Fortinet engineers are readying a new approach integrated within its next-generation firewall appliances that will use sandboxing technology to improve detection of custom malware and zero-day exploits associated with targeted attacks.
The company gave CRN a preview of what it calls a dual-level sandbox to isolate suspicious files and monitor their behavior before they can become a danger to the business. The firm said the process begins with code emulation at the first layer to identify malicious code prior to full execution in a virtual environment. If the file cannot be identified and needs further inspection, it is sent to Fortinet's level-2 sandbox, where the code is executed, logged and analyzed. A risk rating is assigned to the file; if it is dangerous, it can be deleted, or incident responders are warned and can take further measures.
Some Fortinet competitors, including Palo Alto Networks, FireEye, Lastline, Sourcefire and other vendors, have already rolled out the latest antimalware approach. The security firms are gaining widespread attention with file detonation technology, executing suspicious files in a controlled virtual container to examine their behavior and determine whether they pose a threat to the environment. The approach is still emerging but gaining interest at large enterprises that are seeking new ways of identifying advanced persistent threats (APTs) designed to bypass most traditional security technologies and remain stealthy on systems for months and sometimes years, said Paula Musich, principal analyst at Washington, D.C.-based research firm Current Analysis.
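The two-stage flow described above, modeled as an added illustration (not Fortinet's code): stage 1 stands in for the fast emulation pass with a lookup of already-known verdicts, and stage 2 scores a constructed behavior log from full execution into a risk rating and a disposition (delete, alert responders, or allow). The hash values, behavior names, weights and thresholds are all hypothetical.

```python
"""Two-stage triage model of a dual-level sandbox (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stage-1 verdict table keyed by file hash (placeholder values).
KNOWN_VERDICTS = {
    "sha256-known-malicious-placeholder": "malicious",  # commodity malware, already known
    "sha256-known-clean-placeholder": "clean",          # previously vetted file
}

# Behaviors a dynamic run might log, with constructed weights (hypothetical).
BEHAVIOR_WEIGHTS = {
    "persistence_registry_run_key": 40,
    "writes_startup_folder": 30,
    "network_connect_raw_ip": 25,
    "disables_security_tool": 50,
    "reads_user_documents": 10,
}

@dataclass
class Verdict:
    stage: int                 # which layer produced the verdict (1 or 2)
    rating: int                # risk rating, 0..100
    action: str                # "delete", "alert" or "allow"
    reasons: List[str] = field(default_factory=list)

def stage1_emulation(sha256: str) -> Optional[str]:
    """Cheap pre-filter: answer only when the file is already known, else None."""
    return KNOWN_VERDICTS.get(sha256)

def stage2_dynamic(events: List[str]) -> Verdict:
    """Score logged behaviors (unknown event names are ignored), cap at 100,
    and map the rating onto a disposition with constructed thresholds."""
    seen = sorted(set(events) & BEHAVIOR_WEIGHTS.keys())
    rating = min(100, sum(BEHAVIOR_WEIGHTS[e] for e in seen))
    action = "delete" if rating >= 70 else "alert" if rating >= 30 else "allow"
    return Verdict(2, rating, action, seen)

def triage(sha256: str, events: List[str]) -> Verdict:
    """Run stage 1; only files it cannot classify reach the full sandbox."""
    known = stage1_emulation(sha256)
    if known == "malicious":
        return Verdict(1, 100, "delete", ["known_malicious"])
    if known == "clean":
        return Verdict(1, 0, "allow", ["known_clean"])
    return stage2_dynamic(events)

if __name__ == "__main__":
    # Constructed sample: unknown file whose run logged two suspicious behaviors.
    print(triage("sha256-unknown", ["persistence_registry_run_key", "network_connect_raw_ip"]))
```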
Musich said that deploying the technology properly to detect APTs effectively can be expensive and time-consuming. Appliances are deployed for email, Web and every other ingress point in the network, along with central sandboxing appliances where suspicious files are isolated and examined, Musich said.
"It addresses a very specific type of threat, which is not very easily discovered by pattern matching; you are creating an overlay of advanced threat protection infrastructure on top of your existing threat protection infrastructure," Musich said. "You are looking at an expensive deployment, which limits its addressable market."
Businesses looking for alternative approaches can consider behavioral anomaly detection, big data security analytics and closely monitoring security information and event management (SIEM) systems to address the issue, Musich said. The technologies typically appeal to larger firms with mature IT security programs and security budgets, say security experts.
Fortinet said its approach is more efficient and cost effective for its current customer base, since it can capture and filter out financially motivated malware and other widespread, known threats. Zero-day exploits and other custom malware not captured in the first layer are sent for full analysis in the virtual sandbox, said Derek Manky, a senior security strategist at Fortinet's FortiGuard Labs.
Fortinet is getting into an area that will move it into more enterprise sales, where IT teams are more mature and the malware detection capabilities must be more robust, said Scott Fuhriman, vice president of sales and product development at St. Louis-based Tierpoint, a Fortinet partner. The appeal for alternative malware detection technologies is coming from financial services as well as pharmaceutical and healthcare organizations with strong incident response capabilities, Fuhriman said.
"I don't think we're at a point yet where just anybody is going to be adopting that kind of technology," Fuhriman said of malware sandboxing. "Fortinet historically has been somewhat cast as a small and medium-size business player, but especially since they have gone public, their exposure to the enterprise level has been much greater, and that's where there's an attraction to this kind of technology."
In addition to finance and healthcare, businesses in the technology, logistics and manufacturing sectors are also being highly targeted by APT actors using custom malware and zero-day exploits, according to FireEye. Rob Rachwald, senior director of market research at FireEye, told CRN that its technology is credited with discovering seven out of the nine zero-day exploits reported in 2013 and responsible for detailing at least a dozen sandbox evasion techniques used by hackers.
"Security isn't solely driven by price; rather, buyers look at effectiveness," Rachwald said.
Fortinet's Manky said his company's approach will inspect all potential attack vectors with one appliance, analyzing files carried in network traffic over FTP, HTTP and SMTP/IMAP/POP3. Email, instant messenger and other Web-based attacks will receive inspection with the dual-layer sandbox, he said.
It can be deployed in standalone mode in the company's data center, an approach that Fortinet said is ideal for scalable requirements. It can be set up integrated with inline protection at the enterprise core or arranged in a distributed mode for enterprises with branch offices or retail locations.
Standalone mode is ideal for companies trying out the sandboxing approach for the first time because it requires the least amount of infrastructure configuration changes, Manky said. Channel providers can also use this mode to demonstrate the new sandboxing approach, setting up the appliance to sniff network traffic and then generate a report on what is found.
"At first you won't be changing a lot of existing infrastructure," Manky said. "Once the proof is in the pudding, you can shift it into the integrated mode for full, inline protection."
The greatest value will be in providing closed-loop protection, Manky said. It requires a configuration change, but once the appliance is integrated with the central gateway or placed inline in distributed environments, full protection is provided, he said.
"We know that employees are getting infected and they're initially the first target of most attacks, so you want to provide full protection," Manky said. "Many businesses will realize that everything doesn't necessarily go back to the core data center."
Fortinet said the sandboxing approach will be ideal for existing FortiGate customers, generally FortiGate 600C appliances or above and those with multiple boxes. The appliances will likely attract interest from larger organizations starting at $500 million in revenue, typically with more than 2,000 employees.
PUBLISHED SEPT. 9, 2013