Sandboxing Technologies, Techniques Get Another Look
Neil MacDonald, a vice president at Gartner, wrote in a blog post last week that the idea of sandboxing potentially malicious content and applications isn’t new, but interest in this type of approach – particularly on Windows desktops – is on the rise.
A growing number of virtualization and abstraction techniques available on Windows, he wrote, create isolation to provide security separation.
FortiGuard Labs describes sandboxing as a practice employed by security technology to separate running programs and applications so malicious code cannot transfer from one process (a document reader) to another (the operating system).
Gartner believes there will be a renaissance in sandboxing/virtualization/container technologies on Windows and mobile devices. That’s based on innovation around virtualization techniques and decreasing effectiveness of signature-based approaches to protect against advanced targeted attacks and advanced persistent threats.
MacDonald writes the idea is compellingly simple: Define a core set of OSes and applications as “trusted,” then if you need to handle a piece of unknown content or application, treat it as untrusted by default and isolate its ability to damage the system, access enterprise data and launch attacks on other enterprise systems.
“In reality, it is harder than this,” wrote MacDonald. “There is no silver bullet in information security. Isolation can be powerful, but has its drawbacks.”
At the same time, he points out, you can’t lock out all content and applications. End users may want to download and run untrusted applications, and they’ll want these applications to handle trusted content. Untrusted content and applications need to persist on the file system and survive a reboot. All of these use cases involve risk, especially if end users are called on to make decisions as to when and where untrusted content and applications can be “trusted.”
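The “untrusted by default” model MacDonald describes can be shown concretely. The following is an added example, not code from Gartner, MacDonald, Bromium or Fortinet. It assumes a Linux host where content is handled by a Python interpreter: anything whose SHA-256 is not on a (constructed) allowlist is treated as untrusted and run in a child process with a scrubbed environment, a throwaway working directory, a CPU cap, and a file-size limit of zero so nothing can persist to disk. The names `classify`, `run_content`, `_confine`, `RunResult` and `TRUSTED_DIGESTS` are all hypothetical.

```python
import hashlib
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: the only "trusted" content is a snippet whose SHA-256
# was recorded in advance. Everything else is untrusted by default.
TRUSTED_SNIPPET = b"print(1 + 1)"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_SNIPPET).hexdigest()}


@dataclass
class RunResult:
    trusted: bool
    returncode: Optional[int]  # None when the wall-clock backstop killed the child
    stdout: str
    stderr: str
    killed: bool               # terminated by a signal or by the backstop


def classify(content: bytes) -> bool:
    """Default-deny: content is trusted only if its digest is on the allowlist."""
    return hashlib.sha256(content).hexdigest() in TRUSTED_DIGESTS


def _confine(cpu_seconds: int) -> None:
    """Runs in the child between fork and exec; the limits cannot be raised back."""
    # Cap CPU time so a runaway loop is terminated by SIGXCPU.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    # Forbid growing any regular file. Writes fail with EFBIG (Python ignores
    # SIGXFSZ, so the failure surfaces as OSError): untrusted content cannot
    # persist anything to disk, one of the drawbacks MacDonald lists.
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))


def run_content(content: bytes, cpu_seconds: int = 2, wall_seconds: int = 10) -> RunResult:
    """Run content as a Python snippet; trusted content runs as-is, the rest is confined."""
    argv = [sys.executable, "-I", "-c", content.decode("utf-8")]
    if classify(content):
        proc = subprocess.run(argv, capture_output=True, text=True)
        return RunResult(True, proc.returncode, proc.stdout, proc.stderr, False)

    with tempfile.TemporaryDirectory() as scratch:
        # Scrubbed environment and a scratch directory that is deleted on return,
        # so nothing the untrusted code does to its surroundings outlives the call.
        env = {"PATH": "/usr/bin:/bin", "HOME": scratch, "LANG": "C"}
        try:
            proc = subprocess.run(
                argv, cwd=scratch, env=env, capture_output=True, text=True,
                timeout=wall_seconds, preexec_fn=lambda: _confine(cpu_seconds),
            )
        except subprocess.TimeoutExpired:
            # Wall-clock backstop in case the CPU limit never fires (e.g. a sleep loop).
            return RunResult(False, None, "", "", True)
    return RunResult(False, proc.returncode, proc.stdout, proc.stderr, proc.returncode < 0)


if __name__ == "__main__":
    samples = (
        TRUSTED_SNIPPET,                                             # allowlisted
        b"while True: pass",                                         # runaway CPU
        b"f = open('persist.txt', 'w'); f.write('x' * 16); f.flush()",  # tries to persist
    )
    for sample in samples:
        print(sample.decode(), "->", run_content(sample))
```

Resource limits bound what the child can consume and write, but they do not restrict network access or shrink the kernel attack surface the child still shares with the host; that needs namespaces, seccomp or a hypervisor boundary, and it is the foundation-level weakness the next paragraphs describe.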
Another issue is hackers targeting the containment mechanism itself. MacDonald points to the recent Java zero-day as a direct result of a breach of containment and recalls solution provider Bromium’s recent event presentation that demonstrated how to break containment of several leading sandboxing solutions.
Interestingly, he writes, rather than attack the walls or doors of the containment mechanism, Bromium’s breaches originated by attacking the OS kernel. Gartner equates this to saying, “I don’t care how thick your walls and roof are, or what they are made of – these containment structures are built on a foundation with a bunch of holes.”
There are plenty of emerging alternatives at all layers in the stack: Make sure you understand the pros and cons of solutions and approaches before buying.
For its part, Fortinet last month launched a cloud-based sandboxing service aimed at staving off advanced persistent threats. The FortiGuard Labs service adds a layer of capabilities for Fortinet’s flagship appliances FortiGate, FortiCloud and FortiDDoS.
The sandboxing service detects malware with behavioral technologies and executes suspicious code in a virtual environment. Suspicious files are then submitted to the hosted service for additional scanning without impacting the performance of the appliance. The FortiCloud solution creates an online sandboxing portal with detailed status and visibility into the results of the scan.