Antivirus protection alone is not enough against today’s advanced threats. To fill the gap, and to support the analysis, detection, and testing of malware, organizations widely use sandboxing: an isolated, instrumented environment in which suspicious code can run without touching the host network.
In 2021, sandboxes are a fundamental part of an organization’s cybersecurity architecture. This article looks at what a sandbox is, why sandboxing matters, and what to consider when implementing or buying sandbox software.
While sandboxing can help isolate threats before they do damage, it’s best to harden devices to minimize those threats in the first place. Kolide — this article’s sponsor — works with Okta to ensure that only secure devices can access company resources, guiding users to make their own fixes and updates. The end result is more secure devices and fewer threats to company resources without creating more work for IT.
What is a sandbox?
A sandbox is an isolated environment where suspicious code can be run and observed without risk to the host device or network. In the security market the term overlaps with “automated malware analysis,” and sandboxing is a widely employed method of threat and breach detection.
Sandboxes most often come as software, though hardware appliances exist. Implementation options include third-party software, virtual machines, embedded software, and browser plug-ins, and a number of computer manufacturers and cloud service providers deploy sandboxes for regular use by their customers.
As vendors consolidate tools into comprehensive platforms for SMBs and enterprises, sandboxing has come along for the ride: some of the most reputable sandboxes today are components of endpoint detection and response (EDR) platforms.
Sandbox Features
Sandbox solutions are compared by the features they offer for advanced malware analysis. Most evaluations cover:
- Threat analysis: static and dynamic inspection of the sample, recording the processes, files, registry changes and network activity it produces
- Pre-filtering: reputation and static checks that keep known-good and already-known-bad files out of the detonation queue
- Time to detection: how long a submission takes to reach a verdict, which bounds how the sandbox can be used inline (for example, holding email attachments)
- Reporting: indicators and observed behavior exported in a form analysts and other tools can consume
- Automation: APIs and integrations so that gateways and endpoints can submit files and act on verdicts without a human in the loop
- Roadmap: the vendor’s planned development, since evasion techniques change quickly
Sandboxes vs. Virtual Machines (VMs)
Virtual machines (VMs) are often mentioned alongside sandboxes as environments for malware analysis and testing, and many sandboxes are in fact built on VMs or emulators. The line between the two is thin, but there is a real difference in purpose and configuration.
VMs: Vulnerability to host
A VM is a complete guest computer installed on a host like any other application. It is a general-purpose tool, not designed for malware analysis, so its default conveniences work against isolation: shared folders, clipboard sharing, drag-and-drop, USB passthrough and bridged networking all give code in the guest a path to the host or the LAN, and a vulnerability in the hypervisor (a VM escape) can do the same. Depending on how the VM and hypervisor are configured, a malicious program executed in the guest may therefore reach beyond the guest OS to the host’s disk or network.
Sandboxing: Designed to be isolated
Sandboxes, by comparison, are purpose-built for isolation and observation: network egress is blocked or routed to a sinkhole, the guest is reverted to a clean snapshot after every run, and the environment is instrumented to record what the sample does. A sandbox should still resemble a user’s OS and applications, but only so that malware with anti-analysis checks (discussed below) behaves as it would on a victim’s machine.
Why should you use sandboxing?
Sandboxing can detect the newest and most critical threats, foster collaboration, minimize risks, and facilitate IT governance.
Malware isn’t going away, and even advanced monitoring and antivirus software can’t always predict what a malicious program will do when executed. Antivirus scans files as they are transferred, downloaded and stored, but a static scan of a binary only tells so much: packed, encrypted or simply novel code reveals little until it runs. Executing the sample in a sandbox records its actual behavior (processes spawned, files dropped, registry changes, network connections) and closes the gap that static scanning leaves.
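To make that gap concrete, here is an added example (not from the article or any vendor) of the behavioral triage a sandbox report makes possible. The report format is a constructed, simplified stand-in for what sandboxes emit, the rule weights and verdict cut-offs are assumptions, and the indicators in the sample report (encoded PowerShell, shadow-copy deletion, a Run key pointing into AppData, a raw-IP connection with no DNS lookup) are chosen because a static scan of the same binary would show none of them:

```python
"""Behavioral triage of a sandbox run report (added example; constructed schema and weights)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    weight: int
    evidence: str


# Heuristics over what the sandbox observed: LOLBin tells, dropper paths, borrowed system names.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
OBFUSCATED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.IGNORECASE)
SHADOW_TAMPER = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no", re.IGNORECASE)
VERDICT_THRESHOLDS = ((60, "malicious"), (25, "suspicious"))  # assumed cut-offs; tune to your false-positive budget


def check_processes(report):
    findings = []
    for proc in report.get("processes", []):
        cmd = proc.get("cmdline", "")
        if OBFUSCATED_PS.search(cmd):
            findings.append(Finding("obfuscated_powershell", 30, cmd))
        if SHADOW_TAMPER.search(cmd):  # ransomware groundwork: destroy recovery points first
            findings.append(Finding("shadow_copy_tampering", 40, cmd))
    return findings


def check_files(report):
    findings = []
    for path in report.get("files_written", []):
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith((".exe", ".dll", ".scr")) and USER_WRITABLE.search(path):
            findings.append(Finding("executable_dropped_user_writable", 15, path))
        if name in SYSTEM_NAMES and "\\windows\\" not in path.lower():
            findings.append(Finding("system_binary_masquerade", 20, path))
    return findings


def check_registry(report):
    findings = []
    for entry in report.get("registry_set", []):
        if entry.get("key", "").lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            data = entry.get("data", "")
            weight = 25 if USER_WRITABLE.search(data) else 10  # autostart into AppData is the classic dropper pattern
            findings.append(Finding("run_key_persistence", weight, f"{entry.get('value')} -> {data}"))
    return findings


def check_network(report):
    """Connections to literal IPs that no DNS answer explains: hard-coded C2 is a common tell."""
    resolved = {ip for q in report.get("dns", []) for ip in q.get("answers", [])}
    findings, seen = [], set()
    for conn in report.get("network", []):
        dst = conn.get("dst", "")
        try:
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # hostname destination, reached via DNS
        if dst not in resolved and dst not in seen:
            seen.add(dst)
            findings.append(Finding("direct_ip_no_dns", 10, f"{dst}:{conn.get('port')}/{conn.get('proto')}"))
    return findings


def check_inertness(report):
    """A sample that exits at once having done nothing may have detected the sandbox; do not call it benign."""
    quiet = (len(report.get("processes", [])) <= 1 and not report.get("files_written")
             and not report.get("registry_set") and not report.get("network"))
    if quiet and report.get("sample_exit_seconds", 0) < 5:
        return [Finding("no_observable_behavior", 0, "rerun with a more realistic guest or a longer timeout")]
    return []


def score_report(report):
    findings = []
    for check in (check_processes, check_files, check_registry, check_network, check_inertness):
        findings.extend(check(report))
    score = sum(f.weight for f in findings)
    if score == 0 and any(f.rule == "no_observable_behavior" for f in findings):
        verdict = "inconclusive"
    else:
        verdict = next((label for threshold, label in VERDICT_THRESHOLDS if score >= threshold), "benign")
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed report: a dropper with zero static AV hits that misbehaves once executed.
SAMPLE_REPORT = {
    "static_av_hits": 0, "sample_exit_seconds": 38,
    "processes": [
        {"name": "invoice.exe", "parent": "explorer.exe", "cmdline": "invoice.exe"},
        {"name": "powershell.exe", "parent": "invoice.exe",
         "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
        {"name": "vssadmin.exe", "parent": "invoice.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    ],
    "files_written": ["C:\\Users\\mjones\\AppData\\Roaming\\svchost.exe"],
    "registry_set": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater",
                      "data": "C:\\Users\\mjones\\AppData\\Roaming\\svchost.exe"}],
    "dns": [],
    "network": [{"dst": "203.0.113.45", "port": 443, "proto": "tcp"}, {"dst": "203.0.113.45", "port": 8080, "proto": "tcp"}],
}
# Constructed report: the sample probed its environment and exited immediately.
INERT_REPORT = {"static_av_hits": 0, "sample_exit_seconds": 1, "files_written": [], "registry_set": [], "dns": [],
                "network": [], "processes": [{"name": "invoice.exe", "parent": "explorer.exe", "cmdline": "invoice.exe"}]}

if __name__ == "__main__":
    for label, rep in (("sample", SAMPLE_REPORT), ("inert", INERT_REPORT)):
        result = score_report(rep)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print(f"  [{f.weight:>2}] {f.rule}: {f.evidence}")
```

The inertness check is the part worth copying: a quiet run is not evidence of a clean file, it is a prompt to rerun the sample in a more convincing guest, which is the subject of the anti-analysis section below.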
Antivirus Coverage Isn’t Enough
Malware has advanced to the point that precautions adequate a few years ago no longer hold. Sandboxing is needed in part because signature-based antivirus has proven ineffective against novel and heavily obfuscated strains.
A zero-day or otherwise unseen sample can pass every scan and look like any other file. Even if the user never executes it, a malicious file lingering on a device or file share is a standing risk to the device and the network: it can be opened later or copied elsewhere.
Anti-Analysis Features Grow
Advanced malware checks whether it is being analyzed and stays dormant if it thinks so. Typical checks look for hypervisor artifacts (MAC address prefixes, driver and process names), an unrealistically small machine (one CPU, little RAM, a few minutes of uptime), telltale host and user names, an empty user profile with no documents or browsing history, and visible analysis tools; some samples simply sleep longer than the analysis window. The countermeasure is to make the guest resemble a typical workstation: realistic hardware sizing, a populated user profile, ordinary names, hidden or absent tooling, and a run long enough to outlast delay tactics. The decoy programs and files can be fakes that won’t be missed if they are corrupted during analysis.
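As an added example (not from the article or any product), here is an audit script that checks an analysis guest for the tells malware commonly tests before detonating. The hypervisor MAC prefixes and process names are real, widely documented artifacts; the realism floors (2 CPUs, 4 GB, 10 minutes of uptime, 20 user files), the word list, and the two constructed profiles are assumptions for illustration. collect_local_profile() is a best-effort, standard-library collector for running inside the guest; audit_profile() is the pure check, which can also be fed a profile exported from the sandbox’s own configuration:

```python
"""Audit an analysis guest for sandbox tells (added example; thresholds are assumptions)."""
import getpass
import os
import socket
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Tell:
    check: str
    detail: str


# Hypervisor-assigned MAC prefixes (OUIs) that evasive samples compare against.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:16:3e": "Xen", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# Guest additions and analysis tools whose mere presence gives the game away.
ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
    "qemu-ga.exe", "prl_tools.exe", "procmon.exe", "procmon64.exe", "wireshark.exe",
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida64.exe", "fiddler.exe",
}
NAME_WORDS = ("sandbox", "malware", "virus", "sample", "analysis", "analyst", "cuckoo", "test", "vm")
MIN_CPUS, MIN_RAM_GB, MIN_UPTIME_S, MIN_USER_FILES = 2, 4, 600, 20  # assumed realism floors


def audit_profile(p):
    """Return the tells an evasive sample could use against the given guest profile."""
    tells = []
    oui = p.get("mac", "").lower()[:8]
    if oui in HYPERVISOR_OUIS:
        tells.append(Tell("mac_oui", f"{p['mac']} is a {HYPERVISOR_OUIS[oui]} prefix"))
    if p.get("cpu_count", 0) < MIN_CPUS:
        tells.append(Tell("cpu_count", f"{p.get('cpu_count')} vCPU; real desktops have {MIN_CPUS}+"))
    if p.get("ram_gb", 0) < MIN_RAM_GB:
        tells.append(Tell("ram", f"{p.get('ram_gb')} GB RAM; give the guest at least {MIN_RAM_GB}"))
    if p.get("uptime_seconds", 0) < MIN_UPTIME_S:
        tells.append(Tell("uptime", "booted under 10 minutes ago; take the snapshot after the guest has been up a while"))
    for field in ("hostname", "username"):
        value = p.get(field, "").lower()
        if any(word in value for word in NAME_WORDS):
            tells.append(Tell(field, f"'{p[field]}' contains an analysis-related word"))
    if p.get("user_file_count", 0) < MIN_USER_FILES:
        tells.append(Tell("user_files", f"only {p.get('user_file_count')} files in Documents/Desktop/Downloads"))
    hits = sorted(ANALYSIS_PROCESSES & {name.lower() for name in p.get("processes", [])})
    if hits:
        tells.append(Tell("processes", "visible analysis tooling: " + ", ".join(hits)))
    return tells


def collect_local_profile():
    """Best-effort, standard-library-only collection; run inside the guest.

    Uptime and RAM come from /proc and sysconf, so on a Windows guest they stay 0 (and get
    flagged) unless filled in another way; the process list is left for the caller to populate.
    """
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    home = os.path.expanduser("~")
    files = 0
    for sub in ("Documents", "Desktop", "Downloads"):
        try:
            files += len(os.listdir(os.path.join(home, sub)))
        except OSError:
            pass
    uptime = 0.0
    try:
        with open("/proc/uptime") as fh:
            uptime = float(fh.read().split()[0])
    except (OSError, ValueError):
        pass
    ram_gb = 0.0
    if hasattr(os, "sysconf") and "SC_PHYS_PAGES" in os.sysconf_names:
        ram_gb = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") / 2**30
    try:
        user = getpass.getuser()
    except Exception:  # no passwd entry for this uid (minimal containers)
        user = ""
    return {"mac": mac, "cpu_count": os.cpu_count() or 0, "ram_gb": ram_gb,
            "uptime_seconds": uptime, "hostname": socket.gethostname(), "username": user,
            "user_file_count": files, "processes": []}


# Constructed profiles: a freshly installed VirtualBox guest, and the same guest dressed up.
DEFAULT_VM = {"mac": "08:00:27:3a:9f:21", "cpu_count": 1, "ram_gb": 2, "uptime_seconds": 45,
              "hostname": "SANDBOX-01", "username": "analysis", "user_file_count": 0,
              "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"]}
DRESSED_VM = {"mac": "3c:52:82:1d:7e:90", "cpu_count": 4, "ram_gb": 8, "uptime_seconds": 5400,
              "hostname": "DESKTOP-4K8P2RL", "username": "mjones", "user_file_count": 134,
              "processes": ["explorer.exe", "outlook.exe", "chrome.exe"]}

if __name__ == "__main__":
    for label, profile in (("default", DEFAULT_VM), ("dressed", DRESSED_VM), ("this host", collect_local_profile())):
        tells = audit_profile(profile)
        print(f"{label}: {len(tells)} tell(s)")
        for t in tells:
            print(f"  {t.check}: {t.detail}")
```

Run it inside the guest before taking the clean snapshot: every tell it reports is a check a sample can perform in a few lines of code, and the fixes (a non-hypervisor MAC, more vCPUs and RAM, renamed accounts, a seeded Documents folder, guest additions removed) are configuration rather than engineering.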
Sandbox use cases
Sandboxes matter to both security teams and software developers. In security, sandboxing is the standard technique for analyzing suspicious code. In development, running software in isolated environments before it is downloaded, executed, and deployed avoids surprises in production, and re-testing existing software when it changes is equally prudent. Development teams use “sandbox” for a ladder of environments:
Sandbox | Description |
Development | An individual developer’s environment for trying out implementations |
Project integration | Shared environment where developers’ work is combined and tested together |
Demo | Environment in which stakeholders try the software |
Testing environment | Mirrors production closely enough to test the software as it will run |
Production environment | The live system where the program is deployed; not itself a sandbox, but the target the others stand in for |
Policy control for sandboxing
When personnel rely on sandbox technology for security, collaboration, and more, there need to be appropriate policies around its use. For its own sandbox environments (isolated accounts for experimentation rather than malware detonation, though the same questions apply), AWS encourages organizations to cover five areas:
- Data classification: What data classifications are allowed in sandbox environments?
- Network connectivity: Can the sandbox connect with other network environments?
- Access control: Who has access to the sandbox environment?
- Tagging policy: Are you tagging resources for automated identification and allocation?
- Resource lifecycle policy: How long can a resource stay in a sandbox environment?
When employed for cybersecurity, sandbox management needs the same checks and balances. A sample that escapes to the corporate network, or sensitive data (PII, or credentials embedded in submitted documents) uploaded to a cloud sandbox by accident, is too costly a mistake to leave to chance. Note that submitting a document to a vendor-hosted sandbox shares its contents with that vendor, so the data-classification question above applies to malware sandboxes as much as to cloud sandboxes.
Network sandboxing market
According to MarketWatch, the global network sandbox market is expected to grow at a CAGR of 14.4%, from $2.97B in 2019 to nearly $5.1B by 2025. As malware adapts to more robust security, sandbox technology for malware analysis will only become more important.
Sandbox Vendors
Enterprise sandbox solutions
Vendor | Product | Vendor founded |
CrowdStrike | Falcon Sandbox | 2011 |
FireEye | Malware Analysis | 2004 |
Fortinet | FortiSandbox Cloud | 2000 |
McAfee | Advanced Threat Defense | 1987 |
Palo Alto Networks | WildFire | 2005 |
Proofpoint | Targeted Attack Prevention | 2002 |
Trend Micro | Deep Discovery Analyzer | 1988 |
Zscaler | Cloud Sandbox | 2007 |
Free sandbox solutions
There are also free sandbox options. Most are consumer security suites with a sandbox feature, application-virtualization tools, or general-purpose hypervisors: they provide isolation but not the instrumentation, automated reporting, or integrations of an enterprise solution.
- Avast Internet Security
- Cameyo
- Comodo Internet Security
- Evalaze
- Malwarebytes
- Sandboxie
- Shade Sandbox
- Time Freeze
- VMware (Workstation Player) or VirtualBox
Open-source malware analysis sandboxes such as Cuckoo Sandbox also belong in this category; they are closer in design to the enterprise products above, at the cost of building and maintaining the analysis environment yourself.
Sandboxing: Malware’s Worst Enemy
Cybersecurity is a constant cat-and-mouse game between threat actors trying to break in and the security staff and tooling keeping them out. Over the years, identified malware and system vulnerabilities have taught the industry how to defend against known attacks, but how do we guard against advanced and unknown threats?
There is no easy fix, and a holistic approach remains the most reliable path to staying protected, including the use of a sandbox solution. Sandboxes offer the isolation and tooling to give suspicious programs the attention they deserve before they reach production. By detonating potential malware in a pseudo-production environment, analysts see what a program actually does and gain evidence of how it would affect the network and other applications, with the caveat that an evasive sample may behave differently when it believes it is being watched.