Nick Lowe, Check Point: Taking the Shield to Protect Mobile Computing
September 2009 by Nick Lowe, Check Point’s Regional Director for Northern Europe
Technology has come a long way in the last 850 years, but we can still learn a thing or two from our medieval ancestors. Take security, for example. After the Norman conquest of Britain, the new administrative centres and power bases of the country were quickly strengthened against attack.
Hilltop fortifications of earth and wood were replaced by imposing castles made of stone, with multiple layers of security built in. These protected the newly centralised trade and business operations against theft and external attacks, and controlled third-party access – rather like the perimeter defences, intrusion protection systems and VPNs of a typical company’s network.
And if important figures left the protection of the castle, they would wear armour and carry a shield for extra defence against all types of weapon. But do corporate endpoints – laptop computers and smartphones – have the same level of protection?
Unfortunately, it seems that unlike their medieval counterparts, modern mobile workers are not as well prepared for attacks when they are away from the relative safety of the corporate ‘castle’.
Outside the walls
In a recent global survey of senior IT staff within enterprises, just 49% of respondents said that they had firewalls on their corporate laptops. Fewer than half had VPN clients deployed to secure remote access, and only 56% had antispyware on laptops. However, 90% said that they used antivirus software.
This means many business laptops are left vulnerable to a range of attacks when their users are away from the office: in many cases, they rely on luck rather than protection to avoid an attack. So what type of armour and shield should businesses equip these machines with?
Although multiple endpoint security solutions are available, the nature of external threats is evolving. This means that traditional security approaches – such as the antivirus solutions deployed on the majority of machines – may not defend against the latest types of web threat.
New threats need new defences
Over the last four years, malware authors have developed new techniques which can evade detection by traditional antivirus solutions and security suites, infecting users who think they are protected. These new attacks are focused on stealing personal or corporate information for financial gain, and include phishing attacks via fake Web sites, drive-by downloads from malware-infected sites, and keyloggers that pose a major security risk.
These web-based threats are also using a new vector for attack. They try to gain access to users’ machines via the application used to reach the web – the web browser. This means supplementing the traditional security ‘armour’ for laptops (firewalls, antivirus, antispyware and so on) with additional protection specifically for the web browser application.
Just as medieval noblemen would carry a shield to stop attacks before they hit the body, so the web browser needs a shield to absorb attacks, and protect identities and data against both high-profile and stealthy infiltration attempts.
A virtual shield
How should this ‘browser shield’ work? In effect, it’s a protective shell that surrounds the browser application itself. When the user launches the web browser to connect to the Internet, the shield launches a virtualised browser session that sits between the user’s PC and the Internet.
This virtualised browser is a duplicate version of the user’s real session, with a duplicated, virtualised file system, registry and system calls. This has the effect of isolating the browser session from the laptop’s OS, and the OS from the web – in turn protecting the PC itself against web threats. It’s done transparently to the user, so it does not force users to change their online behaviour and does not slow down a browsing session. It can also detect whether a system call was initiated by the user or was an automated call – so user-generated calls can be acted on as normal, and automated calls directed to the virtualised session.
The browser in the bubble
This dual-browser mode has a number of key benefits. It segregates corporate data from the Internet, putting the browser session in a secure ‘bubble’ so that details keyed in by the user online cannot be spied upon either by web-based or PC-based malware.
It can also be made to automatically scan for malware using both heuristic and signature-based techniques and warn users if a problem is detected, or if the site is known to be infected, while still giving them the ability to access the site if corporate policies allow. This is possible because the malware attacks the duplicate, virtual browser, not the user’s PC.
Furthermore, as the session is virtualised, any data from the user’s session is deleted when the user closes the browser – as well as any malware inadvertently downloaded during the user’s time online. This leaves no trace of the user online, and no malware on the user’s PC, drastically cutting the risk of data loss, or of an infection being able to attack the corporate network from a user’s remote laptop.
So while businesses still have some way to go before they can truly secure their remote users and endpoints, there is now a technique that can protect against the latest web threats and can be fully integrated with other endpoint protections. Just as his shield might save a nobleman’s life, virtualised browsing could do the same for your network.