An Advanced Approach to On-Prem Sandboxing

How large organizations and agencies keep their sensitive data on-premises ("on-prem").

Sandboxing allows large organizations and agencies to keep their sensitive data on-premises ("on-prem"). This brief examines an advanced on-prem sandboxing approach for organizations that cannot use cloud-based offerings. The approach described here is fast, highly accurate, and cost-effective.

Why You Must Have Sandboxing

Traditional network security technology detects known threats through definitions and signatures but cannot detect new and updated advanced threats such as custom malware and zero-day exploits. To keep malicious behavior hidden, modern malware authors use advanced techniques, including custom encryption, obfuscation, packing, and behaving benignly inside sandbox environments. These techniques often conceal the most sophisticated payloads, which are exposed only when the sample is executed dynamically.

In most cases, such samples are impossible to analyze in real time using static detection techniques. To better detect unknown threats, security professionals deploy advanced threat detection technologies, such as sandboxes, that analyze the behavior of suspicious files and uncover hidden malware. Network sandbox engines execute files, log the resulting activity, and then, after execution, look for and attempt to correlate indicators of malicious behavior.

Because many attack types reveal their payload only in memory, a memory-based inspection approach is required to detect and stop attacks before they reach endpoint devices.

Challenges with Sandboxing

Cloud-based sandboxing offers the lowest barrier to entry for detecting new and updated attack variants. Even if its security efficacy were perfect, this model has two challenges:

  • This model relies on points of presence (PoPs) to which security appliances, services, and threat hunters send files for analysis. Latency increases when Internet links are slow or when the sender is geographically distant from the service.
  • Many regulation-intense organizations and government agencies that deal with sensitive data are not allowed to let data leave their organization (or, in some cases, country or region) and therefore cannot send suspicious files to cloud-based sandboxes for analysis.

To address these objections, such organizations and agencies deploy an on-premises network sandbox within the confines of their own datacenter. Unfortunately, this sandboxing model tends to be very expensive, and, as with most cloud-based sandboxes, the tactics for evading it are well documented.

In both models, the correlation and scoring of sandbox activities and behaviors can be prone to false positives.

This report explores the SonicWall Capture Security appliance (CSa) as an on-premises file analysis and malware detection solution featuring patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology. RTDMI adds protection against malware that eludes other detection methods while delivering far more than half of all verdicts in under five seconds.
