A psychologist might tell you that the way a child plays in the sandbox is a reflection of how they will act in their adult life. The same is true for malicious software, though we aren't speaking about the same sandbox.
There is growing concern among security professionals about advanced persistent threats (APTs). The problem is not new, but it is of growing importance. Now, more than ever, highly targeted attacks (often specifically crafted to beat traditional defenses) pose a significant risk to enterprise-level organizations. Despite advances in established security capabilities such as endpoint protection platforms and next-generation firewalls, the stealth and perseverance of modern attackers is carrying the day, leaving a challenging security gap.
Closing this gap is critical because of the ease with which attackers are entering the network. It is sometimes as simple as wrapping a malicious element in a seemingly safe file so that it matches no known signature, allowing it to slide right past a conventional firewall. While next-generation firewalls play an important role in defending against advanced persistent threats, there is a growing need for something more.
Enter Specialized Threat Analysis and Protection (STAP) products, including "sandboxing," a market forecast to grow to $1.2bn annually over the next few years. As defined by analyst group IDC, "STAP products must use a predominantly signature-less technology (i.e., sandboxing, emulation, big data analytics, containerization) to detect malicious activity." The reality is that, given the prospect of very simple code (often designed to do nothing more than reach out to a website) hiding in legitimate documents and websites, there is sometimes no way to know for certain that something is safe until it is already too late. Which is where the sandbox comes in.
How does it work?
In short, a "sandbox" in this context is generally a server that runs virtual desktop images reflecting an end-user environment and, ideally, includes automation that makes each image behave like a real user desktop so as to trigger whatever activity the code has been built to perform. In the case of unknown malware, this activity might include:
- Exploitation of software vulnerabilities
- System or process changes
- Irregular network activity
- Communication with malicious sites
- Downloads of additional code
- And much more
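As an added example (not code from the original post or from any Fortinet product), the following Python script scores a behaviour report of the kind a sandbox produces against the indicator classes listed above: an exploit or macro spawning a script host, system and persistence changes, contact with untrusted hosts, and download and execution of additional code. The event schema, the point values, the trusted-host allowlist and both sample reports are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed behaviour trace (not real sandbox output): the event stream an
# instrumented VM might record while user-simulation automation opens a document.
SAMPLE_REPORT = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA..."},
    {"type": "file", "op": "write", "path": "C:\\Users\\Public\\update.exe"},
    {"type": "registry", "op": "set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"type": "dns", "query": "cdn-update-check.example"},
    {"type": "http", "method": "GET", "host": "cdn-update-check.example",
     "path": "/payload.bin", "response_bytes": 204800},
    {"type": "process", "parent": "powershell.exe", "image": "update.exe",
     "cmdline": "update.exe"},
]

# Constructed benign trace: a document opened and saved, one lookup of a trusted host.
CLEAN_REPORT = [
    {"type": "process", "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
    {"type": "dns", "query": "office.com"},
    {"type": "file", "op": "write", "path": "C:\\Users\\user\\report.docx"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bin")
TRUSTED_HOSTS = {"office.com", "update.microsoft.com"}  # assumed allowlist for the example


@dataclass
class Verdict:
    score: int = 0
    indicators: list[str] = field(default_factory=list)

    def hit(self, points: int, reason: str) -> None:
        self.score = min(100, self.score + points)
        self.indicators.append(reason)

    @property
    def label(self) -> str:
        if self.score >= 70:
            return "malicious"
        if self.score >= 30:
            return "suspicious"
        return "clean"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> Verdict:
    """Score one behaviour report. Weights are illustrative, not vendor values."""
    v = Verdict()
    dropped: set[str] = set()      # executables the sample wrote to disk
    seen_hosts: set[str] = set()   # untrusted hosts already counted once
    for e in events:
        kind = e["type"]
        if kind == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                v.hit(40, f"exploit/macro: {e['parent']} spawned {e['image']}")
            tokens = e.get("cmdline", "").lower().split()
            if any(t in ("-enc", "-encodedcommand") for t in tokens):
                v.hit(15, "encoded PowerShell command line")
            if image in dropped:
                v.hit(20, f"executed dropped file {e['image']}")
        elif kind == "file" and e["op"] == "write" and e["path"].lower().endswith(EXECUTABLE_EXT):
            dropped.add(_basename(e["path"]))
            v.hit(15, f"wrote executable {e['path']}")
        elif kind == "registry" and e["op"] == "set" and any(k in e["key"].lower() for k in PERSISTENCE_KEYS):
            v.hit(25, f"persistence via {e['key']}")
        elif kind in ("dns", "http"):
            host = e.get("query", e.get("host", "")).lower()
            if host and host not in TRUSTED_HOSTS and host not in seen_hosts:
                seen_hosts.add(host)
                v.hit(10, f"contacted untrusted host {host}")
            path = e.get("path", "").lower()
            if kind == "http" and path.endswith(EXECUTABLE_EXT) and e.get("response_bytes", 0) > 0:
                v.hit(20, f"downloaded additional code from {host}{e['path']}")
    return v


if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("clean", CLEAN_REPORT)):
        verdict = analyze(report)
        print(f"{name}: {verdict.label} (score {verdict.score})")
        for reason in verdict.indicators:
            print("  -", reason)
```

Running the script prints a verdict for each constructed report. Two caveats matter in practice: the thresholds are arbitrary and need tuning against known-good activity from your own environment, and a sample that detects the virtual machine or sleeps past the detonation window produces an empty report and therefore a "clean" verdict, which is one reason a sandbox verdict is a learning tool rather than a guarantee.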
What place does a sandbox have in my network?
Common use cases include:
Email Gateway Plus Sandbox: Suspicious or high-risk files in emails can be quarantined by the existing gateway solution and held until sandbox analysis returns a verdict.
Network Firewall Plus Sandbox: Files delivered via the web can be copied into the sandbox to speed detection of sophisticated threats.
Endpoint Protection Plus Sandbox: When end-user PCs are behaving unexpectedly, new files found on them can be uploaded to the sandbox for inspection.
The list goes on, but an important thing to keep in mind is that a sandbox is typically used to learn about a previously unknown attack in order to react faster. It is not a "silver bullet" for stopping everything. A Fortinet partner recently said, "My customers know that they have a big gap in security due to these highly targeted attacks and anything you can do to help close that gap helps."