WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

Similar documents
Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security

FIREWALL BEST PRACTICES TO BLOCK

PCI DSS Compliance. White Paper Parallels Remote Application Server

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

COMPUTER NETWORK SECURITY

CloudSOC and Security.cloud for Microsoft Office 365

Rethinking Security: The Need For A Security Delivery Platform

Chapter 9. Firewalls

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Network Security Protection Alternatives for the Cloud

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

Identity-Based Cyber Defense. March 2017

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

trend micro smart Protection suites

Building Resilience in a Digital Enterprise

SECURING DEVICES IN THE INTERNET OF THINGS

Securing Your Microsoft Azure Virtual Networks

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

Symantec Ransomware Protection

Securing Your Amazon Web Services Virtual Networks

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

IBM Security Network Protection Solutions

The threat landscape is constantly

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team

SECURING DEVICES IN THE INTERNET OF THINGS

Securing Devices in the Internet of Things

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Seqrite Endpoint Security

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

SYMANTEC DATA CENTER SECURITY

McAfee Public Cloud Server Security Suite

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Securing the Software-Defined Data Center

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Symantec Protection Suite Add-On for Hosted Security

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

EXECUTIVE BRIEF: WHY NETWORK SANDBOXING IS REQUIRED TO STOP RANSOMWARE

Total Threat Protection. Whitepaper

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Cisco Advanced Malware Protection. May 2016

SentinelOne Technical Brief

Top Qualities of an Enterprise-Class Isolation Platform

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

TREND MICRO SMART PROTECTION SUITES

Mitigating Risks with Cloud Computing Dan Reis

Security

ein wichtiger Baustein im Security Ökosystem Dr. Christian Gayda (T-SEC) und Ingo Kruckewitt (Symantec)

Securing Your Most Sensitive Data

McAfee Endpoint Security

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

SentinelOne Technical Brief

TREND MICRO SMART PROTECTION SUITES

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Security by Default: Enabling Transformation Through Cyber Resilience

Introduction. The Safe-T Solution

TIBCO Cloud Integration Security Overview

McAfee Virtual Network Security Platform 8.4 Revision A

Palo Alto Networks PAN-OS

Comprehensive Database Security

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Privileged Account Security: A Balanced Approach to Securing Unix Environments

CS 356 Operating System Security. Fall 2013

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Global Manufacturer MAUSER Realizes Dream of Interconnected, Adaptive Security a Reality

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Simple and Powerful Security for PCI DSS

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Sun Mgt Bonus Lab 11: Auto-Tagging in PAN-OS 8.X

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Garrison Technology HOW SECURE REMOTE BROWSING DELIVERS HIGH SECURITY EVEN FOR MAINSTREAM COMMERCIAL ORGANISATIONS

Symantec Client Security. Integrated protection for network and remote clients.

Whitepaper. Endpoint Strategy: Debunking Myths about Isolation

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

3 Ways to Prevent and Protect Your Clients from a Cyber-Attack. George Anderson Product Marketing Director Business October 31 st 2017

SECURITY PRACTICES OVERVIEW

Achieving End-to-End Security in the Internet of Things (IoT)

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

Security: The Key to Affordable Unmanned Aircraft Systems

The McAfee MOVE Platform and Virtual Desktop Infrastructure

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

PROTECT WORKLOADS IN THE HYBRID CLOUD

Next Generation Endpoint Security Confused?

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Dynamic Datacenter Security Solidex, November 2009

Symantec Endpoint Protection

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Gladiator Incident Alert

McAfee Advanced Threat Defense

HPE Intelligent Management Center

Transcription:

AirGap The Technology That Makes Isla a Powerful Web Malware Isolation System

Introduction Web browsers have become a primary target for cyber attacks on the enterprise. If you think about it, it makes perfect sense. The ubiquitous web browser is the only application on your desktop that regularly downloads and executes code from trusted and untrusted networks. And because ports 80 and 443 on corporate firewalls are always open, there is pretty much a direct connection between internal users and external web sites, even if it first passes through a web proxy. It s not surprising then, that hackers are able to develop and launch complex APTs, drive-by malware, polymorphic threats, and various zero-day attacks to exploit the inherent vulnerabilities associated with browser code and plug-ins. The traditional response to this never-ending security problem has been to augment the firewall with a multi-layer, defense-in-depth (DID) security architecture to protect the network perimeter and endpoint devices. The assumption is that if the first layer does not detect the attack, the second layer will, and so on. This DID architecture is typically based on various forms of detection technologies (signatures, heuristics, content analysis, etc.). Unfortunately, the headlines we see each week of new cyber attacks provide strong evidence that detection technology is no longer effective in protecting corporate networks. In fact, this was verified in research of more than 1,000 organizations published in 2015 by FireEye, which showed that 96% of these organizations had been breached even though all of them employed a DID security strategy 1. Clearly, detection 96% of the 1,000 organizations had been breached even though all of them employed a DID security strategy. technologies are failing miserably. Isolation Technology More recently, some vendors have begun to offer endpoint security products focused on software-based isolation through sandboxing. While this strategy represents a step forward, it also has inherent risks. For example, software sandbox technologies can be breached through targeted attacks, giving hackers full access to all files and resources on the endpoint and possibly inside the corporate network. Other vendors have tried hardware-assisted endpoint isolation, which also represents a step forward. However, it faces similar risks of vulnerabilities, plus the complexity of deployment, configuration, and updates on a broad scale makes it less attractive to enterprise customers. The safest, most effective solution to this problem is to apply isolation technology to the entire network, rather than individual endpoints. More specifically, what this means is that all external web content whether it is from trusted or untrusted web sites should be isolated and 1. FireEye, (2015) Maginot Revisited: More Real-World Results from Real-World Tests. Retrieved from: https://www2.fireeye.com/web- 2015RPTMaginotRevisited.html 2

