How to Choose a Sandbox
Published 04/24/2017
Grab a shovel and start digging through the details
By Mathias Wilder, Area Director and General Manager/EMEA Central, Zscaler
Businesses have become painfully aware that conventional approaches — virus signature scanning and URL filtering — are no longer sufficient in the fight against cyberthreats. This is in part because malware is constantly changing, generating new signatures with a frequency that far outpaces the updates of signature detection systems. In addition, malware today tends to be targeted to specific sectors, companies, or even individual members of a management team, and such targeted attacks are difficult to spot. It has become necessary to use state-of-the-art technology based on behavioral analysis, also known as the sandbox. This blog examines how a sandbox can increase security and it looks at what to consider when choosing a sandbox solution.
The sandbox as a playground against malware
Zero-day ransomware and new malware strains are spreading at a frightening pace. Due to the dynamic nature of the attacks, it is no longer possible to develop a signature for each new variant. In addition, signatures tend to be available only after malware has reached a critical mass — in other words, after an outbreak has occurred. As malware changes its face all the time, the code is likely to change before a new signature for any given type of malware can be developed, and the game starts from scratch. How can we protect ourselves against such polymorphous threats?
There is another trend that should influence your decision about the level of protection you need: malware targeted at individuals. It is designed to work covertly, making smart use of social engineering mechanisms that are difficult to identify as fake. It only take a moment for a targeted attack to drop the harmful payload — and the amount of time between system infection and access to information is getting shorter all the time.
What is needed is a quick remedy that does not rely on signatures alone. To detect today’s amorphous, malicious code, complex behavioural analysis is necessary, which in turn requires new security systems. The purpose of a sandbox is to analyse suspicious files in a protected environment before they can reach the user. The sandbox provides a safe space, where the code can be run without doing any harm to the user’s system.
The right choice to improve security
Today’s market appears crowded with providers offering various solutions. Some of them include virtualization technology (where an attack is triggered through what appears to be virtual system) or a simulated hardware solution (where the malware is offered a PC), through to solutions in which the entire network is mapped in the sandbox. However, malware developers have been hard at work, too, and a well-coded package can recognize whether a person is sitting in front of the PC, it can detect if it’s in a virtual environment in which case it can alter its behavior, and it can undermine the sandboxing measures by delaying activation of the malicious code after infection. So, what should companies look for when they want to enhance their security posture through behavioral analysis?
What to look for in a sandbox
- The solution should cover all users and their devices, regardless of their location. Buyers should check whether mobile users are also covered by a solution.
- The solution should work inline and not in a TAP mode. This is the only way one can identify threats and block them directly without having to create new rules through third-party devices such as firewalls.
- First-file sandboxing is crucial to prevent an initial infection without an existing detection pattern.
- It should include a patient-zero identification capability to detect an infection affecting a single user.
- Smart malware often hides behind SSL traffic, so a sandbox solution should be able to examine SSL traffic. With this capability, it is also important to look at performance, because SSL scanning drains a system’s resources. With respect to traditional appliances, a multitude of new hardware is often required to enable SSL scanning — up to eight times more hardware, depending on the manufacturer.
- In the case of a cloud sandbox, it should comply with relevant laws and regulations, such as the Federal Data Protection Act in Germany. It is important to ensure that the sandboxing is done within the EU, ideally in Germany. The strict German data protection regulations also benefit customers from other EU countries.
- A sandbox is not a universal remedy, so it should, as an intelligent solution, be able to work with other security modules. For example, it is important to be able to stop the outbound traffic to a command-and-control (C&C) centre in the case of an infection. In turn, it should be possible to turn off the infected computer by tracing back the C&C communication.
Putting it all together
All these criteria can be covered by an efficient and highly integrated security platform, rather than individual hardware components (“point” appliances). One advantage of such a model is that you get almost instantly correlated logs from across the security modules on the platform without any manual interaction. If a sandbox is part of the platform, the interplay of various protection technologies through the automated correlation of data ensures faster and significantly higher protection. This is because it is no longer necessary to feed the SIEM system manually with logs from different manufacturers.
Platform models do not lose any information as they allow all security tools — such as proxy, URL filters, antivirus, APT protection, and other technologies — to communicate with one another. It eliminates the time-consuming evaluation of alerts, as the platform blocks unwanted data extraction automatically. A cloud-based sandbox together with a security platform is, therefore, an effective solution. It complements an existing security solution by adding behavioral analysis components to detect previously unknown malware and strengthens the overall security posture — without increasing operating costs.