By Jonathan Gold-Shalev, Senior Product Manager, Threat Prevention
Organizations use security products to either detect or prevent known and unknown threats. Most threats enter a network via web browsing, web file downloads, phishing emails, and email attachments. Known file-based attacks are quickly validated by running files against a large database of signatures.
Detecting and preventing unknown file-based attacks (or zero-day attacks) is more challenging. Sandbox technology is used to run the file on various operating systems, tricking an embedded exploit to execute. Once it executes, it is measured and classified by multiple machine learning-based engines. This provides incident response teams with information needed to investigate, remediate and block the malicious file.
Sandboxes differ greatly in their ability to detect malware evasion. The goal is to keep false positives low and to deliver a fast verdict. It’s also key to maintain a high catch rate (see the latest NSS Breach Prevention System (BPS) test results).
Download our report “Maximum Zero-Day Prevention Without Compromising Productivity” to learn more about hybrid prevention using sandboxing.
Productivity, the price organizations need to pay
The biggest drawback to sandboxes is latency. Running a simulated environment and exploit takes time; up to several minutes in some cases. Receiving an email with a several minute delay is tolerable. However, waiting minutes for a file to start downloading is unacceptable. Even though 80 percent of the files processed by the sandbox are completed in a couple of seconds, users see this as a performance issue. And with low perceived performance, security becomes a business problem.
So what do organizations do?
One solution is to downgrade security from prevention mode, where malicious files are blocked, to detection mode, where alerts are sent to security teams to investigate potentially malicious files entering the network.
Is there a better way?
File Sanitization (CDR) in a nutshell
File sanitization (or Content Disarm and Reconstruct) is a leaner approach to sandboxing. With CDR, the security gateway removes the active parts and embedded objects from files that come through the gateway before the file is delivered to the user.
The user gets a file without malware, which to the naked eye looks the same as the original file. Most documents do not contain macros and java scripts, but with CDR users typically receive these documents within one to three seconds.
CDR has two drawbacks. Users do not receive the original file, which some users see as a problem. For instance, it becomes a real problem when a user needs a macro that has been removed from an Excel file. The second drawback is a perception problem: some users simply want the original file, not a cleaned one, fearing that it has been denigrated in some way. So once again, improving security comes at the expense of usability and frustration.
A hybrid solution: the best of both worlds
Fusing CDR and sandboxing with the same solution allows organizations to enjoy the benefits and eliminate the drawbacks of each. It sends every downloaded file to the sandbox (a.k.a. file emulation) and in parallel, “sanitizes” it via CDR. By the time the user requests the original file, the sandbox scanning is completed and if not found malicious, the user gets his/her file immediately.
Bonus: Moving from detection to prevention
The CDR-Sandbox hybrid solution eliminates latency security. This means organizations do not need to settle for keeping their systems in detection mode and do not need incident-response teams to clean up the mess. Instead, they can automatically prevent malware from reaching end users.
To learn more, download the whitepaper “Practical prevention: Maximum zero-day prevention without compromising productivity.”