
Difference between Signature based protection (IPS, Antivirus, Anti-bot) Versus Sandboxing

Hi all,

I am trying to build a business case for a CheckPoint Sandboxing solution (i.e. ThreatCloud or TX appliances).

The question I have is: what extra value does Sandboxing bring?

As in, my security gateways already have IPS, Anti-Virus and Anti-Spam, and these protections are all based on signatures that are automatically released by CheckPoint and downloaded to my CheckPoint Security Gateways. With these, I thought they could scan any incoming/outgoing files, such as email attachments or files sent to and from my sFTP server, etc.

Being the devil's advocate, why would I need to spend more to get Sandboxing? I know Sandboxing does provide protection against zero-day attacks (aka anything that is "unknown"). But if CheckPoint researches and releases a new signature and automatically pushes it to my Security Gateways, what's the point of getting Sandboxing?

Cheers,

Hunt

Admin

Re: Difference between Signature based protection (IPS, Antivirus, Anti-bot) Versus Sandboxing

You're running the risk of potentially getting compromised by a zero-day before there is a signature available to prevent the relevant threat, assuming it is even possible to write a signature.
Whereas with SandBlast, the threat can be prevented in your environment before there is a signature for it.
Further, you have the benefit of Threat Extraction where your users can be provided safe versions of documents they download or receive in email while the real document is sandboxed to ensure it is safe.

A couple of competing vendors have sandboxing solutions similar to what we have.
However, their sandboxing solution cannot block threats in real time the way ours can.
One vendor is able to generate signatures automatically based on what their sandbox says and update signatures on all their gateways every five minutes.
Meanwhile, five minutes is plenty of time for patient zero to begin infecting other systems in your environment.
Another vendor doesn't even block based on their sandboxing technology, which makes you wonder what the point of having it is.
