Nov 9, 2021

Is Sandboxing Dead?


Sandboxing was the wonder child of security a decade ago. Today it is widely used by security researchers, embedded in modern security products such as endpoint detection and response (EDR) and next-generation antivirus (NGAV), built into software development workflows, and used by many end users to run unknown or untrusted software in a safe environment. The sandboxing market is expected to grow from $2.9 billion in 2016 to $9 billion in 2022.
However, sandboxing never really delivered on its promise: to turn the unknown into the known. Too often a sandbox misses threats, and in doing so gives organizations a false sense of security. In this article I'll discuss the story of security sandboxing, how sandboxes evolved into what they are today, what's wrong with the sandboxing concept, and why we shouldn't rely on sandboxing today as a viable security solution on its own.
How Does Sandbox Security Work?
Sandboxes keep an application from reaching the rest of the system's resources and the user's data. That isolation is what makes it safe to execute, or "detonate", a suspicious file: a sandboxing test runs the code in an isolated environment, records what it does (files written, registry keys changed, processes spawned, network connections opened), and derives a verdict from that observed behavior rather than from a static signature. This is what lets a sandbox claim proactive detection of malware that has never been seen before.
Sandbox vendors present this as another layer of security that can detect unknown or evasive threats. A sandbox can catch threats that other tools missed, and its report of what the sample did helps admins quickly find and remove those threats from production environments.
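To make the "observe the behavior, then decide" step concrete, here is a toy behavioral verdict engine run over two constructed detonation traces. This is an added illustration, not code from the article or from any sandbox product: the event format, the rule names, the weights and the threshold are all assumptions chosen for the example, and the traces are made up rather than captured from real samples.

```python
"""Minimal behavioral verdict engine over a detonation trace (added example).

Models the post-detonation step of a sandbox: the sample has already run in
isolation and produced a trace of API-level events; rules over that trace
decide the verdict. Rule names, weights and the threshold are assumptions.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    api: str      # e.g. "CreateFile", "RegSetValue", "CreateProcess", "connect"
    target: str   # file path, registry key, host:port, ...


# Each rule is a predicate over the whole trace, so it can correlate events.
def _startup_persistence(trace):
    run_key = re.compile(r"CurrentVersion\\Run\b", re.I)
    return any(e.api == "RegSetValue" and run_key.search(e.target) for e in trace)


def _drops_and_runs_executable(trace):
    dropped = {e.target.lower() for e in trace
               if e.api == "CreateFile" and e.target.lower().endswith(".exe")}
    return any(e.api == "CreateProcess" and e.target.lower() in dropped for e in trace)


def _outbound_to_raw_ip(trace):
    raw_ip = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")
    return any(e.api == "connect" and raw_ip.match(e.target) for e in trace)


def _remote_thread_injection(trace):
    return any(e.api == "CreateRemoteThread" for e in trace)


# (name, weight, predicate). Weights are illustrative, not tuned values.
RULES = [
    ("persistence_run_key", 40, _startup_persistence),
    ("drop_and_execute", 35, _drops_and_runs_executable),
    ("c2_raw_ip", 25, _outbound_to_raw_ip),
    ("process_injection", 50, _remote_thread_injection),
]
MALICIOUS_THRESHOLD = 60


def score_trace(trace):
    """Return (score, [matched rule names]) for one detonation trace."""
    matched = [name for name, _, pred in RULES if pred(trace)]
    score = sum(weight for name, weight, _ in RULES if name in matched)
    return score, matched


def verdict(trace):
    score, _ = score_trace(trace)
    return "malicious" if score >= MALICIOUS_THRESHOLD else "benign"


# Constructed traces (not captured from real software).
DROPPER_TRACE = [
    Event("CreateFile", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    Event("CreateProcess", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    Event("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("connect", "203.0.113.7:443"),
]
INSTALLER_TRACE = [
    Event("CreateFile", r"C:\Program Files\Tool\tool.exe"),
    Event("CreateProcess", r"C:\Program Files\Tool\tool.exe"),
    Event("connect", "updates.example.com:443"),
]

if __name__ == "__main__":
    for name, trace in (("dropper", DROPPER_TRACE), ("installer", INSTALLER_TRACE)):
        print(name, verdict(trace), score_trace(trace))
```

The installer trace matches one rule (it drops and runs an executable, as installers do) but stays under the threshold; the dropper trace also persists via a Run key and talks to a raw IP address, so it crosses it. Note that the engine can only score what the sample actually did during the run: a sample that does nothing observable inside the sandbox scores zero, which is the weakness the rest of the article is about.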
There are several sandboxing methods; common types of sandboxing solutions include:

  • Browser sandboxes like those built into Google Chrome, Firefox, and Safari.
  • Browser EDR, which gives security teams visibility into attacks on endpoint browsers and lets them isolate threats using a sandbox.
  • General purpose virtual machines (VMs) like VirtualBox can also be used to isolate suspected malicious software.

5 Reasons Sandboxing Is (Almost) Dead
At the onset of the sandboxing era, about a decade ago, sandboxes were treated as a near-magical solution for many security problems. However, like any popular security control, they have come under the focus of attackers, and they are now as susceptible to evasion and exploitation as the software they were intended to protect.
Here are five reasons sandboxes are no longer secure, and cannot be used as an effective security control in enterprise environments:
Can These Issues Be Addressed by More Advanced Sandboxes?
The sad answer is no. In the ongoing arms race between attackers and sandbox developers, one side keeps developing more sophisticated ways to evade or escape the sandbox, while the other improves its ability to detect and contain such attacks. However, sandbox developers are at a strong disadvantage.
A malware sample needs to run only once, and can in principle spend any amount of effort on checks that detect, evade or break the sandbox. Sandboxes, by contrast, must be highly efficient: they analyze a large volume of samples, each under a fixed time budget. Every new evasion technique forces the sandbox to add instrumentation that counters it, so as sandboxes become more sophisticated they also become heavier and more resource-intensive, making them less practical for ongoing production use.
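The asymmetry described above can be seen in a small simulation. The following is an added illustration, not code from the article: a toy sample that fingerprints its environment and stalls before doing anything observable is detonated under several simulated sandbox profiles and on a simulated victim host. Nothing actually sleeps; all clocks, the per-sample analysis budget, the fingerprinting thresholds and the profile values are assumptions chosen for the example.

```python
"""Simulated detonation of a stalling sample (added example, not article code).

Shows why a per-sample time budget and cheap environment checks work in the
attacker's favour: the sample only does something observable on a machine that
looks like a real victim. Clocks are simulated; thresholds are illustrative.
"""
from dataclasses import dataclass, field


class AnalysisTimeout(Exception):
    """Raised when the sandbox kills the sample at its analysis budget."""


@dataclass
class Environment:
    cpu_count: int
    uptime_s: float
    analysis_budget_s: float
    fast_forward_sleep: bool = False   # sandbox returns from sleep immediately
    patch_tick_count: bool = False     # ...and also advances the second clock
    monotonic_s: float = 0.0           # simulated primary clock the sample reads
    tick_count_s: float = 0.0          # simulated secondary clock (a tick counter)
    elapsed_wall_s: float = 0.0        # real analysis time the sandbox has spent
    events: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        """What the sample's sleep call does under this profile."""
        self.monotonic_s += seconds        # a patched sleep still advances the clock it lies with
        if self.fast_forward_sleep:
            if self.patch_tick_count:
                self.tick_count_s += seconds
            self.elapsed_wall_s += 0.001   # nearly free for the sandbox
        else:
            self.tick_count_s += seconds
            self.elapsed_wall_s += seconds
        if self.elapsed_wall_s > self.analysis_budget_s:
            raise AnalysisTimeout


class StallingSample:
    """Toy sample: acts only on a machine that looks like a real victim."""
    STALL_S = 300.0

    def run(self, env: Environment) -> str:
        # 1. Cheap fingerprinting: analysis VMs tend to be small and freshly booted.
        if env.cpu_count < 2 or env.uptime_s < 10 * 60:
            return "dormant: environment looks like an analysis VM"
        # 2. Stall longer than a typical per-sample analysis budget.
        t0, k0 = env.monotonic_s, env.tick_count_s
        env.sleep(self.STALL_S)
        # 3. Cross-check two clocks: a sleep patch that forgets one of them leaks.
        if abs((env.monotonic_s - t0) - (env.tick_count_s - k0)) > 1.0:
            return "dormant: sleep was accelerated"
        # 4. Only now do the observable things a behavioral engine would flag.
        env.events.append(("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"))
        env.events.append(("connect", "203.0.113.7:443"))
        return "payload ran"


def detonate(env: Environment) -> tuple:
    """Run the sample under one profile; the verdict rests only on observed events."""
    try:
        outcome = StallingSample().run(env)
    except AnalysisTimeout:
        outcome = "killed at analysis budget"
    return outcome, ("malicious" if env.events else "benign")


# Constructed profiles; the victim host is the ground truth a sandbox should match.
PROFILES = {
    "small VM": dict(cpu_count=1, uptime_s=90, analysis_budget_s=120),
    "bigger VM": dict(cpu_count=4, uptime_s=86400, analysis_budget_s=120),
    "sleep patched": dict(cpu_count=4, uptime_s=86400, analysis_budget_s=120,
                          fast_forward_sleep=True),
    "every clock patched": dict(cpu_count=4, uptime_s=86400, analysis_budget_s=120,
                                fast_forward_sleep=True, patch_tick_count=True),
    "victim host": dict(cpu_count=8, uptime_s=7 * 86400, analysis_budget_s=float("inf")),
}


def run_all() -> dict:
    """Detonate the sample under every profile; returns name -> (outcome, verdict)."""
    return {name: detonate(Environment(**kw)) for name, kw in PROFILES.items()}


if __name__ == "__main__":
    for name, (outcome, verdict) in run_all().items():
        print(f"{name:>20}: {verdict:9} ({outcome})")
```

Only the profile that patches every clock consistently sees the payload, and that is exactly the cost the arms race imposes: each additional clock source, API result or hardware artifact a sample checks is one more thing the sandbox must emulate consistently for every sample it processes, while the sample pays for its checks once.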
The battle is not yet lost — but it soon will be, and organizations should start to evaluate other security measures to replace or complement the once-venerable security sandbox.
Copyright © 2021 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.


Article Categories:
Cloud Security
