Fortinet is getting into an area that will move it into more enterprise sales, where IT teams are more mature and the malware detection capabilities must be more robust, said Scott Fuhriman, vice president of sales and product development at St. Louis-based Tierpoint, a Fortinet partner. The appeal for alternative malware detection technologies is coming from financial services as well as pharmaceutical and healthcare organizations with strong incident response capabilities, Fuhriman said.
"I don't think we're at a point yet where just anybody is going to be adopting that kind of technology," Fuhriman said of malware sandboxing. "Fortinet historically has been somewhat cast as a small and medium-size business player, but especially since they have gone public, their exposure to the enterprise level has been much greater, and that's where there's an attraction to this kind of technology."
In addition to finance and healthcare, businesses in the technology, logistics and manufacturing sectors are also being heavily targeted by APT actors using custom malware and zero-day exploits, according to FireEye. Rob Rachwald, senior director of market research at FireEye, told CRN that its technology is credited with discovering seven of the nine zero-day exploits reported in 2013 and with detailing at least a dozen sandbox evasion techniques used by hackers.
"Security isn't solely driven by price; rather, buyers look at effectiveness," Rachwald said.
Fortinet's Manky said his company's approach will inspect all potential attack vectors with one appliance, analyzing files carried in network traffic over FTP, HTTP and SMTP/IMAP/POP3. Email, instant messenger and other Web-based attacks will be inspected by the dual-layer sandbox, he said.
It can be deployed in standalone mode in the customer's data center, an approach that Fortinet said is ideal for deployments that need to scale. It can also be integrated with inline protection at the enterprise core, or arranged in a distributed mode for enterprises with branch offices or retail locations.
Standalone mode is ideal for companies trying out the sandboxing approach for the first time because it requires the fewest infrastructure configuration changes, Manky said. Channel providers can also use this mode to demonstrate the new sandboxing approach, setting up the appliance to sniff network traffic and then generate a report on what it finds.
"At first you won't be changing a lot of existing infrastructure," Manky said. "Once the proof is in the pudding, you can shift it into the integrated mode for full, inline protection."
The greatest value will be in providing closed-loop protection, Manky said. It requires a configuration change, but once the appliance is integrated with the central gateway or placed inline in distributed environments, full protection is provided, he said.
"We know that employees are getting infected and they're initially the first target of most attacks, so you want to provide full protection," Manky said. "Many businesses will realize that everything doesn't necessarily go back to the core data center."
Fortinet said the sandboxing approach will be ideal for existing FortiGate customers, generally those running FortiGate 600C appliances or above and those with multiple boxes. The appliances will likely attract interest from larger organizations, starting at $500 million in revenue and typically with more than 2,000 employees.
PUBLISHED SEPT. 9, 2013