One of the most difficult things about securing your enterprise is that threats change so rapidly. You used to be able to defend yourself against specific types of threats, like viruses, and know that you were probably well-protected. Modern threats are completely different, which is why we have to approach security in terms of threat vectors and attack surfaces.
We identified six threat vectors in our last blog, and talked about why it's important to give each its own layer of protection. Threats are evolving quickly, and criminals are better at their work than ever before. The IT security industry has been developing new methods to protect the public from these threats. Here are some of the more significant innovations we've made in threat defense.
Deep Machine Learning
In the last five years tremendous progress has been made in the field of artificial intelligence (AI) – more progress than in the fifty years prior. The progress is driven by the availability of computing power and advanced algorithms, enabling machines to beat contestants in Jeopardy, find cures for our medical problems and drive our cars. It stands to reason that the same approach could be used to ensure that we do not receive bad email.
Deep machine learning is only as effective as the data used to train it. The more diverse the training set is, the more likely it is that we will catch all bad messages without also stopping good ones from going through. At Barracuda we have been working for 13 years on email security and we have the most diverse training data set available. Today our deep machine learning system is responsible for ensuring that some of the most nefarious messages never reach your inbox.
Multi-Level Intent Analysis
Sometimes the true intent of a message can only be discovered by following the links embedded in the email and then following links on the resulting websites. The nefarious content could be buried several hops deep to avoid detection. Our engine is capable of discovering it and making sure that the message linking to the bad external content is properly blocked.
Real-Time Link Protection
Oftentimes, at the time the message is scanned and delivered, the included links point to perfectly safe websites. Minutes, hours or even days after sending the message, attackers modify the site to carry malicious content. To protect the user from accessing such sites, the original links present in the message can be rewritten so that every click is redirected through a site operated by your security vendor, which makes a real-time determination of the target website's reputation. If the site has turned malicious, the user receives a warning and is stopped from proceeding any further.
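The rewrite-at-delivery, check-at-click flow described above, as an added Python example that is not Barracuda's code: the redirector host, the blocklist and the HMAC signing of the original URL (so the redirector only honours links it issued and cannot be turned into an open redirector) are all assumptions made for the example.

```python
import hmac, hashlib, re
from urllib.parse import quote, urlparse, parse_qs

# Constructed values for this example: a real deployment keeps the key in a KMS
# and the redirector is the security vendor's own service.
SIGNING_KEY = b"example-link-rewrite-key"
REDIRECTOR = "https://linkprotect.example.invalid/r"   # hypothetical host
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _sign(url: str) -> str:
    """HMAC over the original URL, so the redirector only honours links it issued."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_link(url: str) -> str:
    """Replace one original URL with a redirector URL carrying it and its signature."""
    return f"{REDIRECTOR}?u={quote(url, safe='')}&sig={_sign(url)}"

def rewrite_message(body: str) -> str:
    """Rewrite every http(s) link in a message body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_link(m.group(0)), body)

def resolve_click(rewritten: str, blocked_hosts: set[str]) -> tuple[str, str]:
    """Click-time decision: 'reject' (missing or forged signature), 'warn' (host
    is now known bad) or 'allow' (redirect to the original URL). The verdict is
    computed at click time, not at delivery, which is the point of rewriting."""
    q = parse_qs(urlparse(rewritten).query)
    url, sig = q.get("u", [""])[0], q.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig, _sign(url)):
        return "reject", ""
    if (urlparse(url).hostname or "") in blocked_hosts:
        return "warn", url
    return "allow", url

if __name__ == "__main__":
    msg = "Invoice ready: http://billing.example.invalid/pay?id=42 (constructed)"
    rewritten = rewrite_message(msg)
    print(rewritten)
    # Later the host is listed as malicious; the same link now yields a warning.
    print(resolve_click(rewritten.split()[2], {"billing.example.invalid"}))
```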
Advanced Threat Detection
Malicious email attachments are a primary means of spreading malware, including ransomware. The classical way of detecting bad files is based on comparing the signature of a known malware file to the attachment. This process worked very well when malware writers developed a single program and tried to distribute it to millions of computers. It was a race between the malware distributor and the security companies to discover the malware, analyze it, develop a signature, and then publish it to all systems that needed protection. A few users would be infected, but the vast majority were protected – inoculated – against this specific piece of malware.
Unfortunately, malware developers realized that in order to be more effective they should start developing malware in such a way that each attachment targeted at an individual user is a little different from the one delivered to someone else. Polymorphic malware was born and signature-based detection became much less effective.
The security community responded in a variety of ways – using heuristic (aka machine learning) methods to track the properties of the malware and any metadata present, stripping files of anything superfluous to remove polymorphism, and finally sandboxing to determine the true intent of the malicious file. Using sandboxing we can run the file in a secure, isolated environment to observe whether its actions are potentially malicious. The process is both time-consuming and expensive, but it does result in high detection rates for malware that could not be caught through the other layers.
What does this mean for you?
These technologies all work together to learn new patterns and protect you from the latest threats. Comprehensive threat protection simply wouldn't be possible without them.
If you'd like to know more about defending yourself from ransomware and other threats, visit these resources:
- NoMoreRansom project
- The evolution of ransomware
- Microsoft Malware Protection Center
- Ransomware blog posts
In our next post we will talk about why email is the number one threat vector.