Malware Headlines Make Case for Sandbox
With The New York Times recently reporting on the origins of Stuxnet and all the commentary and speculation on the incredibly sophisticated Flame malware, some interesting questions are being raised by my colleagues in the security industry and the journalists covering these threats. There are obviously some serious geopolitical and ethical considerations attached to the reported original intent of Stuxnet. And the analysis of Flame will continue to bring scrutiny to its origin and how security vendors develop solutions to combat these threats.
In the aftermath of any new discovery, there’s debate about which security vendor found which variant of the sample first, whether heuristics or definitions are more effective at thwarting these threats, and whether traditional antivirus is outmatched when it comes to complex and very well engineered lines of code.
While these questions arise every time a new threat emerges and displays behavior we’ve never seen before, they are the wrong questions to ask.
What we should be asking is this: With increasingly sophisticated malware spreading across the Internet – regardless of its source or original intent – why are enterprises not taking advantage of all the tools available to them to protect their networks? Why are enterprises so slow to adopt sandbox technologies?
Antivirus, firewalls, web filtering, mail security, Mobile Device Management, Data Loss Prevention and other solutions are central components of a layered network defense, and they will remain so into the foreseeable future to defend against the bulk of malware trying to infect us. What we’re increasingly witnessing, though, is how effective sophisticated threats are at exploiting lapses in the technical and human defenses employed by corporations. Enterprises are being targeted with custom-created malware – never intended to be set loose in the wild – developed for the singular purpose of compromising a specific network or even a specific user on that network. The ultimate goal of this malware can range from simply trying to steal customer data to more extreme and damaging cyber-espionage pursuing intellectual property that, if lost, could cripple a corporation and turn a global industry on its head.
It’s Time for all Enterprises to Sandbox
These persistent threats are now the biggest risk to even the most strongly defended networks, making it more critical than ever before that enterprises deploy a sandbox to assess suspected files for malicious behavior and defend themselves against these cyber-attacks.
Already deployed by defense, law enforcement and civilian government agencies, sandbox technology enables cybersecurity professionals to analyze suspected malware in a controlled environment. A sandbox lets users track how a potential malware application executes, what system changes it makes, and what network traffic it generates, without risking loss of data or compromising a network. Regardless of whether antivirus detections exist yet for a suspected malware sample, a sandbox enables security professionals to understand exactly what it will do on a network. Armed with this behavioral analysis, users can identify malicious files that may have slipped past their antivirus, firewall and other defenses. This information, in turn, can be used to create custom malware signatures that can be deployed within existing security technologies. A given network is then protected without the malicious file having to be “known” to the greater cyber-community.
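As an added illustration of the workflow described above (behavioral report in, custom indicators and signature out), here is a small Python script. It is not GFI's code and not GFI SandBox output: the report layout, field names, scoring weights and all sample values are constructed assumptions standing in for whatever a real sandbox product emits. It scores the observed behavior with a few defender heuristics, pulls out the indicators that perimeter tools can consume (hosts and file hashes), and writes a YARA rule from strings the sandbox observed.

```python
"""Turn a sandbox behaviour report into deployable indicators.

Added example, not a vendor's code. The report schema below is a
constructed stand-in; real sandboxes use their own format.
"""
import re

# Constructed sample report: what a sandbox might record while detonating a
# suspicious e-mail attachment. Every value here is invented for illustration.
SAMPLE_REPORT = {
    "sample": {"name": "invoice.exe", "sha256": "a" * 64},
    "file_writes": [
        {"path": "C:\\Users\\Public\\svchost32.exe", "sha256": "b" * 64},
        {"path": "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1.dat", "sha256": "c" * 64},
    ],
    "registry_writes": [
        {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "value": "Updater", "data": "C:\\Users\\Public\\svchost32.exe"},
    ],
    "network": [
        {"proto": "dns", "host": "update-check.example.invalid"},
        {"proto": "tcp", "host": "update-check.example.invalid", "port": 8443},
    ],
    "processes": [
        {"name": "cmd.exe", "cmdline": "cmd.exe /c del \"invoice.exe\""},
    ],
}

# Registry locations commonly used for persistence (assumed, not exhaustive).
PERSISTENCE_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def score_report(report):
    """Score observed behaviour with simple heuristics.

    Returns (score, reasons). Weights are illustrative assumptions.
    """
    score, reasons = 0, []
    for reg in report.get("registry_writes", []):
        if any(m in reg["key"].lower() for m in PERSISTENCE_MARKERS):
            score += 2
            reasons.append(f"persistence via {reg['key']}\\{reg['value']}")
    for fw in report.get("file_writes", []):
        if fw["path"].lower().endswith(EXECUTABLE_SUFFIXES):
            score += 2
            reasons.append(f"dropped executable {fw['path']}")
    for proc in report.get("processes", []):
        cmd = proc.get("cmdline", "").lower()
        if "del " in cmd and report["sample"]["name"].lower() in cmd:
            score += 1
            reasons.append("self-deletion of original sample")
    for net in report.get("network", []):
        if net["proto"] == "tcp" and net.get("port") not in (80, 443):
            score += 1
            reasons.append(f"outbound tcp to {net['host']}:{net['port']}")
    return score, reasons


def extract_indicators(report):
    """Collect indicators that existing defences (proxy, EDR, IDS) can block on."""
    hosts = sorted({n["host"] for n in report.get("network", []) if "host" in n})
    hashes = sorted({fw["sha256"] for fw in report.get("file_writes", [])}
                    | {report["sample"]["sha256"]})
    dropped = sorted({fw["path"].rsplit("\\", 1)[-1]
                      for fw in report.get("file_writes", [])
                      if fw["path"].lower().endswith(EXECUTABLE_SUFFIXES)})
    return {"hosts": hosts, "hashes": hashes, "dropped_names": dropped}


def build_yara_rule(report, indicators):
    """Emit a YARA rule from strings the sandbox observed at runtime.

    Runtime strings (C2 host, dropped file name) usually also appear in the
    binary, so they make a reasonable first-cut content signature; analysts
    should still confirm against the sample before deploying.
    """
    name = "sandbox_" + re.sub(r"[^A-Za-z0-9_]", "_", report["sample"]["name"])
    strings = indicators["hosts"] + indicators["dropped_names"]
    lines = [f"rule {name}", "{", "    meta:",
             '        source = "sandbox behavioural analysis (constructed example)"',
             f'        sample_sha256 = "{report["sample"]["sha256"]}"',
             "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{s}" ascii wide')
    cond = "2 of ($s*)" if len(strings) >= 2 else "any of them"
    # 0x5A4D is the "MZ" header of a Windows executable.
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {cond}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    score, reasons = score_report(SAMPLE_REPORT)
    print(f"score={score}", *reasons, sep="\n  ")
    indicators = extract_indicators(SAMPLE_REPORT)
    print("block hosts:", indicators["hosts"])
    print("block hashes:", indicators["hashes"])
    print(build_yara_rule(SAMPLE_REPORT, indicators))
```

The point of the script is the hand-off at the end: the host list goes to the web filter or firewall, the hashes to the antivirus or endpoint tool, and the YARA rule to whatever scans mail or file shares, which is exactly the "custom signature deployed within existing security technologies" step the post describes.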
Unfortunately, sandbox technology is greatly underutilized in the private sector, where sophisticated malware poses a tremendous threat to corporate networks, particularly in industries such as financial services, healthcare and energy, as well as critical entities like power and water utilities. This is primarily due to lack of training and awareness about sandbox technologies in the enterprise space, and it is why GFI Software is making advanced malware analysis more accessible to enterprise cyber-security professionals.
It’s time for cybersecurity professionals to integrate sandbox solutions into their network defenses and equip themselves with the tools they need to adequately defend against the latest and most sophisticated threats targeting their networks.
Julian Waits is vice president of the Advanced Technology Group at GFI Software. Julian is responsible for GFI Software’s advanced threat awareness solutions, GFI SandBox® and GFI ThreatTrack™, as well as the GFI OEM Partner Program.
Sandboxes, like many other really useful technologies, might be hard to communicate to senior management, and since these are the guys that approve purchases, even if the admin favors the technology, it ends up not being used in the enterprise. It might look like the sandbox offers little benefit for the money – why get it when we already have antivirus? Try and explain to a manager that this is not the same as an antivirus and that they do different things.
Anyone who utilizes a test space for patch deployment but does not take the same approach in keeping a sandbox prepared to observe the behavior of malware is being somewhat hypocritical in my view. Granted not every business is going to need to study malware as closely as security industries, but if you have the means, and you’re interested in anticipating potential downtime no matter how it comes about, a sandbox is right for the job.
Ian, I agree with your comments. Here at GFI, we’re building integration modules that allow custom signatures to get imported into varying perimeter-based security products, such as Sourcefire, Qualys, Rapid7, and others. The key issue, in my opinion, is that the SandBox has to be tied into the existing cyber defense architecture.
You obviously understand that AV alone is not the answer. It’s the job of SandBox vendors, like GFI, to demonstrate the value our technology brings to the Enterprise.
Although IT personnel are often intrigued and are quick to jump on the next hot app out there, I know some who are complacent and would rather keep using the limited tools that they have.
It’s true that experience pays. However, sometimes older IT guys don’t update themselves and fall into the rut of being an “expert” on things that are no longer relevant, or worse, obsolete. That’s why an IT department needs to have a good mix of staff. Some should be experienced, others newbies. Newbies bring a fresh perspective and attitude on things. And the diversity could bring on a great synergy.