Skip to content

What is a sandbox? And why do I need one to defend against advanced threats?

sophos-sandstormIT teams in organizations of all sizes understand that sophisticated cyberattacks can use unknown malware to evade traditional gateway and endpoint protection.

These advanced persistent threats, or APTs, use custom-developed targeted attacks to gain access to a network and remain undetected for long periods of time. The success of APTs depends on staying under the radar as long as possible, using evasive coding techniques to slip past traditional security barriers and steal sensitive data.

This is why many organizations are considering additional “next-generation” solutions to deal with these unknown threats. One technology that’s had a fair share of hype is the sandbox. A sandbox is an isolated, safe environment, which imitates an entire computer system. In the sandbox, suspicious programs can be executed to monitor their behavior and understand their intended purpose, without endangering an organization’s network.

You might be asking yourself a few questions about what a sandbox is and how it stops advanced threats. Let’s answer these questions to understand why organizations of all sizes should consider a sandbox solution.

1. Do I really need a sandbox?

Organizations need a range of security technologies to protect them from threats both known and unknown. What a sandbox provides is your own dedicated environment to analyze, understand and take action on the threats to your organization that haven’t been detected by conventional security measures. Sophisticated, targeted malware, designed to evade detection, will be detected and blocked when detonated in your sandbox.

2. Why don’t my conventional defenses protect me from these APTs?

Signature-based antivirus is reactive and increasingly outpaced by today’s attackers. Most leading security vendors use a range of approaches such as malicious traffic detection capabilities and emulation to supplement signature-based detection. However, if your data or credentials are valuable enough to the attacker, they will have spent time discovering what type of security you are using and tested their unique malware to ensure that it will evade detection by your defenses.

3. Surely this kind of technology is only for larger organizations?

The attack on Target Stores resulted in 40 million credit card numbers stolen. Target is certainly a large organization, but what’s important to consider is that the attackers stole the credentials of Target’s air conditioning contractor. This small supplier was seen as a soft target and an easier route into the larger business. So organizations of all sizes should consider sandbox technology; a targeted attack could cost you your key customers and is one factor in the statistic that 60% of small firms go out of business within six months of a data breach.

4. Another point solution? That sounds expensive.

Previously, a sandbox solution had to run on dedicated hardware and have a team of analysts, limiting it to large enterprises and malware research labs. By moving sandboxing to the cloud, the reduction in cost means security vendors can apply more processing power and share resources across multiple customers. It also means you no longer have to rely on in-house expertise, as vendors or partners can provide the analysts from a central location. This reduces the costs to such a level that all organizations can afford sandboxing.

5. It sounds complicated – do I have the resources to try and deploy this?

When you begin to trial solutions, consider solutions that are easy to try and deploy. Cloud-based solutions can be rapidly deployed giving you instant results without the need to deploy hardware or upgrade appliances.

We address all these questions in our new guide Defeating the Targeted Threat: Bolstering Defenses With a Sandbox Solution. The paper explains why you should consider a sandbox and answers your questions about what to look for in a sandbox solution.

To find out if Sophos Sandstorm is the right sandbox solution for your business, visit sophos.com/sandstorm.

3 Comments

I need the exact explanation for sandbox vs firewall

Reply

Generally speaking, the term “network firewall” is a metaphor for a secure network router that sits between two parts of your network to manage the stuff that travels between them.

Typically you plug one firewall network port into your internet connection and another into the rest of the network so that network traffic has to pass through the firewall, which therefore becomes a choke point to help you keep the bad stuff out and the good stuff in.

A “malware sandbox” is a special, controlled environment in which you deliberately run suspicious files under close observation to see what they do. This allows you to monitor the behaviour of new malware realistically, but without putting other computers or users at risk.

A firewall may choose to send unknown files (with permission, of course) off to a sandbox for automatic analysis.

Our sandbox, known as Sandstorm, doesn’t run on the firewall itself but on special servers, operated by us, that provide a controlled, lab-like environment. This helps with both performance and safety.

The sandbox can then report back to the firewall to help it decide whether to block, allow, clean, quarantine, and so on.

Quick answer: network firewall = secure network gateway to keep bad stuff out and good stuff in; malware sandbox = controlled environment where possible new malware can be experimented with safely.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!