Sep 05 2017

Review: Stop Advanced Threats with the FortiSandbox 1000D Security Appliance

We found the ideal defense against cybercriminals who have learned how to get around basic network protections.

State and local governments now fall victim to many of the same advanced cyberattacks that target large enterprises and the federal government. The smaller size of agency networks is no longer a deterrent to advanced threats, whether attackers are trying to steal citizens’ personal information, hack into government financial data or unleash a ransomware scam.

The FortiSandbox 1000D security appliance may provide a solution. It offers advanced protection and sandboxing in a hardware platform suitable for entry-level deployments that IT departments can later expand and integrate into a whole line of Fortinet security appliances. The device can sandbox up to 160 files per hour; advanced models, more than 1,200.

Everything that the 1000D eventually sandboxes first goes through a gauntlet of other protections built into the appliance. Files are subjected to a virus scan, which can weed out many low-level attacks. There is no need to sandbox a file already flagged as a virus.

If a file passes that test, the device checks it against the latest threat information collected by the company’s FortiGuard Labs, which includes anything found by other customers’ FortiSandboxes. Then the 1000D subjects the file to code emulation to see what it would do if it were allowed to execute.

An Appliance that Can Identify All Threats

The appliance completes all of that before the actual sandboxing begins, which is why the 1000D model can serve a moderately sized network despite a sandboxing cap of 160 files per hour. Very little makes it to the final, most resource-intensive step. At that point, the FortiSandbox deploys the file inside a virtual environment and analyzes its behavior.

I ran 25 malicious files from a malware zoo through the FortiSandbox, including a few with advanced polymorphic characteristics and some protected by encryption. Only two made it all the way to the sandbox process; the appliance pinpointed all the others as threats.

Once the 1000D identified a threat, it protected the test network and provided details to help with future threat mitigation, such as captured packets, the original file, a tracer log and screenshots.

State and local governments today require the same advanced protection as much larger enterprise networks. The FortiSandbox 1000D offers a great first step to achieve much better security.

Continuing a Strong Tradition of Fortinet Security

While the FortiSandbox 1000D adds excellent layered protection to a network as a single appliance, the device also works in conjunction with a line of appliances from Fortinet, including firewalls and mail appliances.

In my original test, the 1000D alone stopped the identified threats, but the network could still fall victim to similar attacks in the future. If the system had had other appliances, the FortiSandbox would have automatically locked down the threats and required little manual labor or programming.

With a whole family of products working together, an IT team can easily build a database of the unique threats, actors and techniques that target a state or local government. Once the FortiSandbox identifies malicious code, an analyzer program within the appliance automatically develops a mitigation and future protection plan based on the other tools that exist in the network. It sends signatures and characteristics to all registered devices and clients so that they all maintain future visibility and protection from the same or similar threats.

For example, if threats arrive by email, such as phishing scams, the appliance sends their signatures and characteristics to an attached FortiMail appliance. A FortiWeb appliance blocks the associated websites, and a FortiGate firewall bans related files from entering the network.

Even without that integration, the FortiSandbox might still catch new, similar threats on its own. With it, though, they are blocked earlier in the chain and farther from your critical assets. That cuts down on potential sandboxing time and frees up resources for truly unknown files and code.

That process works the other way too. Each of those devices reports back to the sandbox when it encounters a threat, further building your unique protection database and tuning your defenses against the attackers who target your organization.
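The two ideas above, a staged pipeline in which cheap checks run before the expensive sandbox, and sandbox verdicts fed back so the next copy of the same file is stopped at the first stage, are shown in the following added example. It is illustrative code written for this review, not Fortinet's software or any FortiSandbox API; the hash list, signature patterns, emulation heuristics, sandbox behaviour markers and sample files are all constructed, and the hourly sandbox cap is modelled as a simple counter.

```python
"""Staged malware triage modelled on the flow described above: known-bad hash
lookup, signature scan and code-emulation heuristics run first, and only the
survivors reach the expensive sandbox stage. Sandbox verdicts are fed back into
the hash list, standing in for the signature sharing between appliances.
Everything below is constructed for illustration; nothing is a Fortinet format."""
import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed: SHA-256 digests of files already known to be bad.
KNOWN_BAD_HASHES = {hashlib.sha256(b"DROPPER-V1").hexdigest()}

# Constructed signature database: byte pattern -> detection name.
AV_SIGNATURES = {
    b"CONSTRUCTED-SIG-A": "Test.Signature.A",
    b"DROPPER-V2": "Dropper.Generic",
}

# Constructed emulation heuristics: API names whose combined presence is suspicious.
EMULATION_RULES = {
    "Injection.Heuristic": (b"VirtualAllocEx", b"WriteProcessMemory"),
    "Persistence.Heuristic": (b"RegSetValueEx", b"CurrentVersion\\Run"),
}

# Constructed sandbox observations: behaviour markers the detonation would reveal.
SANDBOX_BEHAVIOURS = {
    b"ENCRYPT_USER_FILES": "Ransomware.Behaviour",
    b"BEACON_C2": "Backdoor.Behaviour",
}


@dataclass(frozen=True)
class Verdict:
    filename: str
    stage: str          # stage that produced the verdict
    malicious: bool
    detail: str


class TriagePipeline:
    """Hypothetical pipeline; the cap mirrors the 160-file-per-hour figure quoted above."""

    def __init__(self, sandbox_cap_per_hour: int = 160):
        self.known_bad = set(KNOWN_BAD_HASHES)
        self.sandbox_cap = sandbox_cap_per_hour
        self.sandboxed = 0
        self.stage_counts = Counter()

    def triage(self, filename: str, data: bytes) -> Verdict:
        digest = hashlib.sha256(data).hexdigest()
        # Stage 1: cheapest check, known-bad hash lookup.
        if digest in self.known_bad:
            return self._verdict(filename, "hash", True, "known-bad hash")
        # Stage 2: signature scan.
        for pattern, name in AV_SIGNATURES.items():
            if pattern in data:
                self._learn(digest)
                return self._verdict(filename, "signature", True, name)
        # Stage 3: code-emulation heuristics (all APIs of a rule must appear).
        for name, apis in EMULATION_RULES.items():
            if all(api in data for api in apis):
                self._learn(digest)
                return self._verdict(filename, "emulation", True, name)
        # Stage 4: sandbox detonation, subject to the hourly cap.
        if self.sandboxed >= self.sandbox_cap:
            return self._verdict(filename, "deferred", False, "sandbox cap reached")
        self.sandboxed += 1
        for marker, name in SANDBOX_BEHAVIOURS.items():
            if marker in data:
                self._learn(digest)
                return self._verdict(filename, "sandbox", True, name)
        return self._verdict(filename, "sandbox", False, "no malicious behaviour")

    def _learn(self, digest: str) -> None:
        """Feed the verdict back so this node (and, in a real deployment, peer
        mail, web and firewall devices) blocks the file at stage 1 next time."""
        self.known_bad.add(digest)

    def _verdict(self, filename: str, stage: str, malicious: bool, detail: str) -> Verdict:
        self.stage_counts[stage] += 1
        return Verdict(filename, stage, malicious, detail)


def run_demo() -> tuple:
    """Run constructed samples through the pipeline; returns (verdicts, per-stage counts)."""
    samples = [
        ("known.bin", b"DROPPER-V1"),
        ("sig.bin", b"header CONSTRUCTED-SIG-A payload"),
        ("inject.bin", b"... VirtualAllocEx ... WriteProcessMemory ..."),
        ("ransom.bin", b"MZ ... ENCRYPT_USER_FILES ..."),
        ("ransom-copy.bin", b"MZ ... ENCRYPT_USER_FILES ..."),  # byte-identical to ransom.bin
        ("benign.txt", b"quarterly budget spreadsheet"),
    ]
    pipeline = TriagePipeline()
    verdicts = [pipeline.triage(name, data) for name, data in samples]
    return verdicts, pipeline.stage_counts


if __name__ == "__main__":
    for v in run_demo()[0]:
        print(f"{v.filename:16} {v.stage:10} {'MALICIOUS' if v.malicious else 'clean':9} {v.detail}")
```

Of the six constructed samples only two ever reach the sandbox stage: the second copy of the ransomware sample is stopped by the hash lookup because the first detonation's verdict was learned, which is the same effect the review describes when signatures are pushed out to the other appliances.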

FortiSandbox 1000D Security Appliance

Maximum Sandboxing: 160 files per hour

Maximum Anti-Virus Scanning: 6,000 files per hour

Supported VMs: 8

Rack Mount Size: 2U

Dimensions: 17.2x14.5x3.5 inches

Weight: 27.6 pounds
