infoTECH Feature

September 12, 2016

Why Three Sandboxes Are Better than One

By Special Guest
Dmitriy Ayrapetov, Director of Product Management for Dell SonicWALL

Today’s companies are hyper-aware of the importance of security, conditioned by years of disastrous, high-profile data breaches in the news. Because of this heightened awareness among corporate IT departments, it’s rare for a business to be breached due to a total absence of security systems. More often, it’s small holes in an otherwise reasonable security program that lead to data compromise.

One such hole exists when a company’s advanced-threat defense relies on a single sandbox engine to detect and respond to advanced threats. While this approach is clearly preferable to having no sandbox at all, a multi-engine, adaptive approach to sandboxing is considerably more effective.

The Shortcomings of the Single Sandbox

Think about virus scanners you’ve used in the past. Each one has its limitations and will miss samples that another recognizes. Put several scanners that use different detection techniques together, though, and the combination catches far more than any one of them alone.

The same can be said of sandboxing technologies. When you only have one active sandbox technology, you stand a much greater chance of missing important threat information.

Deploying two or even three sandboxes with complementary strengths can give you a much stronger defense against today’s advanced threats.

Why More Sandboxes Are Better

Differences in sandbox efficacy usually come down to how a sandbox captures suspicious behavior or how it analyzes what it has captured. For example, one sandbox might acquire behavior information from an agent running inside the guest operating system, another might emulate the entire system in software, while a third might observe the guest from the hypervisor layer.

Because of these different acquisition methods, each sandbox may capture certain behaviors but miss others, and some malware can detect one kind of sandbox and stay dormant there while failing to notice another. Likewise, one sandbox might analyze a behavior and judge it benign, perhaps because of obfuscation or misdirection by the malware, while another correctly flags the same behavior. Deploying multiple sandboxes lets companies hedge their bets and spread the burden of behavior acquisition and analysis across several technologies.

Deploying Multiple Sandboxes

While you can in theory set up multiple sandboxes in an on-premises environment, it is much easier to deploy and manage this configuration in the cloud. Cloud-based deployments let you submit files to as many engines as you want and retrieve the reports through APIs. One caveat: every file you submit leaves your network, so check what the service retains and with whom it shares samples before routing sensitive documents to it.

When choosing an adaptive threat technology service, it’s important to keep a few best practices in mind:

  • Dig deeper. Evaluate the vendor’s approach in more depth by asking whether it uses multiple sandboxes or a single-sandbox approach.
  • Play in the sandbox. Run a verification test to see whether the vendor’s product works against the threats actually entering your environment, not only against a canned sample set.
  • Look for holes in your fortress. Ensure the sandboxes you’re using complement each other as much as possible based on their acquisition and analysis methods. Some overlap is inevitable, but diversity is the key to recognizing and preventing threats.
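
The API-driven fan-out described above, together with the coverage check in the last bullet, as an added example (not SonicWALL’s code and not any vendor’s real API): three simulated engines, one per acquisition method, receive the same constructed sample in parallel, and an engine that does not answer in time is recorded as inconclusive rather than benign, because a sample that detects a sandbox and stalls produces a timeout, not a clean report. The engine names, the `_sim_*` engines, the verdict values and the sample bytes are all assumptions.

```python
"""Fan a sample out to several sandbox engines and combine their verdicts.

Added example, not SonicWALL code. Engine names, the simulated `_sim_*`
engines, the verdict vocabulary and the sample bytes are constructed
stand-ins for a real service's submit/report API.
"""
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple
import hashlib
import time


class Verdict(Enum):
    MALICIOUS = "malicious"
    BENIGN = "benign"
    INCONCLUSIVE = "inconclusive"   # engine timed out, crashed or never ran


@dataclass(frozen=True)
class Engine:
    name: str
    acquisition: str                # one of ACQUISITION_METHODS
    submit: Callable[[bytes], Verdict]


# The three acquisition methods the article contrasts.
ACQUISITION_METHODS = frozenset({"in-os", "emulation", "hypervisor"})


def coverage_gaps(engines: List[Engine]) -> List[str]:
    """Acquisition methods that no chosen engine covers."""
    return sorted(ACQUISITION_METHODS - {e.acquisition for e in engines})


def fan_out(engines: List[Engine], sample: bytes,
            timeout_s: float = 2.0) -> Tuple[str, Dict[str, Verdict]]:
    """Submit one sample to every engine in parallel. An engine that has not
    answered after timeout_s is recorded as INCONCLUSIVE, never as BENIGN."""
    sha256 = hashlib.sha256(sample).hexdigest()
    pool = ThreadPoolExecutor(max_workers=len(engines))
    futures = {pool.submit(e.submit, sample): e for e in engines}
    done, not_done = wait(futures, timeout=timeout_s)
    results: Dict[str, Verdict] = {}
    for f in done:
        try:
            results[futures[f].name] = f.result()
        except Exception:               # engine crashed mid-analysis
            results[futures[f].name] = Verdict.INCONCLUSIVE
    for f in not_done:
        results[futures[f].name] = Verdict.INCONCLUSIVE
        f.cancel()
    pool.shutdown(wait=False)           # a stalled engine must not block the caller
    return sha256, results


def aggregate(results: Dict[str, Verdict]) -> Verdict:
    """One MALICIOUS verdict is enough to block. BENIGN requires every engine to
    have run to completion and seen nothing: a silent engine is not a clean one."""
    verdicts = set(results.values())
    if Verdict.MALICIOUS in verdicts:
        return Verdict.MALICIOUS
    if verdicts == {Verdict.BENIGN}:
        return Verdict.BENIGN
    return Verdict.INCONCLUSIVE


# --- Simulated engines (constructed; a real engine would call a vendor API).
# The sample's "behaviour" is simulated with marker strings in its bytes.

def _sim_in_os(sample: bytes) -> Verdict:
    # Agent inside the guest OS: a sample that notices the agent's hooks stalls
    # instead of detonating, so this engine never answers within the deadline.
    if b"stall-if-hooked" in sample:
        time.sleep(1.0)
        return Verdict.INCONCLUSIVE
    return Verdict.MALICIOUS if b"drop-payload" in sample else Verdict.BENIGN


def _sim_emulation(sample: bytes) -> Verdict:
    # Full-system emulator: the sample's CPU fingerprint check fails on the
    # emulated CPU, so it exits quietly and looks benign here.
    if b"exit-if-emulated" in sample:
        return Verdict.BENIGN
    return Verdict.MALICIOUS if b"drop-payload" in sample else Verdict.BENIGN


def _sim_hypervisor(sample: bytes) -> Verdict:
    # Hypervisor-level introspection: nothing inside the guest for the sample to
    # notice and a real CPU underneath, so the payload drop is observed.
    return Verdict.MALICIOUS if b"drop-payload" in sample else Verdict.BENIGN


ENGINES = [
    Engine("in-os-agent", "in-os", _sim_in_os),
    Engine("full-emulation", "emulation", _sim_emulation),
    Engine("hv-introspection", "hypervisor", _sim_hypervisor),
]

# Constructed samples: one clean, one that evades two of the three engines.
CLEAN_SAMPLE = b"MZ clean-document"
EVASIVE_SAMPLE = b"MZ stall-if-hooked exit-if-emulated drop-payload"


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(ENGINES) or "none")
    for label, sample in (("clean", CLEAN_SAMPLE), ("evasive", EVASIVE_SAMPLE)):
        sha, per_engine = fan_out(ENGINES, sample, timeout_s=0.3)
        print(label, sha[:12], {k: v.value for k, v in per_engine.items()},
              "->", aggregate(per_engine).value)
```

Run against the evasive sample, the in-OS engine alone returns nothing usable, the emulator alone returns a false negative, and only the combination of all three reaches a malicious verdict; `coverage_gaps` is the cheap version of the "holes in your fortress" check, telling you which acquisition method your chosen engines leave uncovered.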

While using multiple sandboxes can help any company lower its risk of a data breach, it’s worth mentioning that the approach may be more attainable for mid-sized and large businesses because of budget constraints. Still, threat prevention is a line item that companies of any size may decide not to skimp on. After all, as we’ve seen in the news, the results of skimping can be costly.

About the Author

Dmitriy Ayrapetov is the Director of Product Management for Dell SonicWALL network security products, covering firewalls, wireless and the associated security services. Prior to this position, Dmitriy worked in product management and software engineering roles at SonicWALL and as an engineer at enKoo Inc., an SSL VPN startup acquired by SonicWALL in 2005. Dmitriy holds an MBA from the Haas School of Business at U.C. Berkeley and a BA in Cognitive Science from UC Berkeley.

Edited by Alicia Young