Ransomware, part 2: The role of cloud sandboxing in ransomware protection
In PART 2 of our 3-part series on Ransomware, we look at the role of Sandboxing in ransomware protection.
Protection from attack requires a multi-layered approach, incorporating cloud sandboxing to block malicious traffic.
What is cloud sandboxing?
There can be no doubt that every organisation now requires advanced malware protection. Cloud sandboxing is a dynamic analysis technique designed to identify malware that doesn’t rely on the use of signatures, taking a fundamentally different approach. It is a technique that has been leveraged by the research community for some time and is now seen as a critical component of a defence-in-depth strategy due to increasingly complex attacks that are simply not identified by traditional signature-based approaches.
Cloud Sandboxing takes a fundamentally different approach.
Rather than looking for known content within a given sample, it instead relies on monitoring the behaviour of the sample when executed. In this way, when a new attack vector is exploited, even when dealing with a true zero-day, malware can still be flagged as malicious based not on the exploited vulnerability but rather on the behaviours exhibited.
Why is cloud sandboxing analysis needed?
Simple. Because static, signature-based methods just don’t get the job done:
- URL filtering fails because malware can be hosted anywhere and is commonly hosted at “legitimate” sites as opposed to attacker-controlled domains. Getting past these controls is now a simple task.
- Antivirus, being signature-based, is ineffective against new attacks. It’s like trying to match a fingerprint or DNA sample to a criminal who has never before had his/her data recorded. To make matters worse, simply re-encoding a binary file is often sufficient to bypass a signature that was previously known.
What are the limitations of appliances?
Between remote employees, satellite offices, and SSL-encrypted traffic, organisations which made significant investments in appliance-based solutions have quickly realised that only a fraction of their overall traffic is being inspected. And because visibility is critical in security, all traffic must be inspected, regardless of the source or delivery mechanism. In order to be effective, we must be able to analyse binaries regardless of employees’ location, the devices they are using, or the protocols being used to access information. And of course all of this needs to be done without any performance issues as seen by the users. This is where appliance vendors fail, as they will simply argue that more and larger boxes are required to handle the load.
Get full visibility and stop unknown threats in real time
Zscaler Cloud Sandbox delivers inline protection and a complete picture of the threats targeting your users.
Cloud Sandboxing is a standard component of Zscaler Internet Access »