Sandbox Solutions: What to Consider Before Adopting One

So, you decided you need to purchase a sandbox solution to improve your organization’s cyber security posture. And why not? Sandboxing is regarded as the most advanced solution, perhaps even the only solution, against sophisticated malware and APT campaigns.

But before you commit to this technology, please take a few moments to think about the additional implications of diving into such a project:

  1. Unanticipated setup and ongoing costs

A sandbox is an expensive solution to purchase, but it also generates a lot of unforeseen additional costs, such as:

  • Dedicated hardware
  • Specific OS
  • Training of personnel
  • Maintenance

When you look at a sandbox solution from a TCO (Total Cost of Ownership) point of view, over the span of 3 years these other costs can add up to nearly double the initial, already costly investment, or more.

  2. Dedicated manpower tied to this task

A sandbox is an advanced, complex solution that needs constant tending. This means that some of your organization’s most qualified IT and security personnel will be tied to the daily operation of the system. Moreover, these people will require special training in malware analysis to conclude whether a file is really malicious. Simply capable people won’t do – you need experienced professionals, who are hard to come by and costly to retain.

  3. Headache factor

With great power comes great responsibility…and liability.

This is true not only for Spiderman but also for the security personnel operating the sandbox. They have to determine the maliciousness of a file according to its behavior profile, which is not easy to do when most malware types expect this and do their best to evade detection. And the technology won’t help you much: it simply gives an ambiguous score that the analyst (and ultimately, the CISO) can use as one factor when choosing whether to pass the file on to its destination or move it to quarantine.

  4. Gatekeeper syndrome

Hi IT department, where’s that email from my client?
I should’ve gotten this three days ago!

You want me to do what? Verify that I know this guy and that I expect a certain file?

Yes, as the gatekeeper, people will complain to you, regardless of the fact that you are merely doing your job (and protecting them in the process). But bear in mind: you will create additional friction and slow the flow of incoming files, and often people will resent you for it.

If you’ve factored in these four points and decide to move forward with the implementation, there’s one more thing to bear in mind. By the time you complete the implementation, there will be many more types of sandbox-evading malware that you will not be able to stop with this technology. This undermines the promise of flawless security (especially when you consider that there are additional ways to insert malware into your organization that a sandbox does not mitigate).


About the Author:

Michelle Handelman is Head of Marketing at ReSec.