If you’ve ever had the chance to ride the London Underground, you’re familiar with the phrase, “Please mind the gap.” The public alert, which resounds at the approach of every train, is a cautious reminder to step carefully over the gap between the train and the platform when boarding.
The London Transit Authority’s diligence is a good reminder to us all that even the smallest of gaps can present a hazard. This is certainly true in cybersecurity. We spend so much time focusing on big-ticket items that we often lose sight of the small gaps in our defenses that can potentially cause the most harm.
All aboard the zero-day express
With the barrage of headline-topping breaches, we all know that sandboxing is necessary for stopping zero-day attacks. The sandbox, which delivers powerful behavioral analysis to suspicious inbound files and content, can help close gaps left by other less predictive signature-based protections. Organizations have wisely invested significantly in sandbox technology to protect their users from zero-days and the harmful effects of malicious files.
The market for sandbox appliances is enormous and growing. Meanwhile, the breaches continue, which raises the question: are appliances the best implementation for sandboxing technology? Are we providing the best protection from advanced threats? As with many technologies, the way you implement sandboxing is as important as why you implement it. As we look at today’s network and security stack of appliances, let’s explore why organizations should be “minding the gap” in their zero-day protection strategies.
Up ahead: a bad case of tunnel vision
While sandboxing can help deliver zero-day protection, traditional approaches to sandboxing all share a fatal security gap: you can’t sandbox what you can’t see. Although sandbox appliances seem to sit at the center of the universe—the data center—you still end up with massive gaps in visibility. Here’s why.
Although the data center used to be the nerve center through which all traffic flowed, much has changed in the last few years. Your users are increasingly mobile and they use the cloud to work wherever they want, whenever they want. Good for them, bad for your sandbox. Their traffic has left your network, and with it the precious visibility your sandbox needs to do its job. In addition, the applications in your data center have hopped on the express train to the cloud. This move has increased your agility and efficiency, but it has robbed your network once again of visibility.
If your visibility has been hampered by users and apps leaving your network, the rise of SSL has surely made things worse. According to Google, nearly 80 percent of pages loaded by Chrome in 2017 were over HTTPS, which creates a significant problem for most organizations. Inspecting SSL is difficult and performance-intensive, and most sandbox architectures just aren’t built for it. Although there are third-party SSL inspection options, most companies don’t have the budget or personnel to fully build out an SSL inspection overlay across the network. Given that a majority of malware now hides in SSL, the size of the gap in your protection strategy grows as your sandbox appliance runs blind.
Enter the correlation station
To hunt for emerging threats in your network, you need to look at threat correlation—combining the aggregated data from multiple security techniques. For this reason, many organizations either buy a SIEM and staff it with expensive security analysts or embrace a subscription service like Mandiant for investigation and response.
The problem is that although you have a sandbox that can contribute valuable information to the hunt for budding advanced threats, your appliance-based sandbox can tell only part of the story. As we have just seen, there’s a whole world happening off your network, and your mobile users, cloud apps, and encrypted traffic all have a story to tell. As a result of the sandbox’s limited visibility, the security analysts you’re paying for are missing a huge piece of the puzzle, slowing and often impeding the investigative process.
So where do we go from here?
Sandboxing is a valuable tool for increased visibility and it certainly has its place in today’s data center. How do organizations that have invested in the technology leverage their investments and close security gaps? The answer, once again, is in the cloud.
Zscaler Cloud Sandbox is the perfect solution to close the gaps in your existing sandbox architecture. Delivery from the cloud guarantees always-on, inline sandbox protection as your mobile users access their cloud apps off your network. Unlimited capacity to inspect SSL means Zscaler can help you peel back the inspection barriers on your encrypted traffic and bring more comprehensive threat data to your correlation activities and threat hunting.
To learn how Zscaler can help you mind the gap, jump over to our product page, or give this video a watch. You also might be interested in our TCO calculator that helps you quantify just how costly those gaps in your sandbox strategy might be.