If You Want a Sandbox, Why Not Hit the Beach?



Dear Ron,

I try to be a good C-level executive but am really getting fed up by my cyber security staff. Every time I ask them if we’re going to get hacked like everyone else, they ask me to buy a sandbox for them. I mean, seriously… a sandbox? I’m trying to keep my company safe and they want to build sand castles. What the hey?

Yours truly,


Dear Mr. or Ms. CxO,

Before I reply to your question, let me give you a some hacking history.

In the dawn of the personal computer revolution, 15-year-old Rich Skrenta pranked Apple II owners with a self-replicating program called “Elk Cloner.” This program spread itself on floppy disks. If an Apple II booted from an infected floppy disk, Elk Cloner became resident in the computer’s memory and wrote itself to any other floppy disk inserted into the machine.

The cure to Elk Cloner was to read any floppy disk inserted into the machine, look for the program, and delete it. Because there was one version of the program and programmers knew what to look for, it was obvious what to erase from the disk. In other words, the program had a “signature” that was easy to detect so that it could be isolated or erased.

As hobbyists and then criminals started writing more software like this for fun and profit, Norton, McAfee, and dozens of other companies sprung up with software written to detect malicious software (now dubbed malware) by their signatures. Each time a new piece of malware was detected, the anti-malware companies would update their signature list to detect it. But then more sophisticated criminals and governments got into the malware business. Not only did the volume of malware increase, but chameleon-like malware that didn’t have a fixed, detectable signature started to appear.

By the time a company realized that malware was running on its systems, confidential data could be long gone. As I wrote on a Forbes blog, many companies only learned that they were hacked after law enforcement told them that their confidential information was being sold on the black market.

With that out of the way, now I can answer your question. According to Wikipedia, a cyber sandbox is used to isolate and watch untrusted code to see what it is really up to. There are several types of sandboxes, from traditional Type 1 and Type 2 virtualization to a hardware emulation sandbox. To keep this short, I’m not going to go into the differences between virtualization and emulation or why one may be better than the other. I’ll just answer your question in a couple sentences:

Today’s volume and sophistication of malware leave signature-based detection in the dust. The only way to keep up is to understand the expected behavior of approved applications, then look for unexpected actions which may indicate the existence of malware on your systems. And since the only way to see what an application is really doing is to run it in a sandbox, that is why your engineers want you to buy one for them.

Post a Comment