Sandboxes and Silver Bullets: Vendors Promote New/Old Detection Techniques to Stop Zero-Day Threats

Paula Musich

Paula Musich

Summary Bullets:

  • Anti-malware vendors are falling over each other to emulate the success FireEye has seen with its particular update to the sandbox technique for detecting zero-day threats that evade existing defenses.
  • Prospective buyers should be thorough in their evaluation not only of effectiveness and false positives, but also costs to deploy and scale the technology for their own environments.

At this year’s RSA conference in San Francisco, a handful of anti-malware vendors resurrected an old malicious code detection technology with a new twist on it.  Sandboxing was promoted as the latest silver bullet to detect more sophisticated attacks that get past traditional defenses.  Vendors including McAfee, Trend Micro, Fortinet and sandbox veteran Norman Security all launched new sandbox initiatives, following the successful lead of niche player FireEye, which has seen significant growth as a result of its success using its Virtual Execution engine and Malware Analysis System to detect and shutdown malware infections that got past traditional defenses.  Other vendors also pursuing this new twist include Palo Alto Networks and Sourcefire. 

Sandboxing techniques typically take suspicious files detected on the network and send them to a protected, virtual environment to be ‘detonated’ or executed to determine how they would behave in the real environment.  However, given that such techniques have been in use for at least ten years (Norman Security claims to have patented the technique ten years ago), sophisticated malware writers know how to detect the presence of a sandbox and take evasive maneuvers.  Those can include ‘stalling,’ as startup Lastline calls it, in which the malware sample delays execution, causing the sandbox to timeout, but also performs some meaningless computation to suggest activity (the ‘boss is coming, look busy’ routine).  Other malware detection and evasion mechanisms described by Lastline include environmental checks and sandbox blind spots.  Each vendor will claim to have addressed these evasions, but the proof is in the usage.  These latest sandboxing techniques need to be scrutinized closely, and the costs associated with implementing and scaling deployments have to be weighed against their success rates and the potential cost of a breach to the organization.  (In its own research of such breach costs, Trend Micro claims the average cost of an insurance payout for breaches in larger organizations is $3.7 million.)  Their costs should also be weighed against the cost to maintain traditional defenses, which still provide necessary – albeit insufficient – protection.

Any CISO seriously looking at sandboxing techniques as a means to stop APTs and zero-day threats should direct staff to conduct bakeoffs of competing offerings, weighing not only effectiveness but also cost to deploy.  References are also key.  If the evaluation proves worthwhile, prospective buyers should use the increased competition as leverage to gain better pricing.

About Paula Musich
Paula brings 20 years of experience in the networking technology and management markets to Current Analysis clients. As Senior Analyst for Enterprise Network and Security, Paula is responsible for tracking and analyzing the evolving technological and competitive developments in the threat management segments of the information security market. Paula is responsible for coverage of the Anti-X, IPS, DLP, secure messaging, and Web security markets. In addition, she covers major technological, strategic and tactical developments in the enterprise networking market.

What do you think?

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: