How to Combat the Long Lives of Zero-Day Vulnerabilities? Nir Gaist, CTO of Nyotron Has The Answers

  • By Jenny Schecher
  • on November 13, 2018

Our Transformational CISO Assembly is tomorrow! In the run up to the event, Nir Gaist, Founder and CTO of Nyotron gave Digital Diary an exclusive look into “zero-day vulnerabilities.” Take a look below!

We’ve all heard stories about advanced nation-states leveraging zero days to exploit a previously unknown security vulnerability. Perhaps the most infamous example is Stuxnet (with its four zero days) that survived for an estimated five years prior to being discovered. However, that does not mean the ability to develop exploits for zero-day vulnerabilities is reserved only for well-financed state-sponsored actors.

According to RAND Corporation research, “…any serious attacker can always get an affordable zero-day for almost any target.” Worse, the data suggests that the time from vulnerability discovery to public disclosure and patch availability is almost seven years, a big red flag indicating that companies are dramatically underestimating their exposure.

The term “zero-day vulnerability” is a bit of a misnomer, because it might convey that an attacker tries to quickly get into victims’ computers, exfiltrate data or launch malware and get out. But just the opposite is the case, as some of the key findings from that RAND report illustrate:

  • Long life: Zero-day exploits and their underlying vulnerabilities have a 6.9-year life expectancy, on average. That’s 2,521 days after the initial discovery. 25 percent of those zero days will survive more than 9.5 years, according to the research.
  • The bad guys work fast: When it comes to the time required to create a working exploit, almost a third are developed in a week or less, with the majority being developed in approximately 22 days from the point an exploitable vulnerability has been found.
  • Bargain price: Although in certain cases, for highly unusual targets and/or environments, the costs may reach millions (so-called “unicorn exploits”), most zero-day exploits can be purchased for anywhere between $30,000 and $100,000 on the gray or black markets.
  • Walking dead: Declaring a vulnerability as alive or dead can be too simplistic. There are vulnerabilities that are quasi-alive (like zombies): code revisions removed them from a product without the vulnerability ever being disclosed, but older versions can still be exploited. There are also “immortal” vulnerabilities, those that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates.

A vulnerability’s long life span means that even organizations with industry-leading vulnerability management and patching processes are still exposed. This is true even if you go through the pain of immediately testing and rolling out all critical patches. If you have ever managed patch management tools and projects, you know how difficult it is to account for change control policies, rollback requirements, offline and remote systems, rollout issues and more. Moreover, we are not talking about just patching Windows operating systems, but all third-party applications in use within an organization, firmware and all operating systems, including those powering mobile devices.

The RAND report comes to a grim conclusion: “Defenders will always be vulnerable to zero-day vulnerabilities…” Chances are your organization may already have undetected malware leveraging zero-day vulnerabilities.

The security industry still hasn’t figured out an effective approach to patch management. On top of that, fileless attacks that abuse legitimate scripting and administration tools (e.g., PowerShell) have become popular in the last few years. In reality, though, the majority of commodity malware and opportunistic attacks rely on already known vulnerabilities.

Defending Against Zero Days

It’s simply unrealistic to prevent all zero days from gaining access to your system, but you can stop the damage they try to inflict by building a Defense-in-Depth system that combines the negative and positive security models.

Traditional solutions focus on identifying the “bad” and allow everything else. This model is commonly used in antivirus, host intrusion prevention systems, next-generation antivirus and data loss prevention products, among others. But these solutions struggle to identify fileless and unknown threats. The SANS 2018 Survey on Endpoint Protection and Response revealed that while antivirus is the most commonly used tool for detecting the initial vector of attack, it only managed to detect about 47 percent of attacks.

However, don’t believe the “AV is dead” hype. It remains an important component of detection and prevention against common threats, but because it cannot protect against today’s most advanced unknown threats, some enterprises are implementing, or at least purchasing, next-generation antivirus (NGAV) solutions. Even though the efficacy of machine-learning-powered NGAV solutions is higher, the fact is that they still apply a negative security model: they look for the “bad” and are trained on known malware samples, so they struggle to identify and block truly unknown, evasive and fileless malware.

If we keep focusing on “badness”, then indeed we’ll always be behind. There will always be another zero day, another new attack vector (e.g., Spectre, Meltdown), another previously unimaginable way for the bad guys to break in. No machine learning model will be able to predict completely new attacks.

What if we turn things on their head and focus on the good instead? Then this constant cat-and-mouse game may actually turn in our favor. “Good” can come in the form of a list of applications (e.g., whitelisting or application control) or in the form of behavior (whether user behavior or OS behavior).

While the amount of “bad” is infinite (and the number of applications is nearly there as well), the valid and legitimate behavior is finite. From the OS perspective, it is possible to create a map of all legitimate OS behavior, because there are just a handful of operating systems out there, and they change infrequently, especially in the way they operate with the file system and networking.

Of course, no single solution on its own would be sufficient. That’s why defense-in-depth has become the gold standard in security. It enables you to build a layered approach to better protect against zero-day exploits, even if attackers are able to bypass one or more layers. True defense-in-depth should not just rely on the “next-gen” version of a well-known technology that is slightly better than the original, but layer different types of protection technologies to create the strongest possible defense.
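To make the negative/positive distinction and the layering concrete, here is a small added illustration (not Nyotron’s product, nor code from the RAND report or the SANS survey) that runs a known-bad hash check in front of two positive layers: an application allowlist and a finite map of legitimate OS behavior per application, as described in the previous paragraphs. Every image name, hash, path and rule is constructed for the example; the point it shows is that an event with no known-bad signature (a document editor spawning a shell, or a scripting tool connecting to an unexpected host) passes the negative layer and is only stopped by the positive ones.

```python
"""Layered zero-day defence: a negative (known-bad) layer in front of two
positive layers (application control and an OS-behaviour map).

Added illustration, not Nyotron's product or code from the RAND report.
Every image name, hash, path and rule below is constructed for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    sha256: str    # hash of that image (constructed placeholder values)
    action: str    # "write", "spawn" or "connect"
    target: str    # file path, child image, or host:port


# --- Negative model: only what is already known to be bad is blocked. ---
KNOWN_BAD_HASHES = frozenset({"bad0" * 16})

# --- Positive model, application control: only listed images may run. ---
ALLOWED_IMAGES = frozenset({"winword.exe", "outlook.exe", "powershell.exe", "svchost.exe"})

# --- Positive model, behaviour map: per image, the finite set of legitimate actions. ---
ALLOWED_BEHAVIOUR = {
    "winword.exe":    (("write", "C:\\Users\\*\\Documents\\*"), ("spawn", "splwow64.exe")),
    "outlook.exe":    (("connect", "mail.corp.example:443"), ("spawn", "winword.exe")),
    "powershell.exe": (("write", "C:\\Windows\\Temp\\*"),),
    "svchost.exe":    (("connect", "*.windowsupdate.example:443"),),
}


def negative_layer(ev: Event):
    """Signature-style check: catches only hashes already on the block list."""
    return "known-bad-hash" if ev.sha256 in KNOWN_BAD_HASHES else None


def application_control(ev: Event):
    """Allowlist of applications: anything not listed is denied outright."""
    return None if ev.process in ALLOWED_IMAGES else "unlisted-application"


def behaviour_layer(ev: Event):
    """Allowlist of behaviour: a listed application acting outside its map is denied."""
    for action, pattern in ALLOWED_BEHAVIOUR.get(ev.process, ()):
        if action == ev.action and fnmatchcase(ev.target, pattern):
            return None
    return f"unexpected-{ev.action}"


LAYERS = (negative_layer, application_control, behaviour_layer)


def evaluate(ev: Event):
    """Run the layers in order; the first one to object decides, otherwise allow."""
    for layer in LAYERS:
        reason = layer(ev)
        if reason is not None:
            return (layer.__name__, f"block:{reason}")
    return ("all-layers", "allow")


# Constructed sample telemetry. Only the third event carries a known-bad hash;
# the others would pass a purely negative model.
SAMPLE_EVENTS = [
    Event("winword.exe", "aa" * 32, "write", "C:\\Users\\alice\\Documents\\q3.docx"),
    Event("winword.exe", "aa" * 32, "spawn", "powershell.exe"),           # not in Word's map
    Event("update.exe", "bad0" * 16, "write", "C:\\Users\\alice\\AppData\\Roaming\\x.dll"),
    Event("update.exe", "cc" * 32, "write", "C:\\Users\\alice\\AppData\\Roaming\\y.dll"),  # unknown, unlisted
    Event("powershell.exe", "dd" * 32, "connect", "203.0.113.7:4444"),    # allowed tool, unexpected action
    Event("svchost.exe", "ee" * 32, "connect", "cdn.windowsupdate.example:443"),
]


def triage(events=SAMPLE_EVENTS):
    """Return (process, action, deciding layer, verdict) for each event."""
    return [(ev.process, ev.action, *evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for row in triage():
        print("%-16s %-8s %-20s %s" % row)
```

Note the ordering: the cheap negative layer runs first so known commodity malware is dropped immediately, and the positive layers catch whatever has no signature yet. The behaviour map is deliberately small; in practice it is the finiteness of legitimate OS behaviour that makes such a map maintainable, whereas the block list can never be complete.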

Nir Gaist is the founder and CTO of Nyotron.


In a new digital world, driven by data, businesses of all sizes are working tirelessly to secure their networks, devices, and of course, their data. CISOs need to plan for worst-case scenarios, stay ahead of latest IT Security transformation technology, and maintain their company’s information assets without losing sight of the corporate culture.

This November, the 6th edition of our Transformational CISO Assembly will bring together industry leaders to discuss the latest strategies and innovations in cybersecurity in Miami. Join us today, the assembly is now open for application!

