We believe that Advanced Threat Protection (ATP) is not a single technology or product but a program built from people, process and technology. Sandboxing, or any other single technology, can only provide partial protection against real advanced attacks. We suggest that organizations look at the complete stack of technologies listed below and build a holistic program to defend against advanced attacks.
Advanced Threat Detection: ATP products generally leverage one or more of the techniques listed below:
- Sandboxing: Detonating suspicious files in an instrumented environment improves detection rates for ransomware and lets an organization identify customized or tailored malware that signature-based antivirus cannot recognize.
It creates a safe environment to analyse suspicious files, either cloud-based or on-premise:
- Virtual Sandbox & Physical Sandbox: a physical (bare-metal) sandbox is needed for virtual-machine-aware malware, which checks for hypervisor artifacts and stays dormant when it finds them, so that it never reveals its behaviour inside a virtual sandbox.
- Security Analytics: Correlation and analysis of data from across the IT infrastructure to identify threats that no single control sees on its own
- Behavioural Analytics (Network & User); Heuristics; Machine Learning
- Application Containerization: Isolates each application session (such as a document viewer or browser session) in a micro-virtual machine, so that an exploit is contained and discarded together with the micro-VM. Compared with a full virtual machine, a micro-VM imposes a much smaller load on the available resources.
- Embedded URL Analysis: For analysing suspicious URLs embedded in emails and similar content.
- URL Rewriting: For real-time (click-time) protection, links in delivered mail are rewritten to point at a protection gateway that re-checks the destination when the user clicks, so a link that was clean at delivery time but weaponized later is still caught; URL Tracking / Tracing records which users clicked which links.
- Network Traffic Analysis: Enables the ATP solution to detect inbound and outbound threats, suspicious IPs and URLs, known C&C (command-and-control) servers and other attacker behaviour across the entire attack lifecycle.
- IOC Detection: Once an indicator of compromise (IOC) such as a file hash, C&C domain or IP address has been extracted from a detection, it can be used to sweep logs and endpoints and quickly locate other infected devices.
- File Reputation Analysis, Whitelisting, Blacklisting
- Static Code Analysis: Examines the code and structure of a file (for example its imports, strings and packing) without executing it
- Threat Intelligence: Provides intelligence about emerging threats from across the globe
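The click-time URL rewriting described above, as an added example that is not code from the original page or from any vendor's product. The gateway host, signing key and blocklist are hypothetical, and the email body is constructed. Each link is replaced by a gateway URL carrying the original destination in a URL-safe token plus an HMAC, so the gateway can refuse forged or tampered links (which would otherwise turn it into an open redirect) and re-check the real destination's reputation only when the user actually clicks:

```python
"""Added example: click-time URL rewriting with an HMAC-signed redirect.

Hypothetical gateway, key and blocklist; constructed sample email body.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

GATEWAY = "https://click.example-gateway.test/v1/url"   # hypothetical gateway
SIGNING_KEY = b"rotate-me-in-production"                # hypothetical key
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"


def _sign(token: str) -> str:
    """HMAC over the token so only the mail gateway can mint valid links."""
    return hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()


def rewrite_url(original: str) -> str:
    """Delivery time: wrap the original destination in a signed gateway link."""
    token = base64.urlsafe_b64encode(original.encode()).decode().rstrip("=")
    return f"{GATEWAY}?u={token}&s={_sign(token)}"


def _rewrite_match(m: re.Match) -> str:
    # Keep sentence punctuation that the regex swallowed outside the link.
    url, trail = m.group(0), ""
    while url and url[-1] in TRAILING_PUNCT:
        trail, url = url[-1] + trail, url[:-1]
    return rewrite_url(url) + trail


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) link in a plain-text mail body."""
    return URL_RE.sub(_rewrite_match, body)


def resolve_click(rewritten: str, blocklist: set) -> tuple:
    """Click time: verify the signature, decode, then check reputation NOW.

    Returns (verdict, original_url) with verdict in {"reject", "block", "allow"}.
    """
    q = parse_qs(urlparse(rewritten).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not hmac.compare_digest(_sign(token), sig):
        return ("reject", "")                  # forged or tampered link
    pad = "=" * (-len(token) % 4)
    original = base64.urlsafe_b64decode(token + pad).decode()
    host = urlparse(original).hostname or ""
    if host in blocklist:                      # reputation as of the click
        return ("block", original)
    return ("allow", original)


if __name__ == "__main__":
    body = "Invoice: http://invoice-portal.test/pay?id=7. Thanks"   # constructed
    link = rewrite_url("http://invoice-portal.test/pay?id=7")
    print(rewrite_body(body))
    print(resolve_click(link, set()))                         # clean at delivery
    print(resolve_click(link, {"invoice-portal.test"}))       # flagged after delivery
```

The second `resolve_click` call is the point of the technique: the same link that was allowed at delivery time is blocked once the host appears on the blocklist, without re-scanning the mailbox.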
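The IOC sweep described under Network Traffic Analysis and IOC Detection above, as an added example that is not part of the original page. The indicators (a C&C domain, a network range from the documentation address space, a file hash), the hostnames and every log line are constructed for illustration. Starting from IOCs extracted from one detonated sample, it sweeps DNS logs, proxy logs and an endpoint file inventory and returns the other hosts that need to be isolated; domains are matched by suffix so that a subdomain of the C&C host also counts, and an NXDOMAIN lookup still counts because the attempt itself is the evidence:

```python
"""Added example: sweeping telemetry for IOCs extracted from one detection.

All indicators, hosts and log lines are constructed; none are real.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOCs extracted from a sandbox verdict (constructed).
IOCS = {
    "domains": {"update-cdn.example-c2.test"},
    "networks": {"203.0.113.0/24"},                 # TEST-NET-3, documentation range
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed sample telemetry in key=value form (not real logs).
DNS_LOGS = [
    "2024-05-02T10:01:07Z host=WS-0142 qname=update-cdn.example-c2.test rcode=NOERROR",
    "2024-05-02T10:01:08Z host=WS-0001 qname=www.example.com rcode=NOERROR",
    "2024-05-02T10:02:11Z host=WS-0377 qname=a1.update-cdn.example-c2.test rcode=NXDOMAIN",
]
PROXY_LOGS = [
    "2024-05-02T10:01:09Z host=WS-0142 dst=203.0.113.45:443 url=https://update-cdn.example-c2.test/u.php",
    "2024-05-02T10:01:20Z host=WS-0001 dst=198.51.100.7:443 url=https://www.example.com/",
]
FILE_INVENTORY = [
    "host=WS-0203 path=C:\\Users\\a\\AppData\\Roaming\\svc.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "host=WS-0001 path=C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Turn 'k=v k=v' telemetry into a dict (values contain no whitespace)."""
    return dict(KV_RE.findall(line))


def domain_hit(qname: str, domains: set) -> bool:
    """Exact match or any subdomain of an IOC domain, case-insensitive."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def ip_hit(addr: str, networks: set) -> bool:
    """True if addr falls inside any IOC network (single IPs are /32 networks)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def sweep(iocs: dict, dns_logs: list, proxy_logs: list, inventory: list) -> dict:
    """Return {host: sorted list of IOC matches} for every host with a hit."""
    hits = defaultdict(list)
    for line in dns_logs:
        r = parse_kv(line)
        if domain_hit(r.get("qname", ""), iocs["domains"]):
            hits[r["host"]].append("dns:" + r["qname"])
    for line in proxy_logs:
        r = parse_kv(line)
        dst_ip = r.get("dst", "").rsplit(":", 1)[0]   # sample uses IPv4 host:port
        if ip_hit(dst_ip, iocs["networks"]):
            hits[r["host"]].append("proxy-ip:" + dst_ip)
        url_host = urlparse(r.get("url", "")).hostname or ""
        if domain_hit(url_host, iocs["domains"]):
            hits[r["host"]].append("proxy-url:" + url_host)
    for line in inventory:
        r = parse_kv(line)
        if r.get("sha256", "").lower() in iocs["sha256"]:
            hits[r["host"]].append("file:" + r["path"])
    return {h: sorted(v) for h, v in hits.items()}


if __name__ == "__main__":
    for host, matches in sweep(IOCS, DNS_LOGS, PROXY_LOGS, FILE_INVENTORY).items():
        print(host, matches)
```

WS-0142 is the host the sandbox verdict came from; WS-0377 (a lookup for a subdomain of the C&C host) and WS-0203 (the same binary on disk, never seen on the network) are the "other infected devices" that only an IOC sweep across several data sources finds.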
It is time to go beyond using sandboxing as a standalone capability; an organization needs a holistic approach to its ATP program. You need efficient and robust analysis tools that integrate with your existing security ecosystem and can continuously detect the most advanced threats.
But as Kevin Mitnick, the world's most famous hacker, says: "A company can spend hundreds or thousands of dollars on firewalls, IDS/IPS, ATP and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and the attacker gets in, then all that money spent on technology is essentially wasted." Therefore, processes and people also play a crucial role in establishing a strong ATP program.