New Sandboxing Techniques a Silver Bullet for APTs? Not So Fast

Paula Musich

Summary Bullets:

  • Sandboxing to discover malware is not new, so what makes these latest techniques more effective?
  • How well do these new sandboxing solutions avoid being detected by the malware sample?

The latest silver bullet aimed at shooting down those stealthy advanced persistent threats (APTs) or targeted attacks that make it past more traditional defenses, on display at the recent RSA conference, may or may not hit the mark. Several anti-malware vendors announced new sandboxing technologies, despite the fact that sandboxing is not a new malware identification technique. It is in fact at least 10 years old by Norman Data Defense Systems' reckoning, and Norman claims it holds a patent on the technique dating back 10 years. Of course, all the vendors jumping on this bandwagon, including McAfee, Fortinet, Check Point, and Trend Micro, are hoping to replicate some of the success that FireEye is seeing. FireEye appears to be the latest hot independent security company; it markets an on-premises device that can examine e-mail attachments and content downloaded from a Web site. Just last month, FireEye received a new $50 million venture funding injection (on top of an existing $55 million round), and former McAfee CEO Dave DeWalt has been hired to run the company, which appears to be angling for an IPO. These latest sandboxing developments follow Palo Alto Networks' year-old cloud-based sandboxing service.

Here's the rub: more sophisticated malware can sense when it is being executed in a sandbox and avoid detection by lying low. Clearly not all of these sandboxing techniques are the same, and enterprises looking into the new breed of sandboxing technology should be asking what makes it more effective now, especially since some malware can sense when it is being executed in a virtual environment and respond by hiding its intent. None of the vendors hawking these next-generation sandboxing techniques really talk about how they identify the suspect files that they submit to the sandbox for detonation. Moreover, with the sudden increase in the number of competitors in this fairly new market niche, vendors will have to work harder to differentiate their approaches. McAfee is highlighting the fact that its ValidEdge technology (acquired from LynuxWorks) has been certified by the National Security Agency (NSA). Another potential differentiator may end up being price, given the steep price tag that comes with the FireEye offering.

One other concern surrounding this new sandboxing wrinkle is the patent that Norman Security holds.  With all this new attention on a relatively mature technique, is it possible that Norman is preparing to launch a patent war?  The company did split itself in two last fall, with one company serving legacy customers while the other pursues malware analysis and SCADA protection.  However, given that it claims to have moved beyond its patented technology to provide a hybrid sandboxing technology that detonates suspect files in parallel, with one emulated environment able to trigger parameters the potential malware cannot see, a patent war is less likely.  Norman Shark, the company that markets the advanced sandboxing technology, hopes to attract OEMs to its approach.

Enterprises interested in this old/new approach to malware identification would be well advised to evaluate multiple offerings in a proof-of-concept bakeoff and ask pointed questions about effectiveness and false positive rates.
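To make the evasion problem and the parallel-detonation idea concrete, here is an added triage example (not Norman's, FireEye's, or any other vendor's code): the same sample is detonated in a conventional VM sandbox and in an instrumented emulator, and the two behaviour traces are compared. A sample that stays dormant in the VM but performs high-risk actions in the emulator is flagged as evasive, while divergence limited to probe-level noise is ignored to keep false positives down. Event names and the sample traces are constructed for illustration.

```python
# Triage of parallel detonation results (added example, constructed event
# vocabulary; not any vendor's actual sandbox output format).

# Events that count as the sample actually doing something harmful.
HIGH_RISK = {"net_connect", "file_write", "registry_persist", "process_inject"}
# Events typical of a sample probing or stalling while it decides whether it
# is being observed; on their own these are not evidence of malice.
PROBE = {"sleep", "query_hw", "query_env", "enum_process", "check_mouse"}


def is_dormant(trace):
    """True if the trace contains nothing beyond probing/stalling events."""
    return set(trace) <= PROBE


def classify(vm_trace, emu_trace):
    """Return a verdict for one sample detonated in both environments.

    'malicious': high-risk activity already visible in the VM sandbox
    'evasive'  : no high-risk activity in the VM, but high-risk activity in
                 the emulator, i.e. behaviour changed once the sample believed
                 it was unobserved
    'benign'   : no high-risk activity in either environment (divergence in
                 probe-level events alone does not raise an alert)
    """
    vm_risk = set(vm_trace) & HIGH_RISK
    emu_risk = set(emu_trace) & HIGH_RISK
    if vm_risk:
        label = "malicious"
    elif emu_risk:
        label = "evasive"
    else:
        label = "benign"
    return {"label": label,
            "divergent": sorted(vm_risk ^ emu_risk),  # high-risk events seen in only one env
            "vm_dormant": is_dormant(vm_trace)}


# Constructed sample traces for demonstration.
EVASIVE_VM = ["query_hw", "sleep", "enum_process", "sleep"]
EVASIVE_EMU = ["query_hw", "net_connect", "file_write", "registry_persist"]
NOISY_VM = ["query_env", "sleep"]
NOISY_EMU = ["query_env", "check_mouse", "sleep"]
LOUD_VM = ["net_connect", "process_inject"]
LOUD_EMU = ["net_connect", "process_inject"]

if __name__ == "__main__":
    for name, vm, emu in [("evasive", EVASIVE_VM, EVASIVE_EMU),
                          ("noisy", NOISY_VM, NOISY_EMU),
                          ("loud", LOUD_VM, LOUD_EMU)]:
        print(name, classify(vm, emu))
```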

What do you think?
