6 Criterias For Evaluating Sandbox Solutions

A sandbox is a security mechanism to analyze the behaviour of any suspicious file types and web objects by allowing it to execute in an isolated environment with constrained resources. It allows one to execute any untested, un-trusted/outsourced code without causing any damage to the host machine and production environment. Usually the program is run into Virtual environment or emulation software which provide the feel and functionality similar to the actual environment.

There are two ways to deploy a sandbox solution in your network:

  • On-Premise : Sandbox appliance is present on-premise. All the network security solutions such as firewalls, IDSes, IPSes, SWGs and SEGs feeds suspicious files into the sandbox and based on the analysis it assigns threat score for the same. Generally on-premise deployment are preferred by those who has data security concerns and do not want their data to reside on third party cloud. This deployment however adds to the cost of appliance and sensors (if needed) hence increasing the TCO

  • Cloud based: Sandbox appliance resides in Cloud. This deployment is very cost-effective as it reduces the cost of owning and managing appliance. Also the licensing options are flexible in this regard which further reduces the TCO. Since all on-premise network security devices have to upload/retrieves files to the Cloud sandbox this adds to the cost of network bandwidth requirement  for an organization

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist )

Sandboxing technology is used to detect advanced malware and is one of the most sought after security tools today. Here in this blog we look at some of the criteria to help us evaluate sandboxing technology. 

1. The ability to analyze wide-ranging  file types and web objects:

A sandbox solution should be able to analyze all kind of file types such as Executables, pdf's, Ms office files, graphic files, Archived files ad web objects such as javascripts, HTML pages, URL's etc.

2. The ability to Automatically upload files to Sandbox platforms:

Earlier, using sandbox environment to analyze malware used to be a tedious and complex task for the malware analysts, as they had to manually upload files to the Sandbox environment for analysis. This has changed in the current times with the sandbox solutions having capabilities to automatically upload the files and analyze the files for its suspicious behaviour if any.

3. The ability to support multiple OS environment and Application stack

Certain malwares are designed to detonate in specific environment conditions such as  type of operating systems/applications, versions of operating systems/ applications etc. It is very important for any sandbox solution to detect such malware through support for variety of OS environments and applications stacks.

4. The ability to analyze malwares with VM-evasion technologies:

Malware authors are getting smarter by the day. Current day malware has VM-aware capabilities,  which basically finds out if it's executing in any sandbox. Such malware can stay idle for long time and evade its detection by traditional sandbox environments.

5. The ability to integrate with existing security controls:

Sandbox solutions must be able to integrate with existing security controls such as Firewalls, IPSes, IDSes, SWGs, SEGs, Endpoint Protection platforms and Forensics tools. These security Controls can actually feed suspicious files and web objects into the Sandbox solution. This reduces the overall TCO and increases the efficacy of Sandbox solutions.

6. The ability to preserve malware samples for contextual analysis and forensics:

Preserving malware samples for forensics and contextual analysis is useful in understanding the tactics, techniques and procedures of the attacker. This helps us create signatures, gain deeper insight into the attack and helps create incident response plan for similar attacks in future.

( Read More: Checklist On Skillset Required For An Incident Management Person )

Pre-Registrations For Annual Summit Is Now open! Click Here To Know More

8669814092?profile=original

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)