The Need for Speed: Why Signatures and Sandboxes Can’t Keep Up

Danelle Au

As an industry, we spend $96.3B worldwide on enterprise security, up 8% from 2017 (source: Gartner).

Yet breaches are still occurring. Why?

To start, let’s first understand the challenge the industry is facing. Here’s what we know about the threat landscape today:

  • 73% of data breaches are caused by external attackers. (Verizon DBIR, 2018)
  • The industry sees approximately 350,000 new malware threats every day. (AV-Test GmbH, 2017)
  • This equates to four new malware specimens unleashed onto the Internet every second.
  • The time it takes cybercriminals to compromise a system is often also a matter of seconds. (Verizon DBIR, 2018)

Blue Hexagon AI Security Graph

The statistics show us that attackers are operating at a speed that is very hard to match. Attackers have figured out that the way to bypass security systems is speed and volume of attacks. They do this via malware variants – malware authors use automation and a variety of morphing techniques to make their malware look “new again” to evade security controls.

It takes very little time for a system to be compromised. Once the compromise occurs, the attack spreads quickly. What is also interesting from the data is that a focus on stopping attacks at the edge/network segment can pay dividends. However, existing network security products such as signature-based and sandbox-based malware detection systems can’t keep up because of the fundamental flaws in these technologies.

Signature-based Malware Detection

Signature-based malware detection systems use a process in which a unique identifier is established for a threat, such as a pattern of code used by the malware author or the hash of a known malicious file. This means that signature-based malware detection requires a Patient Zero in order to identify a piece of malware the FIRST time. Subsequent identification works only if the malware or malicious file is exactly the same. This means signature-based malware detection works only for known attacks.
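As an added illustration (not from the original post and not Blue Hexagon's code), the following Python sketch compares the two kinds of signature named above, a file hash and a byte pattern, against constructed sample bytes; the samples, the marker string and the signature names are all made up for the example.

```python
import hashlib
from typing import Dict, Optional

# Constructed, harmless byte strings standing in for files. The "marker" is an
# arbitrary string playing the role of a code pattern an analyst extracted from
# the first sample seen (Patient Zero). No real malware is involved.
PATIENT_ZERO = b"MZ\x90\x00" + b"\x00" * 12 + b"CONSTRUCTED-MARKER-STRING" + b"\x00" * 8
# Trivial variant: identical content with one padding byte appended.
PADDED_VARIANT = PATIENT_ZERO + b"\x00"
# Unrelated file that shares neither hash nor pattern with Patient Zero.
UNSEEN_FILE = b"MZ\x90\x00" + b"\x00" * 12 + b"SOMETHING-ELSE-ENTIRELY" + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature databases built from Patient Zero only (constructed names).
HASH_SIGNATURES: Dict[str, str] = {sha256_hex(PATIENT_ZERO): "constructed.sample.a"}
PATTERN_SIGNATURES: Dict[bytes, str] = {b"CONSTRUCTED-MARKER-STRING": "constructed.sample.a"}


def match_hash(data: bytes) -> Optional[str]:
    """Hash signature: matches only a byte-for-byte identical file."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_pattern(data: bytes) -> Optional[str]:
    """Pattern signature: matches any file containing the extracted byte sequence."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def classify(data: bytes) -> Dict[str, Optional[str]]:
    """Run both signature types and report what each one detects."""
    return {"hash": match_hash(data), "pattern": match_pattern(data)}


if __name__ == "__main__":
    for label, sample in [("patient zero", PATIENT_ZERO),
                          ("padded variant", PADDED_VARIANT),
                          ("unseen file", UNSEEN_FILE)]:
        print(f"{label:15s} -> {classify(sample)}")
```

The padding-only variant defeats the hash signature but not the pattern signature, while the unseen file defeats both until an analyst has seen it and written a new signature; that is the Patient Zero dependency described above.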

Sandboxing-based Malware Detection

Malware sandboxes use dynamic analysis to determine the runtime effects of malware. The premise is that by detonating a file in a “virtual sandbox”, security teams let the malware execute the way the attacker intended. Bad behavior is observed, the file is designated malicious, and another signature is created for it. However, this process is slow. Imagine how many unknown files would need to be executed given the volume of malware variants we’re seeing today. Malware sandboxes also have limitations on the size of files that can actually be detonated. Malware that can evade sandbox detection is also becoming increasingly common.

Is there a better way? For the past ten years, we’ve relied on signature- and sandbox-based detection systems while attackers have innovated and automated. Compromise happens in seconds, so we need a solution that:

  1. Detects and prevents threats in seconds!
  2. Works for known and unknown threats in ONE product.
  3. Operates at 10 Gbps wire speed without introducing latency.
  4. Does NOT require a PATIENT ZERO. It should work right the first time!
  5. Deploys flexibly wherever threats are: enterprise edge, network boundaries, network segments.

We believe real-time deep learning is the answer. More to follow about speed of detection and deep learning in our next blogs.