Sandbox technology continues to mature as part of the ongoing effort to defend against cyber threats. Independent testing offers organizations valuable insight into which solutions best fit their use case. Below we discuss this maturing technology and the role of testing with Fortinet’s David Finger.
Cyberattacks and breaches continue to be top of mind across organizations, and because of that, sandbox technology (or Breach Detection in NSS terms), which was covered in the recent test, is increasingly important. In fact, I view it as a “must-have” technology going forward. However, there are literally dozens of vendors in this market, each claiming to have the best solution. This can be bewildering for companies looking to spend their valuable security budget wisely, which is why independent testing is so important for security in general (our founder has blogged about this previously), and for this solution area in particular. It helps take the guesswork out of the shortlist and selection process, and separates real functionality from marketing hype.
What I like about NSS Labs is that they have an open process to set each test methodology - encouraging feedback from vendors and collecting requirements from end user clients, in addition to leveraging the experience of their own test staff. They also test on a recurring basis, and invite public participation from any vendor that feels they have a product that meets the test requirements. Finally, their rating method is simple and data driven.
If you think about it, over the years we as a security industry have developed and deployed a lot of great technologies - signatures, heuristics, reputations, behavior analysis, and more - at many places in the organization to detect and block cyberattacks. However, they are almost all designed for in-line deployment, requiring them to be fast and accurate and to not impede business. Knowing this, cybercriminals are crafting attacks to pass quick inspection, or to introduce a degree of doubt during analysis, to allow them to pass through traditional blocking technologies. By contrast, sandboxing is designed to inspect deeper and longer in order to detect those very threats. So it’s quite different from most of the security technology we have deployed to date. And based on its ability to detect sophisticated and previously unknown attacks, it has become absolutely necessary.
Personally, I am not a fan of sandboxes that work independently from the other security components already deployed by organizations and create that heavy investigation and response effort you mention. I encourage all folks that I speak with to not only make sure they have a sandbox, but to make sure their solution is well integrated into their overall security infrastructure. Ensuring that sandbox technology is a central service that shares objects and intelligence across multiple security components is something strategic for us, and I think it should be for most organizations. In fact, it’s a critical part of our Security Fabric vision.
A few items I found interesting, and a call-out of how Fortinet did in the testing:
You can read the detailed reports for our products here.
And our sandbox detection is now a part of our free Cyber Threat Assessment Program, making it easy for organizations to get a sense of its value.