Brad, I know you've been an advocate for using virtualization/sandboxing to detect malware, but I've seen other security analysts say that sandboxing is limited because of the inability to cover all platforms and targeted attacks. Would you agree with this assessment? What would you say the limitations to virtualized environments are from a security perspective, and how should they be supplemented?
I would certainly agree with this assessment. While I am a big fan of offloading packets that contain executables to a separate device, executing them, and testing for malicious code, I am not fond of utilizing this solely. Much like your investment portfolio, your security strategy should be diversified, namely via a network security defense-in-depth paradigm.
In terms of limitations, many of these concepts have to do with application sandboxes that execute files on the same box on which the sandbox resides, which is a little different from my offloading scenario mentioned above. There are some profound limitations with application sandboxing. Many -- if not all -- of these limitations are directly related to inherent weaknesses existing within the underlying operating system.
A number of recent kernel-sidestepping scenarios are directly related to weaknesses in the Windows kernel. Perhaps the most infamous of these kernel exploits is a piece of malware known as Duqu. In a nutshell, Duqu exploits a characteristic in Microsoft Word that requires the Word application to make a call to the kernel and manipulate the underlying font engine. Admittedly, kernel exploits require a unique degree of sophistication to write, but they are nonetheless a threat to be monitored.
With regard to sandbox supplementation, I suggest pairing strict access control lists at the firewall with some sort of deep packet inspection mechanism. While sandboxing may have limitations, it can still run executables and look for callouts within the code. If the callouts are known to be malicious, your sandboxing efforts are not for nothing, and you can subsequently use this information as a means of discarding the accompanying packet.
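The supplementation workflow described in the answer, as an added illustration that is not part of the original Q&A: callouts observed while detonating an offloaded executable are matched against known-malicious domains and network ranges, and each hit becomes a firewall deny entry. The sandbox report, the indicator lists and the ACL line format are all constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sandbox detonation report (not from any real product): the
# network "callouts" observed while the offloaded sample was executed.
SANDBOX_REPORT = json.loads("""
{
  "sample_sha256": "PLACEHOLDER-SHA256",
  "callouts": [
    {"proto": "tcp", "dst": "198.51.100.23", "port": 443, "host": "update.example.net"},
    {"proto": "tcp", "dst": "203.0.113.9", "port": 8080, "host": "cdn.bad-example.test"},
    {"proto": "udp", "dst": "192.0.2.77", "port": 53, "host": null}
  ]
}
""")

# Constructed threat-intel lists: known-bad domains (matched by suffix so
# subdomains are caught too) and known-bad network ranges.
BAD_DOMAINS = {"bad-example.test"}
BAD_NETWORKS = [ip_network("192.0.2.0/24")]

def domain_is_bad(host, bad_domains=BAD_DOMAINS):
    """True if host equals, or is a subdomain of, a known-bad domain."""
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))

def ip_is_bad(dst, bad_networks=BAD_NETWORKS):
    """True if the destination address falls inside a known-bad range."""
    return any(ip_address(dst) in net for net in bad_networks)

def triage(report):
    """Return a verdict and illustrative ACL-style deny rules for bad callouts."""
    rules = []
    for c in report["callouts"]:
        if domain_is_bad(c.get("host")) or ip_is_bad(c["dst"]):
            rules.append(f"deny {c['proto']} any host {c['dst']} eq {c['port']}")
    verdict = "malicious" if rules else "no known-bad callouts"
    return verdict, rules

if __name__ == "__main__":
    verdict, rules = triage(SANDBOX_REPORT)
    print(verdict)
    print("\n".join(rules))
```

Callouts with no known-bad match are left alone, which is exactly the gap the answer says deep packet inspection and strict firewall ACLs must cover.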
Related Q&A from Brad Casey, Contributor