The Sandbox Wars, They Have Begun

Since writing “What’s in the Sandbox?” I’ve been waiting for the sandbox shootout: “Zscaler vs FireEye – Insights from the experts at Miercom Labs.” Now its here: According to Miercom Zscaler is 64% better at catching zero-day threats, 40% better at catching malicious documents and 50x faster at overall threat protection than FireEye. In the age of APTs, anti-malware sandboxes – which emulate or execute documents, programs or scripts in a virtual environment – are becoming valuable commodities. 

As a Gartner anti-malware analyst from 2010 through 2013, I often recommended clients consider FireEye, whose sandbox slew many a malware. Now its good to see  Zscaler giving the first mover a run for its money, and doing so with an innovative architecture.

Everyone can read the report at the link below, so I won’t go into the test results today but instead focus on the architecture. Let’s compare: Whereas Zscaler is a cloud-based security solution, FireEye is a network appliance. In general, and all else being equal, a cloud-based sandbox has the following advantages over an appliance-based one:

• Lower cost: No capital costs for appliances distributed throughout the enterprise network, just a pay-as-you-go sandbox in the cloud. Zscaler is priced lower than FireEye.
• Easier to deploy: No shipping, handling or cabling. Network traffic to be analyzed passes through Zscaler on the way to the network, or gets diverted through an encrypted tunnel from your firewall.
• More scalable: Virtual sandboxes are created dynamically with the load, no need to buy more or larger appliances.

But the cloud-based sandbox format also has disadvantages:

• Internal protection challenges: Tunneling content out from a restricted zone to a cloud-based sandbox is more problematic than just dropping an appliance into a heavily-isolated subnetwork (e.g. hosting PCI or HIPAA-protected content).
• Privacy (or confidentiality) concerns: Traffic and executables have to leave your private network and/or be decrypted and exposed in the cloud for analysis.
• Less local context: An appliance-based sandbox within the network may be tightly-integrated with internal SIEM and endpoint security solutions. FireEye enhances malware detection by integrating with application whitelisting vendor Bit9’s local change detection on endpoints, for example. 

Back in October, I drove deep into San Jose – past Fortran Dr. and Disk Dr. (seriously) – for a meeting at Zscaler headquarters. I was a bit mystified at the receptionist’s cyberpunk chic, but when Zscaler CMO Dan Drucker wandered into the conference room in soccer coach regalia it dawned on me: Happy Halloween Day. No tricks, just treats as Dan insisted Zscaler has designed its architecture to prevent clients’ private executables and data from leaking out of the gateways and sandboxes to hackers, or even to Zscaler’s own administrators. I didn’t get any details, but Dan said Zscaler had audits or security reviews that had proved convincing even to tough, privacy-conscious European customers.

I’d really like to get FireEye’s response to the Miercom test. Is it even possible to get a fair test of a cloud versus a box? I’d also like to get Zscaler’s opinion on how it, or other cloud access security brokers (CASBs) can tie deeper into clients’ local security context. Thoughts, anyone?

Links: Webcast recording and Analysis of Zscaler Internet Security vs  FireEye Web MPS report  (registration required).