Dell SonicWall’s multi-engine sandbox approach to capturing evasive malware

As businesses in Asia Pacific become more digitized, enterprises and governments in the region have to ensure that their security programs are kept current and future-proof to prevent breaches from constantly evolving threats.

In 2015, Dell SonicWall noted a rise in the use of exploit kits that have evolved with greater speed, heightened stealth and novel shape-shifting abilities. This is driven by the overwhelming number of exploit kit options that offer attackers a steady stream of opportunities to target the latest zero-day vulnerabilities.

According to the Dell Security Annual Threat Report, there was a 73% increase globally in unique malware samples in 2015 over 2014, most of which were targeted, evasive and zero-day attacks found across computing systems and devices. Dell Security alone blocked 2.17 trillion IPS attacks and 8.19 billion malware attacks throughout 2015.

Covert intelligence

In a recent interview via email with Networks Asia, Kent Shuart, director of APJ SonicWall Product Marketing at Dell Security, pointed out that smarter threats are now designed to evade discovery by single-sandbox approaches to identifying malware. “Organizations need an intelligent, advanced threat detection system that analyzes the behavior of suspicious files and uncovers hidden malware without being found,” Shuart emphasized.

The alarming rise in shape-shifting threat tactics and zero-day attacks has been driving strong customer and partner demand for Dell SonicWall Capture Service, an innovative multi-phase, multi-engine approach to advanced threat analysis that also supports prevention.

In the first phase of this approach, SonicWall employs its Reassembly-Free Deep Packet Inspection engine to inspect files at line speed and identify known threats without slowing down network performance.

Suspicious files are passed on to a second phase, SonicWall’s in-house developed sandbox engine, which is combined with the VMRay third-generation Analyzer threat detection engine and the Lastline Breach Detection platform to deliver the three-layer defense that organizations need to safeguard against unknown threats.

“Malware in 2016 goes beyond infection and has evolved to evading detection,” Shuart said. “Together with our relationship with market leading partners – VMRay and Lastline – and our in-house developed sandbox, the Dell SonicWall Capture Advanced Threat Protection service analyzes suspicious objects in parallel, to deliver a virtually evasion-proof security solution that not only analyzes the file and reports malicious file behavior, but automates security by blocking malware at the gateway until a verdict is determined.”

When the SonicWall Capture sandbox identifies a possible attack or malware, it holds the file until a verdict has been reached on whether the file is safe. Capture uses both system emulation and virtualization techniques, giving better threat detection than single-sandbox solutions.

Once a zero-day threat is identified, the SonicWall GRID network pushes the update to Capture customers in real time and to all SonicWall firewalls within 48 hours. The Dell SonicWall GRID, Dell Security’s cloud forensics platform, leverages real-time analytics from more than one million connected next-generation firewalls worldwide.

A better shave

“Just as shaving razors of today use multiple blades to give a better shave, the multi-engine approach delivers a better, more secure solution,” Shuart explained. “With the SonicWall approach, first a flow method-based inspection is utilized to analyze files at line speed so legitimate files can be quickly passed through, optimizing performance.

“Then, only suspicious files are sent to the Capture sandbox for inspection. Furthermore, competitors that use first generation sandboxing are at greater risk as malware can evade or compromise the single engine to make bad files appear legitimate.”

Dell Security can help organizations in any vertical industry, including retail, healthcare and education, that face a regular onslaught of attacks to protect themselves in two distinct, critical ways. First, they can establish true governance of user and admin access to their network, applications and data. Second, they can achieve deeper security without compromising network performance.

The combination of these security offerings helps organizations rely on one provider to effectively raise productivity and security, without increasing costs.