Zscaler's Cloud Security Platform Has Eye On Advanced Persistent Threats


Zscaler is adding suspicious file analysis to its cloud security platform to better detect custom malware and zero-day exploits associated with advanced persistent threats, according to company executives.

Zscaler launched in 2008 with its cloud-based secure Web gateway service that scans outbound Web traffic for malware and policy enforcement. The latest iteration mixes file behavioral analysis for suspicious Windows-based executable files, said Michael Sutton, vice president of security research at Zscaler, San Jose, Calif.

"Files go through a number of layers of static analysis up front before they get to the point where there needs to be analysis," Sutton said. "If it's a candidate for behavioral analysis then we dump it into the behavioral analysis engine for monitoring."

[Related: Advanced Persistent Threats: Not-So-Advanced Methods After All]

The service does not provide protection against malicious email file attachments, an attack vector used in several high-profile attacks including the RSA SecurID breach, which used a zero-day exploit embedded in an Excel spreadsheet. But Sutton said file attachments are not a significant threat. Targeted attacks tend to originate from a phishing email that attempts to convince end users to click on a malicious link, sending victims to the website where the malware is hosted, Sutton said.

"An attacker will leverage known threats well before they get into more advanced tactics," Sutton said. "Zero-days are a very small part of the threat landscape."

Zscaler's approach is to limit the need for the deployment of network security appliances to detect advanced threats. The company believes it can compete against FireEye, which is said to be readying an initial public offering this week; Palo Alto Networks and other network security vendors that combine threat detection with a sandbox malware analysis environment to detect files designed to dupe antivirus and other traditional security systems.

Malware analysis engines that monitor the behavior of suspicious files in a virtual machine have been available for years, said Gary Sidaway, global director of security at NTT Com Security AG, a managed services provider. The technology has been used by incident response teams, threat researchers and network security professionals, Sidaway said.

"We're only now seeing the technology embedded into commercially available products," Sidaway told CRN. "Organizations should understand all of the components that you take on with it, including what happens when a threat is detected. It forces businesses to focus more heavily on incident response."

Sutton called network security appliances that provide behavioral analysis costly and narrowly focused. Proactive protection against known and zero-day threats should combine file analysis with security analytics such as threat intelligence feeds and both blacklisting and whitelisting to help control network activity and identify potentially malicious files, Sutton said. Zscaler is planning to roll out support for behavioral analysis of suspicious Android files as well.

Zscaler and other security vendors also use crowdsourcing, connecting the customer install base by sharing threat detection data to provide faster protection when a new threat is identified.

In addition to its advanced persistent threat detection capabilities, Zscaler has added in-line traffic scanning through DNS analysis to detect botnet activity emanating from the corporate network. The company said it also provides support to feed data into security information event management systems for incident responders and proactive network monitoring.

PUBLISHED SEPT. 17, 2013