Check Point’s SandBlast Is a New Approach to the Sandbox
By Zeus Kerravala
Founder and Principal Analyst ZK Research
It’s been said that in life there are only two things that are inevitable: death and taxes. If you’re in the cybersecurity business, I’d add a third: attackers will always find a way to get ahead of security technology.
We built firewalls, so attacks moved into web applications and came in over the web ports we had to leave open. Anti-virus improved, so attackers turned to phishing. The latest defence to come under fire is sandboxing.
If you’re not familiar with how sandboxing works: it adds an extra layer of protection by diverting content or applications from untrusted sources, such as websites, application developers or suppliers, into an isolated “sandbox” where the content is opened or executed and inspected for malicious behaviour.
If the content is judged clean, it is allowed into the enterprise network. If not, it is dropped, or handed to another security device to be cleaned. Sandboxing has been around for several years and has been very effective at keeping bad content out.
However, as I said above, attackers are getting smarter and have figured out how to thwart the sandbox. Malware can now check whether it is running on a real host, such as a user’s PC, or inside a virtual machine.
If it finds itself on a VM, the malicious payload simply does not run, so the sample passes the sandbox check. Alternatively, the malware can carry a built-in delay: it sits idle while the sandbox is watching and only executes its malicious code days later. Businesses obviously can’t hold content in a sandbox for more than a few hours, as making workers wait days for their e-mail attachments would be highly inconvenient, so a patient sample simply outlasts the analysis window.
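The two evasion tricks just described, hypervisor detection and time-stalling, written out as an added example so a sandbox operator can test an environment against them. This is illustration code, not Check Point’s and not real malware: the HostFacts snapshot, its field names and the thresholds are this example’s own assumptions, and the host profiles in it are constructed, not captured from real machines.

```python
"""Sandbox-evasion checks as pure functions over a constructed host snapshot.
Added illustration; the HostFacts field set and thresholds are assumptions."""
import time
from dataclasses import dataclass

# OUIs (first three MAC octets) registered to common hypervisor vendors.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56",   # VMware
                   "08:00:27",                           # VirtualBox
                   "00:15:5d",                           # Hyper-V
                   "52:54:00")                           # QEMU/KVM default
# Strings that appear in DMI/SMBIOS vendor fields of common guests.
VM_VENDOR_WORDS = ("vmware", "virtualbox", "innotek", "qemu", "kvm",
                   "xen", "bochs", "parallels")


@dataclass
class HostFacts:
    """What a sample can read cheaply at start-up (assumed field set)."""
    mac: str
    system_vendor: str      # DMI system manufacturer string
    cpu_count: int
    ram_gb: float
    uptime_minutes: float
    hypervisor_flag: bool   # x86 CPUID leaf 1, ECX bit 31: "hypervisor present"


def vm_indicators(h: HostFacts) -> list:
    """Return the VM indicators found; an empty list means 'looks like real hardware'."""
    hits = []
    if h.hypervisor_flag:
        hits.append("cpuid hypervisor bit set")
    if h.mac.lower().startswith(VM_MAC_PREFIXES):
        hits.append("mac oui %s belongs to a hypervisor vendor" % h.mac[:8])
    if any(w in h.system_vendor.lower() for w in VM_VENDOR_WORDS):
        hits.append("dmi vendor '%s'" % h.system_vendor)
    if h.cpu_count < 2 or h.ram_gb < 4:
        hits.append("undersized hardware (%d cpu, %.0f GB)" % (h.cpu_count, h.ram_gb))
    if h.uptime_minutes < 10:
        hits.append("booted %.0f minutes ago" % h.uptime_minutes)
    return hits


def sleep_is_honest(seconds, sleep=time.sleep, clock=time.monotonic, tolerance=0.5) -> bool:
    """Stalling check: sleep, then verify that the clock really advanced.

    A sandbox that patches the sleep call to return at once but leaves the
    clock alone fails this check, which is exactly why samples do it.  A
    sandbox that also fast-forwards every clock source passes it; that is the
    defender's counter.  sleep/clock are parameters so both can be injected."""
    start = clock()
    sleep(seconds)
    return clock() - start >= seconds * tolerance


def would_detonate(h: HostFacts, sleep=time.sleep, clock=time.monotonic) -> bool:
    """Combine both checks the way an evasive sample does: stay dormant on a VM
    or when the sleep was skipped, otherwise run.  (Delay kept short here.)"""
    if vm_indicators(h):
        return False
    return sleep_is_honest(0.05, sleep=sleep, clock=clock)


if __name__ == "__main__":
    # Constructed snapshots, not captured from real machines.
    lab_vm = HostFacts("00:0c:29:3a:7f:11", "VMware, Inc.", 1, 2.0, 3, True)
    laptop = HostFacts("3c:22:fb:9a:1e:55", "Dell Inc.", 8, 16.0, 4320, False)
    for name, h in (("lab_vm", lab_vm), ("laptop", laptop)):
        print(name, "->", vm_indicators(h) or "no indicators",
              "| detonate:", would_detonate(h))
```

Run against your own sandbox images, the interesting result is every non-empty `vm_indicators` list: each entry is something to fix (a vendor MAC prefix, a stock DMI string, a one-CPU two-gigabyte guest that was booted seconds before the sample). The sleep check is the subtler one: accelerating `Sleep()` is not enough on its own, because the sample compares the call against a clock, so the sandbox has to move every clock source forward by the same amount or the stall is detected.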
Last month Check Point announced a technology called “SandBlast” to combat sandbox evasion. The technology comes to Check Point from its February 2015 acquisition of Hyperwise. SandBlast looks for threats at the CPU or operating-system level instead of in the application or document.
The solution is installed on an appliance or delivered as a cloud service, and it sits as a gateway in front of the company’s e-mail system and firewall. It inspects content as it is being opened and watches for attempts to access memory or the CPU in ways a legitimate document would not. An exploit has to misbehave at this level before any payload can run, and the VM checks and sleep timers described above live in the payload, so they never get the chance to help the attacker: the anomalous low-level behaviour gives the file away, and SandBlast blocks the activity and neutralizes the threat.
Check Point also released a feature it calls Threat Extraction, which lets a document be opened immediately while the original is still being processed through the sandbox. Threat Extraction quickly converts Word documents into PDF files, which neutralizes any malicious content in the file: macros, embedded objects and other active content do not survive the conversion. This allows workers to view the content without the risk of unknowingly releasing malware into the business network.
Hackers have done an excellent job of keeping ahead of security technology like sandboxes. Check Point’s SandBlast is a unique way of isolating and inspecting files that puts the security technology one step ahead of cyber attackers. At least for now.
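The idea behind Threat Extraction, handing the user a copy with the active content removed rather than making them wait for a verdict, as an added example that is not Check Point’s implementation (which reconstructs the file or converts it to PDF). This version works on the OOXML container directly: it drops the VBA project and embedded objects, cuts the relationships that point at code or at content fetched from outside the file, and rewrites the content types so the result is a plain .docx. The sample macro-enabled document is constructed in memory and is not a real malicious file.

```python
"""Content disarm for an OOXML (.docm/.docx) container.  Added illustration,
not Check Point's code; the sample document is constructed, not real malware."""
import io
import re
import zipfile

# Relationship types (suffix of the Type URI) that point at code or at
# content the application would fetch or execute when the file is opened.
ACTIVE_REL_TYPES = ("/vbaProject", "/oleObject", "/control", "/attachedTemplate")
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
REL_RE = re.compile(r"<Relationship\b[^>]*/>")


def build_sample_docm() -> bytes:
    """Construct a tiny macro-enabled document with a remote template link."""
    parts = {
        "[Content_Types].xml":
            '<Types><Override PartName="/word/document.xml" ContentType="%s"/>'
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/></Types>' % MACRO_MAIN_CT,
        "word/document.xml":
            "<w:document><w:body><w:p><w:r><w:t>Q3 numbers attached</w:t>"
            "</w:r></w:p></w:body></w:document>",
        "word/styles.xml": "<w:styles/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stand-in for a VBA project",
        "word/_rels/document.xml.rels":
            '<Relationships><Relationship Id="rId1" Type="http://schemas.microsoft.com'
            '/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org'
            '/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>',
        "word/_rels/settings.xml.rels":
            '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
            '/officeDocument/2006/relationships/attachedTemplate" '
            'Target="http://example.invalid/t.dotm" TargetMode="External"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def _cut_active_rels(part_name: str, xml: str, removed: list) -> str:
    """Remove relationships to code and to non-hyperlink external targets."""
    def decide(m):
        rel = m.group(0)
        external = 'TargetMode="External"' in rel
        if any(t in rel for t in ACTIVE_REL_TYPES) or (external and '/hyperlink"' not in rel):
            removed.append("%s: %s" % (part_name, rel))
            return ""
        return rel
    return REL_RE.sub(decide, xml)


def disarm(docx_bytes: bytes):
    """Return (clean_bytes, removed) where removed lists every part or link cut."""
    removed = []
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            data = src.read(name)
            low = name.lower()
            # 1. Parts that are code or embedded objects go outright.
            if "vbaproject" in low or low.startswith(("word/embeddings/", "word/activex/")):
                removed.append(name)
                continue
            # 2. Relationship parts lose their links to code and remote content.
            if low.endswith(".rels"):
                data = _cut_active_rels(name, data.decode("utf-8"), removed).encode("utf-8")
            # 3. Content types are rewritten so the result is a plain .docx.
            if name == "[Content_Types].xml":
                text = data.decode("utf-8").replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)
                data = re.sub(r"<Override\b[^>]*vbaProject[^>]*/>", "", text).encode("utf-8")
            out.writestr(name, data)
    return out_buf.getvalue(), removed


def part_names(docx_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


def read_part(docx_bytes: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name).decode("utf-8")


if __name__ == "__main__":
    clean, gone = disarm(build_sample_docm())
    for item in gone:
        print("removed:", item)
    print("kept parts:", part_names(clean))
```

Two caveats a practitioner should keep in mind. First, cutting a relationship leaves the `r:id` that referenced it dangling, which Word tolerates for templates and OLE links but which a stricter consumer may reject; a production disarm engine rewrites the referencing XML as well. Second, this only removes what it recognizes, which is why the article’s approach of converting to PDF is the more conservative option: a rendering pipeline carries over text and layout and nothing else, so it does not need a list of dangerous part types to be complete.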