Whitepaper. Endpoint Strategy: Debunking Myths about Isolation


Whitepaper Endpoint Strategy: Debunking Myths about Isolation May 2018

Endpoints are, and have always been, a major cyberattack vector. Attackers, aiming at the enterprise's crown jewels, prove again and again that endpoints are the Achilles heel of an enterprise's security strategy. As endpoints are the most pervasive IT asset within the organization, any decision to change the endpoint security strategy is not to be taken lightly.

In the past, endpoint security strategies all looked pretty much the same - a standard Windows machine with agents used for antivirus scanning and for enforcing policies restricting web browsing and controlling the use of external devices. That standard model is slowly on its way out - finally. Increasingly, prevention based on isolation is becoming more of a focus. Several approaches have emerged on this front:

1. Virtual Desktop Infrastructure (VDI)
2. Remote Browsing
3. Application Sandboxing
4. Virtual Air Gap

1. VDI - It Only Appears to Solve the Problem

Virtual Desktop Infrastructure (VDI) is based on accessing the corporate desktop image from a remote station - a thin or thick client with the screen view and keyboard / mouse input exchanged over the network. VDI gained traction based on its promise of simplicity in provisioning and management but is far from the holy grail when it comes to endpoint security.

Using VDI does not protect the organization from internal or external threats. Malware can still compromise software on the VDI desktop image and lead to organizational risk - for example, a malicious email exploiting a vulnerability on the VDI OS. When VDI is used from thick clients or a personal device, attack vectors on that device - such as external hardware, Internet access, or other applications - can be exploited to compromise it and take control of the VDI session.

VDI also falls short on productivity, because a VDI session requires an active network connection with sufficient bandwidth to the VDI server: it does not allow any offline work and, in many cases, provides a suboptimal user experience.

2. Remote Browsing - Not Quite a Comprehensive Solution

Remote Browsing, technologically similar to VDI, allows browsing the Internet only via a browser application running on an isolated, locked-down virtual machine in the cloud (which prevents exploitation of browser-based vulnerabilities on the local machine). Remote browsing provides the end user with a slower and less interactive browsing experience, as content is displayed as an image or a video stream on the local workstation.

Remote browsing is limited to Internet browsing (as the name suggests); therefore this approach does not cover attack vectors that are still present on the local machine. Attack vectors such as applications, external hardware, OS vulnerabilities, and additional weaknesses can give an attacker full control of the local machine.

Other disadvantages are related to user experience - both compatibility and performance. Browser interoperability and other applications' browser plugins are not addressed in many cases, which can seriously affect user productivity. Many leading conferencing applications, for example, do not work well in such an environment. The fact that the Internet connection always goes through an additional network hop adds latency to website interactions, further degrading the user experience.

3. Application Sandboxing - Limited in Coverage and Full of Hassles

Application Sandboxing isolates a few common applications known as prominent attack vectors by executing each application in its own sandbox, using VMs or other app isolation techniques. This approach contains threats coming from the application within the sandbox and prevents them from affecting the operating system.

While avoiding the network-associated overhead of remote browsing, app isolation imposes a significant performance overhead, as each instance of the application (possibly even each separate tab in a browser) runs in a separate VM (or other type of containerization solution). As there are quite a few applications running on a typical user's endpoint, this can lead to degraded machine performance and poor user experience.

Other complications with this approach are related to interoperability and compatibility. Separating applications into VMs creates inherent interoperability issues among applications that are used to interacting within a single operating system. As every application is specifically customized to run in the sandbox VM operating system, each new version has to be explicitly adapted to work with the sandbox platform. This creates a problem of keeping applications up to date - costing money and time, and delaying application security patches (thereby increasing exposure to vulnerabilities).

Furthermore, application sandboxing does not protect against any attack vector beyond the few supported applications - such as vulnerabilities in unsupported applications (the abundance of applications makes it impossible to cover all of them with this approach), the underlying OS, middleware, malicious external hardware, malicious external networks, etc. While a great thing to do in theory, sandboxing applications causes more problems than it solves.

4. Virtual Air Gap - Full Control and Uncompromising User Experience

An emerging approach, Virtual Air Gap, borrows its concept from the physical air gap approach used in highly classified organizations, where there are separate physical machines dedicated for classified usage. Virtual Air Gap uses a single physical machine to deliver the top-grade security of the air gap solution, while improving user productivity.

A Virtual Air Gap copes with the threat of compromise from a completely different perspective. This new architecture creates a security platform that runs below the OS on the hardware itself. It runs a few operating systems simultaneously inside segregated virtual machines, one per security zone, such as Highly Secure, Enterprise Network, and Personal.

A Virtual Air Gap creates full separation, similar to a physical air gap, between a VM with an operating system potentially exposed to any threat vector - an OS attack vector, Internet, external devices or any application - and a VM running a restricted operating system with access exclusively to the organization's privileged resources. The fact that multiple VMs are used behind the scenes is transparent to the user, who has an experience of a single desktop and a single operating system.

Security-wise, a Virtual Air Gap guarantees that a compromise taking place in the exposed VM, via any attack vector, will remain contained in that VM, while the other VMs are unaffected. All applications within each operating system run as is, reducing compatibility issues; interactions that involve multiple VMs, such as content transfer, are granularly controlled via policy. Furthermore, using only two or three VMs does not impose any noticeable performance impact on enterprise usage.

As a result, users are free to do their jobs without any restrictions hampering productivity, while security teams are confident that they have not left their organization exposed to any endpoint-based attack vector.

Key Principles for Developing a Practical and Secure Endpoint Strategy

The endpoint is here to stay
Even in the age of the cloud, knowledge workers will continue to use thick endpoints, and legacy applications will prevail.

Design for failure
People will always make errors, a bloated OS will always have vulnerabilities, and breaches will happen. You need to remain vigilant and prepare for the worst, by making these breaches a non-issue.

Free your users
Today's users demand more and more flexibility. An organization cannot afford to adopt a security strategy that blocks its users from doing their jobs. Create a security strategy that lets them work anywhere and use any OS and application.

Security and productivity can work together. It's just a matter of getting the right technology in place.

Find out more: www.hysolate.com