In our interview with Ilan Paretsky, CMO of Ericom Software (https://www.ericom.com/), we discussed his perspective on sandboxing as the ‘original’ isolation approach, the need to evolve beyond it, and how containers provide much more advanced and resilient isolation.
Can you explain how exactly sandboxing works?
IP: For over two decades, sandboxes have proven highly effective as a safe place in which files suspected of being malicious can be quarantined and, if needed, destroyed. That’s why they are still utilized today in addition to firewalls, anti-virus, and other security solutions.
Cybersecurity sandboxes are enclosed environments on a user device or server where inbound files are evaluated to determine whether they’re safe and clean (or not). Software might run continuously within sandboxes, but more often, they serve as an interim waystation, where files and programs are isolated for testing until proven safe.
What updates have been made to sandboxing technology to increase protection of users and organizational networks?
IP: In recent years, significant improvements have been made to the sandboxing approach. Integration of behavioral analytics and artificial intelligence has reinforced this line of defense by enhancing the ability of sandboxes to recognize and eliminate files that may contain cyberthreats, before they are released within endpoints or the networks they’re linked to. This expedites the detection process and mitigates the human errors where users grant access to resources before testing is complete.
With that said, does the sandboxing approach still provide adequate protection against browser-borne threats (malware, ransomware, crypto-jacking, etc.)?
IP: Sandboxes are a serviceable security technology, with certain limitations. Awaiting the green light that indicates that all file activity is safe can often be a lengthy process. Users who need instant access cannot wait until the evaluation is complete.
Moreover, applications that require access to processes that reside outside of the sandbox, such as printing, are problematic. As users sometimes carelessly grant permission to use those processes – and they usually will – the “lid” is removed and malware can spread.
How do cybercriminals exploit these flaws?
IP: Hackers have been hard at work, creating malware that waits out the sandbox environment and delays malicious activity until files are released. Interpreting dormant files as harmless, sandboxes release the malware, triggering its activation and infiltration into endpoints and systems.
Security solution providers will continue to enhance their sandbox technology to better identify files that are malicious. Hackers, too, will continue to improve their ability to outmaneuver sandboxes and clear a triumphant path to your infrastructure.
We are very much aware of threats from hackers and the danger of human error, especially in relation to phishing and malicious sites. Are there other significant threat vectors about which we are insufficiently mindful?
IP: Great question. In recent years, businesses have poured effort and resources into securing their network perimeters, while paying insufficient attention to the wide-open threat vector represented by endpoint browsers. As a result, smart hackers are focusing their attention and efforts on browser-borne threats. And sandboxes are simply no match.
Today’s browsers execute huge numbers of lines of website code instantaneously as sites are accessed and rendered. Browser-executable code brings outside activity from the Internet to the endpoint straightaway, without even downloading files – bypassing sandboxes entirely. This is why browsers are considered to be so powerful and so treacherous. And it’s how malware and fileless exploit kits quickly spread from infected sites to endpoints to servers, and across entire organizational networks.
How can organizations effectively protect their infrastructure and their users’ devices from malicious browser-executable code?
IP: The answer lies in achieving a level of isolation that is more complete and hermetic than sandboxes can ever achieve. Sandboxes act as quarantined waystations for files heading towards the endpoint or network, whereas containers symbolize the “end of the road” – a sealed environment where applications such as browsing execute, away from endpoints and organizational networks.
Can you explain more about browser isolation and the role containers play?
IP: With Remote Browser Isolation (RBI), websites are rendered in virtual browsers within dedicated containers located remotely from the endpoint. A clean stream of rendered images, sent from the container to the endpoint browser, enables the user to interact naturally with websites. Once the user exits a tab or leaves the browsing session idle, the container is destroyed along with all content – benign and malicious.
Like sandboxes, containers can also be created on endpoints or organizational networks, but truly secure solutions favor remote locations, such as the cloud or network DMZ. Significantly, unlike sandboxes, container-based RBI solutions do not rely on distinguishing between safe and unsafe content, but simply keep all web content away from browsers on endpoints, so no malware can get in.