1. Integration with Existing Security SolutionsAny security-savvy person knows that a strong defense strategy employs multiple layers of protection to defend against new threats. Network and host-based controls span all phases of threat protection — from prevention, to detection, to response. When incorporating a sandbox solution into your environment, it is important to consider the ease (or level of difficulty) of integration with solutions from other vendors. “If you can find a solution that has good network detection and tight integration with endpoint forensics capabilities, that's a very powerful combination,” explains Gartner industry analyst Lawrence Orans. Strong, effective and open integrations between solutions can enhance the capabilities of each technology, beyond what they can provide on their own. Beware of sandbox-based solutions with closed architectures that force you to rip and replace other security investments in order to add sandboxing capabilities.
2. High Level of Visibility into Malware BehaviorA sandbox has to see as much as possible of the execution of a program, otherwise, it can miss important activity and cannot accurately detect the presence of malware in an environment. When monitoring the behavior of a user mode process, almost all sandboxes look at the system call interface or the Windows API. System calls are functions that the operating system exposes to user mode processes, so that they can interact with their environment (e.g. read files, send packets over the network, read a registry entry on Windows, etc.). System calls and Windows API function calls need to be monitored but this is only one piece of the puzzle. A sandbox that only monitors system calls is blind to everything that happens in between. Many recently-discovered sophisticated attacks (like Equation, Regin, Dark Hotel, and Turla/Uroburos) execute in the kernel of the operating system – a behavior that lies outside the scope of what can be monitored using traditional hooking mechanisms. These threats are particularly pernicious because their kernel components are running with the highest level of permissions available on a computer system. Some sandboxes are able to go one step further than just hooking function calls to also monitor the instructions that a program executes between these.
3. Resistance to EvasionIn the past year, we’ve seen a massive increase in evasive malware behavior designed specifically to bypass first-generation sandboxing systems. If a sandbox does not perform monitoring in a stealthy way, there is a good chance malware will recognize it is under surveillance and alter its behavior to “play nice” and (at least appear to) follow the rules. Many sandboxes reveal weakness here. “Most of the current sandboxes on the market use a virtualization approach, where they're running a version of Windows on top of a hypervisor, for example,” explains Lastline’s VP of Products Brian Laing. “They're then installing code and files inside the operating system for the detection. This really minimizes what they can see, because they can only see what the operating system will allow them to see. It also means that they have files and processes that are in there that make them detectable.”
4. Scalability of Analysis and ManagementMost people focus very heavily on the detection capabilities of the sandbox system (and rightfully so), but we need to spend just as much time on the scalability aspects of the system, as well. Not only must it scale to handle any amount of network traffic present but also process any number of files that must be analyzed and manage the number of events generated. Many appliance-based approaches fail to scale, as new boxes must be purchased to handle high volumes of traffic and objects analyzed. “If your system can handle the files your network sees in a 24-hour period, but all of those files come in during the first eight hours of the day or even less, you may be waiting eight plus hours before you have the information or even knowledge that there's a breach in your network,” said Laing. “And that means the attacker is spending much longer exfiltrating data and spreading laterally around your network.”
When in Doubt, Test it OutSome of the architectural concepts and differentiation points between sandboxes can be complicated. When determining the right fit for your environment, make sure to request a proof of concept and spend time thoroughly testing each product. Put two or more sandboxes into your production environment and take note of malware detection rates, manageability and workflow capabilities.