New Kaspersky Sandbox automates protection from advanced threats
January 2020 by Marc Jacob
Kaspersky has launched its new Kaspersky Sandbox, built to help organizations combat advanced threats designed to evade detection by endpoint protection platforms (EPP). The solution automatically analyses new suspicious files and sends the decision to the installed EPP. As a result, organizations strengthen their protection from previously unknown threats even if they lack teams of experienced threat analysts or have limited resources.
According to a Kaspersky survey of IT decision-makers, 47% of SMBs and 51% of enterprises say that it is becoming more difficult to differentiate between generic and advanced attacks. This means security analysts have to spend time evaluating numerous suspicious files instead of focusing on investigating, and responding to, the most critical threats. This could be even more challenging, as larger SMBs and small enterprises face an IT security talent shortage, so all the responsibilities of managing security fall on the shoulders of IT departments. Nonetheless, these companies face pretty much the same threats as fully established enterprises, including advanced attacks.
Unlike many threat intelligence services targeted at experienced security analysts, Kaspersky Sandbox doesn’t require manual operations to examine the impact of risky objects. When Kaspersky Endpoint Security for Business, or other endpoint protection solutions, detect a suspicious object that cannot be categorized as malicious without deeply analyzing its behavior, they automatically send it to run in Kaspersky Sandbox.
To detect the malicious intent of an object, Kaspersky Sandbox carries out behavioral analysis, collects and analyses all artefacts, and if the object performs malicious actions, such as encrypting or downloading a malicious payload using a zero-day exploit, the Sandbox recognizes it as malware and reports it to the endpoint protection solution for further actions. For Kaspersky Endpoint Security for Business possible automated actions may include: object quarantine, user notifications, scans of critical areas of the operating system or searching for the detected object on other machines within an organization to prevent the threat from spreading.
In addition, Kaspersky Sandbox stores the decision on whether or not the object is a threat in the operational cache located on the Kaspersky Sandbox server. Thanks to this, if the analysis of the file that has already been run in the Sandbox is requested by another endpoint within the managed network, the EPP gets the decision from this shared knowledge base without having to re-scan the file. This speeds up the response and reduces workload on servers of virtual machines.
Kaspersky Sandbox is designed to complement the level of protection offered by Kaspersky Endpoint Security for Business with an additional security layer enabling automated response to advanced threats. However, with the provided API, Kaspersky Sandbox can be integrated with other EPP solutions as well.