Over the last couple of years, cyberattacks have evolved in both scale and effectiveness, affecting organizations across all industries and geographic regions. Successful cyberattacks are a growing industry-wide problem in spite of billions being spent on cybersecurity solutions. Part of the reason is that new techniques- and in fact a mature supporting cybercrime ecosystem- for penetration and evading detection have reduced the effectiveness of many traditional defenses.
The lingering effects of a successful attack often have devastating consequences, impacting business continuity, brand, customer confidence, company value, and the bottom line. These consequences are forcing organizations to look at new security architectures and solutions designed to tackle these threats, as well as ways to upgrade traditional protections. And now that new regulations hold executive management, including the board of directors, accountable, the imperative to find a solution is more urgent than ever. What these organizations can’t afford to do, however, is invest more resources into the same solutions that have failed to provide the protection today’s networks require.
The concept of a sandbox has been around for nearly a decade, often developed by threat research labs to analyze the huge volume of threats out in the wild. This technology provides a virtual environment to safely examine, monitor, detonate, and report the behavior of new threats. Because they can provide immediate and deep analysis, they have been proven effective at detecting zero-day as well as advanced malware.
A fitting example of this is found in our FortiGuard Labs, which originally developed FortiSandbox as an industrial threat research tool. As a result, it was designed to process and analyze the most vicious and sophisticated threats at a volume few, if any enterprises ever experience. The resulting data became a critical component of our threat intelligence feed shared with millions of security devices deployed around the world, so results had to be both accurate and time-sensitive. In any given 24-hour period, our sandbox infrastructure identifies thousands of previously unknown (by traditional means) attacks.
What’s new about sandbox technology in recent years is the move from a threat research tool to a customer security measure, which is a critical supplement to the traditional signature-based security approach that most organizations use to detect known threats.
However, sandboxing has been out of reach for a majority of organizations for a number of reasons.
Complexity: The sandbox solutions generally available are advanced security tools that require experienced security professionals to operate and perform threat analysis. However, maintaining adequate security resource staffing is an obstacle for many organizations due to the ongoing shortage of cybersecurity IT talent in the industry.
Manual response: Once a sandbox has examined and validated previously unknown malware, the IoCs (indicators of compromise) often have to be manually fed back into the mitigation phase across all security controls in the organization in order to take appropriate action. With the evolution of automated attacks and the advancement of malware- and ransomware-as-service, even common cybercriminals are able to easily package and instantaneously deliver highly malicious malware at digital speeds. This makes the cumbersome manual response process ineffective, thereby widening the gap between detection and response.
TCO: Not only is the sandbox considered to be a costly investment, but also the larger concern is the lack of consistency or consensus surrounding the actual security effectiveness across the various vendors offering sandbox and sandbox-like solutions. Part of that reason is common to all new technologies, as there was little initial consensus on what a sandbox should be able to do, and there are few third-party labs providing side-by-side testing for ranking and comparison purposes.
Recently, integrated sandbox offerings have changed the rate and dynamics of sandbox adoption, but many of these tools still suffer from shortcomings such as a lack of a coordinated response across an organization’s distributed security architecture.
That’s because rapid outbreaks of malware, like WannaCry, necessitate that every organization have a sandbox deployed as an automated analysis tool and intelligence hub for their security infrastructure. Because standards and industry consensus is still evolving around these tools, it is critical that organizations look for solutions built around high standards of accuracy and performance and that have been designed for real-world environments, including over-taxed IT staff.
When analyzing sandbox solutions, it is critical that you look for the following characteristics:
Intelligence hub: To secure a broad attack surface against threats, the ability to share threat awareness in real time, including advanced threat detection, between different security controls is a foundational requirement. For effective defense, a sandbox solution should operate as part of a larger security framework or fabric that allows native bi-directional sharing of information generated by the sandbox across a wide range of security products, including enterprise firewalls, secure mail gateways, web application firewalls, and endpoint security solutions. They should also allow third-party vendors to participate in the sharing and consumption of intelligence using open APIs, while enabling strategic partners to provide zero-touch integration to secure networks from IoT to the Cloud.
Automated: Automation, following the dissemination of new intelligence described above, is another important criterion as it helps solve the challenge of the growing scarcity of security expertise. It enables a coordinated response to automated attacks, and shortens time to response.
Here is an illustration of automating a threat response:
- Step 1: An email with an unknown or unrecognized attachment is blocked by a Secure Email Gateway and passed along to the sandbox for further inspection.
- Step 2: The attachment is then analyzed, and if a threat such as ransomware is detected, the sandbox returns those results in real-time back to the Email Gateway in order to quarantine the email and generate relevant threat IoCs.
- Step 3: This threat intelligence, consisting of ransomware IoCs, including any malicious C2 domains, is also shared with the Enterprise Firewall to automatically block the network destination.
- Step 4: At the same time, a hash of the ransomware executable is shared with Endpoint Security tools to automatically prevent dropping or executing the file.
- Step 5: This threat intelligence feed is not limited to the local network, but is also shared in real-time across connected geo-locations and across time zones to immunize the entire distributed organization against this new threat.
- Step 6: At Fortinet, this new threat intelligence is also shared back to our FortiGuard malware research team for additional analysis, and any subsequent intelligence is pushed to all customers everywhere, as well as to security organizations such as the Cyber Threat Alliance (CTA).
Independent Certification: A best practice for identifying the effectiveness of sandbox solutions is to insist on independent, third party testing. Such test results not only provide a snapshot into the efficacy and value of a solution, but some testing can also provide insight into how a specific sandbox will perform in real-world conditions once deployed within your unique security architecture. These advantages are why Fortinet is committed to the ongoing public testing of our products and solutions. We actively participate in various independent test labs that publicize test methodologies and act in a fair and unbiased manner throughout the test cycle. And we actively encourage all other vendors to do the same in order to provide consumers with a common set of information so they can compare and select those tools appropriate for their environment and circumstances.
This approach to addressing advanced security threats shifts the paradigm of maintaining a large SOC team, which is increasingly difficult to staff given the growing demand for limited cyber-skilled professionals, to the transformation of an organization’s security infrastructure into a single, integrated entity. As more organizations adopt an automated, intelligence-driven security architecture, they will not only quickly realize an improvement to their overall security posture, but will be given an opportunity to re-prioritize security resources while confidently supporting business initiatives.
Original article published in CSO Brandpost and can be seen here.