Containment security solutions for endpoints effectively stop attacks before harm is done

The way to protect PCs is to isolate untrusted tasks. BufferZone and Bromium offer interesting solutions


As cyber attacks continue to increase, organizations are investing heavily in multiple layers of security—at the perimeter (or what's left of it), on the network and at the endpoint. And yet, according to the Ponemon Institute, 43% of U.S. companies experienced a breach in 2013, and that's up 10% over the previous year.

The most vulnerable part of a company's computing environment is the endpoint. Verizon concluded that 93% of successful APTs begin with end user spear phishing or some other type of endpoint exploitation.

Anti-virus and anti-malware applications are still the primary means for protecting the endpoint, and obviously they are less than 100% effective in catching and stopping attacks. It's time for new protective measures to supplement what most companies do to secure PCs.

I've recently come across two companies that have solutions that isolate the most vulnerable activities on the endpoint so an attack that comes in through that vector is mitigated before it can spread. For example, if an end user opens a malicious email attachment or surfs to a website with drive-by malware, those exploits are contained and automatically mitigated.

The first of these companies is the Israeli startup BufferZone. This company has a lightweight solution for PCs running Windows XP and above. BufferZone creates a container on the PC that isolates applications that come in contact with untrusted external sources such as browsers, email, removable media, Skype and so on. From the user perspective, the application runs normally, but from the security perspective, the application is running in a separate, virtual container that is completely isolated from the rest of the endpoint. This creates a buffer that prevents malware from infecting the endpoint and the corporate network beyond. See Figure 1.

Figure 1: BufferZone creates an isolation container for untrusted data sources

BufferZone’s containment technology extends the idea of protected memory, a core technology in modern operating systems, from memory alone to the entire application environment: memory as well as files, registry and more.

Windows applications must have read/write access to files and registry data. But it is also through the file system and registry that viruses, worms, Trojan horses, spyware and other malware are installed. BufferZone addresses this with a driver that resides in the operating system kernel and filters application-level I/O requests. Non-trusted applications are allowed to read from the file system and the registry, but as soon as they attempt to write or modify a file or registry key, the action is performed on a different area of the disk. All future read/write operations from that non-trusted application are redirected to the container. This I/O redirection is completely transparent to both the application and the end user.

As a result, any harm inflicted by malware is sealed off in the virtual environment. Neither the endpoint nor the corporate network is infected. New threats with unpredictable behaviors are contained just as effectively as known malware.

BufferZone’s endpoint security solution also includes a feature called SecureBridge, a configurable process for extracting data from the container, removing any threats and then moving the data into the trusted zone of the network. The solution also has detailed reporting and integration with SIEM and Big Data analytics to identify targeted attacks.

BufferZone is installed, updated and managed through common endpoint management platforms from companies like LANDesk, McAfee and Microsoft. The solution is transparent to end users, so productivity is preserved while security is enforced.

The second company, Bromium, also has an isolation approach, which it calls micro-virtualization. Every time a user performs some type of untrusted task – say opening an email, browsing the Web or sharing files – Bromium vSentry isolates the task in a micro-virtual machine (micro-VM). Malware that may enter the micro-VM through vulnerable applications or malicious websites can’t access vital data, the operating system of the protected endpoint, other applications, or the corporate network. When the user has completed the task, the micro-VM is discarded, and along with it any malware – either known or zero-day – that may be present. See Figure 2.

Figure 2: Bromium vSentry uses micro-virtualization to isolate untrusted tasks

Bromium micro-virtualization technology uses the Bromium microvisor, a purpose-built, Xen-based, security-focused hypervisor, in conjunction with the hardware virtualization (VT) features built into Intel, AMD and other CPUs. (Some of the founders of Bromium had key roles in developing the Xen hypervisor, so they have strong expertise in this area.) The solution creates hardware-isolated micro-VMs on the fly for each task a user performs on information originating from unknown sources. These micro-VMs provide a secure environment where user tasks are isolated from one another, from the protected system and from the network it is attached to. The system defends itself by design.

Bromium vSentry is deployed as a Windows MSI. It is not visible to end users, so they aren't even aware it is there, but the endpoint is resilient enough to shut down any kind of attack.

This solution transforms the ability to gain intelligence about an attack. Because the user tasks are isolated, Bromium can allow "bad stuff" to execute, analyze its behavior and characteristics, and apply that threat intelligence across all endpoints and the entire network to defend against future attacks. This process eliminates false positives and delivers complete, real-time forensics for any task that is attacked on an endpoint.

Both Bromium and BufferZone eschew the notion of trying to detect malware on an endpoint before it can execute. Instead the idea is to let the malware execute in a totally isolated environment where it can do no harm and where IT can learn about it to build better defenses for the next time—all the while preserving end user productivity and a good user experience.
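The following is an added illustration, written for this page rather than taken from BufferZone or Bromium, of the ideas described above: the kernel-level filter that lets untrusted applications read through to the real file system and registry but redirects every write into a container, the per-task micro-VM that is thrown away when the task ends, the policed bridge that moves only approved data out of the container, and the forensic record that both approaches make possible because the container holds exactly what the untrusted code tried to change. Every class, function, path and registry key below is hypothetical, and the real file system, registry and "malicious attachment" are constructed in-memory stand-ins.

```python
"""Toy model of endpoint containment by I/O redirection.

Added example for illustration only; not vendor code. The "file system"
and "registry" are one flat dict, and all names and paths are made up.
"""

DELETED = object()  # tombstone: untrusted code "deleted" an entry it may not touch


class RedirectingFilter:
    """Models an I/O filter between applications and the protected system."""

    def __init__(self, real_fs):
        self.real_fs = real_fs   # the endpoint's real files and registry
        self.container = {}      # every untrusted write lands here instead

    def read(self, trusted, key):
        """Trusted code reads the real system; untrusted code sees its own
        redirected writes first and falls through to the real data."""
        if not trusted and key in self.container:
            value = self.container[key]
            return None if value is DELETED else value
        return self.real_fs.get(key)

    def write(self, trusted, key, value):
        target = self.real_fs if trusted else self.container
        target[key] = value

    def delete(self, trusted, key):
        if trusted:
            self.real_fs.pop(key, None)
        else:
            self.container[key] = DELETED  # the real entry stays untouched

    def changes(self):
        """Forensic record: (original value, attempted value) per key."""
        return {
            key: (self.real_fs.get(key), "<deleted>" if value is DELETED else value)
            for key, value in self.container.items()
        }

    def extract_to_trusted(self, allowed):
        """Bridge out of the container: copy only entries that pass the
        policy callback into the real system; everything else stays sealed."""
        moved = []
        for key, value in list(self.container.items()):
            if value is not DELETED and allowed(key, value):
                self.real_fs[key] = value
                del self.container[key]
                moved.append(key)
        return moved

    def discard(self):
        """Micro-VM style teardown: keep the record, drop the container."""
        record = self.changes()
        self.container = {}
        return record


def run_isolated_task(real_fs, task):
    """Run one untrusted task in a fresh container and discard it afterwards."""
    flt = RedirectingFilter(real_fs)
    task(flt)
    return flt.discard()


def malicious_attachment(flt):
    """Constructed sample task: what a booby-trapped document might attempt."""
    flt.write(False, "C:/Users/alice/Documents/report.docx", "edited text")
    flt.write(False, "HKCU/Run/updater", "C:/Temp/updater.exe")  # persistence attempt
    flt.write(False, "C:/Temp/updater.exe", "MZ header bytes")    # dropped payload
    flt.delete(False, "C:/Windows/System32/system.dll")
    # From inside the container the deletion appears to have succeeded.
    assert flt.read(False, "C:/Windows/System32/system.dll") is None


def demo():
    real_fs = {
        "C:/Windows/System32/system.dll": "dll bytes",
        "C:/Users/alice/Documents/report.docx": "original text",
    }
    baseline = dict(real_fs)
    # 1. Disposable per-task container: nothing persists, the record survives.
    record = run_isolated_task(real_fs, malicious_attachment)
    unchanged = dict(real_fs) == baseline
    # 2. Persistent container plus a policed bridge: only the edited document
    #    passes policy; the dropped executable and registry key stay sealed.
    flt = RedirectingFilter(real_fs)
    malicious_attachment(flt)
    moved = flt.extract_to_trusted(
        lambda key, value: key.startswith("C:/Users/") and key.endswith(".docx"))
    return {
        "real_fs_unchanged_after_task": unchanged,
        "record": record,
        "moved": moved,
        "sealed": sorted(flt.changes()),
        "real_fs": real_fs,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The tombstone handling is the edge case worth noticing: an untrusted process that deletes a protected file must see it gone on its next read, or the application misbehaves, yet the real entry must survive. The same container diff that keeps the endpoint clean is what an analyst would pull before the micro-VM is discarded.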

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.