Using Sandboxes? Beware of False Positives
Sandboxing can be a valuable resource to any security team that puts the time and resources into it. If it is not set up properly, it will just return a bunch of false positives and waste your company’s resources. Below are some common steps that should be taken to ensure your sandbox is working properly for your company.
Identify all the applications in your business
Knowing your applications and where they could be vulnerable is a great way to lure in the malicious threats. By implementing outdated code, programs and software that coincide with your real apps, you are creating the easy attack vector hackers are looking for to infiltrate your systems. Really what you want to do here is set them up for failure. By not implementing security best practices on your sandbox applications, the attacker will feel like a kid in a candy store once they gain access to the sandbox.
Replicate your production environment
Now, attackers are not stupid; they know what to look for and where it should be. Making a sandbox can be time consuming, so leaving some details out may seem like a time saver now, but not if no one is hitting your sandbox in the long run. Replicate every last detail of your production environment in your sandbox to ensure quality.
Network isolation
Your sandbox should be buried deep, just like your production environment is. If you do not put the same perimeter controls around your sandbox that isolate the rest of your network, the attacker will notice and will not just walk right in (at least the smart ones). Stay away from the cloud if possible; try to get a virtual machine server that can act like the real thing to help replicate environments.
Eliminate the false positives immediately
Once you feel you have a good sandbox up and running, start monitoring the traffic with industry-leading tools. You will start seeing malicious content and can identify the false positives; filter them out immediately. You don’t want to keep bogging your resources down by continually sifting through these false positives; you only want the good stuff.
Use multiple sandbox environments to lure in the big fish
For enterprise-level companies that have remote sites with multiple entry points, utilizing more than one sandbox will greatly benefit your company. This way you will be able to monitor at the application level and catch the attacks that may be specific to one application. You will be able to view behavior this way as well; being able to compare what is normal to what is abnormal is the key win of this approach.
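To make the last two steps concrete, here is an added example (not code from the original post) that triages access logs from several sandboxes: it suppresses known false positives (your own health checks and the scheduled internal vulnerability scanner), checks each remaining request against a per-sandbox baseline of paths a legitimate client would ask for, and then gives a per-sandbox view of which sources produced the anomalies so you can compare what is normal to what is not. The log format, the sample log lines, the allowlisted subnets and the baseline paths are all constructed for this example; swap in your own tool’s export format and your own allowlists.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample sandbox access log (not real traffic). Fields:
# timestamp sandbox_id src_ip method path status
SAMPLE_LOG = """\
2024-01-08T10:00:01Z web-sbx-1 10.20.0.5 GET /health 200
2024-01-08T10:00:03Z web-sbx-1 203.0.113.7 GET /wp-login.php 404
2024-01-08T10:00:04Z web-sbx-1 203.0.113.7 POST /wp-login.php 404
2024-01-08T10:00:09Z web-sbx-1 10.20.0.5 GET /health 200
2024-01-08T10:00:15Z api-sbx-1 198.51.100.22 GET /api/v1/users 200
2024-01-08T10:00:16Z api-sbx-1 198.51.100.22 GET /api/v1/admin 403
2024-01-08T10:00:20Z api-sbx-1 10.20.0.9 GET /api/v1/status 200
2024-01-08T10:00:25Z web-sbx-1 192.0.2.44 GET /login 200
2024-01-08T10:00:30Z web-sbx-1 10.30.1.2 GET /wp-login.php 404
"""

# Assumed, constructed allowlist: the internal monitoring subnet and the
# scheduled vulnerability scanner that is known to hit every sandbox.
KNOWN_BENIGN_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),   # uptime / health checks
    ipaddress.ip_network("10.30.1.2/32"),   # internal vulnerability scanner
]

# Assumed per-sandbox baseline of paths a legitimate client would request.
BASELINE_PATHS = {
    "web-sbx-1": {"/", "/login", "/health"},
    "api-sbx-1": {"/api/v1/users", "/api/v1/status"},
}


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, sandbox, src, method, path, status = parts
    try:
        src_ip = ipaddress.ip_address(src)
        status = int(status)
    except ValueError:
        return None
    return {"ts": ts, "sandbox": sandbox, "src": src_ip,
            "method": method, "path": path, "status": status}


def is_known_benign(event, benign_sources=KNOWN_BENIGN_SOURCES):
    """True when the source is one of our own monitoring or scanning hosts."""
    return any(event["src"] in net for net in benign_sources)


def classify(event, baseline=BASELINE_PATHS):
    """Label an event: 'suppressed' (known false positive), 'baseline'
    (an external client doing something normal), or 'anomaly'."""
    if is_known_benign(event):
        return "suppressed"
    expected = baseline.get(event["sandbox"], set())
    if event["path"] in expected:
        return "baseline"
    return "anomaly"


def triage(log_text, baseline=BASELINE_PATHS):
    """Run the whole log through classification.
    Returns (anomalies, counts) where counts maps label -> number of events."""
    counts = Counter()
    anomalies = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            counts["malformed"] += 1
            continue
        label = classify(event, baseline)
        counts[label] += 1
        if label == "anomaly":
            anomalies.append(event)
    return anomalies, counts


def sources_by_sandbox(anomalies):
    """Per-sandbox view: which external sources produced anomalous requests,
    and how many. This is the normal-versus-abnormal comparison per sandbox."""
    view = defaultdict(Counter)
    for ev in anomalies:
        view[ev["sandbox"]][str(ev["src"])] += 1
    return {k: dict(v) for k, v in view.items()}


if __name__ == "__main__":
    found, totals = triage(SAMPLE_LOG)
    print("counts:", dict(totals))
    for ev in found:
        print(f"{ev['ts']} {ev['sandbox']} {ev['src']} {ev['method']} {ev['path']}")
    print("per-sandbox:", sources_by_sandbox(found))
```

Running it on the constructed log suppresses the four internal hits, leaves the two baseline requests alone, and reports three anomalies: two from one source probing the web sandbox and one from a source that first behaved normally against the API sandbox and then asked for a path no real client uses. That last case is why the per-sandbox view matters; the same source looks benign on one sandbox and suspicious on another.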
Overall, having good monitoring and up-to-date details around your sandbox will ensure that you get the best bang for your buck when looking to trap and filter out malicious attacks.