Spikes Security Isla Isolation
0 likes1,301 views
This document discusses the risks of web browsers and how hardware-based browser isolation can help address them. It notes that browsers are the most common attack vector but also the most important application. Current detection-based tools are ineffective against unknown attacks. The document proposes hardware-based browser isolation using a separate physical network to isolate the browser from endpoints. This would eliminate browsers as an attack vector and reduce costs while restoring secure web access. It describes the Isla isolation architecture and deployment scenarios like using Isla in a DMZ or in-line with other security tools.
Spikes Security Isla Isolation
- 1. Drive-by Downloads, Malvertising, and Web Exploits Web-based isolation is now possible Paul Misner Federal Business Development Spikes Security pmisner@spikes.com 410-740-3490 Scott Martin Chief Information Officer Spikes Security smartin@spikes.com 408-755-5713
- 2. THE WEB BROWSER IS THE MOST STRATEGICALLY IMPORTANT APPLICATION IN TODAY’S INTERNET- POWERED ENTERPRISE.
- 3. Browsers and the web • Most strategically important application • Most insecure and vulnerable to cyber attacks • Most expensive business application to secure Public Information 3
- 4. The web malware problem • 81% say web browsers are the primary attack vector • 55% of malware attacks coming through the browser • 86% patch/update browsers to keep them secure • 74% say detection-based tools no longer effective • 51 average number of successful attacks in 2014 • $3.1M average annual cost to clean up attacks Public Information 4
- 5. The problem grows… We can’t keep up with the numerous security flaws detected every day. Known Malware Java Applets Flash Server-side scripts Bad Websites Zero-Day attacks Internal resources with approved access can breach confidentiality – intentionally or not. Public Information 5
- 6. IT Security Prevention Public Information 6
- 7. How many of your users… Click Here??? Public Information 7
- 8. How many of your users… can spot a Fake?? Public Information 8
- 9. • Data Loss Prevention is only as effective as what it knows about. • Almost 1,000,000 new malicious code signatures every day! • Each click of the mouse opens a clear, undetectable path for data to exit our computers and networks. • We simply can’t detect what we don’t know to look for. Detection is not sustainable Public Information 9
- 10. • Human Nature is to “Accept and Continue.” • Can’t change the user’s experience. • Access blocks don’t work. • End users to find ways to circumvent existing limited protections. Human Behavior and the Browser Public Information 10
- 11. Browsing solutions must evolve to maintain network integrity with minimal effort. Public Information 11
- 12. Without Isolation URL Filtering Network AV IDS/IPS DLP • Browsers download and execute program code from trusted and untrusted sites • Even defense-in-depth detection can’t stop unknown attacks • Once in, they can send your intellectual property to the world through the tiniest holes Public Information 80 443 12
- 13. 13 Software-Based Browser Isolation • Browser is isolated from operating system with micro- hypervisor. • Micro-hypervisor is mini virtual machine. • If the browser is compromised, in theory, the hypervisor will block access to the OS and other programs. Public Information
- 14. • Software sandboxes can be penetrated • Need to manage each system • More powerful processors may be needed • Additional endpoint memory and disk usage • If something becomes resident, it’s on the internal network • If something does get out, it’s on the user’s system Issues with software based isolation Public Information 14
- 15. A New Approach. Hardware-Based Browser Isolation Public Information 15
- 16. Hardware Isolation URL Filtering Network AV IDS/IPS Sandbox 80 443 • Physically separate and isolate the browser from the endpoint. • Place the browser in an isolated network (DMZ). • Users enjoy complete web freedom and security while keeping your data secure • A highly managed user experience provides oversight into web-based activities 1200- 1299 1200- 1299 Public Information 16
- 17. Isolate™ Architecture 1) Architectural Isolation Separation and isolation of Layer 1 physical components between browser and users 2) Resource Isolation Isla server and endpoint Memory, CPU, Storage, and Peripherals are isolated from each other – and from malware Public Information 1200- 1299 1200- 1299 17
- 18. Isolate™ Architecture 3) Session Isolation Each user session is protected in its own VM, hardware-isolated with Intel VT extensions 4) Task Isolation Within a single session, each tab, or task, use processes isolated from each other 1200- 1299 1200- 1299 Public Information 18
- 19. Isolate™ Architecture 5) Connection Isolation AES 256-bit encrypted communication between appliance and each individual user 6) Content Isolation Proprietary command, control and display communication format that malware cannot compromise 1200- 1299 1200- 1299 Public Information 19
- 20. Isolate™ Architecture 7) Malware Isolation Any malware activity is isolated and contained within the appliance VMs are completely destroyed after each use and never have access to internal networks 1200- 1299 1200- 1299 Public Information 20
- 21. How it Works Provide an isolation area to render content in a secure network Malicious websites become harmless by rendering the content in the isolated area. You can now provide clean web content to your users with true hardware and network separation. 21
- 22. THE INTERNET • Isla sits in a DMZ/ isolated network Basic Deployment • Encrypted client to Control Center and appliance communications • Isolated VM for each user Interactive, Secure, Encrypted Viewer Streams • On command updates • Centralized reports and configurations SPIKES SECURITY SYSTEMS AND CONTROL CENTER Public Information 22
- 23. Interactive, Secure, Encrypted Viewer Streams THE INTERNET Control Center Communications • SSL Web-enabled Interface • Maintains user and group information • Retains log and usage information • Holds your primary copy of your appliance configurations (Can only be pulled down by your appliances and is only activated by administrators) • Can be isolated on-premises for additional security. SPIKES SECURITY SYSTEMS AND CONTROL CENTER Public Information 23
- 24. Issues with Hardware Based Isolation • Compatibility issues between browsing environment and the actual user environment – Proprietary Browser • Web Applications try to use local OS resources – Silverlight/SharePoint • Use of webcam, microphone, printing, and downloads breaks the principle of isolation – Bypass Mode • Additional Hardware Required Public Information 24
- 25. • The race to save the end point isn’t working. • Hardware based isolation removes 100% the possibility of malware or spyware entering a network. • With hardware based isolation, the need to capture browser based attacks on the endpoint is negated. Isolation Synopsis Public Information 25
- 26. Conclusion Hardware Based Isolation 1. Eliminates the web browser as a primary attack vector 2. Reduces unnecessary IT costs for forensics, remediation 3. Simplifies endpoint security complexity and admin 4. Restores secure web freedom for all employees Public Information 26
- 27. ISLA Deploying in the real world
- 28. Multiple Use Cases Public Information 29
- 31. MOST COMMON DEPLOYMENT • Isla sits in a DMZ/isolated network • Only authorized users can connect • Encrypted client to server communications • Centralizes the source of all web requests Public Information 34
- 32. IN-LINE TOOLS DEPLOYMENT • Used with existing Content Filtering or other Information Security tools • Isla sits the network before egress through the existing InfoSec tools • Encrypted client to appliance communications • Outbound web requests route through the existing InfoSec tools at the perimeter Other In-line Security tools Public Information 35
- 33. MULTIPLE SITES • Isla sits in a DMZ/isolated network • Only authorized users can connect • Encrypted client to server communications • Centralizes the source of all web requests Public Information 36