Firmware v4.38 and Express Mode

itxnc
itxnc Posts: 69  Ally Member
edited April 2021 in Security
So, the splash screen in 4.38 talks about the new cloud query 'Express' mode for threat analysis. The closing makes it sound like it can improve throughput? 

But the question is, what difference in security is there between Express and Stream? One would assume that Express would have all the signature file based signatures PLUS realtime updates. But if that's the case, why do the ATPs support a Hybrid mode where both Cloud and Signature analysis are done? What's the advantage? Or is Express mode more secure because of realtime updates, but slower overall because of cloud query latency? Or is it a subset of protection compared to Stream mode?

The McAfee announcement doesn't help much:
https://www.businesswire.com/news/home/20200427005100/en/Zyxel-Partners-McAfee-Provide-Robust-One-Box-Security

The Express mode leverages an ever-expanding AI-driven cloud database to provide an unprecedented level of threat intelligence, while the Stream mode uses a signature-based database to provide a granular and thorough deep local scan. The new hybrid mode combines the two functions to maximize security coverage with wide and deep security scans to protect the network from the inside-out and defend the business from rapidly evolving cyber attacks.

Can Zyxel provide some added insight into this? Hybrid makes sense on an ATP, but for a USG, when would you want Express? For real time threat updates but with less coverage and faster throughput? Or just if you needed a boost in throughput but you sacrifice some security?

All Replies

  • wabla47
    wabla47 Posts: 2
    I have the same question, which is important, especially since one cannot activate both modes concurrently on a USG.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited May 2020

    @itxnc

    On the Express mode, the throughput will be higher on UTM performance.

    To your questions, here are the pros and cons between Express and Stream Mode for your reference. It should be able to give you some ideas to make the decision.

    Express Mode:

    Better performance on UTM throughput and Threat intelligence will evolve by AI.

    However, on Express Mode, the internet is required. It cannot work in an isolated environment; mutant malware may be skipped initiatively.


    Stream Mode:

    Good for fresh mutant malware protection; signatures can be provided offline.

    However, the throughput could be affected due to computing power overhead, and the number of signatures is limited by hardware.


  • itxnc
    itxnc Posts: 69  Ally Member
    OK discounting the online/offline scenario where we should always have Internet access (it's an Internet gateway :) ), let me see if I'm understanding....

    Express uses AI that will learn over time, but is *less* effective against new threats? While the signature/Stream is better against new threats? 

    That seems to go against what you'd think, that by querying the cloud, you'd have access to threat signatures in realtime. So which gets the latest signatures first, Express or Stream? Or does Stream not do signature based threat analysis and is just Heuristic/AI based?
