SonicWall reveals new Capture engine that proved effective against Meltdown

The SonicWall Capture Cloud Real-Time Deep Memory Inspection was added as a fourth Capture Cloud engine some months back, and is now being made public because of its ability to block the Meltdown exploit.

Bill Conner, SonicWall’s CEO

Security vendor SonicWall has disclosed that a patent-pending new engine used in its Capture Cloud service has been remarkably effective at discovering new malware variants. It was extremely effective at detecting the Meltdown exploit of a flaw in Intel processors.

The new technology, which SonicWall has termed Real-Time Deep Memory Inspection [RTDMI], was added as the fourth engine in SonicWall’s Capture service several months ago, but has not been publicized until now.

“We had always planned to make this public, and it was originally going to be announced in our Threat Report which is a month away,” said Bill Conner, SonicWall’s CEO. “However, with all the attention being given to Meltdown and some of the new malicious malware cocktails, we decided that it was too important to keep under the bushel until then.”

The technology was developed as a project of the SonicWall Capture Labs which began in 2014, and was completed in 2016.

John Gmuender, SonicWall’s CTO

“In Deep Packet Inspection, the concept of Deep meant there was an additional level to which you went to understand flows and thus get more visibility into applications,” said John Gmuender, SonicWall’s CTO. “The same analogy holds true for deep memory inspection. It can force malware to reveal its weaponization into memory, and can then identify and respond to them, even though the weapon is only visible for between 10 and 100 nanoseconds. The firewall then gets access to this information from Capture in real time, and is able to block the threat.”

The premise of Capture’s multiple engines has always been that while malware may be customized to evade one, the odds of it evading all the engines are much lower. SonicWall is emphasizing that this is the case here.

“The three other engines in Capture would not have caught this particular malware,” Conner said. “No other deployed solution that we know of would have been able to catch this the way we have, in real time, so that it can be blocked right now. This is something that researchers can figure out, but we are able to do it in a way that actually protects people proactively.”

RTDMI’s ability to block the Meltdown vulnerability in Intel processors, which was identified by Google’s Project Zero security team early this year, was a major accomplishment.

“Its framework has exactly the right infrastructure to identify Meltdown attacks,” Gmuender said. “Of course when we developed this, we had no idea that something like Meltdown would come in – but it’s so different that we can detect and block it. It adds a level of coverage that other vendors are not able to provide.”

That’s especially important because the Meltdown vulnerability isn’t something that can be quickly patched.

“Meltdown is an absolute flaw in microprocessors, and it will basically take Intel producing new chips to fix it,” Gmuender said. “Most people won’t have updated chips, certainly among the broader base of customers that make up SonicWall’s customers. This technology is uniquely capable of addressing that. In addition, new malware cocktails will come out, so that the benefits of this will be far broader than Meltdown, even though the Meltdown story itself has a long way to go.”

The RTDMI protection is communicated from the Capture platform to all of SonicWall’s solutions.

“This is the fun part of being at SonicWall now as the innovation curve turns up,” Conner said. “We are solving really difficult problems. This IS rocket science. We don’t make French Fries. This stuff is incredibly complex, and bad guys will find ways to further weaponize this exploit.”