What's the difference between software containers and sandboxing?

Understanding the difference between software containers and sandboxing can help enterprises make the right decision about which to use. Expert Matthew Pascucci explains them.

For an enterprise that's looking to leverage security sandboxes, when should an organization create full virtual machines, as opposed to just using software containers, or "jails"?

There are a few things to understand upfront when speaking about the differences between sandboxing and software containers, which are sometimes called "jails," and before you make a decision on which one to implement. The answer is a combination of both, but many organizations might not be able to afford or have the expertise to implement both. Hopefully, understanding how they're used will allow enterprises to make an educated decision moving forward.

Sandboxes became a big hit a few years back, after we realized malware was still making its way past antivirus software and infecting our networks. The issue with antivirus is that all systems need signature-based agents installed on the machines, and they have to be updated to at least give the endpoint a fighting chance against malware. Since antivirus wasn't catching everything -- even when it was fully updated and installed on workstations -- the use of sandboxing grew.

Sandboxing relies on multiple virtual machines (VMs) to catch traffic as it ingresses or egresses the network, and it is used as a choke point for malicious activity detection. The goal of sandboxing is to take unknown files and detonate them within one of the VMs to determine if the file is safe to install. Since there are multiple evasion techniques, this isn't a foolproof solution; it's just an extra layer of defense.

With a software container, everything within it is considered dangerous. It doesn't try to determine whether a file is bad; it simply contains the file so that it can't spread. Software containers don't use signatures; they just keep malicious activity from spreading. Many of today's software containers are built around an application and isolate attacks so they can't occur in, or spread to, other parts of the operating system. In many ways, the container takes sandboxing to the endpoint: it's less concerned with the file than with the application. There are also container-based configurations for operating systems -- chroot jails in Linux, for example -- and these techniques share the same principle: anything within them is always untrusted, and the containers will treat it that way.

Now, determining which one to use is tricky, and it's best to use both when possible. Sandboxing normally involves a system that's going to pick off files as they pass the sandbox, and it doesn't require an agent to be installed. On the other hand, software containers are usually endpoint-heavy, and they rely on how the endpoint or application is configured with the container. Try to decide which area is currently the largest risk to your environment and determine which one of these options will give you the most protection upfront.

It's really up to your architecture as to what makes the most sense for your environment, but understanding the difference between containers and sandboxes should definitely give you a starting point.

This was last published in January 2017