Don’t Let Application File Uploads Become Malware Downloads

While most cybersecurity strategies are focused on the endpoint there is an overlooked risk that needs attention: your application file uploads.

Applications are the backbone of modern business, with thousands (if not millions) of files uploaded and downloaded every day. If those files contain malware they pose a significant risk as they traverse through an organization’s IT infrastructure and end up stored in local or cloud repositories.

Most organizations have challenges addressing these risks, such as:

• Files not being scanned at all
• Files scanned with legacy tools that cannot keep up with the changing threat landscape
• Security that slows down or interrupts business processes
• Scanning tools that can’t scale up to enterprise volumes (up to 10s of millions of files daily)

If a malicious file is downloaded and allowed to run, the attack begins, and it's a race to stop it before a breach. The struggle is that traditional security approaches are ineffective and unknown malware is easily passing through. Waiting until it ends up in storage and hits the endpoint is far too late.

File Uploads in the Enterprise: A Business Risk

Organizations must accept files through their web applications to run their business. But files uploaded by customers or end users could contain malware. In fact, 80% of successful breaches come from new or unknown zero-day attacks. These attacks most often come from the exploitation of undisclosed vulnerabilities or evolved malware variants that infiltrate a system unrecognized. Gartner states in their report on file upload security:

“…if the application provides access to a large number of external users, security leaders should require an application design that protects against the abuse of the channel for uploading malware.”

File upload security is an ever-increasing necessity in today’s business environment. There are several traditional approaches that exist, but each has its individual drawbacks.

How Traditional Security Approaches Fall Short

There are four common approaches to preventing malicious file uploads: Traditional anti-virus (AV), multi-AV, file sandboxing, and content disarm & reconstruction (CDR). Each solution approaches the problem uniquely, but all fall short of providing complete protection.

In a nutshell, single AV won’t catch new malware variants, multi-AV suffers the same problem, sandboxing causes delays that are not acceptable to the business, and CDR (while effective) often manipulates and destroys content and requires numerous business exceptions creating an administrative nightmare.

Further drawbacks of AV, Sandbox, and CDR solutions include the following:

• Business disruption
• Scalability issues
• Low unknown malware catch rate coupled with high false positive rate
• Limited number of file types scanned
• Vast CPU and infrastructure resource requirements

For a more in-depth analysis, check out the blog post: Top-3 Drawbacks of Content Disarm + Reconstruction (CDR) for Malware Prevention.

A New Approach: The Requirements

To meet the demands of today’s enterprise and cloud-first organizations, a better solution is needed. The solution needs to quickly scan files and return a verdict without an impact on business operations or SOC team productivity.

The most advanced AI, Deep Learning, is a core requirement to create a solution that autonomously prevents unknown malware. A solution natively architected with Deep Learning can achieve the following:

• Scan tens of millions of files per day with <0.1% false positives
• Prevent >99% of unknown malware, whether offline or online
• Deliver decisions without a reliance on cloud threat intelligence feeds
• Protect data privacy and file integrity
• Scale to meet throughput needs of the largest enterprises

Align to business requirements with minimal friction by providing:

• Flexible, deploy-anywhere model via a Docker container cluster
• Reduced TCO by lowering CPU usage and infrastructure requirements
• REST API or ICAP integration for DevOps to easily connect applications to scan files
• Low AI model maintenance with only 2-3 updates needed per year

Enter Deep Instinct Prevention for Applications

Deep Instinct Prevention for Applications is an agentless, antimalware file scanning solution that was architected with deep learning at its core. Deployed in a container cluster and integrated via API or ICAP, Deep Instinct provides the flexibility and scale that meets the demands of the largest enterprises.

Deep Instinct Prevention for Applications is already scanning tens of millions of files per day for some of the largest organizations in the world. Our customers are experiencing scan speeds of <20ms per file and false positive rates well under >0.1%. In addition, they are finding >99% of unknown malware is stopped before it enters their environment, better protecting themselves and their customers.

For a more in-depth discussion of file upload security and how traditional approaches are not enough, check out our File Upload Security: The Missing Category for a Comprehensive Security Posture report.

For more reading about threats lurking in file uploads:

• Emotet is back
• VSTO takes over where macros left off
• CDR drawbacks

RESOURCES

• The Third Annual Study on the State of Endpoint Security Risk
• Cross-site Scripting Via File Upload
• A Not So Common Cold: Malware Statistics in 2022
• Malware Sandbox Evasion: Techniques, Principles & Solutions
• What is Content Disarm and Reconstruction (CDR)?