Posted by Mumbai: Kaspersky sandboxing technology is now available to enterprise customers to can use it in theirs networks. The on-premise Kaspersky Research Sandbox product is designed for organisations with strict restrictions on data sharing, to enable them to build their internal security operations centers (SOCs) or computer emergency response teams (CERTs).
The sandboxing technology solution helps them to detect and analyse targeted threats while also being sure that all the examined files are kept inside the organisation.
Last year, about half (45%) of enterprises experienced a targeted attack, a Kaspersky survey of IT decision-makers (ITMDs) revealed. These threats are often designed to only work in a specific context within the victim’s organisation.
For example, a file may perform nothing malicious until an exact application is opened, or unless a user scrolls through the document. In addition, some files can identify that they are not in the end-user environment – for instance, if there is no sign that anybody is working on the endpoint – and won’t run the malicious code.
However, as a SOC usually receives numerous security alerts, analysts cannot manually investigate all of them to identify which one is the most dangerous.
To help companies analyse advanced threats more accurately and timely, Kaspersky sandboxing technology can now be implemented inside a customer’s organisation.
The Kaspersky Research Sandbox emulates the organisation’s system with random parameters (such as user and computer name, IP address, etc.) and imitates an actively-used environment so that malware cannot distinguish that it is running on a virtual machine.
Kaspersky Research Sandbox product has evolved from the internal sandboxing technology use for the company’s anti-malware researchers. Now these technologies are available for customers as a Headline isolated on-premises installation.
Therefore, all the analysed files will not leave the company perimeter, making the solution suitable for organisations with tight data sharing restrictions.
Kaspersky Research Sandbox has a special API for integration with other security solutions, so that a suspicious file can be automatically sent for analysis. The results of analysis can also be exported to a SOC’s task management system. This automation of repetitive tasks cuts down the time required for incident investigation.
As the solution is installed in the customers’ network, it provides more capabilities to mirror its operating environment. Now, virtual machines from the Kaspersky Research Sandbox can be connected to an organisation’s internal network.
As a result, it can reveal malware designed to run only in a certain infrastructure and get an understanding of its intentions. In addition, analysts can set up their Windows version with specific pre-installed software to completely emulate their enterprise environment.
It simplifies an organisation’s detection of environment-aware threats such as the recently discovered malware that was used in attacks against industrial companies. Kaspersky Research Sandbox also supports Android OS to detect mobile malware.
Kaspersky Research Sandbox provides detailed reports on file execution. The reports contain execution maps and an extended list of events performed by the analyzed object, including its network and systems activities with screenshots, as well as a list of downloaded and modified files.
By knowing exactly what each malware does, incident responders can come up with the required measures to protect the organisation from the threat. SOC and CERT analysts will also be able to create their YARA rules to check analyzed files against them.
“Our Kaspersky Cloud Sandbox, launched in 2018, works perfectly for organisations who need to analyze complex threats without additional investment in hardware infrastructure,” said Veniamin Levtsov, VP -Corporate Business, Kaspersky.
However, organisations with internal SOCs and CERTs and strict restrictions on data sharing require more control over files they analyze, according to Levtsov.
“Now, with Kaspersky Research Sandbox they can choose the deployment option that suits them the most as well as being able to customise on-premises sandboxing images to any enterprise environment,” added Levtsov.
Kaspersky Research Sandbox can be integrated with Kaspersky Private Security Network. It allows organisations to gain insights on an object’s behavior and also receive reputation information of downloaded files or URLs the malware communicated with from the Kaspersky threat intelligence database installed within a customer’s datacentre.
Kaspersky Research Sandbox is a part of the Kaspersky product portfolio for security researchers. It includes the Kaspersky Threat Attribution Engine, Kaspersky CyberTrace and Kaspersky Threat Data Feeds.
This offering helps organisations to validate and investigate advanced threats and facilitates incident response by providing relevant threat information.
(Image source – Kaspersky)