The Value of Sandboxes


Posted on September 23, 2013 by 

There’s been a lot of talk about malware sandboxing as a form of protection against advanced persistent threats (APTs).

The idea behind malware sandboxing is that you can drop suspicious binaries into a virtualized environment, execute them, and observe what happens without posing any risk to your production systems.  After the malicious code wreaks its havoc, you’re left with a treasure trove of data to analyze in order to understand the attack and protect yourself from similar threats in the future.

Now, malware sandboxing isn’t a panacea–for instance, some classes of malware are smart enough to know that they’re in a sandbox and will stay dormant–but it’s a tremendous step forward for handling APTs.

The Authorization Sandbox

Much like executing known-harmful code on production systems is generally a VERY BAD IDEA, there are other things that you’d only want to do in a sandbox, namely: authorization changes, or permissions changes.

We’ve seen it time and time again—IT admins are trying to do the right thing by revoking what appear to be excessive privileges.  Perhaps the “Everyone” group is applied to an ACL, or a service account looks like it’s a member of one too many security groups.

But authorization is far more complex than it appears on the surface—the whole idea of effective permissions illustrates that point.  So what happens?  We make a change, it looks fine, and then we get the phone call: an entire department of senior level people can’t access files they need to do their jobs or, worse yet, you bring a revenue generating application to a screeching halt because it can no longer read its config file (that’s what we’d call a career-limiting move).

Sandboxes to the rescue!

One of the most amazing features of DatAdvantage is that it lets you model permissions changes in a sandbox and shows you the outcome before you execute the change in production.  DatAdvantage will not only show you every object that will be affected, it correlates the permissions changes with actual access activity, which lets you pinpoint users who would have been affected by that change had it already been made.

You can keep simulating until you’re confident that your permissions changes will not disturb anyone’s work. If you have the credentials to be able to make changes, DatAdvantage lets you commit all permissions and group changes right through the interface (over all platforms: Windows, NAS, Exchange, SharePoint, UNIX/Linux), either immediately or at a scheduled time to occur inside a change management window.
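As an added illustration (not DatAdvantage code, and not how the product is implemented), here is a small Python model of what an authorization sandbox has to do: compute effective access under the current ACL and under the proposed ACL, find the users whose access would flip, and intersect that set with the users seen in recent access activity. The groups, ACL entries and access log are constructed sample data; the model is a simplified NTFS-style one where an explicit deny beats any allow and nested groups are not modelled.

```python
# Constructed sample data: group memberships on a file share.
GROUPS = {
    "Everyone": {"alice", "bob", "carol", "svc_billing"},
    "Finance": {"alice", "bob"},
    "Admins": {"carol"},
}

# Current ACL on the share: list of (principal, "allow" | "deny") entries.
ACL = [("Everyone", "allow"), ("Finance", "allow"), ("Admins", "allow")]

# Constructed access log: accounts that actually read files recently.
ACCESS_LOG = ["alice", "svc_billing", "alice", "carol", "svc_billing"]


def members(principal):
    """Expand a group to its users; a bare user name expands to itself."""
    return GROUPS.get(principal, {principal})


def has_access(user, acl):
    """Effective access: any matching deny wins, otherwise any matching allow grants."""
    allowed = False
    for principal, access in acl:
        if user in members(principal):
            if access == "deny":
                return False
            allowed = True
    return allowed


def remove_principal(acl, principal):
    """Proposed change: drop every ACE for the given principal (e.g. 'Everyone')."""
    return [ace for ace in acl if ace[0] != principal]


def simulate_change(acl, new_acl, access_log):
    """Who would lose access, and which of them actually used the resource."""
    users = set(access_log).union(*GROUPS.values())
    lost = {u for u in users if has_access(u, acl) and not has_access(u, new_acl)}
    return {
        "would_lose": sorted(lost),
        "actually_affected": sorted(lost & set(access_log)),
    }


if __name__ == "__main__":
    # Removing "Everyone" looks harmless, but svc_billing only had access through it.
    print(simulate_change(ACL, remove_principal(ACL, "Everyone"), ACCESS_LOG))
```

Running it shows that removing "Everyone" would cut off `svc_billing`, a service account that has been reading the share, which is exactly the broken-application call the paragraph above describes.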

The authorization sandbox eliminates the risks of manually cleaning up excessive permissions and group memberships, since IT is able to simulate fixing problems without ever impacting legitimate use.  Most IT departments have faced the consequences of trying to fix access controls manually: lots of broken ACLs, broken applications, and annoyed users. It’s a lot of fun to show them a better way.
