6 Criteria For Evaluating Sandbox Solutions

A sandbox is a security mechanism for analysing the behaviour of suspicious files and web objects by executing them in an isolated environment with constrained resources. It allows untested or untrusted code, including code from third parties, to be run without damaging the host machine or the production environment. Usually the program runs inside a virtual machine or emulator that offers the look and functionality of the real environment.

There are two ways to deploy a sandbox solution in your network:

  • On-premise: the sandbox appliance is deployed on-premise. Network security solutions such as firewalls, IDSes, IPSes, SWGs and SEGs feed suspicious files into the sandbox, which assigns each a threat score based on its analysis. On-premise deployment is generally preferred by organizations with data security concerns that do not want their data to reside in a third-party cloud. It does, however, add the cost of the appliance and of sensors (if needed), increasing the TCO.

  • Cloud-based: the sandbox resides in the cloud. This deployment is very cost-effective, as it removes the cost of owning and managing an appliance, and the flexible licensing options further reduce the TCO. Since every on-premise network security device has to upload files to, and retrieve results from, the cloud sandbox, it does add to the organization's network bandwidth requirements.


Sandboxing technology is used to detect advanced malware and is one of the most sought-after security tools today. In this blog we look at some of the criteria that help in evaluating sandboxing technology.

1. The ability to analyze wide-ranging file types and web objects:

A sandbox solution should be able to analyze all kinds of file types, such as executables, PDFs, MS Office files, graphic files and archives, as well as web objects such as JavaScript, HTML pages, URLs, etc.

2. The ability to automatically upload files to the sandbox platform:

Earlier, using a sandbox environment to analyze malware was a tedious and complex task for malware analysts, as they had to manually upload files to the sandbox for analysis. This has changed: current sandbox solutions can automatically upload files and analyze them for suspicious behaviour.

3. The ability to support multiple OS environments and application stacks:

Certain malware is designed to detonate only under specific environment conditions, such as a particular type or version of operating system or application. It is very important for a sandbox solution to be able to detect such malware by supporting a variety of OS environments and application stacks.
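Criteria 1 and 3 meet at the front door of a sandbox: the object has to be recognised for what it is and routed to a guest image where it can actually detonate. The following is an added example written for this post, not code from the original article or from any sandbox product. It identifies objects by their leading bytes, opens archives so that each member gets its own analysis task, and maps each kind to an analysis profile; the profile names (`win10_x64`, `win10_office`, `browser`, ...) are hypothetical labels for guest images an operator might maintain, and the member and nesting caps are this example's own choices.

```python
from __future__ import annotations

import io
import zipfile

# Magic bytes for the object types a sandbox is expected to recognise. The
# profile names ("win10_office", "browser", ...) are hypothetical labels for
# the guest images an operator might maintain; they are not from the post.
MAGIC = [
    (b"MZ",                               "pe",   "win10_x64"),
    (b"\x7fELF",                          "elf",  "linux_x64"),
    (b"%PDF",                             "pdf",  "win10_reader"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole",  "win10_office"),  # legacy .doc/.xls
    (b"\x89PNG",                          "png",  "image_viewer"),
    (b"\xff\xd8\xff",                     "jpeg", "image_viewer"),
    (b"Rar!\x1a\x07",                     "rar",  "unpack"),
]
MAX_MEMBERS = 50            # archive members inspected per level (zip-bomb guard)
MAX_MEMBER_BYTES = 5_000_000
MAX_DEPTH = 2               # nested archives deeper than this go to the sandbox unpacker


def classify(data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return the (kind, analysis profile) tasks an object needs.

    Archives are opened and each member classified on its own, so one
    submission may fan out into several detonations on different images.
    """
    if data.startswith(b"PK\x03\x04"):
        return _classify_zip(data, depth)
    for magic, kind, profile in MAGIC:
        if data.startswith(magic):
            return [(kind, profile)]
    # Text objects: URLs and HTML/JavaScript need a browser, not an OS image.
    head = data.lstrip()[:32].lower()
    if head.startswith((b"http://", b"https://")):
        return [("url", "browser")]
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return [("html", "browser")]
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return [("unknown", "win10_x64")]   # opaque binary: detonate on the default image
    return [("text", "script_host")]        # scripts, batch files, plain text


def _classify_zip(data: bytes, depth: int) -> list[tuple[str, str]]:
    if depth >= MAX_DEPTH:
        return [("zip", "unpack")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unknown", "win10_x64")]
    names = zf.namelist()
    # OOXML documents and JARs are zips too; route them as documents/programs.
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        return [("ooxml", "win10_office")]
    if "META-INF/MANIFEST.MF" in names:
        return [("jar", "win10_java")]
    tasks: list[tuple[str, str]] = []
    for info in zf.infolist()[:MAX_MEMBERS]:
        if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
            continue
        tasks.extend(classify(zf.read(info), depth + 1))
    return tasks or [("zip", "unpack")]


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an archive carrying an executable stub and a note.
    bundle = make_zip({"invoice.exe": b"MZ\x90\x00", "readme.txt": b"open the invoice"})
    print(classify(bundle))   # [('pe', 'win10_x64'), ('text', 'script_host')]
```

The point a buyer should take from this is the fan-out: a single archive submission can require several guest images, and an OOXML document is routed to an Office image rather than treated as "just a zip". A product that only looks at the file extension, or that stops at the outer archive, fails criterion 1 even if its detonation engine is good.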

4. The ability to analyze malware with VM-evasion technologies:

Malware authors are getting smarter by the day. Current malware has VM-aware capabilities: it checks whether it is executing inside a sandbox. Such malware can stay idle for a long time and evade detection by traditional sandbox environments.
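What this criterion asks of a product is that "the sample did nothing" not be mistaken for "the sample is benign". The following added example (written for this post, not taken from the article or any vendor) shows the kind of post-processing a sandbox should apply to its own behaviour trace: it flags a run in which the sample tried to sleep through the analysis window, or kept polling the clock, without ever doing anything, and marks that run as inconclusive so that it is repeated with a longer window and sleep acceleration. The `Event` shape and the API names grouped as "timing" and "payload" are assumptions of the example, not any product's report format.

```python
from __future__ import annotations

from dataclasses import dataclass


# Event shape is an assumption of this example (what an API monitor inside the
# guest might record); it is not any vendor's report format.
@dataclass
class Event:
    t_ms: int            # milliseconds since the sample started
    api: str             # hooked API name
    arg: int = 0         # for Sleep: the number of milliseconds requested


TIMING_APIS = {"GetTickCount", "QueryPerformanceCounter", "NtQuerySystemTime"}
PAYLOAD_APIS = {"CreateFile", "WriteFile", "CreateProcess", "connect", "RegSetValue"}
ANALYSIS_WINDOW_MS = 120_000     # how long the guest is allowed to run


def assess(trace: list[Event], window_ms: int = ANALYSIS_WINDOW_MS) -> tuple[str, list[str]]:
    """Return (decision, indicators) for one detonation trace.

    A sample that shows payload activity is judged on that activity. A sample
    that shows none is only called 'no_behaviour' when it also shows no sign
    of waiting the analysis out; otherwise the run is marked inconclusive.
    """
    sleep_total = sum(e.arg for e in trace if e.api == "Sleep")
    timing_probes = sum(1 for e in trace if e.api in TIMING_APIS)
    payload = [e for e in trace if e.api in PAYLOAD_APIS]

    indicators: list[str] = []
    if sleep_total >= window_ms // 2:
        indicators.append("long_sleep")          # tries to outlast the window
    if timing_probes >= 10 and not payload:
        indicators.append("timing_loop")         # polls the clock instead of acting

    if payload:
        return "behaviour_observed", indicators
    if indicators:
        # Silence plus stalling is not a clean verdict: re-run with a longer
        # window and sleep acceleration before calling the sample benign.
        return "inconclusive_rerun_extended", indicators
    return "no_behaviour", indicators


if __name__ == "__main__":
    # Constructed trace: one clock read, then a request to sleep for ten minutes.
    stalling = [Event(0, "GetTickCount"), Event(2, "Sleep", 600_000)]
    print(assess(stalling))   # ('inconclusive_rerun_extended', ['long_sleep'])
```

When evaluating a product, ask to see what it reports for a run like the stalling trace above. A sandbox that returns a clean score for it is exactly the "traditional sandbox environment" the criterion warns about.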

5. The ability to integrate with existing security controls:

Sandbox solutions must be able to integrate with existing security controls such as firewalls, IPSes, IDSes, SWGs, SEGs, endpoint protection platforms and forensics tools. These controls can feed suspicious files and web objects into the sandbox, which reduces the overall TCO and increases the efficacy of the sandbox solution.

6. The ability to preserve malware samples for contextual analysis and forensics:

Preserving malware samples for forensics and contextual analysis is useful for understanding the attacker's tactics, techniques and procedures. This helps us create signatures, gain deeper insight into the attack and build an incident response plan for similar attacks in future.
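"Preserve" means more than keeping the bytes: the sample has to be stored once per content hash, every sighting (which control saw it, when, with what verdict and context) has to accumulate against that hash, and later readers need a way to prove the stored bytes are still the ones that were analysed. The following is an added example for this post, not code from the article or from any product. Its directory layout, metadata fields and the `run_demo` inputs (the sample bytes, source names and context values) are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


# Layout (samples/<aa>/<sha256>/sample.bin + meta.json) and the metadata
# fields are this example's own assumptions, not any product's format.
class SampleStore:
    def __init__(self, root: str | os.PathLike) -> None:
        self.root = Path(root)
        (self.root / "samples").mkdir(parents=True, exist_ok=True)

    def _dir(self, sha256: str) -> Path:
        return self.root / "samples" / sha256[:2] / sha256

    def preserve(self, data: bytes, source: str, verdict: str, context: dict) -> str:
        """Store a sample once by content hash; record every sighting alongside it."""
        sha256 = hashlib.sha256(data).hexdigest()
        d = self._dir(sha256)
        d.mkdir(parents=True, exist_ok=True)
        blob = d / "sample.bin"
        if not blob.exists():
            blob.write_bytes(data)
            os.chmod(blob, 0o440)      # evidence is read-only from the moment it lands
        meta_path = d / "meta.json"
        if meta_path.exists():
            meta = json.loads(meta_path.read_text())
        else:
            meta = {"sha256": sha256, "size": len(data), "sightings": []}
        meta["sightings"].append({
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "source": source, "verdict": verdict, "context": context})
        meta_path.write_text(json.dumps(meta, indent=2))
        return sha256

    def lookup(self, sha256: str) -> dict | None:
        meta_path = self._dir(sha256) / "meta.json"
        return json.loads(meta_path.read_text()) if meta_path.exists() else None

    def verify(self, sha256: str) -> bool:
        """Recompute the hash so a tampered or corrupted sample is noticed."""
        blob = self._dir(sha256) / "sample.bin"
        return blob.exists() and hashlib.sha256(blob.read_bytes()).hexdigest() == sha256


def run_demo() -> dict:
    """Preserve one constructed sample seen by two controls, then simulate tampering."""
    store = SampleStore(tempfile.mkdtemp(prefix="samplestore_"))
    sample = b"MZ\x90\x00 constructed stand-in for a quarantined executable"
    sha = store.preserve(sample, "secure-email-gateway", "malicious",
                         {"recipient": "user@example.test", "subject": "Invoice (constructed)"})
    store.preserve(sample, "firewall", "malicious", {"download_host": "files.example.test"})
    intact = store.verify(sha)
    blob = store._dir(sha) / "sample.bin"
    os.chmod(blob, 0o640)
    blob.write_bytes(sample + b"\x00")     # simulated tampering after preservation
    return {"sha256": sha,
            "sightings": len(store.lookup(sha)["sightings"]),
            "intact_before": intact,
            "intact_after": store.verify(sha),
            "unknown": store.lookup("0" * 64)}


if __name__ == "__main__":
    print(run_demo())
```

The second sighting in the demo is what makes the store useful for contextual analysis: the same hash arriving from the email gateway and then from the firewall ties two events together without either control knowing about the other. When comparing products, check whether retained samples are retrievable by hash, whether sightings are accumulated rather than overwritten, and whether integrity of the retained bytes can be verified later.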
