spikes security isla isolation

Drive-by Downloads, Malvertising, and Web Exploits

Web-based isolation is now possible

Paul Misner, Federal Business Development, Spikes Security, [email protected], 410-740-3490

Scott Martin, Chief Information Officer, Spikes Security, [email protected], 408-755-5713


Post on 22-Jan-2018



THE WEB BROWSER IS THE MOST STRATEGICALLY IMPORTANT APPLICATION IN TODAY’S INTERNET-POWERED ENTERPRISE.

Browsers and the web

• Most strategically important application

• Most insecure and vulnerable to cyber attacks

• Most expensive business application to secure

Public Information 3

The web malware problem

• 81% say web browsers are the primary attack vector

• 55% of malware attacks coming through the browser

• 86% patch/update browsers to keep them secure

• 74% say detection-based tools no longer effective

• 51 average number of successful attacks in 2014

• $3.1M average annual cost to clean up attacks


The problem grows…

We can’t keep up with the numerous security flaws detected every day.

• Known Malware

• Flash

• Bad Websites

• Java Applets

• Server-side scripts

• Zero-Day attacks

Internal resources with approved access can breach confidentiality – intentionally or not.

IT Security Prevention


How many of your users…

Click Here???

How many of your users…

can spot a Fake??


Detection is not sustainable

• Data Loss Prevention is only as effective as what it knows about.

• Almost 1,000,000 new malicious code signatures every day!

• Each click of the mouse opens a clear, undetectable path for data to exit our computers and networks.

• We simply can’t detect what we don’t know to look for.

Human Behavior and the Browser

• Human nature is to “Accept and Continue.”

• Can’t change the user’s experience.

• Access blocks don’t work.

• End users find ways to circumvent existing limited protections.

Browsing solutions must evolve to maintain network integrity with minimal effort.

Without Isolation

[Diagram labels: URL Filtering, Network AV, IDS/IPS, DLP; ports 80, 443]

• Browsers download and execute program code from trusted and untrusted sites

• Even defense-in-depth detection can’t stop unknown attacks

• Once in, they can send your intellectual property to the world through the tiniest holes

Software-Based Browser Isolation

• The browser is isolated from the operating system by a micro-hypervisor.

• The micro-hypervisor is a mini virtual machine.

• If the browser is compromised, in theory, the hypervisor will block access to the OS and other programs.

Issues with software based isolation

• Software sandboxes can be penetrated

• Need to manage each system

• More powerful processors may be needed

• Additional endpoint memory and disk usage

• If something becomes resident, it’s on the internal network

• If something does get out, it’s on the user’s system

A New Approach.

Hardware-Based Browser Isolation


Hardware Isolation

[Diagram labels: URL Filtering, Network AV, IDS/IPS, Sandbox; ports 80, 443; ports 1200-1299]

• Physically separate and isolate the browser from the endpoint.

• Place the browser in an isolated network (DMZ).

• Users enjoy complete web freedom and security while keeping your data secure.

• A highly managed user experience provides oversight into web-based activities.

Isolate™ Architecture

1) Architectural Isolation

Separation and isolation of Layer 1 physical components between browser and users

2) Resource Isolation

Isla server and endpoint Memory, CPU, Storage, and Peripherals are isolated from each other – and from malware

Isolate™ Architecture

3) Session Isolation

Each user session is protected in its own VM, hardware-isolated with Intel VT extensions

4) Task Isolation

Within a single session, each tab, or task, uses processes isolated from each other

Isolate™ Architecture

5) Connection Isolation

AES 256-bit encrypted communication between appliance and each individual user

6) Content Isolation

Proprietary command, control and display communication format that malware cannot compromise

Isolate™ Architecture

7) Malware Isolation

Any malware activity is isolated and contained within the appliance

VMs are completely destroyed after each use and never have access to internal networks

How it Works

Provide an isolation area to render content in a secure network

Malicious websites become harmless by rendering the content in the isolated area. You can now provide clean web content to your users with true hardware and network separation.

Basic Deployment

[Diagram labels: The Internet; Interactive, Secure, Encrypted Viewer Streams; Spikes Security Systems and Control Center]

• Isla sits in a DMZ/isolated network

• Encrypted client to Control Center and appliance communications

• Isolated VM for each user

• On command updates

• Centralized reports and configurations

Control Center Communications

[Diagram labels: The Internet; Interactive, Secure, Encrypted Viewer Streams; Spikes Security Systems and Control Center]

• SSL Web-enabled Interface

• Maintains user and group information

• Retains log and usage information

• Holds your primary copy of your appliance configurations (can only be pulled down by your appliances and is only activated by administrators)

• Can be isolated on-premises for additional security.

Issues with Hardware Based Isolation

• Compatibility issues between browsing environment and the actual user environment

– Proprietary Browser

• Web Applications try to use local OS resources

– Silverlight/SharePoint

• Use of webcam, microphone, printing, and downloads breaks the principle of isolation

– Bypass Mode

• Additional Hardware Required

Isolation Synopsis

• The race to save the endpoint isn’t working.

• Hardware based isolation removes 100% of the possibility of malware or spyware entering a network.

• With hardware based isolation, the need to capture browser based attacks on the endpoint is negated.

Conclusion

Hardware Based Isolation

1. Eliminates the web browser as a primary attack vector

2. Reduces unnecessary IT costs for forensics, remediation

3. Simplifies endpoint security complexity and admin

4. Restores secure web freedom for all employees


ISLA

Deploying in the real world

Multiple Use Cases


EXAMPLES

Typical Installation Scenarios

Basic Deployment


MOST COMMON DEPLOYMENT

• Isla sits in a DMZ/isolated network

• Only authorized users can connect

• Encrypted client to server communications

• Centralizes the source of all web requests


IN-LINE TOOLS DEPLOYMENT

[Diagram label: Other In-line Security tools]

• Used with existing Content Filtering or other Information Security tools

• Isla sits in the network before egress through the existing InfoSec tools

• Encrypted client to appliance communications

• Outbound web requests route through the existing InfoSec tools at the perimeter

MULTIPLE SITES

• Isla sits in a DMZ/isolated network

• Only authorized users can connect

• Encrypted client to server communications

• Centralizes the source of all web requests


THANK YOU

Spikes Security

www.spikes.com