O'Reilly Modern Defense in Depth


exploits of system and application vulnerabilities that often find their way past the border firewalls. However, unknown exploits that can infect users' computers often pass right through intrusion prevention systems quite easily. When potentially suspect traffic makes it past next-generation firewalls and advanced intrusion prevention systems, it next reaches a sandbox technology deployed downstream, usually at the periphery of the internal network. Because most sandbox technologies are deployed out-of-band, they capture copies of network traffic destined for a user's computer, ingest the traffic, and try to make sense of what it entails.

How Sandboxes Work

When an internal user mistakenly clicks on a link or downloads executable code from the internet, the sandbox captures a copy of the downloaded code and executes it in the same fashion as the user's computer would. The idea is to run the code inside a sandbox container in order to observe its intent without allowing it to spread an infection elsewhere. Because the code has already reached the user's computer, this after-the-fact execution serves to alert security personnel that an infection might already have taken place; it does not prevent one.

The next line of defense most organizations deploy is endpoint malware detection and protection software (antimalware) on the users' computers themselves. Given that there are millions of discrete variants of malware on the internet today, these software-based solutions are limited in their ability to defend against every known malware strain, because of limits on processing capacity and on malware-signature storage.
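The signature limitation described above, shown in code. This is an added example, not code from the O'Reilly report: it builds a tiny signature database in Python and compares exact SHA-256 matching with a chunk-based fuzzy signature on constructed byte strings. Everything in it is hypothetical: the FAKEBIN sample format, the family name fakebin.a, the example.invalid URL, and the chunking scheme, which is a simplified stand-in for the rolling-hash piecewise hashing used by tools such as ssdeep.

```python
# Added example, not code from the O'Reilly report: exact-hash signatures
# versus chunk-based "fuzzy" signatures on constructed, harmless samples.
import hashlib
import random
from collections import Counter

def _rand_bytes(seed, n):
    """Deterministic pseudo-random filler standing in for a binary's code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed "known bad" sample (hypothetical FAKEBIN format): header, config, body.
KNOWN_SAMPLE = (b"FAKEBIN\x01"
                + b"config=http://example.invalid/update\x00mutex=sample-7f3a\x00"
                + _rand_bytes(7, 300))

# Variant 1: one byte patched inside the body; length unchanged.
VARIANT_BYTE = bytes(b ^ 0xFF if i == 200 else b for i, b in enumerate(KNOWN_SAMPLE))

# Variant 2: a changed config path inserts three bytes and shifts everything after it.
VARIANT_INSERT = KNOWN_SAMPLE.replace(b"/update", b"/v2/update", 1)

# Unrelated file in the same fake format.
BENIGN_SAMPLE = b"FAKEBIN\x01" + b"config=none\x00" + _rand_bytes(99, 300)

def exact_hash(data):
    """The classic signature: one SHA-256 per known sample."""
    return hashlib.sha256(data).hexdigest()

def fixed_chunks(data, size=16):
    """Split at fixed offsets; any insertion shifts every later chunk."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def _is_boundary(window, mask=0x07):
    # Cut point decided by content alone (the 4 bytes before the position), so an
    # insertion upstream does not move the cuts that follow it.  blake2b is used
    # only as a cheap, deterministic mixing function for the window.
    return hashlib.blake2b(window, digest_size=1).digest()[0] & mask == 0

def cdc_chunks(data, min_size=8, max_size=48, window=4):
    """Content-defined chunking: a simplified stand-in for ssdeep-style rolling hashes."""
    chunks, start, n = [], 0, len(data)
    while start < n:
        end = min(start + max_size, n)
        for i in range(start + min_size, end):
            if _is_boundary(data[i - window:i]):
                end = i
                break
        chunks.append(data[start:end])
        start = end
    return chunks

def chunk_digests(data, chunker=cdc_chunks):
    """Fuzzy signature: a truncated hash per chunk."""
    return [hashlib.sha256(c).hexdigest()[:16] for c in chunker(data)]

def similarity(digests_a, digests_b):
    """Share of chunk digests in common (multiset); 1.0 for identical input."""
    shared = sum((Counter(digests_a) & Counter(digests_b)).values())
    return shared / max(len(digests_a), len(digests_b))

class SignatureDB:
    """Exact lookup first, then fuzzy matching against every stored family."""
    def __init__(self, threshold=0.6):
        self.threshold = threshold
        self.exact = {}   # sha256 -> family name
        self.fuzzy = {}   # family name -> chunk digests

    def add(self, name, sample):
        self.exact[exact_hash(sample)] = name
        self.fuzzy[name] = chunk_digests(sample)

    def match(self, sample):
        """Return (family, score, method); family is None below the threshold."""
        h = exact_hash(sample)
        if h in self.exact:
            return self.exact[h], 1.0, "exact"
        digests = chunk_digests(sample)
        best_name, best = None, 0.0
        for name, known in self.fuzzy.items():   # linear scan: cost grows with DB size
            score = similarity(known, digests)
            if score > best:
                best_name, best = name, score
        if best >= self.threshold:
            return best_name, best, "fuzzy"
        return None, best, None

if __name__ == "__main__":
    db = SignatureDB()
    db.add("fakebin.a", KNOWN_SAMPLE)
    known_fixed = chunk_digests(KNOWN_SAMPLE, fixed_chunks)
    for label, s in [("original", KNOWN_SAMPLE), ("byte patched", VARIANT_BYTE),
                     ("path changed", VARIANT_INSERT), ("benign", BENIGN_SAMPLE)]:
        fixed = similarity(known_fixed, chunk_digests(s, fixed_chunks))
        cdc = similarity(db.fuzzy["fakebin.a"], chunk_digests(s))
        print(f"{label:13s} fixed={fixed:.2f} cdc={cdc:.2f} verdict={db.match(s)}")
```

Running it shows the two limits the text refers to. An exact hash misses both variants, so a hash-only database needs one entry per variant, which is the storage problem. Fuzzy matching recovers both variants, but it compares the sample against every stored family, which is the processing problem; real engines index the digests instead of scanning linearly. Fixed-offset chunking also collapses on the three-byte insertion, which is why content-defined cut points are used. The example does not discard constant or low-entropy chunks (zero padding, for instance); in real files those would inflate scores between unrelated samples, and a production digest must filter them.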
Around these core technologies, organizations often deploy peripheral solutions to address data loss prevention, network access control, identity and access management, automated patching, and a long list of other independent technologies designed to detect and/or block internal and external malicious activity. Most would agree that there is an abundance of technologies and solutions making up the various lines of defense deployed in most enterprises, just to protect internal users from attackers on the inter‐

4 | Chapter 1: What's Not Working, and Why?
