A top security industry vendor recently announced a sandbox appliance for advanced threat protection. Can you please...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
explain what these appliances are and in what scenarios they offer value to an enterprise?
For those who aren't familiar with the concept in the context of information security, a sandbox is an isolated environment in which a program or file can be executed without affecting the application in which it runs. Sandboxes are a great advancement in incident response, forensics and malware analysis and have been extremely beneficial for blocking malware at the network level.
In the introduction of sandboxing to antimalware research, malware authors attempted to detect sandboxes and alter their malware to avoid detection. There has been a continual cat-and-mouse game of improving sandboxes and finding ways to detect the sandbox ever since.
Modern enterprises will benefit from sandboxes in many different ways, and extending sandboxing to the network level will certainly help combat malware. There are many examples of enterprise sandbox use:
- Adobe Reader includes a sandbox to minimize the risk of opening a potentially malicious PDF file. Reader limits access to the local system from the application to stop the malicious PDF from compromising a system.
- Similarly, Internet Explorer sandboxes Web-based content or anything opened in Internet Explorer.
- Virtual machines are used as sandboxes to contain an attack to the individual system.
- Some host-based antimalware tools first execute a file in a sandbox, monitor what it does and identify potentially malicious behavior before giving access to the local system. In a sandbox in a network-based antimalware tool, any time an executable is downloaded on the enterprise's network, the executable is run in the sandbox on the appliance to determine if it is malicious. If it is determined malicious, it is blocked or an alert is generated.
Per your question, a variety of unified threat management, next-generation firewall, Web gateway and other threat-detection vendors have introduced sandboxing features to their products. In most cases, when a potentially malicious file or program is detected, the device places it into a sandbox and opens or executes it to determine whether it is in fact malicious. In most instances the sandboxing relies on the device's ability to first identify malicious activity.
It's great to see sandboxing become a more broadly used security control within a wide variety of enterprise security products, but ultimately it's just one feature. Stopping APTs requires an entire "kill chain" of security controls, products and policy so that organizations have multiple methods to detect and disrupt an advanced attack.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how ...continue reading
The Mazar malware can wipe an entire Android device once it has been installed. Expert Nick Lewis explains how this malware works, and how attacks ...continue reading
MouseJack, a wireless mouse and keyboard security flaw, allows attackers to type malicious commands. Expert Nick Lewis explains how enterprises can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.