The idea of “sandboxing” potentially malicious content and applications isn’t new, but interest in this approach on Windows desktops is growing. Further, the increasing variety of virtualization and abstraction techniques available on Windows creates isolation boundaries that can be used to provide security separation, aka “sandboxing”.
Given the innovation around virtualization techniques and the decreasing effectiveness of signature-based approaches at protecting us from advanced targeted attacks and advanced persistent threats, we believe there will be a renaissance in sandboxing/virtualization/container technologies on Windows and mobile devices.
The idea is compellingly simple: define a core set of OS components and applications as “trusted”. Then, when you need to handle a piece of unknown content or an unknown application, treat it as untrusted by default and isolate it so that it cannot damage the system, access enterprise data or launch attacks on other enterprise systems.
In reality, it is harder than this. There is no silver bullet in information security. Isolation can be powerful, but it has drawbacks.
One issue is that, in the real world, a useful system can’t completely lock out all content and applications. There will be cases where trusted applications need to handle untrusted content. There will be cases where end users want to download and run new, untrusted applications, and they will want those applications to handle trusted content. Untrusted content and applications may need to persist on the file system and survive a reboot. Every one of these use cases involves risk, especially if end users are called upon to decide when and where untrusted content and applications can be “trusted”. An analogy makes this clearer: even the strongest prison needs doors in order to be useful, and those same doors can be used to escape.
Another issue is that attackers will target the containment mechanism itself (in the analogy, the prisoners cut a hole in the fence, tunnel out, or someone on the outside flies a helicopter over the fence to get them out). The highly publicized recent Java zero day was a direct result of a breach of containment. Bromium (one of the solution providers in the virtualization containment space) recently presented on this topic at Black Hat EU, demonstrating how to break containment in several leading sandboxing solutions. Interestingly, rather than attacking the walls and doors of the containment mechanism directly, their breaches worked by attacking the OS kernel underneath: a sandbox that relies on the kernel to enforce its boundary is only as strong as that kernel, so a kernel privilege-escalation flaw bypasses the sandbox no matter how well the sandbox itself is built. In our analogy, it’s the equivalent of saying “I don’t care how thick your walls and roof are, or what they are made of; these containment structures are built on a foundation with a bunch of holes”.
To help clients cut through the hype, I’ve just published a research note for clients titled “Technology Overview for Virtualization and Containment Solutions for Advanced Targeted Attacks”. In the note, we provide a framework for evaluating these virtualization/containment/sandboxing solutions and use the framework to take a close look at the pros and cons of Bromium’s solution.
There are many emerging alternatives at every layer of the stack. Make sure you understand the pros and cons of the solutions and approaches before you buy.