Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Products & Solutions

Wait a Minute! There's More Than One Type of (Security) Sandbox?

image
AMY HENG
September 27, 2022 - 4 min read

Not every day can be a beach day. Instead of driving hours to build sandcastles, why not bring the beach to you? In a very literal sense, sandboxes are isolated structures with sand that emulate the beach – minus the water and waves. 

Similarly, in the digital world, a sandbox is an isolated environment that emulates real operating systems and functionality, creating a controlled environment to test software and detonate unknown or suspicious files and code without harming the network or other local appliances.

Hybrid workforce and the rise of BYOD increases the criticality of sandboxing as a protection layer for enterprises. As your attack surface expands beyond the perimeter, you need depth in your defenses to stop the sand – in this case, malware – from spilling over into your network. Yet, security and IT teams are steadfast in their vendor-provided sandboxes or endpoint “sandboxing” for complete protection instead of a layered approach with a network sandbox. We’re about to bust this myth.

 

What is an example of a vendor-provided sandbox?

Whether you’re scouring the internet for research nuggets to have in your report or casually browsing the internet on your own time, security has been instrumentally built into your experience. Google Safe Browsing protects users and devices using Chrome and Gmail. Working in real-time, users are notified when a website or file is considered dangerous to prevent phishing and malware. Another example is VirusTotal, a site users who are already in the possession of a potentially nefarious file or URL can use to manually analyze and detect malicious activities. 

Google and VirusTotal automatically share threat intelligence to the security community and antivirus scanners to protect users and their internet experience. Detecting known threats becomes a walk in the park because they’re blocked instantly. Unfortunately, detecting and stopping unknown threats may need a little more help. 

 

Why you need a cloud-gen sandbox at the network level

Threat actors are actively developing malware that can bury itself deep in the sand, obfuscating known mitigation techniques and delivering malicious payloads in encrypted traffic. Preventing unknown and zero-day threats is not only a priority, it’s required. 

Modern enterprises need modern sandboxing. Zscaler Cloud Sandbox sits inline between the user and the network to deliver protection across web and file transfer protocols, including SSL/TLS. Advanced AI and ML models drive the malware prevention engine, automatically quarantining and analyzing unknown or suspicious files while providing instant verdicts for benign files. As a true zero trust sandbox, Zscaler Cloud Sandbox quickly adapts to policy changes and further minimizes attack surfaces by blocking threats across all users once they’ve been identified. This is unlike other network sandboxes that rely on a passthrough architecture that allow files to reach the user before providing protection.

 

Better together: Zero-day detection and remediation with EDR and cloud-gen sandbox 

Endpoint detection and response (EDR) solutions sit at the endpoint to continuously monitor code behavior of a device and protect against threats while accelerating investigations and enabling decisive remediation. Threat actors expect to go head-to-head with an EDR solution as they attempt to obtain access to a network through compromising users or devices. 

By using zero-day malware and targeting multiple users and devices at a time, agentless or unmanaged devices with access to corporate resources are at risk of compromise. Without the ability to sandbox and quarantine every file in real-time on every device for all users, well-designed, never-before-detected malware can lead to a breach.

To combat this, EDRs like CrowdStrike offer sandboxing functions when an end user or device comes across a file their AI or algorithm deems suspicious. Combined with a cloud-gen sandbox at the network level, security and IT teams can leverage the Swiss Cheese Model to significantly reduce their risk posture. Now with tighter closed-loop integrations through CrowdStrike, newly detected threats or suspicious activity found within CrowdStrike Falcon Insight XDR will trigger workflows to change user group membership and apply adaptive access control policies through Zscaler. Network telemetry from Zscaler provides rich, continuous context for investigations. Instead of competing with one another, the bidirectional threat intelligence enables network and endpoint sandboxes to complement each other.

When Zscaler Cloud Sandbox’s AI-driven quarantine returns a malicious verdict the file is blocked across the network and shared with the EDR so it can block across all endpoints. Together, CrowdStrike and Zscaler provide early detection and visibility into potential exploits, enabling them to act faster, with more context and efficacy.

Today’s adversaries are throwing themselves a party. Enterprises relying on traditional security measures or a single layer of protection are finding that modern malware development cycles are agile and polymorphic. Simply put, without defense in depth that includes a network, cloud-gen sandbox with AI-driven quarantine on top of an EDR and vendor sandboxing, your overall risk posture remains high. Find out more by joining our live webinar with CrowdStrike on November 2nd at 10 a.m. PT / 1 p.m. ET, “Private Property, No Trespassing: Stop Threats from Gaining Access”.

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.