How long is the wait?
Does this question sound familiar? You have probably asked it several times. Nobody likes to wait. Yet we wait at restaurants, to see the doctor, and to get our hands on the latest cool tech gadget. We spend a lot of time waiting and we have grown accustomed to it. Having to wait even extends to cybersecurity. Waiting twenty minutes for a table may be tolerable, but waiting for an update to secure your network is not.
Today’s state of cybersecurity is constantly changing. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats in real time. The one constant is that there is always a patient zero – the first infected user.
Sandboxes fail to detect and prevent zero-day threats. The problem lies in the implementation of the technology. A sandbox takes time to execute a file, analyze its behavior, and create a signature to identify the threat. Sandbox vendors claim their products can analyze a file and deliver a signature within 30 minutes. By then, the file carrying the threat has already been delivered to the endpoint and potentially forwarded on to many more.
Even worse, threats and malware are designed to evade sandbox detection entirely. In addition to identifying the presence of a sandbox, malware can also distinguish between virtual machine behavior and real user behavior. Once it detects a virtual machine sandbox, malware can stay dormant for more than 30 minutes, or even weeks, to escape detection. If you believe that a 30-minute wait time is acceptable, think again.
A 30-minute wait time can easily become 30 or more days.
Wait, there’s more. Sandboxes are specific to an operating system; most are built to detect threats to Windows in the files and Web content they analyze. The result is that other operating systems are left vulnerable.
The 2015 M-Trends Beyond the Breach report indicates that the median number of days to detect an attack is 205. The longest presence of a threat in a network was 2,982 days.
There is a critical need to detect threats and malware using methods other than sandboxing. Once threats and malware evade perimeter defenses, the phases of a cyber attack that follow typically exhibit a finite number of network behaviors, which makes detection easier. Attackers spy, using techniques such as internal reconnaissance to build a map of your network; spread, escalating privileges and expanding their footprint; and steal, accumulating and exfiltrating data to sell for a profit. All of these activities happen inside the perimeter and out of sight of the firewall and sandbox, and so go undetected.
But wait, there’s good news! Cybersecurity based on data science, machine learning and behavioral analytics can identify attackers spying, spreading and stealing inside the perimeter in real time and automatically correlate these behaviors to the computer under attack. This approach gives security analysts actionable insight to stop the attack and prevent further damage.
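To make the spy, spread and steal correlation concrete, here is an added illustration (not code from the original post or from any vendor product) that scores constructed internal flow records per source host and reports only hosts on which at least two phases fire. The thresholds, the 10.0.0.0/8 "inside" convention and the admin-port list are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes_from_src). 10.0.0.0/8 is "inside".
FLOWS = (
    # spy: one host sweeps thirty internal neighbours with tiny probes
    [("10.0.0.5", f"10.0.0.{i}", 445, 300) for i in range(10, 40)]
    # spread: the same host then holds real admin sessions on two of them
    + [("10.0.0.5", "10.0.0.12", 3389, 8_000), ("10.0.0.5", "10.0.0.21", 445, 12_000)]
    # steal: and pushes a large volume out to an external address
    + [("10.0.0.5", "203.0.113.9", 443, 250_000_000)]
    # benign: a workstation browsing the web and using the file server
    + [("10.0.0.7", "198.51.100.4", 443, 120_000), ("10.0.0.7", "10.0.0.2", 445, 50_000)]
)

ADMIN_PORTS = {22, 445, 3389}   # assumed remote-admin services used to move laterally

def is_internal(ip):
    return ip.startswith("10.")

def phase_scores(flows):
    """Per internal source host: (distinct internal targets, hosts with
    session-sized admin-port traffic, bytes sent to external hosts)."""
    targets, admin, out_bytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            targets[src].add(dst)
            if port in ADMIN_PORTS and nbytes >= 5_000:   # a scan probe is far smaller
                admin[src].add(dst)
        else:
            out_bytes[src] += nbytes
    return {h: (len(targets[h]), len(admin[h]), out_bytes[h])
            for h in set(targets) | set(admin) | set(out_bytes)}

def correlate(flows, fanout=20, admin_hosts=2, exfil_bytes=100_000_000):
    """Return hosts on which at least two attack phases fire, with the phases seen.
    Thresholds are illustrative; a real system would learn them per network."""
    flagged = {}
    for host, (n_targets, n_admin, nbytes) in phase_scores(flows).items():
        phases = []
        if n_targets >= fanout:    phases.append("spy")
        if n_admin >= admin_hosts: phases.append("spread")
        if nbytes >= exfil_bytes:  phases.append("steal")
        if len(phases) >= 2:
            flagged[host] = phases
    return flagged

if __name__ == "__main__":
    for host, phases in correlate(FLOWS).items():
        print(f"{host}: {', '.join(phases)}")   # 10.0.0.5: spy, spread, steal
```

Requiring two correlated phases on the same host is what keeps the benign workstation (one file-server session, modest web traffic) out of the report while the single host that sweeps, moves and exfiltrates is flagged.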
While you wait for a sandbox to deliver a signature (assuming it detects the threat or malware at all), systems based on data science, machine learning and behavioral analytics complement perimeter security devices by detecting indicators of an attack in real time, preventing or reducing the damage caused by threats.
Automating detection of threats in real time is critical to the cyber health of your organization.