There’s no shortage of options when it comes to protecting corporate information from malware. A typical security stack includes everything from antivirus, firewalls, and data loss prevention (DLP), to network security and endpoint detection and response (EDR) tools. However, as we know all too well, while these tools provide some needed protection, they don’t stop determined cybercriminals from pushing malicious code onto endpoints via phishing, web downloads, email breaches, and more.
To protect against more sophisticated zero-day threats and advanced persistent threats, many enterprises add sandboxing to their cybersecurity arsenal. When something is put in a sandbox environment, it’s essentially in a virtual machine that’s isolated from the rest of the endpoint. For instance, companies that use application sandboxing execute specified apps in a virtual machine, which lives within an operating system on the physical device. Any malware that infiltrates the virtualized application is contained and can’t access the device’s system resources or data.
The same concept goes for web browsers. In this case, the end-user accesses a specified browser, such as Google Chrome, via an application running on a virtual machine in the cloud. This blocks malicious web content from the endpoint device.
There is a downside to sandboxing solutions like browser and application virtualization, however. Neither stops cybercriminals from exploiting other attack vectors, such as email attachments and downloads, other applications or browsers, USB devices, and the device’s operating system itself.
Operating System Sandboxing
Operating system sandboxing is the next step in the sandboxing evolution. It’s similar to the application and browser approaches in that all three assume cybercriminals will penetrate devices, so their focus is on containing malware. However, unlike browser and application solutions, OS sandboxing protects sensitive information against all attack vectors. This is what distinguishes it from every other tool in the endpoint security stack.
I won’t blame you if you’re a bit skeptical about its ability to safeguard sensitive resources. After all, how many times have we been told that a security tool provides the missing link in the endpoint security stack?
If we dip into how operating system virtualization works, however, you’ll get a better sense of why it’s so effective.
OS sandboxing technology runs below the endpoint device’s operating system, on bare-metal hardware. It splits each device into multiple local virtual machines, each with its own operating system. Everything end-users do happens in one of these operating systems, which run side by side with full separation. None of the virtual environments can access the corporate network directly. Instead, each connects through an invisible network virtualization layer that applies network segmentation on the endpoint itself.
Keeping Advanced Malware Away from Sensitive Resources
Keeping cyber threats at bay with OS sandboxing is as simple as this:
- Deliver two sandboxed OS environments to each end-user’s device: one that’s fully locked-down and dedicated to sensitive corporate information, and one that’s open to the internet and enables full web browsing, installing applications, using external devices, etc.
- If you’d like, run a third semi-locked-down VM for accessing standard corporate applications, e.g., office documents, corporate email, internal services.
- Create a security policy that ensures end-users always use the correct virtual OS. If they try to perform tasks in the wrong VM, they will be automatically redirected to the right one.
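To make the three steps above concrete, here is a small, added model of such a policy (example code written for this post, not Hysolate’s implementation). It assumes two zones, a locked VM and an open VM, a constructed allowlist of sensitive corporate hosts and subnets, and three kinds of user actions; the redirect decisions and the per-VM network segmentation check are the parts the text describes, everything else is illustrative.

```python
"""Toy model of the two-VM OS sandboxing policy: per-VM network segmentation
plus automatic redirection of a task to the VM it belongs in.
Added example; zone names, hosts and subnets are constructed, not real."""
from dataclasses import dataclass
import ipaddress

# Constructed corporate address space and sensitive hosts (hypothetical values).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("172.16.0.0/12")]
SENSITIVE_DOMAINS = {"erp.corp.example", "hr.corp.example"}


@dataclass(frozen=True)
class Zone:
    """Capabilities granted to one sandboxed OS (one VM)."""
    name: str
    internet: bool      # may reach non-corporate addresses
    corporate: bool     # may reach corporate subnets
    usb: bool           # may mount external devices
    install_apps: bool  # may install software


# The locked-down VM sees only corporate resources; the open VM sees only the internet.
LOCKED = Zone("locked", internet=False, corporate=True, usb=False, install_apps=False)
OPEN = Zone("open", internet=True, corporate=False, usb=True, install_apps=True)


def network_allowed(zone: Zone, dst_ip: str) -> bool:
    """Endpoint network segmentation: decide whether a VM may open a connection.
    Corporate destinations are reachable only from the locked VM, everything
    else only from the open VM, so a compromise of the open VM cannot reach
    internal services."""
    addr = ipaddress.ip_address(dst_ip)
    is_corporate = any(addr in net for net in CORP_NETS)
    return zone.corporate if is_corporate else zone.internet


def zone_for_host(host: str) -> Zone:
    """Map a browsing destination to the VM it must be opened in."""
    host = host.lower().rstrip(".")
    if host in SENSITIVE_DOMAINS or any(host.endswith("." + d) for d in SENSITIVE_DOMAINS):
        return LOCKED
    return OPEN


def route_action(current: Zone, action: str, target: str = "") -> tuple[str, str]:
    """Return (decision, zone_name) for an action attempted inside `current`.
    decision is "allow" (right VM), "redirect" (moved to the named VM) or "deny"."""
    if action == "open_url":
        wanted = zone_for_host(target)
        return ("allow" if wanted is current else "redirect", wanted.name)
    if action == "mount_usb":
        return ("allow" if current.usb else "redirect", OPEN.name)
    if action == "install_app":
        return ("allow" if current.install_apps else "redirect", OPEN.name)
    return ("deny", current.name)  # unknown action: fail closed


def evaluate_events(events):
    """Run a batch of (zone, action, target) events; handy for auditing a policy."""
    return [(z.name, a, t) + route_action(z, a, t) for z, a, t in events]


if __name__ == "__main__":
    # Constructed sample of user activity in both VMs.
    sample = [
        (OPEN, "open_url", "erp.corp.example"),     # sensitive site from open VM
        (LOCKED, "open_url", "news.example.net"),   # public site from locked VM
        (LOCKED, "mount_usb", ""),                  # USB in the locked VM
        (OPEN, "install_app", "editor"),            # allowed in the open VM
    ]
    for row in evaluate_events(sample):
        print(row)
    print("locked -> 10.1.2.3:", network_allowed(LOCKED, "10.1.2.3"))
    print("open   -> 10.1.2.3:", network_allowed(OPEN, "10.1.2.3"))
```

The two functions are deliberately independent: `network_allowed` is what the network virtualization layer enforces regardless of what the user does, while `route_action` is the user-facing policy that moves a task to the correct VM before it runs. A real deployment would also log every redirect, since a burst of them is a useful signal that users are confused about which environment they are in.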
Any cyber attack that infiltrates the VM that’s open to the internet will be stopped in its tracks. Cybercriminals can’t leave that sandboxed environment. They can’t reach the VM that contains your sensitive information. They can’t even see that other VMs exist on the end-user’s device.
Getting back to the endpoint security stack I mentioned at the start of this post: you don’t need those tools on your locked-down VM. If you’re running Windows 10, it has strong built-in security tools, and combining them with operating system sandboxing covers the bases. On the unlocked VM, if you already have licenses for EDR, DLP, and other tools, go ahead and use them there. They may help slow cyber attackers.
And if (or when) malware infects the open VM, there’s one more step you can take. The Hysolate Platform, which brought OS sandboxing to the endpoint, makes it easy to wipe even advanced malware away. You can configure the open VM to be non-persistent so that it’s automatically wiped clean at prescribed intervals. Malware can also be wiped remotely when required via the Hysolate management console.