Brad, I know you've been an advocate for using virtualization/sandboxing to detect malware, but I've seen other security analysts say that sandboxing is limited because of the inability to cover all platforms and targeted attacks. Would you agree with this assessment? What would you say the limitations to virtualized environments are from a security perspective, and how should they be supplemented?
Ask the expert
I would certainly agree with this assessment. While I am a big fan of offloading packets that contain executables to a separate device, executing them, and testing for malicious code, I am not fond of utilizing this solely. Much like your investment portfolio, your security strategy should be diversified, namely via a network security defense-in-depth paradigm.
In terms of limitations, many of them concern application sandboxes that execute files on the same box on which the sandbox resides, which is somewhat different from the offloading scenario I described above. Application sandboxing has some profound limitations, and many -- if not all -- of them stem directly from inherent weaknesses in the underlying operating system.
A number of recent sandbox-escape scenarios sidestep the sandbox by way of weaknesses in the Windows kernel. Perhaps the most infamous of these kernel exploits is a piece of malware known as Duqu. In a nutshell, Duqu abuses the fact that Microsoft Word, when rendering a document, must call into the kernel and its underlying font engine; a flaw at that level lets the malicious document reach kernel code, where an application sandbox has no say. Admittedly, kernel exploits require a unique degree of sophistication to write, but they are nonetheless a threat to be monitored.
With regard to sandbox supplementation, I suggest pairing strict access control lists at the firewall with some sort of deep packet inspection mechanism. While sandboxing may have limitations, it can still run executables and look for callouts within the code. If the callouts are known to be malicious, your sandboxing efforts are not for nothing, and you can subsequently use this information as a means of discarding the accompanying packet.
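The workflow described above, as an added example that is not part of the original column: a sandbox report listing the network callouts a sample made is matched against an indicator list the analyst already trusts, the sample is classified, and the matching callouts are turned into firewall ACL deny entries that a packet-inspection step can then enforce. The sandbox reports, the indicator list and the Cisco-style ACL syntax are all constructed for illustration; a sample that produced no callouts is deliberately left "inconclusive" rather than "clean", reflecting the limitation that a sandbox only sees what the sample chooses to do while it is being watched.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Callout:
    """A network callout the sandbox observed while the sample ran."""
    host: str
    port: int
    proto: str = "tcp"


@dataclass
class SandboxReport:
    """Minimal sandbox output: which sample ran and what it reached out to."""
    sample_id: str
    callouts: list[Callout] = field(default_factory=list)


# Constructed indicator list (hypothetical): hosts already known to be malicious.
KNOWN_BAD_HOSTS = {"198.51.100.23", "c2.example.invalid"}

# Constructed reports (hypothetical). Sample A phoned home to a known-bad host
# and to a benign update server; sample B did nothing observable.
REPORT_A = SandboxReport(
    "constructed-sample-A",
    [
        Callout("198.51.100.23", 443),
        Callout("update.example.com", 80),
        Callout("198.51.100.23", 443),  # duplicate callout, collapsed below
    ],
)
REPORT_B = SandboxReport("constructed-sample-B", [])


def malicious_callouts(report: SandboxReport, known_bad: set[str]) -> list[Callout]:
    """Only callouts to hosts already known to be bad count as evidence."""
    return [c for c in report.callouts if c.host.lower() in known_bad]


def classify(report: SandboxReport, known_bad: set[str]) -> str:
    """Verdict for the sample; no callouts at all is not proof of innocence."""
    if not report.callouts:
        return "inconclusive"  # may be benign, or may have slept / detected the sandbox
    return "malicious" if malicious_callouts(report, known_bad) else "unknown"


def acl_entries(callouts: list[Callout]) -> list[str]:
    """Cisco-style extended ACL deny lines, one per distinct (proto, host, port)."""
    seen: set[tuple[str, str, int]] = set()
    lines: list[str] = []
    for c in callouts:
        key = (c.proto, c.host, c.port)
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"deny {c.proto} any host {c.host} eq {c.port}")
    return lines


def build_blocklist(reports: list[SandboxReport], known_bad: set[str]) -> set[tuple[str, str, int]]:
    """Aggregate confirmed-malicious callouts across all reports for the DPI stage."""
    blocked: set[tuple[str, str, int]] = set()
    for r in reports:
        for c in malicious_callouts(r, known_bad):
            blocked.add((c.proto, c.host, c.port))
    return blocked


def flow_verdict(dst_host: str, dst_port: int, proto: str, blocked: set[tuple[str, str, int]]) -> str:
    """Packet-inspection decision for a live flow against the derived blocklist."""
    return "drop" if (proto, dst_host.lower(), dst_port) in blocked else "forward"


if __name__ == "__main__":
    for report in (REPORT_A, REPORT_B):
        print(report.sample_id, "->", classify(report, KNOWN_BAD_HOSTS))
    for line in acl_entries(malicious_callouts(REPORT_A, KNOWN_BAD_HOSTS)):
        print("ACL:", line)
    blocklist = build_blocklist([REPORT_A, REPORT_B], KNOWN_BAD_HOSTS)
    print("flow to 198.51.100.23:443 ->", flow_verdict("198.51.100.23", 443, "tcp", blocklist))
```

The benign update-server callout never reaches the ACL, which is the point of requiring a match against a trusted indicator list before acting: a sandbox that blocks every destination a sample touches will quickly block legitimate infrastructure.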