Fortinet engineers are readying a new approach integrated within its next-generation firewall appliances that will use sandboxing technology to improve detection of custom malware and zero-day exploits associated with targeted attacks.
The company gave CRN a preview of what it calls a dual-level sandbox to isolate suspicious files and monitor their behavior before they can become a danger to the business. The firm said the process begins with code emulation at the first layer to identify malicious code prior to full execution in a virtual environment. If the file cannot be identified and needs further inspection, it is sent to Fortinet's level-2 sandbox where code is executed, logged and analyzed. A risk rating is assigned to the file, and if it is dangerous, it can be deleted or incident responders are warned and can take further measures.
Some Fortinet competitors, including Palo Alto Networks, FireEye, Lastline, Sourcefire and other vendors, have already rolled out the latest antimalware approach. The security firms are gaining widespread attention with file detonation technology, which executes suspicious files in a controlled virtual container to examine their behavior and determine whether they pose a threat to the environment. The approach is still emerging but gaining interest at large enterprises that are seeking new ways of identifying advanced persistent threats (APTs), which are designed to bypass most traditional security technologies and remain stealthy on systems for months and sometimes years, said Paula Musich, principal analyst at Washington, D.C.-based research firm Current Analysis.
Musich said that deploying such technology to detect APTs effectively can be expensive and time-consuming. Appliances are deployed for email, Web and at every ingress point in the network, along with central sandboxing appliances where suspicious files are isolated and examined, Musich said.
"It addresses a very specific type of threat, which is not very easily discovered by pattern matching; you are creating an overlay of advanced threat protection infrastructure on top of your existing threat protection infrastructure," Musich said. "You are looking at an expensive deployment, which limits its addressable market."
Businesses looking for alternative approaches can consider behavioral anomaly detection, big data security analytics and closely monitoring security information and event management (SIEM) systems to address the issue, Musich said. The technologies typically appeal to larger firms with mature IT security programs and security budgets, say security experts.
Fortinet said its approach is more efficient and cost-effective for its current customer base, since the first layer can capture and filter out financially motivated malware and other widespread, known threats. Zero-day exploits and other custom malware not captured in the first layer are sent for full analysis in the virtual sandbox, said Derek Manky, a senior security strategist at Fortinet's FortiGuard Labs.
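The two-layer triage described above (a cheap first layer that settles known files, a second layer that executes, logs and risk-rates the rest, then deletes or alerts) can be sketched as a small pipeline. This is an added illustration, not Fortinet's code: the hash lists, behavior weights, thresholds and the `EVENT <name> ...` log format are all constructed assumptions, and a hash lookup stands in for the real emulation layer.

```python
from dataclasses import dataclass
from typing import List, Optional

# Stage 1 stand-in for the emulation layer: constructed hash lists (hypothetical
# values, not real indicators) that let known files skip full execution.
KNOWN_BAD = {"deadbeef01"}
KNOWN_GOOD = {"cafef00d02"}

# Behaviors a level-2 run might log, with constructed weights for the risk rating.
BEHAVIOR_WEIGHTS = {
    "writes_autorun_registry_key": 40,
    "injects_into_remote_process": 35,
    "contacts_unlisted_host": 25,
    "drops_executable_in_temp": 15,
    "reads_system_files": 5,
}
DELETE_THRESHOLD = 70   # at or above: delete the file
ALERT_THRESHOLD = 30    # at or above: warn incident responders

@dataclass
class Verdict:
    stage: int    # which layer produced the verdict
    risk: int     # 0..100 risk rating
    action: str   # "allow", "alert" or "delete"

def stage1_emulation(file_hash: str) -> Optional[Verdict]:
    """Cheap first layer: decide on known files, defer unknown ones."""
    if file_hash in KNOWN_BAD:
        return Verdict(1, 100, "delete")
    if file_hash in KNOWN_GOOD:
        return Verdict(1, 0, "allow")
    return None

def stage2_risk_rating(behavior_log: List[str]) -> int:
    """Second layer: score distinct behaviors seen in 'EVENT <name> ...' lines."""
    observed = set()
    for line in behavior_log:
        parts = line.split()
        if len(parts) > 1 and parts[0] == "EVENT":
            observed.add(parts[1])
    return min(100, sum(BEHAVIOR_WEIGHTS.get(name, 0) for name in observed))

def action_for(risk: int) -> str:
    if risk >= DELETE_THRESHOLD:
        return "delete"
    return "alert" if risk >= ALERT_THRESHOLD else "allow"

def triage(file_hash: str, behavior_log: List[str]) -> Verdict:
    """Run layer 1; only unknown files are executed, logged and rated in layer 2."""
    early = stage1_emulation(file_hash)
    return early if early is not None else Verdict(
        2, stage2_risk_rating(behavior_log), action_for(stage2_risk_rating(behavior_log)))

# Constructed sandbox log for an unknown file (documentation IP, sample key).
SAMPLE_LOG = [
    "EVENT writes_autorun_registry_key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "EVENT contacts_unlisted_host 203.0.113.7:443",
    "EVENT reads_system_files C:\\Windows\\System32",
    "INFO run complete",
]
```

Calling `triage("0000000000", SAMPLE_LOG)` rates the unknown file at 70 and returns a delete verdict from stage 2, while a known-good hash never reaches execution.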