Kaspersky has recently announced that its sandboxing technology is now available for use in customer networks. The on-premises Kaspersky Research Sandbox is designed for organizations with strict restrictions on data sharing to enable them to build their internal security operations centers (SOCs) or computer emergency response teams (CERTs). The solution allows these teams to detect and analyze targeted threats while also being sure that all the examined files are kept inside the organization.
Last year, about half (45%) of enterprises experienced a targeted attack according to a Kaspersky survey of IT decision makers. These threats are often designed to only work in a specific context within the victim’s organization.
- To help companies analyze advanced threats more accurately and efficiently, Kaspersky’s sandboxing technologies can now be implemented inside a customer’s organization. This also takes the organization’s system with random parameters, such as user and computer name, IP address, etc., and imitates an actively-used environment so that malware cannot distinguish that it is running on a virtual machine.
- Kaspersky Research Sandbox has evolved from the internal sandboxing complex used by the company’s own anti-malware researchers. Now these technologies are available for customers as an isolated on-premises installation. Therefore, all the analyzed files will not leave the company perimeter, making the solution suitable for organizations with tight data sharing restrictions.
- Sandbox has a special API for integration with other security solutions so that a suspicious file can be automatically sent for analysis. The results of analysis can also be exported to a SOC’s task management system. This automation of repetitive tasks cuts down the time required for incident investigation.
- As the solution is installed in the customers’ network, it provides more capabilities to mirror its operating environment. Now, virtual machines from the Kaspersky Research Sandbox can be connected to an organization’s internal network. As a result, it can reveal malware designed to run only in a certain infrastructure and get an understanding of its intentions. In addition, analysts can set up their Windows version with specific pre-installed software to completely emulate their enterprise environment.
- It simplifies an organization’s detection of environment-aware threats such as the recently discovered malware that was used in attacks against industrial companies. Kaspersky Research Sandbox also supports Android OS to detect mobile malware.
- It also provides detailed reports on file execution. The reports contain execution maps and an extended list of events performed by the analyzed object, including its network and systems activities with screenshots, as well as a list of downloaded and modified files. By knowing exactly what each malware does, incident responders can come up with the required measures to protect the organization from the threat. SOC and CERT analysts will also be able to create their YARA rules to check analyzed files against them.
- Kaspersky Research Sandbox can be integrated with Kaspersky Private Security Network. It allows organizations to not only gain insights on an object’s behavior, but also receive information on the reputation of downloaded files or URLs the malware communicated with from the Kaspersky threat intelligence database installed within a customer’s data center.
Veniamin Levtsov, vice president of corporate business at Kaspersky. Said “Kaspersky Research Sandbox organization can choose the deployment option that suits them the most as well as being able to customize on-premises sandboxing images to any enterprise environment.”
(Image Courtesy: www.cdn.guidingtech.com)