A Practical Guide for not drowning in Sandboxes
Hendrik Parmentier
For years, you were happy with your email gateway. It threw out spam and malware like a nightclub bouncer on meth. But things started to slip through. Clever viruses got in and all of a sudden, things went pear-shaped. You either got ransomware in your network, or even worse, found out a backdoor was installed and you’ve been leaking data faster than the Trump administration. You called your security provider, righteously pissed. They informed you that upgrading your security was your best shot at keeping this sort of thing from happening again. Now what? What’s this sandbox thingamajig and what does it do? And which one to pick?
I started my career in aviation security. Between the luggage drop-off and the airplane, there are x-ray scanners and chemical detectors and sniffing dogs. But after all the scanning and detecting and sniffing, there’s a security guard whose name is usually Frank. Frank gets a bag that contains what might or might not be a bomb. The only way to be sure is to open it. Frank, being no fool and wanting to see his wife and kids again, puts the bag in a big pressure tank and lets technology take over. Kaboom or no kaboom, the tank can handle it. ‘Thank you, tank’, says Frank.
This is precisely what a sandbox does. After all the scanning is done, you’re stuck with an email that might or might not contain a threat. So you open it. A sandbox service offers you a safe environment to do so, away from your network. The attachment is opened or the link followed. Does it do anything fishy? Yes: block. No: carry on.
But why is this so expensive? And why isn’t it just integrated in the existing service? Well, sandboxing is pretty heavy technology. It requires huge processing power, a lot of hardware to generate it and a big dedicated team to keep it working. This makes it even more expensive than the email gateway itself. Can’t be helped.
Alright then. Which one to choose? First off, check for bare metal. If ‘Dieselgate’ taught us anything, it’s that bad stuff knows when it’s being tested. A bare metal sandbox is an actual functioning endpoint upon which the potential threat is released. If it doesn’t move on that endpoint it won’t move on your endpoint. Virtual testing only goes so far. Plus, it sounds pretty badass. Bare Metal. Yeah.
Secondly, make sure there’s a URL rewriter in there. A cybercrook will send an email with a safe weblink on Sunday night, activate the malware on the destination website AFTER it was delivered, and your email gateway can’t help you once it’s in your mailbox. A decent security upgrade will rewrite the links on every inbound email, so that they are checked again every time a user clicks on them.
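To make the click-time check concrete, here is an added Python illustration (not code from the original post or any product it mentions): inbound links are wrapped in a signed gateway URL, and the gateway unwraps and verifies the signature on click before re-scanning the real destination. The gateway host, the signing key and the sample mail body are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical click-time gateway and signing key (constructed for this example).
GATEWAY = "https://clickcheck.example.net/v"
KEY = b"rotate-me-constructed-demo-key"

HREF_RE = re.compile(r'href=(["\'])(.*?)\1', re.IGNORECASE)

def _sign(data: bytes, key: bytes = KEY) -> str:
    # Signing the token keeps the gateway from becoming an open redirect:
    # only links the rewriter itself wrapped will verify on click.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def wrap_url(url: str, gateway: str = GATEWAY, key: bytes = KEY) -> str:
    """Return the click-time check URL for one link, or the link unchanged
    when it must not be rewritten (mailto:/tel:, or already wrapped)."""
    if url.startswith(gateway) or url.split(":", 1)[0].lower() in ("mailto", "tel"):
        return url
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{gateway}?u={token}&s={_sign(token.encode(), key)}"

def rewrite_links(html: str, gateway: str = GATEWAY, key: bytes = KEY) -> str:
    """Rewrite every href in an inbound HTML body so the destination is checked
    again at click time, not only at delivery time."""
    return HREF_RE.sub(
        lambda m: f"href={m.group(1)}{wrap_url(m.group(2), gateway, key)}{m.group(1)}",
        html)

def unwrap_url(wrapped: str, gateway: str = GATEWAY, key: bytes = KEY):
    """Gateway side: recover the original URL to scan now, or None when the
    signature does not verify (a forged or tampered link)."""
    if not wrapped.startswith(gateway):
        return None
    q = parse_qs(urlsplit(wrapped).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    if not token or not hmac.compare_digest(_sign(token.encode(), key), sig):
        return None
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode()

# Constructed sample body: one web link that gets wrapped and one mailto that must not.
SAMPLE = ('<p>Invoice: <a href="http://invoice-host.example/doc.php?id=7">open</a> '
          'or reply to <a href="mailto:billing@example.org">billing</a></p>')
```

The unwrap step is where the gateway would re-run its URL reputation and sandbox checks on the recovered destination, so a link that was clean on Sunday night is judged again on Monday morning.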
Thirdly, local firewall or cloud? Well, as I said: these are heavy processes. Using a cloud data center guarantees the necessary processing speed. Upgrading your firewall so it can do this AND keep up with all the rest it’s doing usually makes it 2-3 times more expensive than the cloud option at comparable performance.
If you cover these bases and stick to the brands that have proven themselves over the years, you’re good to go. No use in complaining that cybercrime exists and never stops evolving. Denial never helped business continuity one bit. Just take that suspicious email and have it detonated far away, just like Frank the security guard would. Frank is smart. Be like Frank.