spikes security isla isolation
Post on 22-Jan-2018
Drive-by Downloads, Malvertising, and Web Exploits
Web-based isolation is now possible
Paul Misner, Federal Business Development, Spikes Security, pmisner@spikes.com, 410-740-3490
Scott Martin, Chief Information Officer, Spikes Security, smartin@spikes.com, 408-755-5713
THE WEB BROWSER IS THE MOST STRATEGICALLY
IMPORTANT APPLICATION IN TODAY’S INTERNET-
POWERED ENTERPRISE.
Browsers and the web
• Most strategically important application
• Most insecure and vulnerable to cyber attacks
• Most expensive business application to secure
Public Information 3
The web malware problem
• 81% say web browsers are the primary attack vector
• 55% of malware attacks coming through the browser
• 86% patch/update browsers to keep them secure
• 74% say detection-based tools no longer effective
• 51 average number of successful attacks in 2014
• $3.1M average annual cost to clean up attacks
The problem grows…
We can’t keep up with the numerous security flaws
detected every day.
• Known Malware
• Flash
• Bad Websites
• Java Applets
• Server-side scripts
• Zero-Day attacks
Internal resources with approved access can
breach confidentiality – intentionally or not.
Detection is not sustainable
• Data Loss Prevention is only as effective as what it knows about.
• Almost 1,000,000 new malicious code signatures every day!
• Each click of the mouse opens a clear, undetectable path for data to exit our computers and networks.
• We simply can’t detect what we don’t know to look for.
Human Behavior and the Browser
• Human nature is to “Accept and Continue.”
• Can’t change the user’s experience.
• Access blocks don’t work.
• End users find ways to circumvent existing limited protections.
Browsing solutions must evolve
to maintain network integrity
with minimal effort.
Without Isolation
[Diagram layers: URL Filtering, Network AV, IDS/IPS, DLP]
• Browsers download and execute program code from trusted and untrusted sites
• Even defense-in-depth detection can’t stop unknown attacks
• Once in, they can send your intellectual property to the world through the tiniest holes
[Diagram port labels: 80, 443]
Software-Based Browser Isolation
• Browser is isolated from operating system with micro-hypervisor.
• Micro-hypervisor is mini virtual machine.
• If the browser is compromised, in theory, the hypervisor will block access to the OS and other programs.
Issues with software based isolation
• Software sandboxes can be penetrated
• Need to manage each system
• More powerful processors may be needed
• Additional endpoint memory and disk usage
• If something becomes resident, it’s on the internal network
• If something does get out, it’s on the user’s system
Hardware Isolation
[Diagram layers: URL Filtering, Network AV, IDS/IPS, Sandbox; port labels: 80, 443]
• Physically separate and isolate the browser from the endpoint.
• Place the browser in an isolated network (DMZ).
• Users enjoy complete web freedom and security while keeping your data secure
• A highly managed user experience provides oversight into web-based activities
[Diagram port labels: 1200-1299]
Isolate™ Architecture
1) Architectural Isolation
Separation and isolation of
Layer 1 physical components
between browser and users
2) Resource Isolation
Isla server and endpoint Memory,
CPU, Storage, and Peripherals
are isolated from each other –
and from malware
Isolate™ Architecture
3) Session Isolation
Each user session is
protected in its own VM,
hardware-isolated with Intel
VT extensions
4) Task Isolation
Within a single session, each
tab, or task, uses processes
isolated from each other
Isolate™ Architecture
5) Connection Isolation
AES 256-bit encrypted
communication between
appliance and each
individual user
6) Content Isolation
Proprietary command,
control and display
communication format
that malware cannot
compromise
Isolate™ Architecture
7) Malware Isolation
Any malware activity is
isolated and contained within
the appliance
VMs are completely destroyed
after each use and never have
access to internal networks
How it Works
Provide an isolation area to render content in a secure network
Malicious websites become harmless by rendering the content in the isolated area. You can now provide clean web content to your users with true hardware and network separation.
Basic Deployment
• Isla sits in a DMZ/isolated network
• Encrypted client to Control Center and appliance communications
• Isolated VM for each user
• On command updates
• Centralized reports and configurations
[Diagram labels: The Internet; Interactive, Secure, Encrypted Viewer Streams; Spikes Security Systems and Control Center]
Control Center Communications
• SSL Web-enabled Interface
• Maintains user and group information
• Retains log and usage information
• Holds your primary copy of your appliance configurations (Can only be pulled down by your appliances and is only activated by administrators)
• Can be isolated on-premises for additional security.
[Diagram labels: The Internet; Interactive, Secure, Encrypted Viewer Streams; Spikes Security Systems and Control Center]
Issues with Hardware Based Isolation
• Compatibility issues between browsing environment and the actual user environment
– Proprietary Browser
• Web Applications try to use local OS resources
– Silverlight/SharePoint
• Use of webcam, microphone, printing, and downloads breaks the principle of isolation
– Bypass Mode
• Additional Hardware Required
Isolation Synopsis
• The race to save the end point isn’t working.
• Hardware based isolation removes 100% the possibility of malware or spyware entering a network.
• With hardware based isolation, the need to capture browser based attacks on the endpoint is negated.
Conclusion
Hardware Based Isolation
1. Eliminates the web browser as a primary attack vector
2. Reduces unnecessary IT costs for forensics, remediation
3. Simplifies endpoint security complexity and admin
4. Restores secure web freedom for all employees
MOST COMMON DEPLOYMENT
• Isla sits in a DMZ/isolated network
• Only authorized users can connect
• Encrypted client to server communications
• Centralizes the source of all web requests
IN-LINE TOOLS DEPLOYMENT
• Used with existing Content Filtering or other Information Security tools
• Isla sits in the network before egress through the existing InfoSec tools
• Encrypted client to appliance communications
• Outbound web requests route through the existing InfoSec tools at the perimeter
[Diagram label: Other In-line Security tools]
MULTIPLE SITES
• Isla sits in a DMZ/isolated network
• Only authorized users can connect
• Encrypted client to server communications
• Centralizes the source of all web requests