Blue Hexagon Blog

Thanks For Making Our Case, Palo Alto Networks: Attackers are Indeed Bypassing Traditional Inline Defenses

When we announced the launch of Blue Hexagon on February 5, we said that, “A new approach is needed, and recent advancements in deep learning make it the ideal technology to address the velocity and volume of attacks.” Our position (and that of the CISO community) is that traditional approaches to network security are being overwhelmed by a relentless, global attack. They can’t keep up. The industry is desperately trying to do better, but incremental improvement is insufficient in the face of an automated onslaught of malicious, morphing malware.

Palo Alto Networks confirmed that point during their February 19 investor conference call announcing the acquisition of security orchestration, automation and response (SOAR) platform developer, Demisto.

In response to one analyst’s question about whether Palo Alto was becoming more focused on data science and analytics, Chairman and CEO Nikesh Arora said, “Today’s approach over time is going to get antiquated, and the notion of deploying a solution and the infrastructure popping up an alert having a SOC analyst data remediate it over 50 or 150 days, by the time the bad actors have come in, taken what they wanted to take and left your infrastructure or perhaps who is sitting in there, is going to make it antiquated.”

“From that perspective,” Arora continued, “you have to believe that things are going to get by the inline sensors that you have in the infrastructure.”

That is a disquieting summary of the state of security in 2019, and a tacit admission that the industry’s consensus focus right now is on improving response and remediation because it can’t yet effectively address detection and prevention. At least not on a scale that matches today’s threat volume.

Arora then went on to say that artificial intelligence is needed to better hunt for and identify threats, and that the acquisition “is our first step to create learning systems for security in the future.”

Blue Hexagon vehemently agrees that AI is the answer. But we think the best place to apply AI is at the network perimeter because the most efficient way to tackle remediation is to stop an attack in the first place. That’s why we disagree with the security industry’s penchant to upsell add-on solutions (that then need to be orchestrated) in an attempt to cover the gaping hole left by the customer’s primary perimeter defense.

Stopping a malicious payload at the point of entry, in real time and before the enterprise is infected, is the holy grail. Blue Hexagon is applying our expertise in deep learning to—for the first time—detect and prevent network threats, including zero-days, in sub-seconds and at wire speed. We recognized that deep learning was the ideal technology to solve the biggest problems in cybersecurity.

Here’s why that’s important. A recent ZDnet article introduced the concept of threat actor “breakout times,” or the time it takes malware to move laterally within a network from the point of initial access. Russian nation-state actors, the most prolific and efficient hackers in the business, have breakout times of about 18 minutes. That means your security team has less than 18 minutes to detect infections and contain them. The bad news is that processing an unfamiliar malware sample can take 12-24 hours using signature and sandbox-based security. The good news is that, using the most advanced deep learning techniques for inspection of the complete network flow (including payloads, headers, C2 communications and URLs), Blue Hexagon can deliver threat verdicts in less than a second and stop attacks cold.

As Palo Alto Networks described in their investor call, threat actors are indeed bypassing “inline sensors” like IPS and malware sandboxes. Let’s fix this problem by harnessing deep learning for network threat protection, rather than compounding the problem with add-on products and more orchestration. It’s okay to expect better from your primary perimeter threat detection.

Let us know what you think. Connect with us at RSA; I’d love to hear your thoughts. And if you’re a CISO, please join us at RSA on Sunday, March 3for our CISO Manifesto event, and help us define the right malware metrics for the industry.