Kaspersky sandboxing technology can now also be used in customer networks. The new on-premise solution Kaspersky Research Sandbox is aimed at organizations with strict data sharing restrictions.
With the sandbox technology, users are now able to set up internal security operations centers (SOCs) or computer emergency response teams (CERTs). The solution supports corporate security experts in discovering and analyzing targeted attacks, while at the same time ensuring that all scanned files remain within their own organization.
In the past year, around half of the companies (45 percent) experienced a targeted attack, as Kaspersky found out in an international survey of IT decision-makers. These threats are often designed to work only in a specific context within the targeted victim's organization: for example, a file will not do anything malicious until a specific application is opened or until a user scrolls through a document. In addition, some files can detect that they are not in an end user's environment - for example, if there is no evidence that someone is working on the endpoint - and then do not execute their malicious code. However, because a SOC typically receives numerous security alerts, analysts cannot manually examine each suspicious file to determine which one is the most dangerous.
Sandbox simulates the system of the organization
To help companies analyze advanced threats more accurately and in a timely manner, Kaspersky sandboxing technologies can now be implemented in customer organizations. The Kaspersky Research Sandbox simulates the organization's system with random parameters such as user and computer name, IP address or the like, and imitates an actively used user environment so that malware cannot detect that it is running on a virtual machine.
Kaspersky Research Sandbox was developed out of the internal sandboxing system used by the company's anti-malware researchers. Now these technologies are also available to customers as an isolated on-site installation (on-premise). In this way, none of the analyzed files leave the company's perimeter; this makes the solution particularly suitable for companies and organizations with strict data-sharing restrictions.
Files are automatically sent for analysis
Kaspersky Research Sandbox has a special API (programming interface) for integration with other security solutions so that a suspicious file can be automatically sent for analysis. The results of the analysis can also be exported to the task management system of a SOC. This automation of repetitive tasks reduces the time it takes to investigate incidents.
Because the solution is installed on the customer's network, it offers more options for mirroring the organization's operating environment. Virtual machines from the Kaspersky Research Sandbox can now be connected to the internal network of an organization. This allows the organization to discover malware that only runs on a specific infrastructure and to gain a better understanding of the intentions behind it. In addition, security analysts can use special pre-installed software to set up their own version of Windows so that it fully simulates their corporate environment. This makes it easier for an organization to identify environment-specific threats, such as recently discovered malware that was used in attacks on industrial companies. Kaspersky Research Sandbox also supports Android OS for mobile malware detection.
Sandbox provides detailed reports on file execution
Kaspersky Research Sandbox provides detailed reports on file execution. The reports contain execution maps and an expanded list of the events performed by the analyzed object, including its network and system activities, with screenshots and a list of downloaded and modified files. When incident responders know exactly what each piece of malware is doing, they can take the necessary steps to protect the company from the threat. In addition, SOC and CERT analysts can create YARA rules and match analyzed files against them.
"Our Kaspersky Cloud Sandbox solution, which we launched in 2018, is perfect for companies that need to analyze complex threats without making additional investments in hardware infrastructure," said Veniamin Levtsov, VP, Corporate Business at Kaspersky. "However, organizations with internal SOCs and CERTs and strict data exchange restrictions need more control over the files they analyze. With Kaspersky Research Sandbox, they can now choose the deployment option that best suits their needs and adapt the sandbox images created on site to suit any corporate environment."
Integration in the Kaspersky Private Security Network (KPSN)
The Kaspersky Research Sandbox can be integrated into the Kaspersky Private Security Network (KPSN). This gives companies insights into the behavior of an analyzed object. In addition, the Kaspersky Threat Intelligence database - installed in the customer's data center - provides them with information about the reputation of downloaded files or of URLs with which the malware has communicated.
Kaspersky Research Sandbox is part of the Kaspersky product portfolio for security professionals. This includes Kaspersky Threat Attribution Engine, Kaspersky CyberTrace and Kaspersky Threat Data Feeds. This offering helps organizations validate and investigate advanced threats and facilitate incident response by providing relevant threat intelligence.
More on this at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/