For an enterprise that's looking to leverage security sandboxes, when should an organization create full virtual machines, as opposed to just using software containers, or "jails"?
There are a few things to understand upfront about the differences between sandboxing and software containers, which are sometimes called "jails," before you decide which one to implement. The answer is a combination of both, but many organizations might not be able to afford both or might lack the expertise to implement them. Hopefully, understanding how they're used will allow enterprises to make an educated decision moving forward.
Sandboxes became a big hit a few years back, after we realized malware was still making its way past antivirus software and infecting our networks. The issue with antivirus is that all systems need signature-based agents installed on the machines, and they have to be updated to at least give the endpoint a fighting chance against malware. Since antivirus wasn't catching everything -- even when it was fully updated and installed on workstations -- the use of sandboxing grew.
Sandboxing relies on multiple virtual machines (VMs) to catch traffic as it ingresses/egresses in the network, and it is used as a choke point for malicious activity detection. The goal of sandboxing is to take unknown files and detonate them within one of the VMs to determine if the file is safe for installation. Since there are multiple evasion techniques, this doesn't always make for a foolproof solution; it's just an extra layer of defense.
With a software container, everything within it is considered dangerous. It doesn't try to determine if a file is bad; it just keeps it from spreading. Software containers don't use signatures; they simply keep the malicious activity contained. Many of the software containers today are built around an application and keep attacks from occurring in or spreading to other parts of the operating system. In many ways, the container takes sandboxing to the endpoint. It's not as worried about the file as it is about the application. There are also container-based configurations for operating systems -- like chroot jails in Linux, for example -- and these techniques all work on the same principle. Anything within them is always untrusted, and the containers will treat it that way.
Now, determining which one to use is tricky, and it's best to use both when possible. Sandboxing normally involves a system that's going to pick off files as they pass the sandbox, and it doesn't require an agent to be installed. On the other hand, software containers are usually endpoint-heavy, and they rely on how the endpoint or application is configured with the container. Try to decide which area is currently the largest risk to your environment and determine which one of these options will give you the most protection upfront.
It's really up to your architecture as to what makes the most sense for your environment, but understanding the difference between containers and sandboxes should definitely give you a starting point.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)