Any child (and young-at-heart adult) knows that although the sandbox can be a very fun place to go on the playground, there are many other areas that have potentially more to offer for those adventurous enough to take the leap. The same holds true for the adventurous Chief Information Security Officer looking to find faster, less resource intensive and cheaper alternatives for zero-day threat prevention than conventional sandboxes.
Starting with the basics, according to Wikipedia, a sandbox is:
“a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.”
By design, a sandbox duplicates your production environment in order to provide a safe place in which to test potentially infected content. Sandbox gaps are widely known and how to exploit those gaps seem to be nothing more than a Google search away. Here is what VMRay has to say about exploting these gaps:
“The second approach directly attacks and exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem. For example, we have recently seen a large volume of malware that use Microsoft COM internally because most sandboxes cannot correctly analyze such samples. Other malware will use obscure file formats which cannot be handled by the sandbox or they exploit the sandbox’s inability to process files that exceed a certain size. We’ve published an example here where the malware attempts ‘blinding the monitor’ – that is, evading analysis by doing illegitimate API usage. This can be an effective method to hide from analyzers that rely on a hook or driver injected into the target machine.”
Sandboxing technology is often misunderstood and considered the panacea for network-based malware. It offers respectable value in certain areas but falls short as well. The area of value comes in that all cyber threats are “detonated” in a safe/secure area protecting production environments from potential harm. The falling short comes in the 3 Reasons to Avoid Sandboxes.
Once you’re caught up on why Sandboxes aren’t the best solution, you will be ready to discover what alternatives are available, or more specifically what characteristics should you be evaluating for Sandbox replacement.
For those of you not ready to completely give up your sandbox strategy, either due to comfort or still amortizing an original investment, we would also like to offer an approach to extend the life of your investment while great reducing the time, resources and cost in maintaining it. Check out a previous blog titled “Nitrous Oxide” for Your Sandbox for more specifics.
The Un-Sandbox Sandbox
When is a sandbox not a sandbox but can deliver similar (but superior) value? The great news is that there are evasion proof solutions that allow you to prevent instead of having to remediate cyber threats, even zero-day malware. Solebit’s SoleGATE (now part of Mimecast) uses deep inspection and analysis methods that can interpret and detect malicious code in real time and immediately block threats. It delivers the promised value of a sandbox but without the overhead in time delays, resources and costs.
With SoleGATE every line of code is evaluated, making Sandbox evasion techniques ineffective and on average, the analysis time is between milliseconds up to a few seconds as opposed to Network Sandboxes typically taking 5-15 minutes to perform the same analysis.Bottom line is that your users will be much happier now that content is flowing faster throughout your organization and finance will be happier with the reduced expenses.
See for yourself what SoleGATE can do to deliver evasion proof security and ensure the content is safe in your organization today. Register for a free trial today.