WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System



Similar documents
Sophistication of attacks will keep improving, especially APT and zero-day exploits

Steelcape Product Overview and Functional Description

WildFire. Preparing for Modern Network Attacks

Analyzing HTTP/HTTPS Traffic Logs

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Chapter 9 Firewalls and Intrusion Prevention Systems

Cisco Advanced Malware Protection

McAfee Server Security

Check Point: Sandblast Zero-Day protection

HOW TO PROTECT YOUR VIRTUAL DESKTOPS AND SERVERS? Security for Virtual and Cloud Environments

Database Security in Virtualization and Cloud Computing Environments

Seven for 7: Best practices for implementing Windows 7

Load Balancing Security Gateways WHITE PAPER

Invincea Advanced Endpoint Protection

Choosing Between Whitelisting and Blacklisting Endpoint Security Software for Fixed Function Devices

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Beyond the Hype: Advanced Persistent Threats

The Benefits of SSL Content Inspection ABSTRACT

Compliance series Guide to meeting requirements of the UK Government Cyber Essentials Scheme

The Key to Secure Online Financial Transactions

Secure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications VIDYO

Guideline on Firewall

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

CA Host-Based Intrusion Prevention System r8.1

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

Symantec Endpoint Protection

Managing Remote and Mobile Workers Adam Licata, Enterprise Mobility SE, TSO Brian Sheedy, Sr. Principal TEC, Endpoint Management

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Networking for Caribbean Development

Cloud Services Prevent Zero-day and Targeted Attacks

Effective End-to-End Cloud Security

Securing the endpoint and your data

INTRODUCING isheriff CLOUD SECURITY

End-user Security Analytics Strengthens Protection with ArcSight

10 Things Every Web Application Firewall Should Provide Share this ebook

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

End to End Security do Endpoint ao Datacenter

12 Security Camera System Best Practices - Cyber Safe

Intrusion Defense Firewall

Anti-exploit tools: The next wave of enterprise security

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

Streamlining Web and Security

How To Protect A Web Application From Attack From A Trusted Environment

The Hillstone and Trend Micro Joint Solution

ios Security The Never-Ending Story of Malicious Profiles Adi Sharabani Yair Amit CEO & Co-Founder Skycure CTO & Co-Founder

Next-Generation Firewalls: Critical to SMB Network Security

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Adobe Flash Player and Adobe AIR security

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

On-Premises DDoS Mitigation for the Enterprise

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Symantec Endpoint Protection

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Symantec Endpoint Protection

White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

2012 Endpoint Security Best Practices Survey

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate.

Application Firewall Overview. Published: February 2007 For the latest information, please see

IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection

Achieving PCI Compliance Using F5 Products

HTML5 and security on the new web

Superior protection from Internet threats and control over unsafe web usage

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

Building A Secure Microsoft Exchange Continuity Appliance

Intel Cyber-Security Briefing: Trends, Solutions, and Opportunities

Top five strategies for combating modern threats Is anti-virus dead?

Content-ID. Content-ID URLS THREATS DATA

That Point of Sale is a PoS

Guidelines for Web applications protection with dedicated Web Application Firewall

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Web Request Routing. Technical Brief. What s the best option for your web security deployment?

A Modern Framework for Network Security in the Federal Government

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

Cisco Advanced Malware Protection for Endpoints

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Advanced Endpoint Protection

Unknown threats in Sweden. Study publication August 27, 2014

Securing Virtual Applications and Servers

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Agenda , Palo Alto Networks. Confidential and Proprietary.

Cisco ASA 5500 Series Business Edition

Clean VPN Approach to Secure Remote Access for the SMB

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Transcription:

AirGap The Technology That Makes Isla a Powerful Web Malware Isolation System

Introduction Web browsers have become a primary target for cyber attacks on the enterprise. If you think about it, it makes perfect sense. The ubiquitous web browser is the only application on your desktop that regularly downloads and executes code from trusted and untrusted networks. And because ports 80 and 443 on corporate firewalls are always open, there is pretty much a direct connection between internal users and external web sites, even if it first passes through a web proxy. It s not surprising then, that hackers are able to develop and launch complex APTs, drive-by malware, polymorphic threats, and various zero-day attacks to exploit the inherent vulnerabilities associated with browser code and plug-ins. The traditional response to this never-ending security problem has been to augment the firewall with a multi-layer, defense-in-depth (DID) security architecture to protect the network perimeter and endpoint devices. The assumption is that if the first layer does not detect the attack, the second layer will, and so on. This DID architecture is typically based on various forms of detection technologies (signatures, heuristics, content analysis, etc.). Unfortunately, the headlines we see each week of new cyber attacks provide strong evidence that detection technology is no longer effective in protecting corporate networks. In fact, this was verified in research of more than 1,000 organizations published in 2015 by FireEye, which showed that 96% of these organizations had been breached even though all of them employed a DID security strategy. 1 Clearly, detection 96% of the 1,000 organizations had been breached even though all of them employed a DID security strategy. technologies are failing miserably. Isolation Technology More recently, some vendors have begun to offer endpoint security products focused on software-based isolation through sandboxing. While this strategy represents a step forward, it also has inherent risks. For example, software sandbox technologies can be breached through targeted attacks, giving hackers full access to all files and resources on the endpoint and possibly inside the corporate network. Other vendors have tried hardware-assisted endpoint isolation, which also represents a step forward. However, it faces similar risks of vulnerabilities, plus the complexity of deployment, configuration, and updates on a broad scale makes it less attractive to enterprise customers. The safest, most effective solution to this problem is to apply isolation technology to the entire network, rather than individual endpoints. More specifically, what this means is that all external web content whether it is from trusted or untrusted web sites should be isolated and 1. FireEye, (2015) Maginot Revisited: More Real-World Results from Real-World Tests. Retrieved from: https://www2.fireeye.com/web- 2015RPTMaginotRevisited.html 2

rendered outside the network, and never be allowed to access endpoint devices. This network isolation strategy effectively eliminates the web browser as the primary vector for cyber attacks on businesses. AirGap Isolation Technology Spikes Security provides network-level, browser malware isolation through its patent-pending AirGap isolation technology. This breakthrough technology has been integrated into the Isla family of security appliances, which are deployed in the DMZ outside the corporate firewall. The appliances prevent all browser malware from entering the corporate network and infecting endpoint devices, while providing end users with a safe and secure browsing experience. This paper summarizes the underlying architecture and components of the AirGap technology. https://www VM VM Off-Premise Users On-Premise Users Physical Isolation The value of the AirGap technology and architecture begins with its ability to create literal physical separation and isolation between untrusted content and a secure network. Specifically, what this means is that while end users are located inside the network, the active web browser is located on the Isla appliance outside the network. End users inside the network can continue to use their favorite web browser (or a lightweight Isla client viewer), but they no longer have direct access the to web. Instead, desktop browsers connect directly to Isla, which processes all web requests from end users, then fully renders the original web content on the appliance never on the endpoint inside the secure network. Isla then actively and continuously transforms all audio, video, text, and graphics and delivers that to the browser on the desktop (which essentially becomes a viewer ). From a security perspective, this isolation ensures that any malware-infested web content stays on the appliance outside the network. 3

Resource Isolation One of the obvious benefits of isolating the browser outside the network is the resulting isolation of the endpoint (OS, applications, and files) from all browser-borne malware. As a result, cyber criminals can no longer exploit vulnerabilities of the internal browser to gain access to the operating system or any other internal resources on endpoint devices. Instead, malware-infected web sessions are terminated outside the firewall on the Isla appliance. The appliance is designed for maximum security, and only runs SE-Linux, a Type 1 hypervisor, and a specialized browser there are no other sensitive files or personally identifiable information stored on the appliance. Essentially, the Isla appliance is an empty room with no doors, no windows, no information, and no opportunity for malware to access the network and infect the organization. It is where malware goes to die. Session Isolation When end users inside the network initiate an external web session (via a web content request using their normal browser), Each user always enjoys a clean, secure, high performance browsing session. the AirGap technology on Isla automatically creates and launches each user web session within its own isolated VM, administered using a fast, efficient, and secure Type 1 hypervisor. The software VM combined with hardware-assisted isolation enforced with the Intel Virtualization Technology (VT) processor extensions ensure that each user session is completely isolated from all other user sessions. Memory, disk, and CPU resources are not shared between users, thus preventing any form of malicious activity or cross-contamination between user sessions. When a user completes a session, each VM is completely destroyed along with malware that may have been downloaded into that VM. The Isla appliance also destroys any stored data, session cookies, and residual data. This ensures that each user always enjoys a clean, secure, high performance browsing session. Content Isolation As noted above, when original web content is rendered within the Isla VM, it is possible that it could contain malware, and thus should not be delivered to the endpoint in that state. For that reason, the AirGap technology actively and continuously transforms all web content audio, video, text, and graphics to benign multimedia streams. Think of it as a digital distillation process where all content is purified. In this process, all data streams carrying requested content are automatically cleansed of potentially malicious payloads, making it impossible for cyber criminals to inject malformed activity commands within the content. In terms of content delivery to the internal network, all data streams are isolated and kept private with strong AES-256 encryption, which uses 256-bit symmetric key pairs that are generated when a client registers (or re-registers) with the Isla 4

appliance. These keys are used to establish a uniquely encrypted communication path for each individual client to provide complete privacy for each user session. This strategy is far more secure than traditional SSL connectivity. Isolating Attackers Even with the AirGap s complete, end-to-end focus on security through isolation, it is important to be prepared to isolate any suspicious traffic that may target the Isla appliance. To isolate potential intruders, AirGap technology includes active monitoring with trip wires that instantly identify and isolate any malicious traffic. This is actually fairly easy to do on Isla because, remember, the system is purpose-built for specific functions. So if any unauthorized activity, non-standard system states, or blocked processes are found, AirGap technology automatically isolates the out-of-bounds activity and can immediately destroy the VM session (and all malware it may contain). Summary The only effective way to prevent all browser-borne malware attacks known or unknown is to shift the focus from detection to isolation. Specifically, web browser isolation deployed at the gateway outside the firewall is the most secure, most scalable, and least complex way to eliminate the primary threat vector for cyber attacks on the enterprise. And the best solution available is the Isla browser isolation system based on patent-pending AirGap technology from Spikes Security. Learn more or request a demo at www.spikes.com. Spikes Security, 536 N. Santa Cruz Ave., Los Gatos, CA 95030 Tel: +1 855-287-7453 Email: sales@spikes.com www.spikes.com 2015 Spikes, Inc. All rights reserved. Portions of Spikes products are protected under Spikes patents, as well as patents pending. Spikes, AirGap, Isla, and the Spikes Security logo are trademarks or registered trademarks of Spikes, Inc. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Intel is a trademark of Intel Corp. in the U.S. and/or other countries. All other trademarks used or mentioned herein belong to their respective owners. Part# M1008-001US 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information