“Payload Detonators”: Understanding Security Sandbox Risks

Endpoint modeling represents a less explosive alternative.

Last fall, we published an article on technology trends that favor endpoint modeling. One of those trends is data encryption, which is quickly evolving beyond a trend to become a core component of any business's security framework. But encryption also introduces new challenges for corporate security. Specifically, how do IT professionals maintain their current security posture in the presence of encryption? Or could the complications associated with encryption outweigh the potential rewards?

Take, for example, payload detonators: network security sandboxes designed to “detonate” attachments in network payloads in an attempt to detect malware. On the surface, payload detonators seem to be a valuable addition to the security professional's toolkit whenever there is an indication of malware, but what about encrypted traffic? Do detonators still work? Without additional effort and technology, the answer is “no.” Payload detonators rely on deep packet inspection, which cannot inspect encrypted traffic.

Here are some questions you should consider before investing in these devices:

Could payload detonators themselves present a security risk? We recently wrote a blog article showing that some payload detonators contain vulnerabilities that could make them targets themselves. If all traffic is funneled through a payload detonator, you suddenly have a target on which malicious actors can focus their attention.

Do you want to add another solution? Adding more technology to your infrastructure brings additional considerations: the cost to purchase, install, and support it, as well as the skill sets required to maintain and troubleshoot it. Of course, these considerations should factor into any decision to invest in new security technology.

Is payload detonation really the right thing to do? You've invested in core technology designed to encrypt data before it enters and leaves your network. Unfortunately, to use network security sandboxes, you must first decrypt the data, run it through the sandbox, and then re-encrypt it. There are a number of reasons why this “man-in-the-middle” approach to defeating encryption is a bad idea. We'll cover them in another blog post.

A less explosive alternative

Endpoint modeling represents a safer way to monitor all traffic, including encrypted network traffic. It requires neither agents on end hosts nor decryption of network traffic. Instead, it instruments the network, collecting metadata from switches that describes each device's communication with the Internet and with other local devices, and analyzes that metadata for suspicious events against a model of normal behavior for each individual device, built dynamically from that device's own network metadata.

Metadata is compressed, encrypted, and pulled back to our cloud-based modeling and reporting infrastructure. Dynamic Endpoint Modeling then tracks the role of each device on your network through passive observation of network metadata, and it does so as a cloud-delivered service.
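The per-device model of normal described above, as an added Python example that is not Observable's own code: constructed flow-metadata records (device, peer, port, bytes) train a baseline, and later flows are scored for new peers, new ports, or unusual volume without any payload being decrypted. The device names, addresses and the z-score threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed flow-metadata records: (device, destination host, destination
# port, bytes sent). Only metadata is used, never payload contents, so the
# same model applies to encrypted and unencrypted flows alike.
BASELINE_FLOWS = [
    ("printer-1", "10.0.0.5", 631, 1200), ("printer-1", "10.0.0.5", 631, 1300),
    ("printer-1", "10.0.0.5", 631, 1100), ("printer-1", "10.0.0.5", 631, 1250),
    ("printer-1", "10.0.0.5", 631, 1150),
    ("laptop-7", "203.0.113.20", 443, 50000), ("laptop-7", "203.0.113.21", 443, 40000),
    ("laptop-7", "10.0.0.5", 631, 2000), ("laptop-7", "203.0.113.20", 443, 60000),
]
# Constructed flows observed after the baseline window.
NEW_FLOWS = [
    ("printer-1", "10.0.0.5", 631, 1200),          # normal print job
    ("printer-1", "203.0.113.9", 443, 900000),     # printer talking to the Internet
    ("laptop-7", "198.51.100.7", 22, 3000),        # new peer and new port
    ("laptop-7", "203.0.113.20", 443, 120000),     # known peer, unusual volume
    ("camera-2", "10.0.0.5", 631, 100),            # device never modeled
]

def build_models(flows):
    """Build a per-device model of normal: peers and ports seen, bytes per flow."""
    models = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": []})
    for device, host, port, nbytes in flows:
        m = models[device]
        m["peers"].add(host)
        m["ports"].add(port)
        m["bytes"].append(nbytes)
    return models

def score_flow(models, flow, z_threshold=3.0):
    """Return the ways a flow deviates from its device's model (empty = normal)."""
    device, host, port, nbytes = flow
    m = models.get(device)
    if m is None:
        return ["unknown device"]
    reasons = []
    if host not in m["peers"]:
        reasons.append(f"new peer {host}")
    if port not in m["ports"]:
        reasons.append(f"new port {port}")
    mu, sd = mean(m["bytes"]), pstdev(m["bytes"])  # z-score if baseline varies
    if (sd > 0 and (nbytes - mu) / sd > z_threshold) or (sd == 0 and nbytes > 3 * mu):
        reasons.append("volume spike")
    return reasons

def detect(models, flows):
    """Pair each deviating flow with its reasons; normal flows are dropped."""
    return [(f, score_flow(models, f)) for f in flows if score_flow(models, f)]
```

A real deployment would also age the baseline and weight recent observations, which this illustration omits.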

You can learn more from Observable Networks founder Patrick Crowley and his recent column in InfoWorld magazine.

Experience Dynamic Endpoint Modeling on Your Own Network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.