Back to something more ‘exciting’ than getting the basics right (which is and always will be critical).
Everyone knows how important it is to apply the myriad ‘standard’ controls to end user environments: patching, anti-malware, host IPS, DLP (Data Leakage Prevention), running with minimum permissions and proxying all external access.
However, the end user environment still poses the greatest threat to many organisations. This comes from a combination of the challenges faced in securing these environments and the fact that people are often the weakest link in security, whether through error, manipulation or malicious activity.
How many end user environments really have all of these controls applied appropriately and consistently to every device and every user? The question bites harder when you consider how broad the end user environment is in many companies, in terms of both locations and devices.
How many companies really have a full appreciation of, and appropriate control over, the ‘insider threat’? When I say insider threat I don’t just mean malicious insiders; I mean every way insiders can be a threat to your systems and data: breaking the rules with the best of intentions, accidental error, clicking the phishing link, being coerced, all the way through to the genuinely malicious.
I’ll be writing a post on the insider threat and how to mitigate it in the near future; keep your eyes peeled!
In light of this I have recently been looking at how best to secure the end user environment, with a view to newer, more innovative solutions. There are some very interesting innovations in this space at the moment that provide additional, complementary or better protection than the more traditional solutions.
Four of the most interesting solutions I have looked into recently are:
- Garrison Technology – http://www.garrison.com/ – providing safe browsing
- ReSec – http://www.re-sec.com/ – ensures the files that reach your end user environment are safe by creating replica files with no harmful content
- Hypori – http://www.hypori.com/ – virtual mobile infrastructure
- Ionic Security – https://www.ionic.com/ – ACL-based encryption, anywhere
What do these companies do, and why do I think they are worth highlighting?
The risks associated with web browsing are well known and documented, whether from accessing malicious sites or ‘trusted’ sites that have been compromised. There are various software solutions that claim to segregate or isolate your browser, or its tabs, from the rest of the OS, such as Bromium. If you have concerns about relying on software-based security, and about the fact that the isolation layer could itself be compromised or circumvented by malware on the OS, then there are few choices that provide both a good user experience and security when browsing the web.
One relatively new company that is just coming out more publicly, and that has a great solution to the problem, is Garrison Technology. They provide a hardware solution using ARM chips in a server platform. These are configured in pairs, so that the end user device effectively watches a ‘video’ of the internet sites being browsed. Even if there is malicious content, all the end user device sees is an image of the content, not the content itself. I can’t go into too much detail here yet, but the solution appears very complete, allowing images, video, audio etc. to be viewed seamlessly in the browser, and also permitting keyboard and mouse data to be sent to the site, so you can browse as normal. All while having what is effectively physical isolation from the internet! What is left to assess in a design like this is the two channels that do cross the boundary: the pixel stream coming back to the user and the keyboard and mouse events going out.
There are definitely some great use cases here; an example would be protecting the users with access to your most sensitive data.
Malicious files reaching the end user environment are a huge risk, whether as email attachments or downloaded files. For many years the anti-malware industry has been playing catch-up with increasingly complex solutions comprising traditional AV, heuristics engines, virtual execution environments (sandboxes) and so on.
How much safer would you be if the files reaching the end user environment were guaranteed to be free of malware?
This is now possible. ReSec offer a solution that decomposes files such as PDFs and Office documents, then rebuilds the content into known-good templates that contain no active or malicious content. They call this Disarm and Reconstruction (the industry term is Content Disarm and Reconstruction, or CDR). With this approach potentially malicious content isn’t just blocked or stripped out: the whole file is recreated, containing only content the template knows how to carry. The protection therefore doesn’t depend on recognising the malware at all. The flip side is that anything the template has no slot for, such as macros or embedded objects, is lost too, so expect to need an exception route for files that legitimately rely on them.
This capability is obviously starting to get noticed, as I have seen similar capabilities in Check Point literature, so it may become more mainstream in the near future.
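To make the disarm-and-reconstruct idea concrete, here is an added example in Go. It is not ReSec’s code and says nothing about how their product is built; the type and function names (Package, Rebuild, SampleAttachment) are invented for the illustration, the sample attachment is constructed data, and the OOXML package is modelled as a map of part name to content, leaving out the zip container itself. The untrusted .docx is never copied forward: only the paragraph text is read out, and a fresh document is generated from a fixed skeleton, so the macro project, embedded object and field code in the sample simply have nowhere to go.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Added example, not ReSec's product code: a minimal content disarm and
// reconstruction pass for .docx using only the Go standard library. The OOXML
// package is modelled as a map of part name to content (the zip container itself,
// archive/zip, is left out). Only paragraph text is read from the untrusted file
// and it is written into a fixed, known-good skeleton; macros, embedded objects,
// field codes and every other part are dropped unread rather than scanned.

const wordNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

// Package maps part names (zip entry paths) to their contents.
type Package map[string]string

// The bookkeeping parts a minimal Word package needs, as fixed constants.
const contentTypes = `<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>`
const rootRels = `<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>`

// extractParagraphs keeps only the character data of <w:t> runs, grouped by
// paragraph. Fields, OLE references, styles and attributes are never read into
// the model, so they cannot be written back out.
func extractParagraphs(documentXML string) ([]string, error) {
	var d struct {
		Paras []struct {
			Runs []string `xml:"r>t"`
		} `xml:"body>p"`
	}
	if err := xml.Unmarshal([]byte(documentXML), &d); err != nil {
		return nil, err
	}
	paras := make([]string, len(d.Paras))
	for i, p := range d.Paras {
		paras[i] = strings.Join(p.Runs, "")
	}
	return paras, nil
}

// Rebuild returns a brand-new package holding only the skeleton and the text,
// plus the names of every part of the original that was discarded.
func Rebuild(untrusted Package) (clean Package, dropped []string, err error) {
	for name := range untrusted {
		if name != "word/document.xml" {
			dropped = append(dropped, name) // discarded unread, whatever it claims to be
		}
	}
	sort.Strings(dropped)
	text, err := extractParagraphs(untrusted["word/document.xml"])
	if err != nil {
		return nil, nil, err
	}
	var body strings.Builder
	for _, p := range text {
		body.WriteString(`<w:p><w:r><w:t xml:space="preserve">`)
		xml.EscapeText(&body, []byte(p)) // re-escaped as text: no markup survives the round trip
		body.WriteString(`</w:t></w:r></w:p>`)
	}
	clean = Package{
		"[Content_Types].xml": contentTypes,
		"_rels/.rels":         rootRels,
		"word/document.xml":   `<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="` + wordNS + `"><w:body>` + body.String() + `</w:body></w:document>`,
	}
	return clean, dropped, nil
}

// SampleAttachment constructs a stand-in for an untrusted file: two paragraphs of
// text beside a field code, and placeholder strings (not real payloads) where a
// macro project and an embedded OLE object would sit.
func SampleAttachment() Package {
	return Package{
		"[Content_Types].xml": `<Types/>`,
		"word/document.xml": `<w:document xmlns:w="` + wordNS + `"><w:body>` +
			`<w:p><w:r><w:t>Q3 forecast</w:t></w:r><w:r><w:t xml:space="preserve"> &amp; budget</w:t></w:r></w:p>` +
			`<w:p><w:r><w:fldSimple w:instr="constructed field code"/><w:t>See attached</w:t></w:r></w:p>` +
			`</w:body></w:document>`,
		"word/vbaProject.bin":            "placeholder standing in for a macro project",
		"word/embeddings/oleObject1.bin": "placeholder standing in for an OLE object",
	}
}

func main() {
	clean, dropped, err := Rebuild(SampleAttachment())
	if err != nil {
		panic(err)
	}
	text, _ := extractParagraphs(clean["word/document.xml"])
	fmt.Printf("dropped %v\nkept %d parts with text %q\n", dropped, len(clean), text)
}
```

Run it and the macro project and OLE part appear in the dropped list while the two paragraphs survive, with the ampersand correctly re-escaped; feeding the clean package back through Rebuild changes nothing. Note the cost: the rebuilt file has slots only for what the skeleton supports, so images, tables, tracked changes and any macro the business actually relies on are gone too, which is why a CDR deployment needs an exception route alongside it.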
Hypori is a very interesting one: they offer cloud-based mobile phone capabilities. The idea here is that mobile devices hold more and more data and are being permitted to access more of our environments, so they are becoming an increasingly attractive attack vector. Mobile devices can also be notoriously hard to control, especially when you need to balance control with usability expectations.
What if you could move all of your phone’s capabilities to a secure, managed, cloud-based virtual ‘phone’, effectively turning your smartphone into a glorified terminal?
Hypori offer just such a solution, with the capability to support calls, SMS, applications and video calls: in short, pretty much everything your phone can do locally. The key benefit is that sensitive data never sits on the handset; it all stays on the virtual device in the cloud. So if your phone is lost or stolen, there is no data at rest on it to lose. Be precise about what that does and doesn’t cover: a handset compromised while a session is open can still see what the user sees and types, so the design removes the data-at-rest exposure rather than every risk from a compromised phone.
If you are working on your mobile strategy or have an upcoming mobile refresh, I’d highly recommend investigating this or similar solutions. Like the Garrison solution above, executives and key users with access to sensitive systems and data would be great initial use cases. It depends where you work geographically, but I can think of a few countries where providing this solution to your teams would definitely benefit your security posture!
Encryption, encryption, encryption! This is definitely one of the topics of the moment. Many organisations are getting pretty good at encrypting data at rest, and at basic encryption of data in transit. But how do we ensure our data stays encrypted wherever it is, whatever device it is on?
With most solutions, once a permitted user has access to the data they can save it or forward it on unencrypted. To me this is a pretty large hole in most companies’ data security strategies.
Ionic have a solution that plugs into applications such as the Office tools and embeds itself into each file that is created. Using uniquely generated key pairs for each file, or for each element within a file, Ionic encrypts the data according to ACLs.
Then, no matter where the file is sent or what device it is on, you can only open the file, or see the protected (otherwise redacted) elements, if you have the Ionic software and are listed in the ACLs.
It has a pretty decent user experience, with a ‘splash’ page shown if you can’t access the file telling you what you need to do, and all the key management is internal to the solution, with the capability to scale to trillions of key pairs.
Having seen a demo of this I can agree it is easy to use and appears to work pretty seamlessly. There are some excellent use cases beyond the obvious one of all your files always being encrypted and nobody who isn’t permitted being able to access them. Think, for example, of a legal document where most of the content is public but certain elements, such as company names or monetary amounts, are highly confidential. In this case you can encrypt just those ‘elements’ that need to be confidential, so only the valid users can see them and for everyone else they are redacted. You can also have different permissions, e.g. some people can view and some can edit a document or an element within it.
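Here is the shape of that per-element, ACL-gated model as an added example in Go. It is not Ionic’s code and makes no claim about their key format or protocol; KeyService, Protect, ReleaseKey and Reveal are names invented for the illustration, and the contract contents are constructed sample data. Each confidential element is sealed with AES-256-GCM under its own random key, the element’s ID is bound in as associated data, and the key is held by a key service that hands it out only to principals on that element’s ACL, at the level (view or edit) the ACL grants.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example of ACL-based, per-element encryption; not Ionic's code, and
// KeyService, Protect, ReleaseKey and Reveal are invented names. Each confidential
// element gets its own random key; the file carries ciphertext, never keys.

type (
	Permission int
	ACL        map[string]Permission // principal -> highest permission on one element
	Element    struct {              // what actually travels inside the file
		ID, Public string
		Ciphertext []byte // nil for public text, otherwise nonce||ciphertext
	}
	record struct {
		key []byte
		acl ACL
	}
	KeyService struct{ records map[string]record } // stands in for the vendor's back end
)

const (
	View Permission = iota
	Edit
)

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Protect seals one element under a fresh AES-256-GCM key and records its ACL. The
// element ID is the associated data, so a ciphertext cannot be moved to a laxer slot.
func (ks *KeyService) Protect(id, plaintext string, acl ACL) Element {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no usable entropy source: nothing sensible to do but stop
	}
	key, nonce := buf[:32], buf[32:]
	ks.records[id] = record{key: key, acl: acl}
	return Element{ID: id, Ciphertext: newAEAD(key).Seal(nonce, nonce, []byte(plaintext), []byte(id))}
}

// ReleaseKey is the policy decision point: no ACL entry at the requested
// level, no key, wherever the file has been copied to.
func (ks *KeyService) ReleaseKey(principal, id string, want Permission) ([]byte, error) {
	rec := ks.records[id] // an unknown ID yields a zero record with a nil ACL, so the lookup fails
	if have, ok := rec.acl[principal]; !ok || have < want {
		return nil, fmt.Errorf("%q is not on the ACL of %q at the requested level", principal, id)
	}
	return rec.key, nil
}

// Reveal returns one element as the principal is entitled to see it: the text,
// a redaction marker, or a loud failure if the ciphertext has been tampered with.
func (ks *KeyService) Reveal(principal string, el Element) string {
	if el.Ciphertext == nil {
		return el.Public
	}
	key, err := ks.ReleaseKey(principal, el.ID, View)
	if err != nil {
		return "[REDACTED]"
	}
	aead := newAEAD(key)
	ns := aead.NonceSize()
	if len(el.Ciphertext) < ns {
		return "[INTEGRITY FAILURE]"
	}
	pt, err := aead.Open(nil, el.Ciphertext[:ns], el.Ciphertext[ns:], []byte(el.ID))
	if err != nil {
		return "[INTEGRITY FAILURE]" // modified in transit, or moved from another slot
	}
	return string(pt)
}

// BuildContract is the post's legal-document case with constructed sample data: a
// public clause, a counterparty legal may read and the CFO may edit, a CFO-only amount.
func BuildContract() (*KeyService, []Element) {
	ks := &KeyService{records: map[string]record{}}
	return ks, []Element{
		{ID: "clause", Public: "Governed by the laws of England and Wales."},
		ks.Protect("party", "Acme Holdings Ltd", ACL{"legal": View, "cfo": Edit}),
		ks.Protect("amount", "GBP 4,200,000", ACL{"cfo": Edit}),
	}
}

func main() {
	ks, doc := BuildContract()
	for _, el := range doc {
		fmt.Printf("%-7s legal=%q intern=%q\n", el.ID, ks.Reveal("legal", el), ks.Reveal("intern", el))
	}
}
```

Run it and the CFO sees every element, legal sees the counterparty but a redacted amount, and the intern sees only the public clause; moving a ciphertext into another element’s slot, or flipping a byte of it, is reported as an integrity failure rather than decrypted. Two things a real deployment adds: the key service must authenticate the principal before it releases anything (here the caller’s name is taken on trust), and the control is over key release, so once a permitted user has the plaintext on screen the usual screenshot and retyping exposures still apply.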
I hope you have found this interesting, I’ll write up some more details on these and other solutions as we progress our investigations. What solutions and capabilities are you currently looking at to secure your end user environments?