Sandboxes and Silver Bullets: Vendors Promote New/Old Detection Techniques to Stop Zero-Day Threats
March 29, 2013 Leave a comment
- Anti-malware vendors are falling over each other to emulate the success FireEye has seen with its particular update to the sandbox technique for detecting zero-day threats that evade existing defenses.
- Prospective buyers should be thorough in their evaluation not only of effectiveness and false positives, but also costs to deploy and scale the technology for their own environments.
At this year’s RSA conference in San Francisco, a handful of anti-malware vendors resurrected an old malicious code detection technology with a new twist on it. Sandboxing was promoted as the latest silver bullet to detect more sophisticated attacks that get past traditional defenses. Vendors including McAfee, Trend Micro, Fortinet and sandbox veteran Norman Security all launched new sandbox initiatives, following the successful lead of niche player FireEye, which has seen significant growth as a result of its success using its Virtual Execution engine and Malware Analysis System to detect and shutdown malware infections that got past traditional defenses. Other vendors also pursuing this new twist include Palo Alto Networks and Sourcefire.
Sandboxing techniques typically take suspicious files detected on the network and send them to a protected, virtual environment to be ‘detonated’ or executed to determine how they would behave in the real environment. However, given that such techniques have been in use for at least ten years (Norman Security claims to have patented the technique ten years ago), sophisticated malware writers know how to detect the presence of a sandbox and take evasive maneuvers. Those can include ‘stalling,’ as startup Lastline calls it, in which the malware sample delays execution, causing the sandbox to timeout, but also performs some meaningless computation to suggest activity (the ‘boss is coming, look busy’ routine). Other malware detection and evasion mechanisms described by Lastline include environmental checks and sandbox blind spots. Each vendor will claim to have addressed these evasions, but the proof is in the usage. These latest sandboxing techniques need to be scrutinized closely, and the costs associated with implementing and scaling deployments have to be weighed against their success rates and the potential cost of a breach to the organization. (In its own research of such breach costs, Trend Micro claims the average cost of an insurance payout for breaches in larger organizations is $3.7 million.) Their costs should also be weighed against the cost to maintain traditional defenses, which still provide necessary – albeit insufficient – protection.
Any CISO seriously looking at sandboxing techniques as a means to stop APTs and zero-day threats should direct staff to conduct bakeoffs of competing offerings, weighing not only effectiveness but also cost to deploy. References are also key. If the evaluation proves worthwhile, prospective buyers should use the increased competition as leverage to gain better pricing.