
Sandboxing critical to threat detection

By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 26 Aug 2016
Today's threats are becoming more and more sophisticated and often bypass traditional malware security, says Fortinet.

As data breaches continue to make headlines, security has become the number one priority for most enterprises in 2016.

This is according to John Ward, Systems Engineer, Africa, at Fortinet, who was speaking at a media round table discussion in Johannesburg yesterday.

Ward says today's threats are becoming more and more sophisticated and often bypass traditional security.

"Cyber breaches have become an industry. These criminals now work like a full-time organisation, with strategists and information technology specialists who understand your environment."

Therefore, with increasingly advanced threats found on networks, organisations should now assume that they are in a state of continuous compromise - especially given the time malware remains undetected, says Ward.

He points out that sandboxing should play a critical role in organisations' breach detection strategy.

Sandboxes virtually replicate operating environments, execute suspicious code and report observed behaviours, says Fortinet.

And while not a silver bullet, they are an important tool that often enables security professionals to block or contain malware in the environment, the company says.

According to Gartner, network sandboxing is an increasingly important component of advanced threat detection.

This assessment helps security professionals evaluate the strengths and weaknesses of network sandboxing in detecting and disrupting specific phases of malware attacks, it adds.

IDC says sandbox technology, once an esoteric tool used by malware analysts, is now incorporated into both on-premises appliances and subscription-based services.

In the sandbox, suspicious files are detonated, examined, and documented to provide protection, IDC notes. It generally examines files from messaging, endpoint, and Web activity, tying together security products deployed to cover the various attack vectors, it adds.

With cyber criminals leveraging known and unknown techniques to attack an enterprise's network, a sandbox provides a safe environment in which to execute and observe malicious code in files and network connections, says Ward.

"By deploying sandbox into the endpoint of your laptop and into the mail scanner, Web application firewall and between that internal network segmentation firewall, you now have the ability to inspect all things known and unknown. As a result you will have a record of it, gather intelligence and be able to mitigate attacks on your network."

Ward says many companies are waking up to the fact that they are being taken by ransomware, which can be stopped by sandboxing. However, because this is not a requirement by auditors, they are not deploying sandboxes as yet, he adds.
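To make the "detonate, examine, document" cycle described above concrete, here is an added example (not part of the article or of Fortinet's products) that triages the behaviour report a sandbox produces after running a suspicious file and turns it into the block/allow decision an inline mail or web scanner would enforce. The report format, the scoring rules and thresholds, and the two sample reports are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Report:  # behaviour report for one detonated file (format is assumed)
    sha256: str
    file_ops: list[tuple[str, str]] = field(default_factory=list)  # (action, path)
    processes: list[str] = field(default_factory=list)             # command lines spawned
    network: list[str] = field(default_factory=list)               # hosts contacted

BACKUP_TAMPER = ("vssadmin delete shadows", "wbadmin delete catalog")  # assumed rule set

def score_report(r: Report) -> tuple[int, list[str]]:
    """Score the observed behaviours; higher means more ransomware-like."""
    score, reasons = 0, []
    # Mass renames of user files to a single new extension.
    renamed = [p for a, p in r.file_ops if a == "rename" and "." in p]
    if renamed:
        ext, n = Counter(p.rsplit(".", 1)[-1] for p in renamed).most_common(1)[0]
        if n >= 20:
            score += 50
            reasons.append(f"{n} files renamed to .{ext}")
    # Deleting shadow copies or backup catalogues.
    for cmd in r.processes:
        if cmd.lower().startswith(BACKUP_TAMPER):
            score += 40
            reasons.append(f"backup tampering: {cmd}")
    # Ransom-note-like files dropped in many directories.
    notes = {p for a, p in r.file_ops if a == "create" and "readme" in p.lower()}
    if len(notes) >= 5:
        score += 20
        reasons.append(f"{len(notes)} ransom-note-like files created")
    if r.network:  # any outbound connection from a document is worth noting
        score += 10
        reasons.append(f"contacted {len(r.network)} host(s)")
    return score, reasons

def verdict(r: Report, block_at: int = 60) -> str:
    return "block" if score_report(r)[0] >= block_at else "allow"

def sample_ransomware_report() -> Report:
    """Constructed report showing the behaviours the rules above look for."""
    ops = [("rename", f"C:\\Users\\alice\\Documents\\file{i}.docx.locked") for i in range(25)]
    ops += [("create", f"C:\\Users\\alice\\{d}\\README_DECRYPT.txt")
            for d in ("Desktop", "Documents", "Pictures", "Music", "Videos")]
    return Report("0" * 64, ops, ["vssadmin delete shadows /all /quiet"], ["203.0.113.10"])

def sample_benign_report() -> Report:
    """Constructed report for a file that only writes one temp file."""
    return Report("1" * 64, [("create", "C:\\Temp\\out.txt")], ["notepad.exe out.txt"], [])
```

The reasons list is what gets recorded, which is the "record of it" Ward refers to: the verdict alone is not enough for an analyst to confirm or tune the rules.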

According to Forrester research, the journey toward building an effective breach detection strategy begins with implementing the malware analysis capabilities of a sandbox.

But before a company takes that step, it's important to take the time to select the right sandbox, it advises.

Ward warns organisations to make sure no surface in their network is left unchecked.

"Log, monitor everything, make sure if you have users accessing the Internet that they are authenticated. Also, make sure you sandbox whatever you can. Typically you can deploy your own sandbox inside your network."
