By Sam Hutton, CTO, Glasswall Solutions.
Ever received a message that the file you are desperately waiting for has been quarantined? If so, you know the frustration of sandboxing. As providers of information security and risk management solutions, we help businesses succeed by managing risk. But if managing that risk creates security policies, controls and technology solutions that say ‘no’ too often or slow people down, users will find ways to circumvent processes or even disable information security products. The reality is that organisations demand information risk management solutions that deliver confidentiality and integrity while preserving, not impacting, the availability of files and applications. Solutions must function at the speed of business which, in a period of tentative economic recovery, is faster than ever. This means the traditional techniques used for blocking and quarantining files have to move with the times, and we believe we can help technology providers to do this. How?
We all spend much of our time at work sending and receiving documents. The files we use every day, such as PDFs, MS Office documents and image formats, are a primary threat vector for zero-day attacks and advanced persistent threats (APTs). Organisations need to manage this risk, but slowing down file collaboration is something that few business users will welcome – whatever the security benefits. Yet this is exactly what happens when organisations adopt sandboxing as part of their information security processes. Isolating and inspecting files takes time: time to move and quarantine the file, time to confirm that something ‘bad’ has executed, fix it or decide that it was fine all along, and then release it once this process is complete.
Although the principle of sandboxing – examining files in a safe environment – is a pragmatic approach, there is no avoiding the fact that it disrupts workflow and slows down business. This is perhaps why the majority of organisations choose not to run sandboxing applications in-line, making them less of a proactive detection engine and more of an after-the-fact incident response measure or forensics tool. The result is that sandboxing is not helping organisations actively tackle APT and zero-day attacks – issues high on most organisations’ list of information security and risk priorities.
So how much of a delay are we talking about? That depends on the sandboxing process. In our experience most sandboxing solutions rightly claim that a file’s time in the sandbox can range from a couple of minutes to thirty minutes. But the organisations we meet – who are looking for ways to respond to frustrated users tired of document delays – tell us that this does not include the time it takes to fix the file in line with their remediation process. This means that files can easily be delayed by hours or even days. Depending on the industry, this ranges from inconvenient to unacceptable.
We believe that sandboxing, despite its increasingly apparent limitations of speed and cost, still has an important place in a best-practice information security infrastructure, but it needs to evolve by reducing the number of files it has to process. This is why we are talking to many technology vendors about how we can help them focus sandboxing in the right areas – allowing over 99% of files to be passed on to information-hungry users in milliseconds, with complete security, based on our real-time forensic methodology, without even needing to initiate a sandbox session. We are also showing them how our technology can support multiple sandboxes simultaneously, improving performance and availability by reducing the volume the sandbox needs to process. The sands of time need not be running out for sandboxing, but it is time to change.
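The post argues for deciding in milliseconds which files actually need a sandbox session and passing the rest straight through. As an added illustration of that triage idea (example code written for this page, not Glasswall’s methodology or product), the script below applies a few cheap static checks to the file types the post names: the header must match the declared extension, a PDF must not carry active-content name objects, and an Office OOXML container must not carry a VBA project. Anything the checks cannot vouch for is routed to the sandbox; everything else is released immediately. The magic-byte table, the marker list and the sample files are all constructed assumptions for the example.

```python
import io
import zipfile
from typing import Tuple

# Constructed table of header signatures for the formats discussed in the post.
# OOXML (docx/xlsx/pptx) files are ZIP containers, so they share the ZIP header.
MAGIC = {
    "pdf": [b"%PDF-"],
    "docx": [b"PK\x03\x04"],
    "xlsx": [b"PK\x03\x04"],
    "pptx": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# PDF name objects that signal scripting or automatic actions (assumed list).
# /JavaScript is listed before /JS so the more specific marker is reported.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def declared_type(filename: str) -> str:
    """Extension the sender claims, lower-cased; empty if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def magic_matches(ext: str, data: bytes) -> bool:
    """True if the file's leading bytes are a known signature for ext."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, []))


def triage(filename: str, data: bytes) -> Tuple[str, str]:
    """Decide ('pass', reason) or ('sandbox', reason) for one file."""
    ext = declared_type(filename)
    if ext not in MAGIC:
        # Unknown or unhandled type: let the sandbox look at it.
        return "sandbox", f"unhandled type '{ext}'"
    if not magic_matches(ext, data):
        # Content does not match what the name claims it is.
        return "sandbox", "header does not match declared extension"
    if ext == "pdf":
        hit = next((m for m in PDF_ACTIVE_MARKERS if m in data), None)
        if hit:
            return "sandbox", f"PDF contains {hit.decode()}"
        return "pass", "static PDF"
    if ext in ("docx", "xlsx", "pptx"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "sandbox", "malformed OOXML container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "sandbox", "OOXML contains VBA macro project"
        return "pass", "OOXML without macros"
    # Remaining handled types are images whose header already checked out.
    return "pass", "image header matches"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style ZIP, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample inputs (not real files).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS () >> endobj\n%%EOF")
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def run_samples() -> dict:
    """Triage the constructed samples; returns {label: decision}."""
    samples = {
        "static pdf": ("report.pdf", CLEAN_PDF),
        "scripted pdf": ("report.pdf", JS_PDF),
        "png named .pdf": ("report.pdf", PNG_BYTES),
        "docx no macro": ("memo.docx", make_ooxml(False)),
        "docx with macro": ("memo.docx", make_ooxml(True)),
        "png": ("photo.png", PNG_BYTES),
    }
    return {label: triage(name, data)[0] for label, (name, data) in samples.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(f"{label:16} -> {decision}")
```

The checks are deliberately cheap and conservative: they never try to prove a file safe, only to show that the sandbox budget can be spent on the minority of files with mismatched headers, scripts or macros while plain documents and images are released at once.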