Dump the Sandbox

Technology becomes obsolete quickly in a variety of industries as “newer” and “more innovative” options crop up on what feels like an almost daily basis. The same is true for the pace of technological innovation in the information security space.

Traditional antivirus vendors, spurred on by waning detection rates and unhappy customers, have been acquiring companies that offer potential solutions for satisfactorily preventing the latest threat of the day, threats that currently pose enormous risks to their already languishing and disgruntled customers.

Sandboxes grew in popularity as a stop gap because organisations needed to apply reasonable levels of certainty to security controls in the absence of confidence in endpoint AV to protect the organisation. But, at what cost?

Apart from being hideously expensive (because the vendors knew about “Chinese” attackers), sandboxes identified thousands of Indicators of Compromise (IoCs) that had every security analyst chasing every instance to determine whether the attack detonated only in the sandbox or also ran on the endpoint. And, if so, did it successfully communicate with its command-and-control infrastructure? If it did, they then had to determine what it actually did to the endpoint.

This Pyrrhic victory in malware defence has been the reality for many organisations for the past few years. The inefficiency of the sandbox has forced organisations to consume intel feeds and hope that an IoC somewhere might turn up in the environment at some point, only to find that the level of false-positive reduction in that feed was not satisfactory.

Here’s What the CISO Needs to Know About the Sandbox

If you are about to renew a really expensive purchase order for sandboxes… don’t sign the renewal agreement without first considering alternative approaches.

It’s time to get rid of high-maintenance security technology. It’s time to stop shouldering the burden of proving what might occur at the endpoint based on what was detected on the network.

Even a leading sandbox vendor admits: “the endpoint has always been the most reliable source of truth.” The endpoint is ground-zero for the organization, and as such it should be the most accurate and least costly source of security escalation.

Microsoft operates 12 security operations centres, and they found that IoC-led investigations have a negative value to security. Instead, they base their analysis of threats on observed behaviours in their environment; behaviour analysis is responsible for tracking nearly 100% of the active threats at Microsoft.

Total Cost of Risk Ownership

Information security controls are placed into an organisation to manage risk. The big questions to ask:

  • Does the capital and operational burden of sandboxes actually reduce the risk?
  • What is the delta in risk between running sandbox technology and not running it?
  • Further, what are the savings in expenditure and operational costs?

The quantitative answer is determined by how many threats are detected in the sandbox that would not have been detected by other security controls. For example, if you have a system that monitors the actual behaviour of the endpoint, then the risk delta value of the sandbox is zero. In addition, the cost savings are enormous, because the wild goose chases that consume analyst time disappear too. Instrumenting the endpoint with behavioural modelling instead of using sandboxes reduces the Total Cost of Ownership massively, as the expenditure drops while the residual risk remains the same.