SonicWall, the trusted security partner protecting more than 1 million networks worldwide, reveals that a new Capture Cloud engine has discovered hundreds of new malware variants not seen before by sandboxing technology. Through the use of previously unannounced patent-pending technology, SonicWall Capture Labs security researchers engineered an advanced method for identifying and mitigating threats through deep memory inspection — all in real time.
“Threat actors have been so far ahead of the game they’ve been able to create highly evasive malware without the greater industry even knowing,” said SonicWall President and CEO Bill Conner. “This new real-time deep memory inspection technology, coupled with more than a decade of machine-learning experience, will help level the playing field and eliminate some of the most challenging attack vectors. The new engine is the latest addition to our Capture Cloud Platform that reinforces our leadership position.”
The new SonicWall Capture Cloud Real-Time Deep Memory Inspection (RTDMITM) technology and engine has been operational for months and is discovering hundreds of malware strands not detected by sandboxing technology.
“This is a revolution in engineering, execution and innovation,” said General Michael Hayden, Principal at the Chertoff Group, a global advisory firm focused on security and risk management. “To introduce this technology in the relatively early stages of these advanced attacks is a huge win for the security industry, as well as the public and private sectors.”
SonicWall is unveiling this new technology to strengthen the company’s automated real-time breach detection and prevention platform. SonicWall RTDMI is a patent-pending technology and process utilized by the SonicWall Capture Cloud to identify and mitigate even the most insidious modern threats, including future Meltdown exploits. The new RTDMI technology:
- Proactively detects and blocks unknown mass-market malware via deep memory inspection in real time
- Detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via custom encryption
- Forces malware to “reveal” its weaponry into memory
- Identifies and mitigates sophisticated attacks where weaponry is exposed for less than 100 nanoseconds
On Jan. 3, a new processor vulnerability, known as Meltdown, was published by Google’s Project Zero security team. A successful exploit of this vulnerability could allow an attacker to access sensitive information (e.g., passwords, high value crypto keys, login cookies, VPN credentials) inside protected memory regions on modern processors.
SonicWall Capture Labs threat researchers have validated SonicWall RTDMI technology is also effective against future exploits built on the Meltdown vulnerability, via the engine’s real-time analysis of instruction and memory usage.
How SonicWall Real-Time Deep Memory Inspection Works
SonicWall deployed the RTDMI engine into the SonicWall Capture Cloud Platform and is leveraging the technology to support SonicWall’s layered security platform, which includes next-generation firewalls, wireless network security, email security, secure mobile and remote access offerings, as well as cloud and IoT solutions.
SonicWall’s RTDMI technology detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via encryption. By forcing malware to reveal its weaponry into memory, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware.
Sandbox engines execute files in a virtual environment, log the resulting activity, and then, after execution, look for and attempt to correlate malicious behavior. The correlation and scoring of these activities and behaviors are prone to both false positives and false negatives.
Modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments, to allow malicious behavior to remain hidden. These techniques often hide the most sophisticated weaponry, which is only exposed when run dynamically and, in most cases, is impossible to analyze in real-time using static detection techniques.
SonicWall Capture Labs researchers leveraged a variety of deep-learning techniques to analyze code blocks of hundreds of terabytes of malware and related high-quality metadata of extracted features, and those combined insights resulted in the RTDMI solution.
“Sandbox techniques are often ineffective when analyzing the most modern malware. SonicWall’s RTDMI technology is very fast and very precise, and can mitigate sophisticated attacks where the malware’s most protected weaponry is exposed for less than 100 nanoseconds,” said John Gmuender, SonicWall CTO.
The Evolution of DPI
In 2004, SonicWall Capture Labs researchers pioneered the use of machine learning for threat analysis, and those insights and innovations led to the patented Reassembly Free Deep Packet Inspection technology scanning files for threats without requiring reassembly — on the fly blocking in real-time — resulting in a low-latency, high-throughput solution without memory constraints. Today, SonicWall’s machine-learning technology powers the protection provided by the Capture Cloud Platform.
“More than a decade ago we pioneered the use of reassembly-free, deep-packet inspection for the security industry, which changed the speed and effectiveness for inspecting and mitigating advanced cyber threats in real-time,” said Gmuender. “Coupled with our deep experience in machine learning and artificial intelligence, our advances in cloud technology allow us to quickly extend this value to our partners and customers. And we will continue to do so with future innovation in threat detection and prevention. Combining our deep security domain expertise with our experience and innovation in AI, we are continuing to take the offensive in the cyber arms race.”
For More Information
To learn more about opportunities to partner with SonicWall, please visit: