Spikes Security Isla Isolation
1. Drive-by Downloads, Malvertising, and Web Exploits
Web-based isolation is now possible
Paul Misner
Federal Business Development
Spikes Security
pmisner@spikes.com
410-740-3490
Scott Martin
Chief Information Officer
Spikes Security
smartin@spikes.com
408-755-5713
2. THE WEB BROWSER IS THE MOST STRATEGICALLY IMPORTANT APPLICATION IN TODAY’S INTERNET-POWERED ENTERPRISE.
3. Browsers and the web
• Most strategically important application
• Most insecure and vulnerable to cyber attacks
• Most expensive business application to secure
Public Information 3
4. The web malware problem
• 81% say web browsers are the primary attack vector
• 55% of malware attacks coming through the browser
• 86% patch/update browsers to keep them secure
• 74% say detection-based tools no longer effective
• 51 average number of successful attacks in 2014
• $3.1M average annual cost to clean up attacks
5. The problem grows…
We can’t keep up with the numerous security flaws detected every day.
• Known Malware
• Java Applets
• Flash
• Server-side scripts
• Bad Websites
• Zero-Day attacks
Internal resources with approved access can breach confidentiality – intentionally or not.
7. How many of your users…
Click Here???
8. How many of your users…
can spot a Fake??
9. Detection is not sustainable
• Data Loss Prevention is only as effective as what it knows about.
• Almost 1,000,000 new malicious code signatures every day!
• Each click of the mouse opens a clear, undetectable path for data to exit our computers and networks.
• We simply can’t detect what we don’t know to look for.
10. Human Behavior and the Browser
• Human nature is to “Accept and Continue.”
• Can’t change the user’s experience.
• Access blocks don’t work.
• End users find ways to circumvent existing limited protections.
11. Browsing solutions must evolve to maintain network integrity with minimal effort.
12. Without Isolation
[Diagram: URL Filtering, Network AV, IDS/IPS, DLP; labels 80 and 443]
• Browsers download and execute program code from trusted and untrusted sites
• Even defense-in-depth detection can’t stop unknown attacks
• Once in, they can send your intellectual property to the world through the tiniest holes
13. Software-Based Browser Isolation
• Browser is isolated from operating system with micro-hypervisor.
• Micro-hypervisor is mini virtual machine.
• If the browser is compromised, in theory, the hypervisor will block access to the OS and other programs.
14. Issues with software based isolation
• Software sandboxes can be penetrated
• Need to manage each system
• More powerful processors may be needed
• Additional endpoint memory and disk usage
• If something becomes resident, it’s on the internal network
• If something does get out, it’s on the user’s system
16. Hardware Isolation
[Diagram: URL Filtering, Network AV, IDS/IPS, Sandbox; labels 80, 443 and 1200-1299]
• Physically separate and isolate the browser from the endpoint.
• Place the browser in an isolated network (DMZ).
• Users enjoy complete web freedom and security while keeping your data secure
• A highly managed user experience provides oversight into web-based activities
17. Isolate™ Architecture
1) Architectural Isolation
Separation and isolation of Layer 1 physical components between browser and users
2) Resource Isolation
Isla server and endpoint Memory, CPU, Storage, and Peripherals are isolated from each other – and from malware
18. Isolate™ Architecture
3) Session Isolation
Each user session is protected in its own VM, hardware-isolated with Intel VT extensions
4) Task Isolation
Within a single session, each tab, or task, uses processes isolated from each other
19. Isolate™ Architecture
5) Connection Isolation
AES 256-bit encrypted communication between appliance and each individual user
6) Content Isolation
Proprietary command, control and display communication format that malware cannot compromise
20. Isolate™ Architecture
7) Malware Isolation
Any malware activity is isolated and contained within the appliance
VMs are completely destroyed after each use and never have access to internal networks
21. How it Works
Provide an isolation area to render content in a secure network
Malicious websites become harmless by rendering the content in the isolated area. You can now provide clean web content to your users with true hardware and network separation.
22. Basic Deployment
[Diagram: The Internet; Spikes Security Systems and Control Center; Interactive, Secure, Encrypted Viewer Streams]
• Isla sits in a DMZ/isolated network
• Encrypted client to Control Center and appliance communications
• Isolated VM for each user
• On command updates
• Centralized reports and configurations
23. Control Center Communications
[Diagram: The Internet; Spikes Security Systems and Control Center; Interactive, Secure, Encrypted Viewer Streams]
• SSL Web-enabled Interface
• Maintains user and group information
• Retains log and usage information
• Holds your primary copy of your appliance configurations (Can only be pulled down by your appliances and is only activated by administrators)
• Can be isolated on-premises for additional security.
24. Issues with Hardware Based Isolation
• Compatibility issues between browsing environment and the actual user environment
– Proprietary Browser
• Web Applications try to use local OS resources
– Silverlight/SharePoint
• Use of webcam, microphone, printing, and downloads breaks the principle of isolation
– Bypass Mode
• Additional Hardware Required
25. Isolation Synopsis
• The race to save the endpoint isn’t working.
• Hardware based isolation removes 100% of the possibility of malware or spyware entering a network.
• With hardware based isolation, the need to capture browser based attacks on the endpoint is negated.
26. Conclusion
Hardware Based Isolation
1. Eliminates the web browser as a primary attack vector
2. Reduces unnecessary IT costs for forensics, remediation
3. Simplifies endpoint security complexity and admin
4. Restores secure web freedom for all employees
31. MOST COMMON DEPLOYMENT
• Isla sits in a DMZ/isolated network
• Only authorized users can connect
• Encrypted client to server communications
• Centralizes the source of all web requests
32. IN-LINE TOOLS DEPLOYMENT
[Diagram label: Other In-line Security tools]
• Used with existing Content Filtering or other Information Security tools
• Isla sits in the network before egress through the existing InfoSec tools
• Encrypted client to appliance communications
• Outbound web requests route through the existing InfoSec tools at the perimeter
33. MULTIPLE SITES
• Isla sits in a DMZ/isolated network
• Only authorized users can connect
• Encrypted client to server communications
• Centralizes the source of all web requests