

Why are zero day threats so hard to stop?

October 2, 2015

Michael Sutton   

Chief Information Security Officer

Zero day threats are nasty, insidious creatures that can be very hard to defend against. And what exactly are they? The term refers to the number of days the vendor, and the wider public, has known about the vulnerability being exploited: zero. No patch exists yet and no defender has had the chance to build a signature for it, which makes zero day threats an unknown quantity.

Zero day threats are dangerous because breaches often go undetected for a long time. The initial intrusion can take seconds and exfiltration can begin within minutes, yet it is often weeks or months before the breach is detected.

So why are they so hard to stop? The enterprise workforce, the technology used to conduct attacks and the attackers themselves have all evolved significantly, and the enterprise security industry has the thankless task of trying to keep pace.

We continue to rely on signature based technologies to combat malware. Zero days by their very nature will not be detected by signature based techniques, which rely on some prior knowledge of the threat (a file hash, a byte pattern, a known bad domain) in order to develop a signature in the first place. When dealing with zero day threats, we need to leverage alternate approaches to security such as behavioural analysis, for example detonating a suspicious file in a sandbox and judging it by what it does rather than what it looks like, which requires no prior knowledge of the threat in order to flag the file as malicious. Sandboxing has blind spots of its own (malware that checks for a virtual environment or sleeps past the analysis window), so it complements signatures rather than replacing them.
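To make the contrast concrete, here is an added example (not code from the original post or from Zscaler) that runs a hash-and-pattern signature check and a behavioural scoring check over two constructed samples: a known dropper and a trivially repacked copy of it. The byte strings, the sandbox event names and the rule weights are all assumptions invented for this illustration, not any vendor's schema.

```python
import hashlib
import re

# Constructed samples (not real malware): the "original" dropper and a
# repacked copy that differs by a couple of bytes. A real repack changes
# far more, but the effect on a hash or byte signature is the same.
ORIGINAL_SAMPLE = b"MZ\x90\x00\x03\x00dropper-v1\x00payload"
REPACKED_SAMPLE = b"MZ\x90\x00\x03\x00dropper-v2\x00payload"

# Signature knowledge, which by definition only exists for threats we
# have already seen: the hash of the original and a byte pattern from it.
KNOWN_BAD_SHA256 = hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()
KNOWN_BAD_PATTERN = re.compile(rb"dropper-v1")

# Sandbox observations for both samples. Same behaviour, because the
# repack did not change what the code does. Event names are assumed.
SANDBOX_EVENTS = [
    "writes_executable_to_temp",
    "sets_run_key_persistence",
    "connects_to_unseen_domain",
    "deletes_own_file",
]

# Behavioural rules: weights per observed action and a verdict threshold.
BEHAVIOUR_WEIGHTS = {
    "writes_executable_to_temp": 2,
    "sets_run_key_persistence": 3,
    "spawns_encoded_powershell": 3,
    "connects_to_unseen_domain": 2,
    "deletes_own_file": 2,
}
BEHAVIOUR_THRESHOLD = 5


def signature_verdict(sample: bytes) -> bool:
    """Flag the sample only if its hash or a byte pattern is already known."""
    if hashlib.sha256(sample).hexdigest() == KNOWN_BAD_SHA256:
        return True
    return KNOWN_BAD_PATTERN.search(sample) is not None


def behaviour_verdict(events) -> tuple:
    """Score what the sample did when detonated; no prior knowledge needed.
    Returns (flagged, score). Unknown event names simply score zero."""
    score = sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in events)
    return score >= BEHAVIOUR_THRESHOLD, score


def classify(sample: bytes, events) -> dict:
    """Run both checks so the difference is visible side by side."""
    flagged, score = behaviour_verdict(events)
    return {
        "signature": signature_verdict(sample),
        "behaviour": flagged,
        "behaviour_score": score,
    }


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("repacked", REPACKED_SAMPLE)):
        print(name, classify(sample, SANDBOX_EVENTS))
```

The original sample is caught by both checks; the repacked one slips past the signature (new hash, pattern gone) but scores identically on behaviour, which is the gap the passage describes. In practice the behavioural side also has to handle samples that behave benignly inside the sandbox, which is why the two approaches are layered.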

The reality is that existing security controls are not stopping all infections today. Specifically, firewalls, intrusion detection systems, anti-virus and anti-malware programs that depend on known-bad indicators are failing to provide robust protection against threats they have never seen. This leaves businesses vulnerable to a zero day attack.

Best practices for stopping zero day threats
Data breaches are on the rise and they are in the headlines more and more. In 2014, we saw a significant jump in the number of security breaches, particularly in the retail and healthcare sectors, as attackers go after lucrative financial data and personally identifiable information (PII).

At Zscaler, we see 13 billion internet transactions and block 100 million threats every day. We found that 54% of the advanced threats we block were delivered over encrypted channels leveraging SSL (Secure Sockets Layer, in practice its successor TLS). This is driven by the fact that many Internet properties now deliver all content over SSL by default. If you don't have the ability to decrypt and inspect your Internet traffic, you're missing half the threats. Inspection means terminating those sessions at the proxy with a certificate your endpoints trust, so it has to be rolled out deliberately, with exemptions for categories such as banking and healthcare that you should not be decrypting.

So where can you stop threats? The best practice is a layered defence built around three phases: protect, detect and remediate. In the protection phase, you scan all traffic, regardless of source, and stop infections before they take hold in your organization. In the detection phase, you identify anomalous outbound traffic from your organization, specifically looking for data exfiltration attempts or botnet command and control communication, because even a zero day that slipped past the first layer still has to phone home. Finally, once you have identified an infection, you track the affected hosts down and remediate them.
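The detection phase is the one that catches a zero day after the fact, so here is an added example (not code from the original post or from Zscaler) of the two outbound checks the paragraph names, run over a handful of constructed proxy log lines: a beaconing detector that looks for a client contacting one host at near-constant intervals, and an exfiltration detector that totals upload volume per client and destination. The log format, hosts, addresses and thresholds are all assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Assumed format:
# timestamp client method destination_host bytes_out http_status
# 10.1.2.3 hits update.example-cdn.net every 5 minutes like clockwork;
# 10.1.2.9 POSTs 50 MB to a file-sharing host in one go.
SAMPLE_LOG = """\
2015-10-02T09:00:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:00:41 10.1.2.3 GET www.example.com 1800 200
2015-10-02T09:05:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:07:19 10.1.2.3 GET mail.example.com 2200 200
2015-10-02T09:10:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:15:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:20:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:25:00 10.1.2.3 GET update.example-cdn.net 512 200
2015-10-02T09:12:30 10.1.2.9 POST files.example-share.net 52428800 200
2015-10-02T09:13:02 10.1.2.9 GET www.example.com 900 200
"""


def parse_log(log: str) -> list:
    """Turn the text into (timestamp, client, method, host, bytes_out) tuples."""
    records = []
    for line in log.splitlines():
        ts, client, method, host, bytes_out, _status = line.split()
        records.append((datetime.fromisoformat(ts), client, method, host, int(bytes_out)))
    return records


def find_beacons(records, min_hits: int = 5, max_jitter: float = 0.1) -> dict:
    """Flag (client, host) pairs contacted at near-constant intervals.

    Jitter is stdev/mean of the gaps between requests. Real C2 implants add
    random sleep to their beacon period, so max_jitter is a tuning knob, not
    an expectation of exactly zero. Returns {pair: average_gap_seconds}.
    """
    stamps_by_pair = defaultdict(list)
    for ts, client, _method, host, _bytes in records:
        stamps_by_pair[(client, host)].append(ts)

    beacons = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def find_exfil(records, byte_threshold: int = 10 * 1024 * 1024) -> dict:
    """Flag (client, host) pairs that upload at least byte_threshold in total.

    Only upload-type methods count; large GET responses are downloads, which
    is normal. Returns {pair: total_bytes_out}.
    """
    totals = defaultdict(int)
    for _ts, client, method, host, bytes_out in records:
        if method in ("POST", "PUT"):
            totals[(client, host)] += bytes_out
    return {pair: total for pair, total in totals.items() if total >= byte_threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(recs))
    print("exfil:", find_exfil(recs))
```

Both detectors depend on seeing the destination host, which for TLS traffic means either decrypting at the proxy or at least logging the SNI; that is the same visibility point the earlier figure on encrypted threats makes. Once a pair is flagged, the client address is the starting point for the remediation phase.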

If large, well-resourced organisations such as Anthem, Sony, Home Depot, Target and Neiman Marcus can fall victim to security breaches, so can any business. Without a proper understanding of zero day threats, companies have no way of conducting an informed assessment of their security solution and knowing whether they are truly protected against an attack that could happen at any time.

Ready to learn more? Watch the webcast: Stopping zero day threats.