Rapid analysis of potential malware threats a reality

If you can fit a square peg in a round hole, and solve a Rubik's cube in milliseconds, you might just be the Hybrid Analyzer.
7 October 2022

The Hybrid Analyzer – a better malware sifter?

We are constantly told that the wave of malware is rising. We’re told that for the very good reason that it’s true. But the problem with blocking potential malware at source is that it’s a two-factor problem. You need to scan potentially infected files fast enough that they cannot fire auto-executing payloads that destroy or ransom your data before a verdict arrives. And you need to scan them deeply enough that the verdict is worth acting on in the first place. What joins those two factors together is the need not to impinge on the user experience to an unacceptable degree.

Square peg, round hole, ticking clock. The results up to now have been skewed one of two ways. Shallow scanning gets you a fast result, but significantly less certainty about the danger. Deep scanning gets you incisive detail on one particular threat, but probably not fast enough to act on the information. Either way, what you end up with is effectively useless information.

Square pegs and round holes

We sat down with Hallgrímur Björnsson, Director of R&D at Cyren – a company with an OEM product (the superbly named Hybrid Analyzer) which, Björnsson claims, can square the circle, and offer deep automatic threat analysis at very actionable speed.

THQ:

We hear a lot about the idea that the malware threat is rising. And lots of companies are just arming themselves with every available mitigation tool they can get their hands on. To what degree, as far as we know, are they overspending on cybersecurity as a result?

HB:

This is a very wide field, full of very, very different tools and services, and intelligence and information that you can purchase to protect you from various threats. But malware in files is, as you say, rising exponentially. So there is a growing gap between what the technology or today’s solution can do and this rising tide. The tide scales faster than we can meet that growth.

Then in some cases, there is the shotgun approach. That’s where the situation arises where you either choose to go too deep into too many files, which only lets you get the information too late for it to be useful, (as in the case of a sandbox), or you are just scanning everything, but you miss a lot of the unknown malware.

A view to a kill

You don’t need a shotgun for this job. You need a sniper rifle. So if you’re spending on anything that doesn’t do the job of a sniper rifle – precise targeting and elimination of threats – you could argue you’re overspending on your cybersecurity.

Perversely, while you’re probably overspending in some areas, you’re also probably underspending in others. Think about this – most malware comes into your system buried in files. And, rightly to some extent, because it’s still a very popular way to get files into systems, companies focus on protecting their email from malware. Good. Great.

Which company do you know that solely communicates by email these days? There’s Slack, there’s Teams, there’s LinkedIn, there’s Messenger, there are Dropbox, WeTransfer, Google Drive – you name it, we live in a multi-file-transfer jungle. But a lot of the attention – and therefore a lot of the money – goes on protecting, if you like, the front door, the email system. We need to greatly expand our understanding of how files come to us. And we need to do that so that the CIO can justify spending money on shutting every available door to malware – without interrupting the user experience too much.

THQ:

That’s going to be tricky, because as you say, email is the ‘known threat’ – so there’s no difficulty persuading a board to spend money on securing it. But there haven’t been ‘enough’ high-profile cases yet to justify protecting against malware that comes through those other channels, have there?

Close every window

HB:

That’s exactly right, but I would put it differently. The threat is in the file. So where there is a file, there is a threat of it being malicious. So if you focus only on email, you’re ignoring all the other doors and windows through which a file that could be malicious can get into your systems.

THQ:

So we’re expecting there to be more and more high-profile cases with malware coming through these other channels in the next year or so?

HB:

Absolutely. Where there are files, there is the danger of malware – and there are now files coming into our systems through lots of portals, not just email.

THQ:

And of course from a cyberattacker’s point of view, that makes sense – while everybody’s focusing on the front door, you go around the back and open a window.

HB:

Absolutely. Email is still a threat, of course, and we can do a better job, but bottom line, it’s all about the files.

THQ:

Of the two factors – depth of scan and speed of scan – how important is the speed element?

HB:

Enormously important. If you don’t stop a cyberattack in the appropriate time window, all you have is a forensic case from which to improve in the future, but your data right now is gone.

And of course, most of what’s out there right now is only good at blocking the kind of malware that’s out there right now. And that’s great – but that’s not the issue.

The issue is how you handle the malware you don’t know about.

Enter the Analyzer…

THQ:

So talk us through the Analyzer. You say it can deliver both speed and detail?

HB:

We just launched it on September 30th. Many companies may not know us, we’re kind of a “behind the scenes” company, but we have a large number of well-known customers, like Checkpoint, Google, Microsoft, and others. We’re usually in the back-end, scanning files for the likes of Google, and email providers.

The analyzer produces detailed file analysis at high speed and massive scale for service providers, technology companies and very large enterprises. So there is an emphasis on very large scale.

THQ:

What sorts of speeds and scales?

HB:

We are talking about being able to deliver a result within a second, and very often half a second or even less. Microseconds, you know? And then being able to do this on the scale of Google. With Gmail, you’re able to scan or analyze every single email attachment, that sort of scale.

That’s where this speed really shines. And that’s why this is a differentiator for us. This gives you capabilities which you can apply in different ways, but implementing smarter policies is one. You can make much smarter choices about how you write your email policies to protect your customers with this sort of speed and scale at your back.

And then from a financial point of view, you can spend less on sandbox analysis, meaning you don’t need to throw everything at the sandbox, you can be a little bit smarter about it, because this gives you the data you need in 99% of the cases, so you have to refer to the sandbox more rarely.

The thing is that the vast majority of malware is already detected. But all the trouble comes from the small percentage that isn’t. So the gap we’re addressing here is essentially the compromise between speed and depth of analysis. The Analyzer gives you sandbox-like analysis, but with speed and useful throughput rates.

It deploys rather than executes. You get behavior data, you get structural data, it identifies the system calls and the files it is trying to access, but it doesn’t require you to actually run the file in the real thing, or close to the real thing, which would be a sandbox.

It’s enormously leaner than a traditional sandbox, and we emulate the operating system or the operating environment, like Office. But it’s not the real thing, which means it can do things really fast and get a lot of the data you would get from a sandbox… without being a sandbox.

The non-sandbox sandbox

The Analyzer gives you an overall threat score, and a scan, with some overall statistics. And you get an overview of indicators that can show you why the Analyzer has flagged up a file as potentially malicious – be it evasion commands, automatic execution, download activity or whatever. And it scores each of these out of 100, to show you how certain the Analyzer is that this is malicious.

And it can do that for every file, in the space of around 60 milliseconds.

We’ve got millions of apps these days. You can apply the Analyzer to make some decisions in real time about policies that you can apply for your customers. So let’s say you’re an email service provider handling thousands of companies, you’re providing them an email service, outbound and inbound, and you want to go beyond just blocking the malware, you want to make a smarter decision.

What does a smarter decision look like? Well, say you have a restaurant chain as your customer. And there’s an accounts department. You can say “I am going to be much more conservative with the restaurant when they receive a file – say an Excel file – containing a macro, than I am with the accounts department”, because you know that a restaurant is rarely going to need Excel files with macros in, whereas the accounts department may well. So you can make cause- and likelihood-based decisions in what you allow through, which improves the overall customer experience.
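The policy layer Björnsson sketches (a fast per-file verdict with per-indicator confidence scores, combined with what a given recipient group legitimately receives, so that only genuinely ambiguous files are escalated to a sandbox) can be written down concretely. The following is an added example written for this article; it is not Cyren’s code and not part of the interview. The result shape follows the interview’s description (an overall score plus indicators such as evasion, automatic execution and download activity scored out of 100), but every field name, threshold, department policy and sample verdict below is an assumption chosen for illustration.

```python
"""Risk-based routing of scanned attachments by recipient context.

Added example: not Cyren's Hybrid Analyzer code and not from the interview.
The result shape (overall threat score plus per-indicator confidences out of
100) follows the interview's description; all field names, thresholds and
department policies are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Indicator names the interview gives as reasons a file gets flagged.
HIGH_RISK_INDICATORS = ("evasion", "auto_execution", "download_activity")
STRONG = 80  # assumed per-indicator confidence treated as a firm signal


@dataclass(frozen=True)
class ScanResult:
    filename: str
    threat_score: int                               # 0-100 overall verdict
    indicators: dict = field(default_factory=dict)  # name -> confidence 0-100
    has_macro: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    macro_expected: bool  # does this recipient group legitimately get macro documents?
    block_at: int         # overall score at/above which the file is dropped outright
    sandbox_at: int       # overall score at/above which an ambiguous file is detonated


@dataclass(frozen=True)
class Decision:
    action: str           # "block" | "quarantine" | "sandbox" | "allow"
    reason: str


def decide(result: ScanResult, policy: Policy) -> Decision:
    """Turn a fast analyzer verdict plus recipient context into an action.

    Confident verdicts are acted on immediately; only the ambiguous middle
    band goes to a sandbox, which is what keeps sandbox volume low.
    """
    score = result.threat_score
    strong = [k for k in HIGH_RISK_INDICATORS if result.indicators.get(k, 0) >= STRONG]

    if score >= policy.block_at or len(strong) >= 2:
        return Decision("block", f"score {score}, strong indicators {strong}")

    # A macro document arriving where macros are never legitimately used is
    # held for review regardless of score: the recipient's base rate, not
    # only the file, drives the decision.
    if result.has_macro and not policy.macro_expected:
        return Decision("quarantine", f"macro document unexpected for {policy.name}")

    if score >= policy.sandbox_at or strong:
        return Decision("sandbox", f"ambiguous: score {score}, indicators {strong}")

    return Decision("allow", f"score {score} below {policy.sandbox_at}")


def sandbox_fraction(results, policy: Policy) -> float:
    """Share of a batch that still needs detonation under a given policy."""
    if not results:
        return 0.0
    sent = sum(1 for r in results if decide(r, policy).action == "sandbox")
    return sent / len(results)


# Assumed tenant policies: a restaurant rarely needs macro spreadsheets,
# an accounts department often does.
RESTAURANT = Policy("restaurant", macro_expected=False, block_at=70, sandbox_at=40)
ACCOUNTS = Policy("accounts", macro_expected=True, block_at=80, sandbox_at=50)

# Constructed sample verdicts (not real analyzer output).
SAMPLES = [
    ScanResult("invoice.xlsm", 35, {"auto_execution": 40}, has_macro=True),
    ScanResult("dropper.docm", 92,
               {"evasion": 95, "auto_execution": 90, "download_activity": 88},
               has_macro=True),
    ScanResult("menu.pdf", 12),
    ScanResult("quote.xlsx", 55, {"download_activity": 85}),
]

if __name__ == "__main__":
    for policy in (RESTAURANT, ACCOUNTS):
        for r in SAMPLES:
            d = decide(r, policy)
            print(f"{policy.name:10} {r.filename:14} -> {d.action:10} ({d.reason})")
        print(f"{policy.name}: {sandbox_fraction(SAMPLES, policy):.0%} of batch sent to sandbox")
```

The same macro-bearing invoice is quarantined for the restaurant tenant but allowed for the accounts tenant, the obvious dropper is blocked for both without any sandbox round-trip, and only the one file with a single strong indicator in the middle score band is detonated. Thresholds would be tuned per tenant from observed false-positive rates; the point is that the fast verdict carries enough detail to make that tuning possible.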


For the moment, Cyren is keeping the Analyzer “behind the scenes” as an OEM product, so if you experience it, you may well never know it unless, for instance, your email provider tells you so – which it is of course unlikely to do. There may be an enterprise version in development down the line, but for now, it’s an example of high-tech development being applied to the seemingly unsolvable problem of stopping malware before it reaches you: at speed, and with sufficient analytical depth to allow action to be taken against would-be cyberattackers before they get to your systems.