Why Are Antivirus and IPS Not Enough Anymore?
The speed of doing business is steadily increasing. Unfortunately, the same is true of the malware and ransomware business that targets your organization. Popular families of cryptographic ransomware such as Locky or CryptoLocker are re-released every five to ten minutes, and every re-release needs a new signature. By nature, this is a showstopper for pattern-based defense layers such as antivirus and IPS/IDS. Today's threats spread at high velocity, and it is not possible to detect a threat, isolate its signature, add it to the signature databases, and push that update to every deployment within five minutes. By the time the update is available, the threat has already compromised systems in the network and covered its tracks.
While these signature-based legacy systems remain important as a first line of defense that prefilters network traffic, organizations need an additional security layer to protect against today's targeted malware.
The Barracuda Difference
Barracuda Advanced Threat Protection (ATP) is a cloud-based sandboxing service available for all Barracuda NextGen Firewall models, sizes, and deployment types. Unlike many first-generation advanced persistent threat security vendors, Barracuda ATP uses full-system emulation and next-generation sandboxing techniques that provide granular visibility into malware behavior.
First, every file is checked against a constantly updated, globally synchronized hash database of files that have already been emulated. If the file is not known, it is uploaded and emulated in a virtual sandbox where its behavior is observed and malicious activity is revealed. Traditional breach detection solutions detect threats only after they have entered the network, and then only send log notifications to the administrator. ATP on Barracuda NextGen Firewalls can stop previously unknown advanced persistent threats and ransomware before they enter the network, provided the delivery policy holds files until the verdict is in (see the delivery modes below).
Advanced Threat Protection is also available on the Barracuda Email Security Gateway, Barracuda Essentials for Office 365, and Barracuda Essentials for Email Security, which together process more than 20 million requests per day. The result is one of the world's most comprehensive databases of known bad IP addresses, spyware domains, and command and control servers used by botnets.
Provides the Flexibility an Organization Needs
Administrators deal with more than one file type and protocol. Barracuda Advanced Threat Protection gives NextGen Firewall administrators the flexibility to match inspection to the risk of each file while keeping the quality of service high.
ATP policies are created per file type (Office documents, Android APKs, executables, and so on), and the protocol over which the file entered the network can also be taken into account. A policy can therefore handle PDF files that arrive as spam mail attachments more rigorously than PDF files downloaded from a well-known, reputable website.
Per file type and protocol, the administrator also defines how files are delivered. ATP offers a fast mode in which the file is delivered to the requesting system and to the emulation service at the same time, which minimizes delivery delay. When the scan finishes and malicious activity has been identified, a log event is created and the administrator can contact the user to remediate the threat. Because the file has already reached the corporate network in this mode, the priority is to keep the malware from spreading and causing further damage: Barracuda NextGen Firewalls can be configured to automatically quarantine the user/IP/machine combination, blocking its further network activity. If the file turns out to be benign, the quarantine is lifted and the system regains full connectivity.
ATP's second delivery mode is more secure but adds a small delay, because the file is held until the verdict is in. Whether the delay is noticeable depends on whether the file is already known to the ATP hash database; for an unknown file it depends on the file type and ranges from a couple of seconds to about a minute.
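The decision flow described above (hash lookup first, emulation only for unknown files, and the two delivery modes with automatic quarantine) is modelled in the following added example. It is illustration code, not Barracuda's implementation: the policy table, the seeded hash cache, the behavioural marker the stub sandbox keys on, and the user/IP pairs are all constructed for the example, and the `Firewall` class and its `handle`/`release` methods are hypothetical names chosen here. What it shows beyond the text is why a re-issued build of known ransomware misses the hash cache but is still caught by emulation, and that in fast mode the file is on the host before the verdict arrives.

```python
import hashlib
from dataclasses import dataclass, field

MALICIOUS, BENIGN = "malicious", "benign"

# Constructed policy table: (file type, ingress protocol) -> delivery mode.
# "hold" scans first and delivers only on a clean verdict; "fast" delivers at
# once, scans in parallel and quarantines the requester on a bad verdict.
POLICY = {
    ("pdf", "smtp"): "hold",
    ("pdf", "http"): "fast",
    ("exe", "smtp"): "hold",
    ("exe", "http"): "hold",
}
DEFAULT_MODE = "hold"

# Constructed stand-in for behaviour that emulation would observe at runtime.
RANSOMWARE_MARKER = b"ENCRYPT_ALL_FILES"


def sandbox_emulate(content: bytes) -> str:
    """Stub for the cloud sandbox. A real sandbox runs the file and watches
    what it does; this stub keys on a constructed marker, not on the hash,
    so a re-packed variant with a new hash still gets the same verdict."""
    return MALICIOUS if RANSOMWARE_MARKER in content else BENIGN


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Firewall:
    # Hash cache seeded with one already-emulated sample (constructed).
    hash_cache: dict = field(default_factory=lambda: {
        sha256_hex(b"MZ dropper " + RANSOMWARE_MARKER + b" build 1"): MALICIOUS,
    })
    quarantined: set = field(default_factory=set)   # (user, ip) pairs
    log: list = field(default_factory=list)

    def verdict(self, content: bytes):
        """Hash lookup first; only unknown files go to emulation. The result
        is cached so every later copy of the same file is a fast hit."""
        h = sha256_hex(content)
        if h in self.hash_cache:
            return self.hash_cache[h], "hash-cache"
        v = sandbox_emulate(content)
        self.hash_cache[h] = v
        return v, "sandbox"

    def handle(self, content: bytes, file_type: str, protocol: str,
               user: str, ip: str) -> dict:
        """Apply the delivery policy for one file and return what happened."""
        mode = POLICY.get((file_type, protocol), DEFAULT_MODE)
        v, src = self.verdict(content)
        if mode == "hold":
            delivered = v == BENIGN          # malicious files never reach the host
        else:
            delivered = True                 # already on the host before the verdict
            if v == MALICIOUS:
                self.quarantined.add((user, ip))   # block further network activity
            else:
                self.quarantined.discard((user, ip))
        result = {"mode": mode, "verdict": v, "source": src,
                  "delivered": delivered,
                  "quarantined": (user, ip) in self.quarantined}
        self.log.append((file_type, protocol, user, ip, result))
        return result

    def release(self, user: str, ip: str) -> None:
        """Administrator remediation: lift the quarantine after cleanup."""
        self.quarantined.discard((user, ip))


if __name__ == "__main__":
    fw = Firewall()
    build2 = b"MZ dropper " + RANSOMWARE_MARKER + b" build 2"   # new hash, same behaviour
    print(fw.handle(build2, "exe", "smtp", "alice", "10.0.0.5"))
    print(fw.handle(b"%PDF-1.7 " + RANSOMWARE_MARKER, "pdf", "http", "carol", "10.0.0.7"))
```

The fast-mode result is the one to watch: `delivered` is true and `quarantined` is true at the same time, which is exactly the situation the text describes where containment, not prevention, is what remains.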
Unfortunately, malicious files can also find their way into the network via thumb drives or lax BYOD policies. Barracuda NextGen Firewalls are the linchpin of an organization's network traffic and, through ATP, know the domains and IP addresses that spread malware and ransomware and that act as botnet control servers. By detecting traffic from inside the network toward botnet and spyware command and control servers, the firewall stops data theft before the connection is actually established, and notifies the administrator so the compromised system can be dealt with.
Auditing and reporting are key tasks in modern IT departments. To make this as smooth as possible, Barracuda NextGen Firewall deployments can use the Barracuda Report Creator, a free Windows executable available for download at https://dlportal.barracudanetworks.com. It creates on-demand and/or scheduled reports on a selected part of, or the complete, NextGen Firewall deployment, or just on compromised users, systems, and IP addresses. Reports are sent as PDF to a customizable set of email addresses.
Now and then administrators come across files whose status they are unsure of. For such files, NextGen Admin, the configuration tool for Barracuda NextGen Firewall, lets them manually upload the file to the ATP cloud and benefit from the same deep inspection. Alternatively, files can be uploaded manually for inspection via the web interface provided by Barracuda Central.
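The mechanism behind stopping "phone home" traffic before the connection exists is the DNS sinkhole listed under "at a Glance" below: the resolver in the firewall's path answers queries for known command and control domains with a controlled address instead of the real one, and records which internal host asked. The following is an added example of that policy, written for this page and not Barracuda's code. The blocklist, the sinkhole address, the upstream answers and the query log lines are all constructed, and the function names are chosen here. Beyond the text, it shows the matching rules a sinkhole needs to get right: subdomains of a blocked domain are blocked, look-alike names such as `notc2.example-bad.net` are not, and case and trailing dots do not matter.

```python
import re
from collections import defaultdict
from typing import Optional, Tuple

SINKHOLE_IP = "10.255.255.254"   # constructed: a monitored internal address

# Constructed C2 / spyware domain list; a real firewall pulls this from a feed.
BLOCKLIST = {"c2.example-bad.net", "update.spyware-example.org"}

# Constructed upstream answers for names that are not sinkholed.
UPSTREAM = {"www.example.com": "93.184.216.34", "c2.example-bad.net": "198.51.100.7"}


def is_blocked(qname: str) -> bool:
    """Exact or subdomain match against the blocklist, ignoring case and the
    trailing dot. Matching on whole labels keeps 'notc2.example-bad.net'
    from matching the entry 'c2.example-bad.net'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(qname: str) -> Tuple[Optional[str], bool]:
    """Return (answer, sinkholed). Blocked names get the sinkhole address so
    the client never learns the real C2 IP; everything else goes upstream."""
    if is_blocked(qname):
        return SINKHOLE_IP, True
    return UPSTREAM.get(qname.rstrip(".").lower()), False


# Constructed log format: "<timestamp> <source ip> <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<qtype>\w+) (?P<qname>\S+)$")


def process_query_log(lines):
    """Run the sinkhole policy over query log lines. Returns the answers that
    would have been handed out and, per internal source host, the blocked
    domains it tried to resolve, which is the list to alert the admin on."""
    infected = defaultdict(set)
    answers = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        answer, sinkholed = resolve(m["qname"])
        answers.append((m["src"], m["qname"], answer))
        if sinkholed:
            infected[m["src"]].add(m["qname"].rstrip(".").lower())
    return answers, dict(infected)


# Constructed sample log: two hosts resolving C2 names, one clean host, one junk line.
SAMPLE_LOG = [
    "2024-05-01T10:02:13Z 10.0.1.23 A c2.example-bad.net",
    "2024-05-01T10:02:14Z 10.0.1.23 A beacon.c2.example-bad.net.",
    "2024-05-01T10:02:20Z 10.0.1.40 A www.example.com",
    "2024-05-01T10:02:21Z 10.0.1.40 A notc2.example-bad.net",
    "2024-05-01T10:03:05Z 10.0.2.9 A UPDATE.Spyware-Example.ORG",
    "garbage line",
]

if __name__ == "__main__":
    _, hosts = process_query_log(SAMPLE_LOG)
    for src, names in sorted(hosts.items()):
        print(f"notify admin: {src} queried {sorted(names)}")
```

Hosts that then actually connect to the sinkhole address show up in the firewall's own flow logs, which is what makes the sinkhole both a block and a detection.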
Barracuda Advanced Threat Protection at a Glance
- Dynamic, on-demand analysis of malware programs (sandboxing)
- Prevent malicious files—even unknown ones—from entering the organization and avoid network breaches
- Identify zero-day malware exploits, ransomware, targeted attacks, advanced persistent threats and other advanced malware, which routinely bypass traditional signature-based IPS and anti-virus engines
- Detailed forensics for both malware binaries and web threats (exploits)
- High resolution malware analysis (monitoring execution from the inside)
- Granular control over PDFs, EXEs/MSIs/DLLs, Android APKs, Microsoft Office files, Open Office files, macOS executables, and compressed files and archives
- Blocking of active content in Office and PDF documents
- Full interoperability with the integrated SSL Inspection - files can be extracted and checked in order to detect advanced malware in the encrypted stream
- Cloud-based emulation – resource intensive file emulation is offloaded to the Barracuda Advanced Threat Protection cloud
- Fast response times provided by synchronized cryptographic hash database for emulation shared across the Advanced Threat Protection cloud
- Multiple and simultaneous OS environments for emulated files (Windows, macOS, etc.)
- Temporary blocking of web and mail traffic during analysis
- Optional “deliver first then scan” policy with automatic quarantine function
- Stops spyware and botnet infected machines phoning home via DNS sinkhole technology
- Automatic quarantining and reporting on potentially infected machines in the network
- Scheduled reporting on potentially infected machines via Report Creator (includes automated distribution of the reports)
- Available for hardware and virtual appliances, as well as for Microsoft Azure, Amazon AWS, and Google Cloud Platform.
The Barracuda Advantage
- Flexible and simple deployment: Easy to deploy, easy to use, and affordable Advanced Persistent Threat Protection.
- No new equipment needed.
- Full system emulation: Not only detects targeted and persistent attacks, but also malware that was designed to evade detection by the traditional sandboxes used by first-generation advanced persistent threat security vendors
- Automatic user and IP blacklisting: Based on identified malware activities, infected users can be automatically blocked from the corporate network.
- On-demand and scheduled reporting for infected machines.
- Customizable, on-demand analysis reports: Available for any emulated file providing full information on malicious activities such as registry entries, network activity (e.g., botnet command and control center traffic), or obfuscation tactics.
- Unrivaled detection speed: Provides nearly instant threat visibility and protection
- Information on identified malware: It’s centrally stored and shared in order to optimize emulation.
- Barracuda Advanced Threat Protection is available as an affordable add-on subscription on top of an existing Malware Protection or Web Security subscription.
- Barracuda ATP and malware protection are available as an affordable bundle subscription
- Barracuda ATP is available for all NextGen Firewall F-Series and X-Series hardware models.
- Barracuda ATP is available for all virtual appliances VF25 or higher.
- Barracuda ATP is available for Microsoft Azure, Amazon AWS, Google Cloud Platform and vCloud Air public cloud offerings.