Are your cyber defenses stuck in the sandbox?
Installing a network sandbox to safeguard against external threats has been accepted by many as the gold standard for more than a decade. Sandbox-based cybersecurity solutions are a protected and isolated environment on a network that simulates a company’s production network for security testing and analysis purposes.
In advanced threat protection, sandboxing provides an added layer of protection in which any email that passes the email filter and still contains unknown URL links, file types, or suspicious senders can be isolated and tested before they reach the network or mail server. But as more businesses move their critical data and cybersecurity defenses to the cloud and the volume of network traffic increases substantially, enterprise cybersecurity teams are rethinking their use of sandbox environments.
As new cybersecurity machine-learning technologies take hold and improve the speed and accuracy of identifying and mitigating threats, enterprises are shifting how they deploy sandboxes to reduce costs and improve the speed of advanced threat detection. Here are the top four reasons to re-evaluate and evolve your organization’s approach to sandbox security solutions:
Malware evasion techniques
As nation-states and organized hacking groups increasingly become more sophisticated with their attack vectors, several have effectively eluded sandbox defenses. It’s becoming increasingly easier to avoid the sandbox as enterprises generally direct only a sampling of their traffic to the sandbox. Malware often uses various evasions that work on a sandbox or physical endpoint, including time delays and specific user actions/interactions – both of which sandboxes try to account for, but can’t always.
Another common detection evasion technique includes requiring instruction from an organization’s C2 channel (a channel that is set up to remotely control another system), which can’t be simulated by a sandbox. Or threat actors can simply play a numbers game against the organization’s infrastructure and sandbox by sending the same messages weeks or months later or pinpoint an organization’s rules for sending messages to the sandbox to avoid it.
And finally, threat actors can simply overwhelm the sandbox with increased traffic to make the sandbox extra busy, so it’s easier for other malware to avoid detection. These are just a few of the evasion tactics cybercriminals are deploying to get around sandbox defenses.
Time to detect
More organizations are migrating their security tools (and their production workloads and data) to the cloud to provide widespread access and increase overall scalability. On networks with high data rates or with hybrid infrastructures, sandboxes become cost prohibitive to scale to meet needs. Sandboxes can typically analyze a threat object in a couple of minutes for a network running at couple of gigabits per second (Gbps) of network throughput.
However, as traffic scales, the number of objects that need to be analyzed can get overwhelming. One answer for detecting malware at a much quicker pace at today’s network speeds is machine-learning advanced threat detection. Instead of dynamically executing a sample, machine learning technologies can statistically analyze an attack and give a response in seconds at line speed.
Waiting minutes for a sandbox to analyze a file is a recipe for disaster, as threat actors can quickly deploy malware like WannaCry and completely take over a network. In threat detection, every second counts.
Total cost of ownership
It’s expensive to operate a full sandbox solution for an organization’s cybersecurity needs. On average, sandbox solutions cost twice as much to run as machine-learning solutions today. On large enterprise networks with enormous amounts of data moving through it, it’s extremely costly to sandbox. On high data rate and complex networks, the security team sends only a small representative set of content and traffic for analysis by a sandbox creating a significant gap in coverage.
Enterprises are then forced to either live with the gap or set up tens to hundreds or even thousands of sandboxes for very large corporations to cover potential threats. That’s a lot of additional cybersecurity infrastructure costs and rack space and power consumption in the data center or in the cloud for enterprises to manage, operate, monitor, maintain, and upgrade. This increases the total cost of ownership for enterprises to absorb.
Limited attack vector protection
Because total cost of ownership to sandbox is high, cybersecurity teams will try to identify which data is suspicious and thus limit the data sent to sandbox to limit the cost. By not evaluating all the data for threats in real time at line speed, there are gaps in security coverage. Sandboxes can’t effectively cover entire attack surfaces that machine-learning solutions can. Sandboxes provide widespread detection of executables but have a spottier track record detecting advanced persistent threats, zero-day malware or non-executable binaries.
Most companies run a fraction of their data through the sandbox, creating down sampling events and often must guess which data is suspect. For larger networks, as down sampling is compounded, it often takes the sandbox multiple minutes to root out the suspect data or file. This gives threat actors ample time to access weaknesses or detonate attacks.
When part of a robust, multi-layered cybersecurity defense, sandboxing is a useful tool in an organization’s cybersecurity arsenal. But as more scalable, machine-learning cybersecurity approaches come to market, organizations can better aim their sandboxing solutions to identify and analyze root cause security issues – further safeguarding investments and providing excellent visibility to SOC analysts.
Knowing when to use sandbox solutions is critical to protecting an organization against ever elusive and increasingly sophisticated threat attack vectors. Sandboxes are great at delivering valuable insight to an analyst when making certain decisions about malware process execution and can safely detonate and record malware behaviors to help malware analysts better understand threats.
Sandboxes are even quite helpful when paired with machine learning advanced threat protection tools to reduce samples. This allows sandboxes to fulfill their original intent – execute only suspect files to determine the root cause and makeup of an attack and provide analysts with the knowledge needed to implement operational rules to avoid future attacks.