The difference between Endpoint Detection and Response, Sandbox and Containerization Solutions

We frequently get questions around endpoint detection and response (EDR) and sandboxes and how the technologies are different. Sandboxes are restricted environments where you can open files you’ve received to a) inhibit their impact on your endpoint, or b) see how they behave before you open them in a “real” environment. Sandboxes fall into a number of categories, including:


Network sandboxes. Network sandboxes generally integrate with email and Web proxies, and as files enter your environment from the Internet, they open up unknown files and see how they behave. Based on what they see, network sandboxes will block, allow or quarantine the files.

Endpoint sandboxes. Endpoint sandboxes use the same principle as network sandboxes, except that they run on the endpoint, and will only allow files to open “normally” on the endpoint once they’re confident the file is not malicious.

Containerization. In containerization solutions, the application runs in the sandbox environment for as long as you’re using it. You set policies based on what you’re sandboxing around what system resources it can access and what it can communicate with.

The drawbacks of sandbox solutions

While useful, sandbox solutions have a few problems. First, network sandboxes only work for Web traffic that passes through their proxy. For mobile workers, unless you’re back-hauling all network traffic through a corporate network - which is expensive and intrusive - you’re not going to see the files you need to block. Even when they do see the files, network sandbox solutions tend to be very noisy, since they can’t really emulate your environment with the right patch levels, so they alert on threats that wouldn’t affect you.

Second, since sandboxing is a common technique, many attacks have become sandbox aware. Attackers build logic into malware to work out whether it’s executing in a sandbox, and if it is, the program won’t perform any malicious activity, allowing it to evade detection.

With sandboxes, there’s always a tradeoff between how much inspection you can perform and how much you impact the user. Sandboxing introduces delays and overhead on the endpoint while files get inspected, and this affects the user trying to view or use the files they’re downloading. Containerization doesn’t necessarily introduce delays, but keeping track of all the policies governing which applications are allowed to access what can become extremely onerous, and severely impact users if you get it wrong. Also, many applications simply won’t work properly in a containerization environment, and they create massive integration testing overhead every time you roll out an upgrade.

Finally, sandbox solutions generally only concentrate on one part of an attack. Apart from containerization solutions, they don’t give visibility and context around all malicious activities. That means you need another solution to understand how all the parts of the attack fit together, including any lateral movement or command-and-control activity.

What makes the Cybereason EDR platform different from sandboxes

Sandboxing is an important protection layer, but it will not protect you completely, and can unduly impact the end user. Many of our customers use Cybereason as a primary threat detection tool instead of a sandbox technology. Other customers use the platform to fill the gaps when their sandbox technology does not detect a threat. Sandboxes are also used by our customers to get additional information about the behavior of a file identified by Cybereason as either malicious or suspicious. This is because Cybereason gives you:

Visibility everywhere. Cybereason’s Endpoint Sensors monitor – in real time – every process, every connection, every user on every endpoint across an enterprise, whether it’s a server at your corporate headquarters or a laptop in a coffee shop accessing a SaaS application. This gives you an unparalleled understanding of everything that’s going on across your environment.

Easy deployment - even in a BYOD environment. Cybereason’s Endpoint Sensors run in user space, eliminating the risk of causing a “blue screen.” This means that you can deploy it everywhere - including on contractors’ machines and BYOD devices - without worrying about Cybereason conflicting with some other software a BYOD user has installed.

Automatic detection of previously unknown threats - even sandbox aware. Cybereason’s Hunting Engine collects all the endpoint sensor data and uses a purpose-built, in-memory graph to identify threats. The Hunting Engine analyzes all endpoints, constantly asking intelligent questions to understand exactly what’s happening in your environment. This gives you unparalleled detection of all attack elements, especially those threats that have never been seen before.

Automatically presents all aspects of a malicious operation (or Malop). Cybereason automatically pulls together all attack context associated with a malicious operation, and visualizes the data for an analyst. This gives even a relatively junior analyst the information needed to shut down an attack. Cybereason also comes preconfigured with behavioral models so when a sensor is rolled out, you get immediate value.
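To make the in-memory graph idea above concrete, here is an added example (not Cybereason’s code or data format) that links constructed process, connection and logon telemetry from two endpoints into one directed graph and walks it from a single suspicious process to pull together the whole operation, including the lateral-movement hop and the shared command-and-control destination. Event field names and the sample values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (not a real sensor format); field names are assumptions.
# Story: a Word document on a laptop spawns PowerShell, which beacons out and then
# logs on to a file server, where a second PowerShell beacons to the same address.
EVENTS = [
    {"type": "process", "host": "laptop-7", "pid": 410, "ppid": 120, "image": "outlook.exe"},
    {"type": "process", "host": "laptop-7", "pid": 532, "ppid": 410, "image": "winword.exe"},
    {"type": "process", "host": "laptop-7", "pid": 610, "ppid": 532, "image": "powershell.exe"},
    {"type": "connection", "host": "laptop-7", "pid": 610, "dst": "203.0.113.9:443"},
    {"type": "logon", "src_host": "laptop-7", "src_pid": 610, "host": "fileserver-1", "logon_id": "0x5a3"},
    {"type": "process", "host": "fileserver-1", "pid": 88, "ppid": 4, "image": "wmiprvse.exe"},
    {"type": "process", "host": "fileserver-1", "pid": 91, "ppid": 88, "image": "powershell.exe", "logon_id": "0x5a3"},
    {"type": "connection", "host": "fileserver-1", "pid": 91, "dst": "203.0.113.9:443"},
    {"type": "process", "host": "laptop-7", "pid": 700, "ppid": 120, "image": "chrome.exe"},  # unrelated noise
]

def build_graph(events):
    """Directed graph over nodes ("proc", host, pid), ("dst", addr) and
    ("logon", host, logon_id). Edges follow causality: parent -> child process,
    process -> destination, initiating process -> remote logon -> spawned process."""
    g, images = defaultdict(set), {}
    for e in events:
        if e["type"] == "process":
            node = ("proc", e["host"], e["pid"])
            images[node] = e["image"]
            g[("proc", e["host"], e["ppid"])].add(node)
            if "logon_id" in e:  # process runs inside a remotely created logon session
                g[("logon", e["host"], e["logon_id"])].add(node)
        elif e["type"] == "connection":
            g[("proc", e["host"], e["pid"])].add(("dst", e["dst"]))
        elif e["type"] == "logon":
            g[("proc", e["src_host"], e["src_pid"])].add(("logon", e["host"], e["logon_id"]))
    return g, images

def reconstruct(g, images, root):
    """Breadth-first walk from one suspicious process; everything reachable is
    one operation, regardless of which endpoint it happened on."""
    seen, queue = {root}, deque([root])
    while queue:
        for nxt in g.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    procs = [n for n in seen if n[0] == "proc"]
    return {
        "hosts": sorted({n[1] for n in procs}),
        "processes": sorted(images[n] for n in procs),
        "destinations": sorted({n[1] for n in seen if n[0] == "dst"}),
        "lateral_movement_to": sorted(n[1] for n in seen if n[0] == "logon"),
    }

if __name__ == "__main__":
    graph, names = build_graph(EVENTS)
    print(reconstruct(graph, names, ("proc", "laptop-7", 532)))
```

Starting the walk at the Word process on the laptop yields both hosts, both PowerShell instances, the single external address they share and the logon to the file server, while starting at the unrelated browser process yields only that process.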

Automated response to all stages of the attack. Sandbox tools can prevent a file from opening in an unrestricted way. However, with Cybereason, once you identify a threat you can automatically shut it down, prevent it from spreading elsewhere, isolate it and perform full-blown remote forensics on the machine.

Paul Stamp
About the Author

Paul is the former Director of Product Marketing at Cybereason.