White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

Transcription

1 White Paper Advantage FireEye Debunking the Myth of Sandbox Security

2 White Paper Contents The Myth of Sandbox Security 3 Commercial sandbox evasion 3 Lack of multi-flow analysis and exploit detection 3 Lack of multi-vector analysis 4 Nonexistent or outdated information-sharing infrastructure 4 Privacy, compliance and latency concerns of cloud 4 FireEye Platform Overview 4 Summary 6 About FireEye, Inc. 6 FireEye, Inc. Advantage FireEye: Debunking the Myth of Sandbox Security 2

3 The Myth of Sandbox Security Organizations are under assault by a new generation of cyber attacks that easily evade traditional defenses. These coordinated campaigns are targeted. They are stealthy. And they are persistent. Many exploit zero-day vulnerabilities and orchestrate attacks across multiple vectors. The threat actors behind these attacks are dead set on finding your weaknesses, targeting their way into your systems, and stealing your data. Guarding against these advanced threats demands a fundamentally different approach. Organizations need a defense that does not rely on mere malware signatures. Aware that their backward-facing defenses fall short, several IT security vendors are touting their sandbox products. But rather than adopting a truly fresh approach, most are merely grafting a sandbox onto their legacy strategies, which routinely fail to catch these attacks. While sandboxing advances the signature-based approach of the past, these new attempts fail due to the same old flaws. Simply put, the underlying architecture does not lend itself to catching the zero-day, stealthy, and persistent malware. Commercial sandbox evasion First, many sandbox approaches rely on widely available hypervisors. Threat actors have access to these hypervisors including source code in some cases and write their malware to exploit or evade them. 1 Using a variety of evasion techniques, sandbox-aware malware simply lies dormant when executing in a sandbox environment. Detecting no unusual activity, many sandboxes let the malware pass. Lack of multi-flow analysis and exploit detection Second, most sandbox approaches use file-level analysis. This approach has several flaws. Targeted malware is programmed to activate on specific system configurations. File analysis in a generic system may miss such malware, leading to a false sense of security. In other cases, malware files package and morph themselves to evade simple file analysis. A typical attack follows this cycle: a) exploit b) callback c) malware download d) data exfiltration Detecting the exploit is critical to catching advanced threats because the subsequent phases can be hidden or obscured. File-level analysis focuses on downloaded files and may miss the exploit phase, resulting in false negatives. An effective threat protection platform must be able to catch exploits even when the ensuing file download occurs over obfuscated channels. 1 FireEye, Inc. Advantage FireEye: Debunking the Myth of Sandbox Security 3

4 Lack of multi-vector analysis Third, exploits often use a combination of vectors to lure unsuspecting targets for example, phishing s with Web links. If a security product cannot capture the exploit across this spectrum, the target remains vulnerable and the insights incomplete. Effective protection involves not just tracking attacks across vectors, but also sharing this information in real time across systems to guard against multivector attacks. Nonexistent or outdated information-sharing infrastructure Fourth, sandboxes lack the detailed insights that integrate information gathered from around the globe. Many advanced attacks are part of a broader campaign against similar targets elsewhere. Without the benefit of real-time information about these quickly evolving campaigns and morphing attacks, sandbox analysis gets only part of the story. Privacy, compliance and latency concerns of cloud Finally, several vendors are hawking cloud-based sandboxes. This approach tends to create privacy, compliance, and regulatory challenges. Cloud-based defenses also increase load to the WAN infrastructure and due to added latency response times. These failings make cloud-based sandboxes impractical against today s advanced cyber attacks. FireEye Platform Overview The FireEye threat protection platform forms a cross-enterprise fabric to guard enterprises, small and medium businesses, and governments from a new generation of cyber attacks. The FireEye platform combines these pieces for truly effective security: Virtual-execution based detection engine Cloud-based dynamic threat intelligence Intra-enterprise intelligence sharing among FireEye nodes and an ecosystem of partners FireEye products use a hypervisor built for the sole purpose of detecting and blocking threats. The FireEye Multi-Vector Virtual Execution (MVX) engine explicitly isolates data in a proprietary hypervisor to prevent malware from detecting and escaping from the virtual execution engine. This multi-vector, multi-flow virtual execution model also extracts a rich layer of information about the attack. This detail ensures global protection with near-zero false positives and false negatives. With the FireEye Dynamic Threat Intelligence (DTI) cloud, participating FireEye nodes across the world also share malware intelligence in real time. Nodes within and across enterprises are automatically updated so that they are prepared to combat new modes and variants of attacks. To maintain customer privacy, any data shared with the DTI cloud is anonymized and optional. This powerful combination secures major threat vectors and closes the gap left by traditional defenses. The growing sophistication of today s attacks demands enhancing security with this fundamentally new security model. FireEye, Inc. Advantage FireEye: Debunking the Myth of Sandbox Security 4

5 The FireEye platform, illustrated in Figure 1, is a new model of security against known and unknown attacks. It uses the groundbreaking MVX engine coupled with the FireEye DTI cloud, FireEye DTI Enterprise, with an ecosystem of partners to enrich the security framework of any organization. The FireEye MVX engine automates discovery and forensic analysis of malicious code with dynamically generated threat intelligence. This intelligence protects against inbound exploits, blocks outbound data exfiltration, and provides detailed forensics on malware and its impact on end systems. The FireEye MVX technology is also highly adaptable, protecting against a variety of threat vectors to stop web-, -, and file-based attacks. The FireEye MVX infrastructure also generates and shares structured threat intelligence in a machine-accessible format for real-time, automated threat responses by FireEye and third-party security solutions. Using the FireEye MVX engine, organizations can identify a threat using one vector (such as ) and automatically block subsequent stages of the attack in another vector (such as exfiltration over the Web). And unlike traditional defenses, FireEye correlates these individual incidents for greater situational awareness. The FireEye platform enables security professionals to discover zero-day, stealthy, and persistent malware. With FireEye, organizations have the power to block infiltration attempts in real-time and neutralize cyber attacks before they cause catastrophic damage. Figure 1: FireEye Platform FireEye, Inc. Advantage FireEye: Debunking the Myth of Sandbox Security 5

6 Summary Competitive sandbox solutions fall short on various fronts for today s new generation of cyber attacks because of the following: Commercial sandbox evasion Lack of exploit detection Lack of multi-flow and multi-vector analysis, and Non-existent or legacy information sharing infrastructure Cloud-based sandboxes add further constraints that render them impractical to protect against the new generation of cyber attacks because of the following: Privacy, regulations, and compliance constraints in sending files off-premises Increased load on WAN infrastructure Added latency in responsiveness The FireEye platform serves as a new model for threat protection with the following: Groundbreaking Multi-Vector Virtual Execution (MVX) technology that monitors an attack throughout its life cycle A purpose-built hypervisor to detect and block threats Multi-vector, multi-flow model to guard against stealthy, zero-day, and persistent threats Dynamic Threat Intelligence (DTI) cloud to enable cross-enterprise security Intra-enterprise intelligence sharing among FireEye nodes and ecosystem of alliance partners to enable multi-layered security About FireEye, Inc. FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors, including Web, , and files and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,000 customers across more than 40 countries, including over 100 of the Fortune FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.DMSS.EN-US FireEye, Inc. Advantage FireEye: Debunking the Myth of Sandbox Security 6 FireEye, Inc McCarthy Blvd. Milpitas, CA FIREEYE ( ) info@fireeye.com