The occurrence of SSL-based threats is continuing to rise. Hackers are getting more and more creative in how they deliver threats, which creates new inspection challenges. Attend this webcast to discuss the latest attack trends and best practices you can employ within your Zscaler installation to bolster your security.
11. Zscaler Cloud Threat Intelligence – Sandbox SSL/TLS threats
Taking callbacks to a new level
• Distribution of new unique malicious payloads seen in Zscaler Cloud Sandbox leveraging SSL/TLS for C&C activity
• 60 percent were comprised of multiple Banking Trojan families (Dridex/Emotet, Trickbot, Zbot etc.)
• 25 percent were comprised of ransomware families
• 12 percent were comprised of Infostealer Trojan families (Fareit, Papras, etc.)
SSL Blacklist (sslbl.abuse.ch)
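The slide above attributes its callback data to SSL Blacklist, which publishes SHA1 fingerprints of certificates seen in malware C&C traffic. As an added example (not from the webcast and not Zscaler's code), the script below matches the server-certificate fingerprints recorded by a TLS-inspecting gateway against such a list and also flags self-signed certificates, the other indicator the deck calls out. The blocklist rows, hashes and log lines are constructed placeholders, not real SSLBL entries.

```python
"""Callback detection over TLS-inspection logs (constructed data)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed blocklist in the column layout of an SSLBL-style CSV export
# (listing date, SHA1 of the server certificate, listing reason).
# The hashes are placeholders, not real SSLBL entries.
BLOCKLIST_CSV = """# Listingdate,SHA1,Listingreason
2017-10-02 09:12:01,0123456789abcdef0123456789abcdef01234567,Dridex C&C
2017-10-03 14:40:22,89abcdef0123456789abcdef0123456789abcdef,TrickBot C&C
"""

# Constructed gateway log: user, SNI, cert SHA1, issuer, subject.
PROXY_LOG = """alice,update.example-cdn.net,0123456789abcdef0123456789abcdef01234567,CN=Example CA,CN=update.example-cdn.net
bob,203.0.113.45,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,CN=localhost,CN=localhost
carol,www.example.org,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,CN=Example CA,CN=www.example.org
"""


@dataclass
class Finding:
    user: str
    sni: str
    reason: str


def load_blocklist(text: str) -> Dict[str, str]:
    """Map certificate SHA1 (lower-case) to listing reason, skipping '#' comment lines."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {sha1.lower(): reason for _date, sha1, reason in rows}


def scan(log_text: str, blocklist: Dict[str, str]) -> List[Finding]:
    """Return one Finding per log line whose certificate is listed or self-signed."""
    findings: List[Finding] = []
    for user, sni, sha1, issuer, subject in csv.reader(io.StringIO(log_text)):
        sha1 = sha1.lower()
        if sha1 in blocklist:
            findings.append(Finding(user, sni, f"certificate listed: {blocklist[sha1]}"))
        elif issuer == subject:
            # Self-signed certificate: not proof of C&C, but worth analyst review.
            findings.append(Finding(user, sni, "self-signed certificate"))
    return findings


if __name__ == "__main__":
    for hit in scan(PROXY_LOG, load_blocklist(BLOCKLIST_CSV)):
        print(f"{hit.user} -> {hit.sni}: {hit.reason}")
```

Without SSL inspection the gateway never sees the certificate SHA1 or issuer fields, so both checks are blind on encrypted callbacks.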
17. How Files and Websites Spread Malware
Infection Stage / Hunting Stage
1. User browses trusted web page with compromised content (iFrame redirect)
2. Hackers' web servers deliver the initial file and keep the exploit server hidden
3. Exploit server creates new malware samples on demand to bypass signature detection (exploit & call home)
4. Malware .EXE (.exe, archive or embedded script) delivers final payload; enables command and control; enables final hacking objectives
Objectives: Ransom, Exfiltrate, Propagate
18. Breaking the kill chain with Zscaler
Kill chain stages:
• Recon and Creation: Survey defenses, planning attack, create payload
• Delivery: Via trusted/untrusted sites and web content
• Exploitation: Payload exploits unpatched vulnerability
• Installation: Installing malware onto asset
• Command & Control (C2): Remote control, additional malware downloads
• Action on Objectives: Lateral movement, data exfiltration, disruption, etc.
Zscaler controls:
• Destination Based Blocking: Malicious hosts, sites, botnets; phishing, GEO, protocol & ACLs
• Inline Content Control: File, user, group and QoS control; signature-based AV and IPS; complete packet ByteScan
• Browser Control: Web content scanning, risk based analysis, app control; risk based scoring
• Sandboxing: Dynamic & behavioral analysis of user content
• DNS Security
• Botnet and Callback Detection
• DLP Security
• Full SSL Inspection (across all stages)
Find and stop more malicious threats
• 10% increase
• Google predicted 80% of traffic to all Google properties will be SSL
• Mozilla page loads over HTTPS is 66.5%
• AV, sandboxing, IDS/IPS, DLP, etc. are rendered useless without the ability to decrypt SSL
• Compromised sites, squatted domains, etc.
• Self-signed, compromised, etc.
• 21 => 45
Platform approach a key piece
Zscaler Cloud Sandbox easily scales protection to all users regardless of location.
Typical centralized appliances are not able to deliver complete protection for users off network. Malware can exploit the system and then spread laterally once the system connects to the network.
Additionally, centralized appliances usually remain in tap mode and rarely make it inline, which limits their effectiveness: malware is allowed to pass, and detection occurs after the fact.
By way of its architecture, Zscaler delivers a sandbox that always sits inline. Files can be quarantined and confirmed clean by the sandbox before delivery.
Lastly, Zscaler Cloud Sandbox delivers the Cloud Effect, which shares new threat detections across the cloud in seconds.
Add to all this the fact that Zscaler can accommodate all of a customer's SSL traffic with no capacity limitation, and Zscaler is the clear winner over traditional appliance-based solutions.
As one of our customers deployed Zscaler, they noticed a change in their security logs. They were so excited that they forwarded the data to us without us even asking. We often get unsolicited feedback from customers on how excited they are about their Zscaler installation.
In this case, you can see this customer did a controlled rollout of Zscaler over a 6 month period. As you can see, the more they deployed Zscaler, the more threat blocks increased on the Zscaler side and the more FireEye detections reduced. There are a couple of interesting notes about this case study:
1. Zscaler was able to block FAR more threats than FireEye due to the fact that all users on and off network can be covered
2. Many of the alerts FireEye saw after deployment were found to be benign
3. The value of SSL inspection can’t be overstated. Customer found far more threats. FireEye is unable to inspect SSL traffic without costly additional hardware.
With Zscaler at full deployment and actively blocking FAR more threats than FireEye ever was detecting (not blocking), it seems FireEye’s days are numbered!
With Zscaler it’s simple to get started. In fact, we’ve cut over 40,000 users in one weekend night and 160,000 users over 60 days.
All you need to do to make Zscaler your next hop to the Internet is to make Zscaler your default route. A number of customers did this to block threats that were going undetected by their current security appliances, without making any policy changes. Some also start by securing their mobile workers, then migrating their office locations. This allows them to take their security from a 6 or 7 to a 9 or 9.5 out of 10. No one is perfect. One ZPA customer got started with one of the use cases before replacing their entire VPN infrastructure.
The second phase of the journey involves phasing out security appliances to reduce cost and complexity. This can be done at your pace, but more often than not it happens shortly after, or in tandem with, starting to send traffic to Zscaler.
With Zscaler in place, the third phase of the journey is about routing traffic locally via Internet breakouts to Zscaler. By routing traffic locally, companies can optimize their MPLS spend and deliver a more secure and better user experience. Office 365 has been a key accelerator for local breakouts, as Microsoft now recommends routing traffic locally and doing local DNS, so users connect to the closest Office 365 PoP and onto its CDN network as fast as possible. ExpressRoute is now only recommended for very specific use cases. Microsoft also cautions against hub-and-spoke architectures with centralized proxies for a variety of reasons.