Zscaler Blog

Identifying Vulnerabilities with Cloud Sandbox’s Zero Day Virtual Machine Scan

As a pioneer of cloud-based security, Zscaler operates a network of over 160 global data centers that have the necessary infrastructure to:

  • Intercept data flowing between client and server for 9,400+ global customers
  • Scan and analyze over 500 billion daily transactions for threats
  • Process 500 trillion daily signals for our AI/ML cloud effect that continuously detects and prevents threats

Zscaler’s Cloud Sandbox now provides customers an environment in which they can deploy new virtual machine (VM) types and apply the latest vendor-provided patches. Cloud Sandbox detonates sample binaries on a fully patched VM to derive a score based on a binary’s behavior: the higher the value, the greater the risk of exploitation. This blog looks at how Zscaler is able to achieve this and reduce patch deployment friction for security operations teams.

Determining a Vendor-supplied Patch’s Impact with Zscaler’s Cloud Sandbox

Operating the world’s largest security cloud platform means we can rapidly evaluate the behavior and efficacy of the latest third-party vendor patches once they are applied. Several node types in Zscaler’s infrastructure work together to intercept and inspect data; here is what each edge component does:

  • The first hop from the customer is a Cloud Enforcement Node (CNE), an explicit proxy that the endpoint’s browser or other client application is configured to point to.
  • Requests from client applications to application servers are forwarded to the OCS (Original Content Server) through the CNE.
  • Because the CNE is configured explicitly as the proxy on the endpoint application, it performs inline inspection of the data flowing through it.
  • Based on policy, the CNE forwards files to an SM Behavioral Analytics (SMBA) node, which fronts the Cloud Sandbox infrastructure. The data can be any of several file types, such as .exe, .dll or .pdf.
  • SMBA nodes forward the files to the Sandbox Nodes (JSB) for detonation.
  • The JSB nodes detonate the incoming file according to its type, collect behavioral data and determine the impact on the host node. This data is returned to the SMBA node.

[Diagram: each component in Zscaler’s Zero Trust Edge and its role in evaluating the efficacy of third-party vendor patches applied to a virtual machine]

Every SOC Team’s Dream: Knowing the Impact of Vendor Patches Before Applying Them  

Patch rollout is operationally cumbersome for IT and security teams: they have to apply each patch, verify that it was applied properly, and repeat the process for every patch in the cycle.

Before applying and rolling out patches, these teams would ideally have a rating that indicates how a patch affects the organization’s overall data flow, which could be any of the following:

  • Fixing known vulnerabilities
  • Uncovering latent vulnerabilities
  • Though unlikely, introducing additional vulnerabilities 

Each of these outcomes can affect data flow, including whether a newly detected vulnerability can be blocked by the security policies that customers configure in their Zscaler tenant.

With such a rating, operations teams could make better decisions on which patches can be applied immediately without causing disruption versus those that pose more risk of interrupting workflows.

Cloud Sandbox VM Score Report Provides Threat Score with Behavioral Indicators

Comparing the score a given binary earns on a regular, lightly patched VM against its score on a fully patched VM (referred to as the “Zero Day VM” for the rest of this entry) helps customers understand the value of the patch.

For example, if the score of a binary in the regular, unpatched VM is X and the score of the same binary in the Zero Day VM is Y, the comparison yields one of the following outcomes:

  • X > Y: the Zero Day VM score decreased; the applied patches fixed some of the vulnerabilities the binary relies on.
  • X < Y: the Zero Day VM score increased; the applied patches exposed latent vulnerabilities, e.g., a zero-day detection of a vulnerability.
  • X = Y: the score difference is negligible; the sample’s behavior is unaffected by the patch, so the remaining risk negates the value of a patch that is supposed to address a specific vulnerability.
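The comparison above, and the report-driven block decision described later in this entry, can be expressed as a small piece of logic that a SOC team might run over a pair of sandbox reports. The following is an added example and not Zscaler code: the report fields (score, indicator categories), the sample reports and the block threshold of 70 are all constructed for illustration. It goes slightly beyond the three-way score comparison by also diffing the behavioral indicators between the two detonations, which is what actually tells an analyst what the patch changed.

```python
"""Classify a vendor patch's impact from two sandbox detonations of one sample.

Added example, not Zscaler code. The SandboxReport layout, the threshold and
the sample reports below are assumptions made for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SandboxReport:
    """One detonation result (field layout assumed for this example)."""
    vm: str                      # which VM image the sample ran on
    score: int                   # threat score 0-100; higher means more risk
    indicators: frozenset[str]   # behavioral indicator categories observed


def classify_patch_impact(regular: SandboxReport, zero_day: SandboxReport) -> str:
    """Apply the X/Y comparison: X = regular VM score, Y = Zero Day VM score."""
    x, y = regular.score, zero_day.score
    if x > y:
        return "fixed"        # patches removed behavior the sample relied on
    if x < y:
        return "latent"       # patches exposed behavior not seen before
    return "unchanged"        # patch does not alter this sample's behavior


def indicator_delta(regular: SandboxReport, zero_day: SandboxReport) -> tuple[list[str], list[str]]:
    """Indicators that disappeared on the patched image, and ones that appeared."""
    removed = sorted(regular.indicators - zero_day.indicators)
    added = sorted(zero_day.indicators - regular.indicators)
    return removed, added


BLOCK_THRESHOLD = 70  # assumed tenant policy cut-off, not a Zscaler default


def verdict(report: SandboxReport, threshold: int = BLOCK_THRESHOLD) -> str:
    """Policy decision for one report: block at or above the threshold."""
    return "block" if report.score >= threshold else "allow"


def evaluate(sample: str, regular: SandboxReport, zero_day: SandboxReport) -> dict:
    """Summarize what the patch did to this sample and what policy does with it."""
    removed, added = indicator_delta(regular, zero_day)
    return {
        "sample": sample,
        "impact": classify_patch_impact(regular, zero_day),
        "score_delta": zero_day.score - regular.score,
        "indicators_removed": removed,
        "indicators_added": added,
        "verdict_on_patched_vm": verdict(zero_day),
        # A sample that still scores at block level on the fully patched image
        # is exploiting something the applied patches do not address.
        "exploits_patched_vm": verdict(zero_day) == "block",
    }


# Constructed reports (illustrative only).
# Mirrors the post's case: the sample runs successfully on both images.
ZERO_DAY_SAMPLE = (
    SandboxReport("Regular VM", 100, frozenset({"exploit", "security bypass", "networking", "stealth"})),
    SandboxReport("Zero Day VM", 100, frozenset({"exploit", "security bypass", "networking", "stealth"})),
)
# A sample whose exploit the patches address: on the patched image it only
# crashes the target process and never reaches its payload.
PATCHED_SAMPLE = (
    SandboxReport("Regular VM", 85, frozenset({"exploit", "process injection", "networking"})),
    SandboxReport("Zero Day VM", 15, frozenset({"process crash"})),
)
# A sample that shows more behavior once a component shipped by the patch is present.
LATENT_SAMPLE = (
    SandboxReport("Regular VM", 40, frozenset({"networking"})),
    SandboxReport("Zero Day VM", 75, frozenset({"networking", "security bypass"})),
)

if __name__ == "__main__":
    for name, (reg, zd) in (("exploit.bin", ZERO_DAY_SAMPLE),
                            ("known.bin", PATCHED_SAMPLE),
                            ("latent.bin", LATENT_SAMPLE)):
        print(evaluate(name, reg, zd))
```

The indicator diff is the part worth keeping around: a score that drops from 85 to 15 is reassuring, but seeing "exploit" and "process injection" replaced by "process crash" is what tells you the patch closed the primitive rather than merely changing the scoring.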

Let’s look at an example of how this works: a customer submits a suspected zero-day exploit sample in two virtual machine environments: a "Regular VM" with limited patches and a "Zero Day VM" that was fully patched.

Despite the Zero Day VM being fully patched, the exploit still executed successfully, confirming that it targets a vulnerability none of the applied patches address, i.e., a true zero-day. The resulting report below shows a threat score of 100 for the exploit. The report also identifies the behavioral characteristics that support this finding, including security bypass, networking and stealth tactics and techniques.

[Figure: Sample report produced by Cloud Sandbox Zero Day Virtual Machine Scan]

Zscaler's Cloud Sandbox mitigated the threat: it not only identified the novel exploit behavior but, more importantly, blocked the attack on the strength of that behavioral detection. This demonstrates Cloud Sandbox’s ability to protect proactively against emerging threats by recognizing the underlying exploit technique (e.g., anomalous system calls, memory manipulation) rather than relying on a specific signature.

Learn more about how Zscaler’s Cloud Sandbox can help your SOC team achieve greater operational efficiencies like this while bolstering your security posture.

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.