Enable Your Enterprise to Browse ALL THE WEB WITHOUT THE RISK

Introduction

Over 90 percent of undetected malware infects the enterprise via the Web browser.* Historically, solutions have been built around the idea of 100 percent prevention, either by removing vulnerabilities or by detecting attacks before they are executed. Neither of these approaches has been completely effective. In fact, Brian Dye, Symantec’s senior vice president for information security, went as far as saying that antivirus is dead in a 2014 interview with the Wall Street Journal.

Browsers have become far too complex to be free of bugs and vulnerabilities. They execute multiple types of active content, including some or all of JavaScript, Java, Flash, ActiveX, and HTML5. A flaw in any of these, or in the browser engine itself, opens the host computer to compromise, and ultimately puts the enterprise at risk.

Detection has similarly fallen short in the cat-and-mouse game between attacker and defender. Encryption and malware polymorphism allow known threats to continue to evade anti-malware tools. Intelligent and targeted malware now takes care to avoid executing in the virtual environments used by security researchers, avoiding identification as malware. Many attacks are becoming highly targeted, only triggering the malignant behavior in the presence of the chosen victim.

The risks from browsers go beyond malware infection. Intentional, accidental or passive loss of sensitive information also happens most often through the browser. Ubiquitous active content and the increasing use of encryption by websites make this harder to monitor and control.

The browser is the enterprise’s Achilles’ heel. Securing the browser must be our No. 1 priority, but doing so requires a completely different approach.

Ntrepid’s Solution: Passages

Passages is a secure, virtualized browser that evolved from Ntrepid’s secure cyber operations platforms.
These tools allowed our government customers to engage in online activities in extremely hostile environments without risk to the mission or compromising their infrastructure. While many of the capabilities in those solutions are applicable only to a few, the security and identity control capabilities are desperately needed everywhere.

We created Passages to address the full range of Web-based vulnerabilities. We start from the assumption that browsers themselves will never be invulnerable to attack, and that many of those attacks will evade detection. The key to next-generation defenses is containment and mitigation. When the browser is compromised, that should not lead to further compromise of the host computer, exposure of company information, or access to company assets. Furthermore, compromises must be quickly and effortlessly repaired, and all systems returned to a known good and pristine state at a moment’s notice. Finally, the browser must be fully and directly integrated into the larger enterprise through monitoring, alerting and enabling oversight systems to ensure control over what enters and exits the enterprise networks.

To accomplish this, the Passages secure browsing platform is built around a conventional Web browser running in a hardened virtual environment. The browser can only communicate with the Internet over a secure VPN, isolating its activity from the host network. This provides an ideal single and accessible choke point for monitoring and filtering.

* http://media.paloaltonetworks.com/documents/The-Modern-Malware-Review-March-2013.pdf

US Patent 8,375,434 B2 System For Protecting Identity In a Network Environment - allows users to securely browse online by masking their true location and other identifying information.
©2014 Ntrepid Corporation. All rights reserved. www.NtrepidCorp.com 12-14-002
Three Paths to Security

Passages takes three paths to provide comprehensive protection for Web activities.

• Isolate the Vulnerability
• Control Identification
• Integrate into the Enterprise

Isolate the Vulnerability

Because the browser itself can’t be trusted to remain secure, it is critical to keep it isolated from the valuable data and infrastructure in the business. This ensures that any malware that penetrates the browser is contained. If it can’t access local files or processes, it will not be able to take control of the local host. Passages provides full system isolation through a hardened virtual machine. If the malware can’t even see any other devices on the local network (printers, servers and other often poorly secured devices), it can’t expand its beachhead to other devices. Passages uses a VPN to create complete network isolation.

By isolating the attack within a small, restricted environment, nascent compromises can be quickly remediated. The entire virtual machine can be destroyed and re-created from a known good copy in a matter of seconds. Because of the near-zero cost of doing so, it can be done frequently and automatically to remove even undetected malware. Because all Web traffic can be constrained to come from this single browser, all of the communications can be monitored and stored to ensure oversight and compliance.

Control Identification

Increasingly, attacks are very narrowly targeted. For anyone not in the target population, the malware remains completely inert. This is a clever tactic by attackers to avoid detection and maintain the utility of their exploits for as long as possible. This tactic also creates an opportunity for the defender: if you can’t be identified as who you are, the targeted malware will ignore you.

Identification also leads to a different kind of data loss: passive information leakage. Every website can easily monitor the activities of all their visitors.
By analyzing this activity they can gain valuable information about investment plans by financial institutions, acquisition plans by other companies, R&D efforts by competitors, and more. By hiding the identity of the visitor and preventing tracking, Passages ensures that the website is unable to effectively analyze or apply the information they collect.

Additionally, many websites provide different information, including pricing, products and messaging, based on who and where the visitor appears to be. Sometimes that information or misinformation is targeted at competitors. In many cases it is useful to be able to look at a website from multiple perspectives to get a full understanding of what they are doing.

Integrate into the Enterprise

Stand-alone point solutions are no longer appropriate for enterprise security. It is critical that all aspects of operations and security are integrated in terms of monitoring, alerting, deployment and maintenance. Security tools need to be able to feed their monitoring data to a centralized repository where anomaly detection and alerting tools can consider a holistic view over the entire enterprise at once. Additionally, the increasing use of encryption, like SSL, and highly dynamic website content are making firewall-based monitoring of Web activity more difficult and less effective. Passages provides the ideal source of ground truth about user behavior by capturing user activity directly from the browser before any encryption. Passages also integrates with existing enterprise security assets already in place and is designed to work with existing firewall, IDS, DLP, and Web filtering devices.
Furthermore, Passages leverages existing deployment and management tools and integrates with single sign-on systems, including Active Directory.

Four Key Technologies

Passages’ secure browsing platform is composed of four key components:

• Virtual Machine
• Virtual Private Network
• Safehold
• Insight

Virtual Machine

The core of Passages is a secure virtual machine (VM). When Passages launches, it cryptographically verifies the integrity of the ISO image used to create the virtual machine. That image is read-only, so every time the VM is run it is guaranteed to be clean and safe. The secure VM can run locally, or alongside the user’s image in a VDI environment.

Passages’ VM runs a hardened and lightweight Linux operating system. We have stripped out all unnecessary components to reduce size and minimize possible vulnerabilities. This provides the smallest possible attack surface. Almost none of the attacks launched are even capable of executing against a Linux system.

Once it is proven secure, the VM boots up and locks itself down before launching the browser. The browser is the only part of the VM visible to the user, and from the user’s perspective, Passages is just a standard browser. The browser in the VM runs as an unprivileged user, further reducing the possibility of even temporarily infecting the restricted Passages environment.

The VM is completely destroyed at the end of every session, or any time the user desires. This eliminates any malware, trackers, or anything else that may have gotten onto the VM. For user convenience, bookmarks and some other information (as allowed by the administrator) are persisted to the Passages servers and loaded back onto the VM each time it runs.

Virtual Private Network

Passages uses a VPN combined with routing and firewall rules within the VM to completely isolate the VM and the browser from the local network.
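The Virtual Machine section above describes a fixed lifecycle: verify the image before anything from it runs, start from a clean copy, and at the end of the session throw the whole working set away, keeping only what the administrator has allowed (bookmarks, for example). The following is an added illustration of that lifecycle, not Ntrepid's code. The paper does not say which cryptographic check it uses for the ISO image; this example assumes a SHA-256 digest pinned in the launcher, and the allow-list of persistable keys is a constructed administrator policy.

```python
"""Ephemeral browser-VM session: verify the image, run, persist only what the
administrator allows, destroy everything else.

Added illustration, not Ntrepid's code. Assumes the image is vetted against a
SHA-256 digest pinned in the launcher, and that the administrator policy is a
simple set of state keys allowed to survive a session.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so a large ISO is never loaded whole


def image_digest(path: str) -> str:
    """SHA-256 hex digest of the (read-only) VM image file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, pinned_hex: str) -> bool:
    """True only if the image matches the pinned digest (constant-time comparison)."""
    return hmac.compare_digest(image_digest(path), pinned_hex)


class BrowserSession:
    """One VM session: refuses to start on a bad image, forgets all state on end."""

    def __init__(self, image_path: str, pinned_hex: str, persist_allowed: frozenset):
        self.image_path = image_path
        self.pinned_hex = pinned_hex
        self.persist_allowed = persist_allowed  # keys the administrator lets survive
        self.state = "new"
        self.workdir = None
        self.vm_state = {}  # everything the browser accumulates while running

    def start(self) -> str:
        # Verification happens before anything from the image is executed.
        if not verify_image(self.image_path, self.pinned_hex):
            self.state = "refused"
            return self.state
        # A fresh, empty working set for this run; nothing from earlier sessions.
        self.workdir = tempfile.mkdtemp(prefix="browser-vm-")
        self.state = "running"
        return self.state

    def record(self, key: str, value) -> None:
        """The browser writes state (bookmarks, cookies, cache, ...) during the session."""
        if self.state != "running":
            raise RuntimeError("session is not running")
        self.vm_state[key] = value
        with open(os.path.join(self.workdir, key), "w") as f:
            f.write(repr(value))

    def end(self) -> dict:
        """Destroy the VM working set; return only allow-listed items for upload."""
        persisted = {k: v for k, v in self.vm_state.items() if k in self.persist_allowed}
        if self.workdir:
            shutil.rmtree(self.workdir, ignore_errors=True)
        self.vm_state = {}  # cookies, cache and any implanted files go with the VM
        self.state = "destroyed"
        return persisted


def demo():
    """Constructed walk-through: a good image runs and keeps bookmarks only;
    the same image, tampered with afterwards, is refused."""
    tmp = tempfile.mkdtemp(prefix="image-")
    image = os.path.join(tmp, "browser.iso")
    with open(image, "wb") as f:
        f.write(b"constructed stand-in for a read-only VM image\n" * 100)
    pinned = image_digest(image)  # would be baked into the launcher in practice

    session = BrowserSession(image, pinned, frozenset({"bookmarks"}))
    assert session.start() == "running"
    session.record("bookmarks", ["https://intranet.example/"])
    session.record("cookies", {"sessionid": "abc123"})
    workdir = session.workdir
    persisted = session.end()

    with open(image, "ab") as f:  # tamper with the image after the fact
        f.write(b"\x00")
    tampered = BrowserSession(image, pinned, frozenset({"bookmarks"})).start()
    shutil.rmtree(tmp, ignore_errors=True)
    return persisted, os.path.exists(workdir), tampered


if __name__ == "__main__":
    print(demo())  # ({'bookmarks': ['https://intranet.example/']}, False, 'refused')
```

The order matters: the digest check runs before the working directory even exists, and end() filters the persisted state before deleting the directory, so a key the administrator never allowed (the cookies above) cannot leak into the next session by any path.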
As part of the lockdown phase, after the VM boots but before the browser is launched, Passages establishes a VPN connection to a server located in Ntrepid’s cloud network or at a customer’s facility outside the secure perimeter. The VM is configured so that the VPN is the only allowed network device for any Internet traffic in or out of the VM. This restriction ensures that, were malware to access the VM, it would not be able to see, map or attack any other infrastructure within the network.

Using a second VPN from the server, users have the option to direct their traffic through a Global IP hub of their choice, allowing them to easily control who and where they appear to be. This is what allows users to avoid targeted attacks and prevent others from capitalizing on passively leaked information.

Maximum security can be achieved by setting up the enterprise network so that the Passages VPN is the only allowed path for Internet connections outside the local network. Passages is easy to monitor and filter, making it the perfect platform for DLP. Locking down other paths to the Internet forces all activity through that choke point.

Safehold

One of the biggest vulnerabilities associated with a browser is its ability to download files directly onto a local machine without prior vetting. It is far too easy for hostile websites to initiate “drive-by downloads” that will place malware on the user’s local desktop. Passages saves all files to a folder remotely mounted from the Passages Safehold server in our secure cloud environment (located in Ntrepid’s data centers or at the customer’s facility).
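The Virtual Private Network section above states the rule in one sentence: the VPN is the only allowed network device for traffic in or out of the VM. What that rule has to tolerate in practice is less obvious, so here is an added example, not Ntrepid's code, that models the VPN-only egress policy as a decision function and renders the same policy as an nftables ruleset for the VM's own firewall. Interface names, the VPN server address (an RFC 5737 documentation address) and port, and the DHCP exception are constructed assumptions; it also assumes the VPN endpoint is configured by IP so no DNS is needed on the physical interface.

```python
"""VPN-only egress policy for the browser VM: an evaluable model plus the
equivalent nftables ruleset.

Added illustration, not Ntrepid's code. Interface names, VPN server address
and port, and the DHCP exception are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

PHYS_IFACE = "eth0"   # assumed: the VM's bridged/NAT NIC, its only path to the LAN
VPN_IFACE = "tun0"    # assumed: the tunnel device that exists once the VPN is up
VPN_SERVER = ipaddress.ip_address("203.0.113.10")  # assumed, documentation address
VPN_PORT = 1194       # assumed UDP port of the VPN endpoint
# Ranges the tunnel must never be used to reach: the local network the paper
# wants the browser to be unable to "see, map or attack".
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    oif: str        # outgoing interface
    dst: str        # destination IPv4 address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 for protocols without one)


def egress_decision(pkt: Packet) -> str:
    """'accept' or 'drop' for one outbound packet under the VPN-only policy."""
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.oif == "lo":
        return "accept"
    if pkt.oif == VPN_IFACE:
        # Inside the tunnel everything is allowed except the local ranges, so
        # even a misrouted tunnel cannot reach printers or file servers.
        return "drop" if any(dst in r for r in LOCAL_RANGES) else "accept"
    if pkt.oif == PHYS_IFACE:
        # The physical NIC may carry exactly two things: the DHCP request the VM
        # needs to get an address at all, and the VPN transport itself.
        if pkt.proto == "udp" and pkt.dport == 67:
            return "accept"
        if dst == VPN_SERVER and pkt.proto == "udp" and pkt.dport == VPN_PORT:
            return "accept"
        return "drop"
    return "drop"  # any other interface: default deny


def render_nftables() -> str:
    """The same policy as an nftables ruleset (loadable with `nft -f`)."""
    local_set = ", ".join(str(r) for r in LOCAL_RANGES)
    return "\n".join([
        "table inet browser_vm {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{PHYS_IFACE}" udp dport 67 accept',
        f'    oifname "{PHYS_IFACE}" ip daddr {VPN_SERVER} udp dport {VPN_PORT} accept',
        f'    oifname "{VPN_IFACE}" ip daddr {{ {local_set} }} drop',
        f'    oifname "{VPN_IFACE}" accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables())
```

Both chains default to drop, so anything not listed (a direct HTTPS connection on eth0, a print job to a LAN printer, traffic from an interface that was not expected to exist) is silently discarded; the decision function makes that behaviour testable without loading rules into a kernel.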
In the Safehold server, the files are tested against multiple best-of-class anti-malware tools. If they are shown to be safe, the user can initiate a download to their local computer. Only safe files that are intentionally requested by the user can ever make it to the local desktop (although administrators can provide access to flagged files for analysis).

Insight

SSL encryption and active Web applications make conventional firewall-based user monitoring less effective. Insight provides monitoring and analytics for user activity within Passages. Activity monitoring takes place through a browser plug-in, so it is captured directly at the source before any encryption can take place. Insight may be configured to capture basic URL logs or extremely detailed and granular information and file captures. All captured information is streamed to the Insight servers (located in the Ntrepid cloud network or at the customer’s facility) effectively in real time.

Due to the challenges of analyzing raw data, Insight provides two options for turning it into actionable information. First, Insight includes a sophisticated interactive analysis tool for quickly discovering patterns and anomalies, and drilling down to their source. Second, Insight can stream all the captured information into third-party platforms already in use in the enterprise (like Splunk) and through syslog.

Conclusion

With over 90 percent of undetected attacks coming through the browser, the enterprise is in a perpetual state of compromise. Threats now go beyond simple malware to highly targeted spear attacks, targeted misinformation and information leaks. The existing browser paradigm fails to mitigate any of these vulnerabilities. Passages is the only solution to offer the enterprise all the Web without the risk by:

• Isolating all browser vulnerabilities — ensuring that attackers are unable to access or damage sensitive data or equipment.
• Controlling your identification — preventing targeted attacks and mitigating passive information leakage.
• Integrating into the enterprise — guaranteeing full user oversight, comprehensive monitoring, and central management of user Web activity.