defence to begin at the edge, and for Palo Alto the firewall is the point of enforcement.
Brazil emphasised that the traditional security approach of classifying traffic by ports and protocols, or by stateful inspection, is no longer enough, and that Palo Alto classifies traffic by its content and behaviour using an analysis technology called Wildfire.
Email schmemail
What the modern malware report reveals raises questions about how effective the usual security approach is these days. Many traditional security solutions focus on applications such as email, and do a very good job of securing them. But malware treats different applications differently. Brazil observed that security vendors are usually more concerned with malware that causes widespread attacks.
The thing is, malware associated with Advanced Persistent Threats (APT) tends to stay under the radar. Palo Alto's modern malware review found that increasingly this kind of malware arrives in traffic from unknown, under-the-radar applications, reflected in the finding that over half of samples now resort to stealthy behaviour. So if an organisation is under "attack" and eventually crashes, it may be because of a malicious file that was never detected or identified.
“Application sharing type of apps could take up to 24% of bandwidth but (have been found) to have very low correlation with threats. Not that they aren’t important to look at, but really where malware tends to hide, is within dynamic apps like file sharing or web browsing,” said Brazil.
Brazil added that security vendors could take over 20 days on average just to produce malware signatures for these dynamic applications.
Also, 98% of exploits found in APAC targeted just 9 applications. Brazil described those as business-critical applications that people need to use.
Havoc at a hacker’s will
The main objective of an APT is to have malware set up camp on an organisation's network, so that it can explore and create havoc at the attacker's will. One of the scariest prospects of a malware-infiltrated network is that it sends information back to the attacker in the form of unknown UDP and TCP traffic.
This command and control (C2) type of threat is completely invisible to traditional security, but according to Brazil, Palo Alto Networks' next-generation technology decodes web traffic at a deeper level, enabling it to detect unknown UDP, unknown TCP and fake DNS traffic that cannot be associated with any legitimate application and that tends to be highly correlated with malware.
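The detection idea described above, traffic that does not match any legitimate application on the port it uses, is illustrated by the following added example. It is not code from the article or from Palo Alto Networks: it is a small Python triage routine over constructed sample flows, with an assumed allow-list of expected applications (`KNOWN_APPS`), a minimal DNS question parser that rejects payloads on udp/53 which are not well-formed queries ("fake DNS"), and a `triage()` function that flags unknown-port and protocol-mismatch flows. All names, addresses and payloads are made up for the example.

```python
"""Flag traffic that no legitimate application would produce: payloads on
udp/53 that are not DNS queries ("fake DNS"), payloads on ports no known
application uses, and known ports carrying the wrong protocol.
Example code with constructed sample flows, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes  # first bytes the client sent


# Hypothetical allow-list of the applications this network expects to see.
KNOWN_APPS = {53: "dns", 80: "http", 443: "tls"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_dns_question(payload: bytes) -> Tuple[str, int]:
    """Parse a DNS query header and its single question (RFC 1035 wire format).
    Raises ValueError on anything a real stub resolver would not have sent."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a client query must not be a response")
    if (flags >> 11) & 0xF > 2:
        raise ValueError("unknown opcode")
    if qdcount != 1:
        raise ValueError("client queries carry exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("name not terminated")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:       # compression pointers are not valid in a query name
            raise ValueError("bad label length")
        label = payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        if not all(bytes([c]).isalnum() or c in b"-_" for c in label):
            raise ValueError("non-hostname bytes in label")
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qclass != 1:
        raise ValueError("QCLASS is not IN")
    return ".".join(labels), qtype


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a well-formed A query (RD set) for use as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def classify(flow: Flow) -> str:
    """Name the application the payload actually looks like, or return a
    verdict ("fake-dns", "unknown-<proto>", "mismatch-<app>") for suspect flows."""
    p = flow.payload
    if flow.dport == 53:
        try:
            parse_dns_question(p)
            return "dns"
        except ValueError:
            return "fake-dns"
    if flow.dport == 80 and p.startswith(HTTP_METHODS):
        return "http"
    if flow.dport == 443 and len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls"                            # TLS handshake record, version 3.x
    if flow.dport in KNOWN_APPS:
        return "mismatch-" + KNOWN_APPS[flow.dport]   # known port, wrong protocol
    return "unknown-" + flow.proto


def triage(flows: List[Flow]) -> List[Tuple[str, int, str]]:
    """Return (destination, port, verdict) for every flow that is not a recognised application."""
    flagged = []
    for f in flows:
        verdict = classify(f)
        if verdict not in KNOWN_APPS.values():
            flagged.append((f.dst, f.dport, verdict))
    return flagged


# Constructed sample flows: one legitimate flow per known application plus three that should be flagged.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.2", "udp", 53, build_dns_query("www.example.com")),
    Flow("10.0.0.5", "203.0.113.7", "udp", 53,
         b"\xde\xad\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00beacon:host01"),  # not DNS at all
    Flow("10.0.0.5", "198.51.100.9", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "198.51.100.9", "tcp", 443, b"\x16\x03\x01\x00\xc8\x01"),
    Flow("10.0.0.5", "203.0.113.7", "tcp", 8088, b"\x01\x02\x03\x04\x05\x06\x07\x08"),  # no known app
    Flow("10.0.0.5", "203.0.113.7", "tcp", 80, b"\x00\x00\x00\x10\x7f\x11"),            # binary on the HTTP port
]

if __name__ == "__main__":
    for dst, port, verdict in triage(SAMPLE_FLOWS):
        print(f"{dst}:{port} {verdict}")
```

The parser deliberately checks only what a client query must satisfy (no QR bit, one question, valid label syntax, class IN); anything else on port 53 is reported as `fake-dns` rather than silently passed, which is the conservative choice for an edge device that sees the first packet of every flow.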
Knowing the unknown
Malware is able to defeat blacklists these days. "Blacklists are rendered quite ineffective because it is so easy to create more and more brand new Day Zero malware these days."
Different solutions come into play all along the whole lifecycle of an APT attack.
But to deal with unknown malware, Palo Alto has introduced Wildfire, a cloud-based solution that performs behavioural analysis of malware, so that detection and defence do not rely on reputation or blacklists.
"Wildfire will actually run the bad file in a sandbox and see what it looks like. When a file is doing what it is not supposed to, we will send down its signature to all other firewalls, i.e. our customers."
Why Wildfire?
Brazil shared, "We decode traffic at a deeper level so we can understand applications, even ones that are unknown, and the users that use them." This also involves two other Palo Alto solutions, App-ID and User-ID.
When organisations decode traffic and understand those apps and the users that use them, a third component called Content-ID kicks in. “We understand the content that goes through them and that’s how we understand the threats.”
Brazil explained that visibility even includes SSL encrypted data. “We can look at that selectively (addressing privacy issues) to see what threats are inside them. We can do real-time scanning at the edge of vulnerability.”
Now, besides Wildfire being offered on a public cloud, there is a private cloud version which has the same support and functions as the public cloud but addresses regulated industries such as FSI, telco and government.
“It is a very attractive architecture because you do not need more hardware, just one single appliance for a private cloud, and this talks to other existing firewalls on the Internet edge,” said Brazil.