In my first post on the Seven Myths of Advanced Malware, I addressed the myth that “the challenge is, I can’t find advanced malware.” We decided that the myth is false, because you can find advanced malware, but simply finding malware doesn’t fully solve the problem. The real problem is that you must block advanced malware and any damage must be remediated.
We also noted that the only way to achieve all three of these security objectives – finding, blocking and remediating – is to have an integrated, federated security solution that addresses all the various aspects of the advanced malware problem.
Sandboxing is a great offline discovery tool that isolates unknown or suspicious files in a virtual environment where they can be examined in greater detail. The analysis is complex and it takes time to complete, so sandboxing is not a real-time technology. In fact, most sandboxes only analyze a copy of the file, while the original file is sent on its way to the target endpoint. So even if a suspicious file is found to be malicious, the actual file has already reached the endpoint and is doing its damage.
In this respect, sandboxing does identify that the suspected file is malicious, but it’s not really blocking it.
Additionally, because sandboxing is expensive, it is typically rolled in slowly, usually starting with one point of ingress into the environment. It is not even seeing advanced malware that slips into other ingress points. A truly secure technology must be able to identify and block malware at any point in the network, hopefully without requiring additional hardware at each of these points.
So, how do you get to that level of security?
Clearly, you need a presence at every ingress point and some technology there to block blacklisted files. If your sandboxing solution has some bolt-on file blocking capabilities, and assuming they are mature, you have two options. You can deploy this technology at every ingress point – a potentially expensive undertaking – or you can use a solution that centrally pulls suspect files for analysis from existing security products that are already at these ingress points.
If it could be done, this second approach offers multiple economies of scale, ultimately costing less and providing a tighter net.
At the end of day, unlike traditional defenses that analyze and block malware in real time, sandboxing does not operate in real time. It can find, but it does not block or remediate.
To be truly useful in the face of advanced threats, sandboxing must be deployed as part of a highly integrated or federated security environment that addresses multiple ingress points and is capable of communicating back out to the operating environment, to warn it of the existence of this new malware and, if possible, block and remediate any damage done before discovery.
Sandboxing is a feature, not a complete product. A real solution requires deep integration with other security technologies and products to identify, block and remediate advanced malware throughout the enterprise. Without these additional critical capabilities, advanced malware will continue to present a significant threat.
To learn more of the Seven Myths of Advanced Malware, subscribe to this blog or follow me on Twitter.