Whitepaper. Endpoint Strategy: Debunking Myths about Isolation

Transcription

1 Whitepaper Endpoint Strategy: Debunking Myths about Isolation May 2018

2 Endpoint Strategy: Debunking Myths about Isolation Endpoints are, and have always been, a major cyberattack vector. Attackers, aiming at the enterprise s crown jewels, prove again and again that endpoints are the Achilles heel of an enterprise s security strategy. As endpoints are the most pervasive IT asset within the organization, any decision to change the endpoint security strategy is not to be taken lightly. In the past, endpoint security strategies all looked pretty much the same - a standard Windows machine with agents used for antivirus scanning and for enforcing policies restricting web browsing and controlling the use of external devices. That standard model is slowly on its way out - finally. Increasingly, prevention based on isolation is becoming more of a focus. Several approaches have emerged on this front: 1. Virtual Desktop Infrastructure (VDI) 2. Remote Browsing 3. Application Sandboxing 4. Virtual Air Gap 1. VDI It Only Appears to Solve the Problem Virtual Data Infrastructure (VDI) is based on accessing the corporate desktop image from a remote station - a thin or thick client with the screen view and keyboard / mouse input exchanged over the network. VDI gained traction based on its promise for simplicity in provisioning and management but is far from the holy grail when it comes to endpoint security. Using VDI does not protect the organization from internal or external threats. Malware can still compromise software on the VDI desktop image and lead to organizational risk - for example, a malicious exploiting a vulnerability on the VDI OS. When VDI is used from thick clients or a personal device, attack vectors on that device - such as external hardware, Internet access, or other applications - can be exploited to compromise it and take control of the VDI session. There are other productivity aspects where VDI is lacking due to the fact that a VDI session requires an active network connection with sufficient bandwidth to the VDI server: It does not allow any offline work and, in many cases, provides a suboptimal user experience. 2

3 2. Remote Browsing Not Quite a Comprehensive Solution Remote Browsing, technologically similar to VDI, allows browsing the Internet only via a browser application running on an isolated, locked-down virtual machine in the cloud (which prevents exploitation of browser-based vulnerabilities on the local machine). Remote browsing provides the end user with a slower and less interactive browsing experience, as content is displayed as an image or a video stream on the local workstation. Remote browsing is limited to Internet browsing (as the name suggests ); therefore this approach does not cover attack vectors that are still present on the local machine. Attack vectors such as applications, external hardware, OS vulnerabilities, and additional weaknesses can give an attacker full control of the local machine. Other disadvantages are related to user experience - both compatibility and performance. Browser interoperability and other applications browser plugins are not addressed in many cases, which can seriously affect user productivity. Many leading conferencing applications, for example, do not work well in such an environment. The fact that the Internet connection always goes through an additional network hop adds latency to website interactions, further degrading the user experience. 3. Application Sandboxing - Limited in Coverage and Full of Hassles Application Sandboxing isolates a few common applications known as prominent attack vectors, by executing each application in its own sandbox, using VMs or other app isolation techniques. This approach contains threats coming from the application within the sandbox and prevents them from affecting the operating system. While avoiding the network-associated overhead of remote browsing, app isolation imposes a significant performance overhead, as each instance of the application (could be even separate tabs on a browser) is running in a separate VM (or other type of containerization solution). As there are quite a few applications running on a typical user s endpoint, this can lead to degraded machine performance and poor user experience. Other complications with this approach are related to interoperability and compatibility. Separating applications into VMs creates inherent interoperability issues among applications that are used to interacting within a single operating system. As every application is specifically customized to run in the sandbox VM operating system, each new version has to be explicitly adapted to work with the sandbox platform. This creates a problem of keeping applications up to date - costing money, time and delaying security application patches (thereby increasing exposure to vulnerabilities). Furthermore, application sandboxing does not protect against any attack vector beyond the few supported applications - such as vulnerabilities in unsupported applications (the abundance of applications makes it impossible to cover all of them with this approach), the underlying OS, middleware, malicious external hardware, malicious external networks, etc. While a great thing to do in theory, sandboxing applications causes more problems than it solves. 3

4 4. Virtual Air Gap - Full Control and Uncompromising User Experience An emerging approach, Virtual Air Gap, borrows its concept from the physical air gap approach used in highly classified organizations, where there are separate physical machines dedicated for classified usage. Virtual Air Gap uses a single physical machine to deliver the top-grade security of the air gap solution, while improving user productivity. A Virtual Air Gap copes with the threat of compromise from a completely different perspective. This new architecture creates a security platform that runs below the OS on the hardware itself. It runs a few operating systems simultaneously inside segregated virtual machines, one per security zone, such as Highly Secure, Enterprise Network, and Personal. A Virtual Air Gap creates full separation, similar to a physical air gap, between a VM with an operating system potentially exposed to any threat vector - an OS attack vector, Internet, external devices or any application - and a VM running a restricted operating system with access exclusively to the organization's privileged resources. The fact that multiple VMs are used behind the scenes is transparent to the user, who has an experience of a single desktop and a single operating system. Security-wise, a Virtual Air Gap guarantees that a compromise taking place in the exposed VM, via any attack vector, will remain contained in that VM, while the other VMs are unaffected. All applications within each operating system run as is, reducing compatibility issues; interactions that involve multiple VMs, such as content transfer, are granularly controlled via policy. Furthermore using only two or three VMs does not impose any noticeable performance impact on enterprise usage. As a result, users are free to do their jobs without any restrictions hampering productivity, while security teams are confident that they have not left their organization exposed to any endpoint-based attack vector. 4

5 Key Principles for Developing a Practical and Secure Endpoint Strategy The endpoint is here to stay Even in the age of the cloud, knowledge workers will continue to use thick endpoints, and legacy applications will prevail. Design for failure People will always make errors, a bloated OS will always have vulnerabilities, and breaches will happen. You need to remain vigilant and prepare for the worst, by making these breaches a non-issue. Free your users Today s users demand more and more flexibility. An organization cannot afford to adopt a security strategy that blocks its users from doing their jobs. Create a security strategy that lets them work anywhere and use any OS and application. Security and productivity can work together. It s just a matter of getting the right technology in place. Find out more 5