While the concept of sandboxing isn’t new, it wasn’t until a few years ago that it entered the mainstream network security vocabulary and enterprises began using on-premises sandboxing appliances to test suspicious executables for malware. And while the results have been impressive — especially compared to systems that rely exclusively on signature-based antivirus software — there has been some criticism of late with respect to sandboxing’s potential and, especially, its limitations.
This criticism was nicely articulated in a recent article by IOActive’s CTO Gunter Ollmann, in which he argued that vendors who claim that this approach will stop all APTs and targeted attacks are flat out wrong because sandboxing appliances:
· Stumble when it comes to stopping targeted threats that require users to perform certain actions;
· Aren’t effective against threats that target less common desktop environments, such as those running 64-bit systems or are comprised of Apple, Android, Linux or non-Windows legacy devices;
In response to this, the first thing to note is that Ollmann is correct and his warning is significant: sandboxing appliances cannot replace an existing security solution, and vendors who suggest otherwise are guilty of overly-aggressive marketing at best, and outright deception at worst. In truth, sandboxing can only augment an existing system – it cannot replace one.
Yet with that being said, rumors of sandboxing’s demise are indeed greatly exaggerated. It certainly can and should be a big piece of the network security puzzle — provided that enterprises elevate their approach. How high should they aim? To the cloud, of course!
There are three key reasons why cloud-based sandboxes are qualitatively more effective than on-premise appliances:
1. Cloud-based sandboxes are free of hardware limitations, and therefore scalable and elastic. As a result, they can track malware over a period of hours or days — instead of seconds or minutes — to build robust malware profiles of targeted threats (such as the one that used a fake Mandiant APT1 report), or to uncover “Time Bomb” attacks that need to be simulated with custom times and dates (such as Shamoon).
2. Cloud-based sandboxes can be easily updated with any OS type and version, including those that aren’t part of a sandboxing appliance’s default set of images. Enterprises can also upload images and create their own custom environment.
3. Cloud-based sandboxes aren’t limited by geography. For example, attackers often target offices that are located in a different region than where the on-premise sandbox is running (typically the enterprise’s headquarters). As such, the attacker will not respond to the malware since it communicates from a different region. However, cloud-based sandboxes avoid this by allowing the malware to run from different locations worldwide.
Based on these reasons, it’s easy to see why cloud-based sandboxing makes sense for CISOs and everyone else who is tasked with defending the network (and since there’s no new hardware or software to purchase, it also makes CFOs and those holding the enterprise’s purse strings quite happy).
Yet, the beneficial picture I’ve painted here should not give rise to the error that some vendors have committed — and that Ollmann has rightly criticized — which is to suggest that cloud-based sandboxing will magically prevent 100% of APTs and targeted threats. That’s simply not possible, and likely will never be.
Ultimately, the best approach is to rely on cloud-based sandboxing, alongside botnet interception, cloud-based traffic log analysis, security appliances, tools and technologies, to create a comprehensive network security system; one that levels the playing field, and gives enterprises a fighting chance against today’s surprisingly sophisticated, well-funded and insidious cyber criminal.