Zero Day May Be Too Late. Do you have Zero Second Protection?

February 5, 2019

Once an infected file enters your network, the timer begins. From one breached machine, attackers can make lateral moves around your IT environment, moving to access critical infrastructure or assets such as customer databases. They can also escalate privileges by stealing user credentials to gain more and more control and visibility. In short, the longer a hacker is inside your network, the more damage they can do.

Finding these attackers once they’ve breached your four walls can be a lengthy and arduous task, reliant on the hacker making mistakes and drawing attention to themselves, or deep visibility tools that show every communication and flow. The SANS 2017 Incident Response Survey showed that for as many as 50% of organizations, this dwell time is more than 24 hours. With the speed of today’s threats, even 24 seconds might be enough to cause irreversible damage.

Understanding the Limitations of Detection Tools

Today’s security solutions boast the ability to find threats faster than any other, to identify unusual behavior and to limit dwell time. They promise that they can detect any anomalies and stop threats in their tracks. They tend to use signature-based detection to identify a problem, and then incident response tools to prevent it spreading further.

The problem with signature-based detection is that it’s living in the past. Using a known database of existing attacks, it can spot threats which have already been brought into the public conscious. What it can’t do, is recognize new threats that haven’t been seen before. As 8 new cyber threats are discovered every second, enterprises need to be ahead of the game. Risks such as Advanced Persistent Threats (APTs) may not make themselves known when they breach your network, insidiously making moves under the surface to steal resources or bide their time to uncover sensitive data. If these slip past your radar, you might not realize until it’s too late.

With the latest threats, another consideration is the delay involved for organizations to update threat databases. Solutions like Palo Alto Network’s Wildfire publish that it takes around 30-60 minutes to generate a signature and to make it available for their subscribers to benefit from. Look at a devastating ransomware attack like WannaCry. The first victim opened an unsafe email attachment at around 8.30am, and the attack had hit hundreds of thousands of victims by midmorning. Minutes, or even seconds, may not be enough. Secure organizations need a solution that solves a problem in zero seconds flat.

A Change in Perspective

Firstly, identify the biggest threats to your enterprise. Many experts agree that file-based malware is one of the easiest ways for attackers to gain a foothold. “The widespread use of file sharing between organizations is to some extent a dream come true for a cyber-criminal,” according to Darren Thomson, chief technology officer of Symantec. “If you can exploit a file sharing vulnerability, then you can get to tens or even hundreds of thousands of users.”

Minimizing threats means changing your point of view about what you expect from your security solution. If you are looking for a detection tool, you will always be one step behind, waiting for something to find, or for a risk that matches a particular pattern.

Being able to safeguard any and every file as it enters your network perimeter is, therefore, a huge advance on signature-based detection.

Moving from Detection to Prevention

A prevention technique takes this new approach. Votiro CDR does not use detection methods to identify unsafe files. It also doesn’t need human interaction to mark a file or attachment as a potential threat, an administrative process that slows down security and creates bottlenecks. Instead, every single file that enters your perimeter is taken apart, disarmed and reconstructed as a new and safe version of itself. No exceptions. The process takes under one second, and no file-based malware ever reaches its patient zero.

Zero second response time means that hackers are not allowed even one second on your network, blocked from even the possibility of entry. This approach eliminates the fear of lateral movement, as well as the constraints of signature-based detection. Why would you accept anything less?