rendered outside the network, and never be allowed to access endpoint devices. This network isolation strategy effectively eliminates the web browser as the primary vector for cyber attacks on businesses. AirGap Isolation Technology Spikes Security provides network-level, browser malware isolation through its patent-pending AirGap isolation technology. This breakthrough technology has been integrated into the Isla family of security appliances, which are deployed in the DMZ outside the corporate firewall. The appliances prevent all browser malware from entering the corporate network and infecting endpoint devices, while providing end users with a safe and secure browsing experience. This paper summarizes the underlying architecture and components of the AirGap technology. https://www VM VM Off-Premise Users On-Premise Users Physical Isolation The value of the AirGap technology and architecture begins with its ability to create literal physical separation and isolation between untrusted content and a secure network. Specifically, what this means is that while end users are located inside the network, the active web browser is located on the Isla appliance outside the network. End users inside the network can continue to use their favorite web browser (or a lightweight Isla client viewer), but they no longer have direct access to the web. Instead, desktop browsers connect directly to Isla, which processes all web requests from end users, then fully renders the original web content on the appliance never on the endpoint inside the secure network. Isla then actively and continuously transforms all audio, video, text, and graphics and delivers that to the browser on the desktop (which essentially becomes a viewer ). From a security perspective, this isolation ensures that any malware-infested web content stays on the appliance outside the network. 3

Resource Isolation One of the obvious benefits of isolating the browser outside the network is the resulting isolation of the endpoint (OS, applications, and files) from all browser-borne malware. As a result, cyber criminals can no longer exploit vulnerabilities of the internal browser to gain access to the operating system or any other internal resources on endpoint devices. Instead, malware-infected web sessions are terminated outside the firewall on the Isla appliance. The appliance is designed for maximum security, and only runs SE-Linux, a Type 1 hypervisor, and a specialized browser there are no other sensitive files or personally identifiable information stored on the appliance. Essentially, the Isla appliance is an empty room with no doors, no windows, no information, and no opportunity for malware to access the network and infect the organization. It is where malware goes to die. Session Isolation When end users inside the network initiate an external web session (via a web content request using their normal browser), Each user always enjoys a clean, secure, high performance browsing session. the AirGap technology on Isla automatically creates and launches each user web session within its own isolated VM, administered using a fast, efficient, and secure Type 1 hypervisor. The software VM combined with hardware-assisted isolation enforced with the Intel Virtualization Technology (VT) processor extensions ensure that each user session is completely isolated from all other user sessions. Memory, disk, and CPU resources are not shared between users, thus preventing any form of malicious activity or cross-contamination between user sessions. When a user completes a session, each VM is completely destroyed along with malware that may have been downloaded into that VM. The Isla appliance also destroys any stored data, session cookies, and residual data. This ensures that each user always enjoys a clean, secure, high performance browsing session. Content Isolation As noted above, when original web content is rendered within the Isla VM, it is possible that it could contain malware, and thus should not be delivered to the endpoint in that state. For that reason, the AirGap technology actively and continuously transforms all web content audio, video, text, and graphics to benign multimedia streams. Think of it as a digital distillation process where all content is purified. In this process, all data streams carrying requested content are automatically cleansed of potentially malicious payloads, making it impossible for cyber criminals to inject malformed activity commands within the content. In terms of content delivery to the internal network, all data streams are isolated and kept private with strong AES-256 encryption, which uses 256-bit symmetric key pairs that are generated when a client registers (or re-registers) with the Isla 4

appliance. These keys are used to establish a uniquely encrypted communication path for each individual client to provide complete privacy for each user session. This strategy is far more secure than traditional SSL connectivity. Isolating Attackers Even with the AirGap s complete, end-to-end focus on security through isolation, it is important to be prepared to isolate any suspicious traffic that may target the Isla appliance. To isolate potential intruders, AirGap technology includes active monitoring with trip wires that instantly identify and isolate any malicious traffic. This is actually fairly easy to do on Isla because, remember, the system is purpose-built for specific functions. So if any unauthorized activity, non-standard system states, or blocked processes are found, AirGap technology automatically isolates the out-of-bounds activity and can immediately destroy the VM session (and all malware it may contain). Summary The only effective way to prevent all browser-borne malware attacks known or unknown is to shift the focus from detection to isolation. Specifically, web browser isolation deployed at the gateway outside the firewall is the most secure, most scalable, and least complex way to eliminate the primary threat vector for cyber attacks on the enterprise. And the best solution available is the Isla browser isolation system based on patent-pending AirGap technology from Spikes Security. Learn more or request a demo at www.spikes.com. Spikes Security, 536 N. Santa Cruz Ave., Los Gatos, CA 95030 Tel: +1 855-287-7453 Email: sales@spikes.com www.spikes.com 2015 Spikes, Inc. All rights reserved. Portions of Spikes products are protected under Spikes patents, as well as patents pending. Spikes, AirGap, Isla, and the Spikes Security logo are trademarks or registered trademarks of Spikes, Inc. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Intel is a trademark of Intel Corp. in the U.S. and/ or other countries. All other trademarks used or mentioned herein belong to their respective owners. Part# M1008-002US 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback