SonicWall launches real-time deep memory inspection technology; effective against Meltdown processor vulnerability

SonicWall, a security partner protecting more than 1 million networks globally, revealed on Tuesday that a new Capture Cloud engine has discovered hundreds of new malware variants not seen before by sandboxing technology.

Through the use of previously unannounced patent-pending technology, SonicWall Capture Labs security researchers engineered an advanced method for identifying and mitigating threats through deep memory inspection — in real time.

The SonicWall Capture Cloud Real-Time Deep Memory Inspection (RTDMI) technology and engine has been operational for months, and is discovering hundreds of malware strands not detected by sandboxing technology.

SonicWall is unveiling this technology to strengthen the company’s automated real-time breach detection and prevention platform. SonicWall RTDMI is a patent-pending technology and process utilized by the SonicWall Capture Cloud to identify and mitigate even the most insidious modern threats, including future Meltdown exploits.

The new RTDMI technology proactively detects and blocks unknown mass-market malware via deep memory inspection in real time; detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via custom encryption; forces malware to “reveal” its weaponry into memory; and identifies and mitigates sophisticated attacks where weaponry is exposed for less than 100 nanoseconds.

On Jan. 3, a new processor vulnerability, known as Meltdown, was published by Google’s Project Zero security team. A successful exploit of this vulnerability could allow an attacker to access sensitive information such as passwords, high-value crypto keys, login cookies and VPN credentials, inside protected memory regions on modern processors.

SonicWall Capture Labs threat researchers have validated SonicWall RTDMI technology is also effective against future exploits built on the Meltdown vulnerability, using the engine’s real-time analysis of instruction and memory usage.

“Threat actors have been so far ahead of the game they’ve been able to create highly evasive malware without the greater industry even knowing,” said SonicWall President and CEO Bill Conner. “This new real-time deep memory inspection technology, coupled with more than a decade of machine-learning experience, will help level the playing field and eliminate some of the most challenging attack vectors. The new engine is the latest addition to our Capture Cloud Platform that reinforces our leadership position.”

“This is a revolution in engineering, execution and innovation,” said General Michael Hayden, principal at the Chertoff Group, a global advisory firm focused on security and risk management. “To introduce this technology in the relatively early stages of these advanced attacks is a huge win for the security industry, as well as the public and private sectors.”

SonicWall deployed the RTDMI engine into the SonicWall Capture Cloud Platform and is leveraging the technology to support SonicWall’s layered security platform, which includes next-generation firewalls, wireless network security, email security, secure mobile and remote access offerings, as well as cloud and IoT solutions.

SonicWall’s RTDMI technology detects and blocks malware that does not exhibit any malicious behavior and hides its weaponry via encryption. By forcing malware to reveal its weaponry into memory, the RTDMI engine proactively detects and blocks mass-market, zero-day threats and unknown malware.

Sandbox engines execute files in a virtual environment, log the resulting activity, and then, after execution, look for and attempt to correlate malicious behavior. The correlation and scoring of these activities and behaviors are prone to both false positives and false negatives.

Modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments, to allow malicious behavior to remain hidden. These techniques often hide the most sophisticated weaponry, which is only exposed when run dynamically and, in most cases, is impossible to analyze in real-time using static detection techniques.

SonicWall Capture Labs researchers leveraged a variety of deep-learning techniques to analyze code blocks of hundreds of terabytes of malware and related high-quality metadata of extracted features, and those combined insights resulted in the RTDMI solution.

“Sandbox techniques are often ineffective when analyzing the most modern malware. SonicWall’s RTDMI technology is very fast and very precise, and can mitigate sophisticated attacks where the malware’s most protected weaponry is exposed for less than 100 nanoseconds,” said John Gmuender, SonicWall CTO.

Leave a Reply

WWPI – Covering the best in IT since 1980