BUFFERZONE Advanced Endpoint Security
Enterprise-grade Containment, Bridging and Intelligence

BUFFERZONE defends endpoints against a wide range of advanced and targeted threats with patented containment, bridging and intelligence. Employees enjoy frictionless access to the internet, mail and removable storage while the enterprise stays secure.
You Cannot Block Threats You Don't Understand

As cyber threats grow increasingly sophisticated, it is now widely agreed that organizations must take a layered approach to protecting their networks and data. Even with the best perimeter defenses, malware is getting through and is infecting user endpoints, the largest and most vulnerable attack surface in the organization. Unfortunately, traditional solutions such as signature-based anti-virus, HIPS and patch management are not effective in preventing many types of attacks, including phishing scams, zero-days, drive-by downloads, fileless malware and advanced threats that are constantly morphing. Detection as a means of blocking malware is an inherently limited approach.

As a result, some organizations have shifted their focus to post-breach detection rather than prevention. While necessary, detection and remediation are generally far more expensive than prevention. Given the large number of incidents and false positives, it is more important than ever to prevent as many infections as possible.

Other organizations try to control the threat by restricting users' access to the internet and risky applications. However, restriction is, and will remain, an uphill battle. Internet, email and removable storage are essential to business today, and organizations that try to control access inevitably impact productivity as well as employee satisfaction. And since the list of dangerous sites and sources is constantly changing, it is impossible to maintain a foolproof policy.

Contain Threats, Not Employees

It's simply not possible to detect every threat. It is equally impossible to control human behavior - and the more restrictive and inconvenient the security control, the more likely users are to circumvent it. Given these realities, containment is the key to keeping the organization safe without restricting employees.
With patented containment and bridging technologies, BUFFERZONE protects organizations from a wide range of threats. Instead of blocking, BUFFERZONE isolates potentially malicious content that arrives from web browsers, email and removable storage and provides a secure bridge for safely transferring it to the native endpoint and the corporate network. BUFFERZONE maximizes user productivity with seamless, unrestricted access to information, while empowering IT with a simple, lightweight, centrally managed, enforceable and cost-effective solution for up to thousands of endpoints within and beyond the corporate network.
BUFFERZONE's advanced endpoint security solution features:

Virtual Container: A secure, isolated environment for accessing content from any potentially risky source, including browsers, removable media and email.
Secure Bridge: A configurable process for extracting data from the container to enable collaboration between people and systems while ensuring security and compliance.
Network Separation with Passport Enforcement: Enforced by the organizational proxy server, endpoint connections to the internet use separate networks from connections to internal, trusted resources.
Upload Blocker: As part of an organizational DLP strategy, BUFFERZONE restricts browser uploads to come only from an isolated location that cannot hold any data from internal sources.
Endpoint Intelligence: Detailed reporting and integration with SIEM and Big Data analytics to identify targeted attacks.

The BUFFERZONE container gives employees an unrestricted and transparent environment for using internet applications and removable storage, including opening files in popular applications like Microsoft Office and PDF readers. If malware reaches the endpoint, it is stuck inside the container, where it can do no further harm to the rest of the endpoint or the enterprise. Container contents are wiped periodically to permanently remove malware from the computer.

Most of the time, it is not necessary to remove files or data from the container. Users can freely save and reopen files at any time, within the container, without risk to the organization. However, sometimes it is necessary to transfer downloaded files to other parts of the organization. For this purpose, BUFFERZONE includes a configurable bridge for transferring content and data safely between the isolated environment and trusted areas of the endpoint and the corporate network. It enables organizations to define and automate the procedures and disarming technologies that must be applied before the transfer.
BUFFERZONE also provides critical intelligence for enterprise-wide security analytics to enable correlation of high-risk events. A centrally managed policy defines containment and bridging policies for all parts of the organization. Easy to deploy and configure, BUFFERZONE is a lightweight solution that is deployed and managed seamlessly from the BUFFERZONE Management Server or from leading endpoint management platforms, including Ivanti (LANDESK), McAfee ePO and Microsoft Group Policy (GPO), to provide cost-effective containment for up to thousands of endpoints.
How Does Containment Work?

Rather than trying to detect or block, BUFFERZONE isolates application instances that come into contact with untrusted sources. From the user perspective, the application runs normally. But from the security perspective, the application is running in a separate, virtual container that is completely isolated from the rest of the endpoint. This creates a buffer that prevents malware from infecting the endpoint and your corporate network.

BUFFERZONE's patented containment technology is transparent to both the application and the end user, yet completely seals off threats from the rest of the computer. The concept is similar to Protected Memory, a core technology in modern operating systems that uses memory virtualization to isolate one application from another. BUFFERZONE takes a similar approach to isolating the entire application environment: memory as well as files, registry and more. An infection attempt will be confined to the boundaries of the container.

Windows applications must have read/write access to files and registry data. But it is also through the file system and registry that viruses, worms, Trojan horses, spyware and malware are installed. BUFFERZONE's patented containment technology solves this problem effectively using a kernel driver that resides as part of the operating system kernel and filters application-level I/O requests. Non-trusted applications are allowed to read from the file system and the registry; but as soon as they attempt to write or modify a file or registry key, the operation is performed on a different area of the disk. All future read/write operations from this non-trusted application are redirected to the container. This I/O redirection is completely transparent to both the application and the end user. As a result, any harm inflicted by malware is completely sealed off in the virtual environment. Neither the endpoint nor the corporate networks are infected.
New threats with unpredictable behaviors are contained just as effectively as known malware.
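The read-through, redirect-on-write behaviour described above, modelled as an added Python example rather than BUFFERZONE's own code (the kernel filter driver itself is not shown). `RedirectedStore`, the sample file path, the registry value name and the tampering scenario are all constructed for illustration:

```python
class RedirectedStore:
    """Host namespace (files or registry) plus an overlay for contained-app writes."""

    def __init__(self, host):
        self.host = dict(host)      # trusted area; constructed sample data
        self.overlay = {}           # redirected writes from contained apps
        self.tombstones = set()     # deletions by contained apps, overlay-only

    def read(self, key, trusted):
        if trusted:
            return self.host.get(key)
        # Read-through to the host until the app has written or deleted the key.
        if key in self.tombstones:
            return None
        return self.overlay.get(key, self.host.get(key))

    def write(self, key, value, trusted):
        if trusted:
            self.host[key] = value
        else:
            self.overlay[key] = value       # never touches the host copy
            self.tombstones.discard(key)

    def delete(self, key, trusted):
        if trusted:
            self.host.pop(key, None)
        else:
            self.overlay.pop(key, None)
            self.tombstones.add(key)        # hidden from the contained app only

    def wipe_container(self):
        """Periodic wipe: everything a contained app changed is discarded."""
        self.overlay.clear()
        self.tombstones.clear()

# Constructed sample keys: one file path and one registry autorun value.
HOSTS = "C:/Windows/System32/drivers/etc/hosts"
RUN = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater"

def simulate_infection_attempt():
    """A contained app tries to persist and to tamper with name resolution."""
    store = RedirectedStore({HOSTS: "127.0.0.1 localhost"})
    store.write(RUN, "C:/Users/alice/Downloads/dropped.exe", trusted=False)
    store.write(HOSTS, "0.0.0.0 updates.example", trusted=False)
    contained = (store.read(RUN, False), store.read(HOSTS, False))
    host = (store.read(RUN, True), store.read(HOSTS, True))
    store.wipe_container()
    after_wipe = (store.read(RUN, False), store.read(HOSTS, False))
    return contained, host, after_wipe
```

The contained app sees its own autorun value and modified hosts file, the trusted view never changes, and the periodic wipe returns the contained view to the host state.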
What is a Trusted Source?

BUFFERZONE provides a secure, virtual environment for accessing content from web browsers, email, Skype, FTP, removable storage and any other potentially insecure source. It enables you to define very granular policies that determine precisely what is trusted and untrusted according to network segment, file location or file tag, file digital signature, and URL/IP source. BUFFERZONE offers location awareness, which automatically detects an endpoint that has moved to an insecure location (such as a public Wi-Fi hotspot) where stricter policies are required.

BUFFERZONE provides this same level of intelligence for defining secure zones. So, for example, a SharePoint server can be defined as secure. When the user visits the server from a web browser, it will open outside the container, so any files that are uploaded will be from trusted sources.

Providing a Transparent User Experience

BUFFERZONE contains applications instead of employees. IT security defines untrusted and trusted sources. When users access an untrusted source using a web browser, instant messenger, email client or desktop application, they automatically begin to work in the BUFFERZONE container. Isolated applications have a red border, as the web browser above. When the user accesses a trusted source, the browser opens outside the container and its border is green. In every other respect, the user experience is completely transparent. BUFFERZONE has a small footprint and virtually no impact on performance. It does not require hardware or operating system upgrades.
Building a Bridge between the Endpoint and the Enterprise

Experience has shown that the majority of the web pages and files that employees access from web browsers or email do not need to be saved on the enterprise network. They can safely and conveniently be stored and viewed within the BUFFERZONE container. This significantly reduces the attack surface of the organization as a whole. Nonetheless, there are situations where files and data must be made available for use in a wider organizational context. Therefore, a Secure Bridge is an essential part of a containment strategy.

BUFFERZONE provides organizations with a configurable bridge for extracting and disinfecting files that leave the container. It enables every organization to establish its own process in line with industry best practices and enterprise security policies. The bridge defines a process for where and how files are saved, as well as the procedures that will be performed in order to disarm data and remove any potential threats.

Enforceable Network Separation

Endpoint connections from within the BUFFERZONE container use separate networks from connections made outside the container, ensuring that no application can access both trusted and untrusted resources. The separation is enforceable by the organizational proxy, which can be configured to allow internet access only to connections clearly identified as originating within the container.

Upload Blocker for DLP

BUFFERZONE can restrict browser uploads to come only from a specified, contained location (for example, the Downloads folder). When configured along with BUFFERZONE's Hidden Files feature, which prevents contained applications from accessing locations that could contain sensitive data, BUFFERZONE contributes to a wider organizational DLP strategy by ensuring that potentially sensitive information cannot be uploaded to the internet.
Correlating Information across the Enterprise

Advanced malware is highly distributed: it communicates with a network of hosts via a Command and Control server and often will infect a number of endpoints in your organization, especially if it is a targeted attack. Therefore, it is essential to correlate threat information across the organization. BUFFERZONE collects information about suspicious software, such as registry alterations, file system activity, network activity and more, and shares it directly with SIEM and other Big Data analytics platforms for effective organization-wide event correlation.

Scaling for Thousands of Endpoints

Since organizations have thousands of physical and virtual endpoints running different operating systems at distributed sites and off-premises, central deployment and policy management is a critical factor for endpoint security. BUFFERZONE is easy to deploy using the provided BUFFERZONE Management Server or other, third-party endpoint management systems, including Ivanti (LANDESK), McAfee ePolicy Orchestrator (ePO) and Microsoft Group Policy (GPO). BUFFERZONE is supported on most Windows versions, microprocessors and physical/virtual deployments. It also supports most standard browsers, plugins and applications. BUFFERZONE is a cost-effective solution with a very small footprint and little impact on endpoint performance. Once policies are configured, BUFFERZONE requires little ongoing management, resulting in a very low total cost of ownership for the organization.

Summary

When it comes to protecting endpoints against modern threats, the most effective approach is Containment First. BUFFERZONE's patented container technology enables employees to freely access information from anywhere without compromising the organization. It provides a safe place to run internet-exposed applications and removable storage, and collects information that can be vital for attack detection and event correlation.
BUFFERZONE provides a complete solution for successfully integrating containment into the enterprise, including a secure bridge for transferring files according to industry best practices and advanced file disarming technologies. It has minimal hardware requirements, is easy to deploy and manage, and offers a very low total cost of ownership. With BUFFERZONE, organizations of all sizes can defend their endpoints against malware while giving employees seamless internet access to increase productivity and user satisfaction.
The BUFFERZONE Advantage:

Enable employees to access the internet freely to maximize productivity and satisfaction
Effectively defend the network against APTs, zero-day attacks and advanced malware
Prevent malware from infecting user endpoints
Protect access to removable storage
Protect all Windows devices and users, both on-site and outside of the corporate network
Safely transfer information into the organization without compromising security
Enforce organizational policies and processes seamlessly
Deployment within hours; very easy to manage with leading endpoint management platforms
Minimal resource utilization

2014-2017 BUFFERZONE Security Ltd. All rights reserved. BUFFERZONE is a registered trademark of BUFFERZONE Security Ltd.