How To Defeat Advanced Malware. New Tools for Protection and Forensics


"How To Defeat Advanced Malware: New Tools for Protection and Forensics" is a free continuing education class designed specifically for CIOs, CTOs, CISOs and senior executives who work within the financial industry and are responsible for their company's endpoint protection.

Published in: Education

Slide 1: How To Defeat Advanced Malware: New Tools for Protection and Forensics
This online continuing education course is available through a professional courtesy provided by Bromium HQ, 20813 Stevens Creek Blvd, Cupertino, CA 95014, phone 855-625-2683, info@bromium.com. © Concise Courses USA. The material contained in this course was researched, assembled, and produced by Concise Courses USA and remains their property. Questions or concerns about the content of this course should be directed to the program instructor.

Section 1: Productivity vs Security

Slide 3: Productivity vs. Security
The internet enables unprecedented increases in efficiency, productivity and creativity, while posing the greatest risk of damage and loss to digitally enabled organizations of all forms and sizes.

Slide 4: The Empowered Consumer
End-users demand free access to, and unrestricted use of, the web's information to maximize their ability to get their jobs done effectively: search, social networking, mobile apps and mobility; internet services such as social media, SaaS, collaboration and storage; and personal equipment such as home PCs, laptops, tablets and smartphones.

Slide 5: One approach: lock them all down
At the same time, organizations have been forced to impose restrictions and cumbersome procedures to try to secure their information and resources from attack.

Slide 6: False sense of security
Today's end-user computing environment has expanded beyond the traditional control of the inner walls of the enterprise, so a solution is needed that provides effective endpoint security for the enterprise as well as a high-performance interface for the user.

Slide 7: The Fundamental Problem
The fundamental problem with security today is the legacy computing architecture inherited from a much simpler time, when computers were isolated systems accessible only to IT staff and corporate employees. The operating systems and many of the applications we use today were developed with little concern for the introduction of hostile or "untrustworthy" applications or data. These systems have not kept pace with the growth in connectivity: our computer systems still have no way to decide whether a document or an application is trustworthy or hostile. Malware continues to exploit the interaction between and within the software installed on a system to achieve its goals, with little protection provided by the system itself.
Section 2: Current IT Security Products

Slide 2: Network Firewalls and Anti-Virus Programs
Current IT security products have evolved in response to the earliest cyber-attacks of the 1980s. Network firewalls were developed to foil attacks originating across network links and to isolate the entire network. Anti-virus programs were developed to address the new phenomenon of "infected" files being shared via floppy disks, and attempted to isolate individual computers from harm. Simply put, new security products have been continually "layered on" as new attack vectors, such as the Internet, have become available.

Slide 3: Is the data or the application trustworthy?
Each layer tries to solve the same problem: is the data or the application trustworthy? Untrustworthy content is detected and blocked, and trustworthy content is allowed, but if an incorrect decision is made, the malware is free to interact with, and compromise, all the other parts of the system.

Slide 4: Malware is now designed to evade detection
By leveraging zero-day exploits, polymorphism and the rapid evolution of web technology, malware evades "detection"-based security solutions and infiltrates the organization by exploiting the inherent trust between operating system components. It may be weeks or months before a successful attack is discovered; meanwhile, valuable information can be stolen or critical infrastructure disrupted by the attackers.
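The slide above argues that polymorphism defeats detection-based products. The following added example, written for this page and not taken from the course or from Bromium, shows the mechanism on a constructed, inert payload: a hash-signature scanner recognises the original sample, every repacked variant evades it, and the sample only becomes recognisable again after its decoder has run, which is the moment an isolated execution can still observe and discard it. The payload bytes, the XOR packer and the scanner are all assumptions made for illustration.

```python
"""Added example (written for this page, not from the course or Bromium):
why byte-signature matching fails against a polymorphic payload, and why the
payload only becomes recognisable again once its decoder runs.
Every byte here is constructed and inert."""
import hashlib
import os

# Constructed stand-in for a malicious payload body (plain text, not code).
PAYLOAD = b"CONSTRUCTED-PAYLOAD: open backdoor, exfiltrate documents"

# Signature database as a hash-based AV engine would hold it: the SHA-256 of a
# sample captured after it had already compromised someone else.
KNOWN_SIGNATURES = {hashlib.sha256(PAYLOAD).hexdigest()}


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the smallest possible polymorphic packer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(key: bytes = b"") -> bytes:
    """One polymorphic variant: a 4-byte key followed by the encoded body.
    A fresh random key per variant changes the bytes of the file and hence
    its hash, while the decoded behaviour stays identical."""
    key = key or os.urandom(4)
    return key + xor_encode(PAYLOAD, key)


def unpack(variant: bytes) -> bytes:
    """The decoder stub every variant carries: recover the original body."""
    key, body = variant[:4], variant[4:]
    return xor_encode(body, key)


def signature_match(blob: bytes) -> bool:
    return hashlib.sha256(blob).hexdigest() in KNOWN_SIGNATURES


def distinct_hashes(variants) -> int:
    """How many different file hashes a scanner would have to know."""
    return len({hashlib.sha256(v).hexdigest() for v in variants})


def static_scan(variants) -> int:
    """Hits for a scanner that hashes files on disk without running them."""
    return sum(signature_match(v) for v in variants)


def runtime_scan(variants) -> int:
    """Hits once each variant's decoder has run, which is the point at which an
    isolated, introspected execution can still identify and discard it."""
    return sum(signature_match(unpack(v)) for v in variants)


if __name__ == "__main__":
    samples = [make_variant() for _ in range(10)]
    print("variants:", len(samples), "distinct hashes:", distinct_hashes(samples))
    print("static hits:", static_scan(samples), "runtime hits:", runtime_scan(samples))
```

Real packers are far more elaborate than a four-byte XOR, but the property the slide relies on is the same: a static signature fixes on bytes the attacker controls, whereas the unpacked behaviour is fixed by what the malware has to do, which is why the deck argues for containing the execution rather than trying to recognise the file.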
Section 3: End Users Have Emerged As The Weak Link

Slide 2: Users Are One Click Away From Compromising Their Desktop
With the proliferation of web, email and social media, users are one click away from compromising their desktop. No one is immune to social engineering techniques that trick users into clicking on links, opening email attachments, or plugging in USB devices. End-users have emerged as the weak link in enterprise security. [Figure: social media landscape]

Slide 3: BYOD
Whether users are at home, on an airplane, in a coffee shop, or in an international hotel whose network runs a malicious DNS server, they cannot be easily protected by traditional network-centric security devices, simply because they are working outside the network perimeter and communicating directly with an untrusted network.

Slide 4: Backhauling
The standard option today is to backhaul the connection to the corporate network gateway and then forward it out to the Internet. That can have a significant impact on end-user experience, performance, and productivity for mobile workers. [Figure: remote user, WiFi, base station, backhaul station, Internet]

Slide 5: C-Suite Executives
Executives are the least restricted yet most targeted class of users. They are highly mobile and often choose devices not sanctioned by IT to get their jobs done. Because of their level of access to sensitive data they are frequent targets of spear phishing campaigns, and they and their support staff must make daily decisions to open external email attachments and click on unknown URLs.

Slide 6: End User Hardware
Attackers view laptops and desktops as attack vectors, effectively launching pads, into the enterprises they seek to penetrate.

Slide 7: Patch Tuesday
Attackers exploit vulnerabilities in operating systems, browsers, and third-party software such as Java and Flash. With more than a hundred million lines of code on any given laptop or desktop, vulnerabilities are often discovered faster than patches can be created and applied to the vulnerable machines. It is a losing proposition to rely on "Patch Tuesday" or any other carefully planned schedule to keep systems properly patched, or to detect exploits or vulnerabilities.

Slide 8: SaaS and Cloud Based Applications
Today's targeted malware seeks to use compromised PCs not only to access the enterprise network but also to access critical SaaS and cloud applications. Corporate security policies will often disallow access to these Internet-hosted applications and storage assets unless users are connected to the corporate network or using a corporate device. However, if a corporate PC is compromised, attackers are able to masquerade as a legitimate user and then extract sensitive data from these online repositories.

Slide 9: VDI Empowerment
[Figure: local user, offshore user, teleworker]
Not long ago virtual desktops were considered more secure than physical desktops because VDI OS partitions are regularly rebuilt from a gold image. However, attackers have since learned to bypass this control by adding malware to the user's profile, which is restored on top of the rebuilt image. When virtual desktops are deployed in the same datacenter as sensitive information, VDI can actually increase the enterprise attack surface.
Keep your data and applications secure:
• Reduce vulnerabilities
• Use centralized policies
• Virtualized and centralized data storage
Address dynamic requirements:
• Workforce mobility
• Connectivity with partners
• New employee onboarding

Slide 10: Security Spending
Enterprises have spent billions of dollars on security but cannot stop all of today's attacks.

Slide 11: Blacklisting
The blacklisting approach can only detect known threats, and fails to stop the sophisticated malware used in today's targeted attacks.

Slide 12: Whitelisting
The whitelisting approach, i.e. allowing only trusted applications such as a corporate browser or PDF reader, is ineffective on its own because attackers take advantage of the fact that enterprises are slow to update their software, and use malicious content and documents to exploit the supposedly trustworthy applications.
Section 4: All Software Is Inherently Insecure

Slide 2: Vast Attack Surfaces
Modern desktops and apps offer rich feature sets that present a huge target to attackers. For example, Microsoft Windows now has more than 60 million lines of code, and Adobe Acrobat more than 1 million, leaving many loopholes that can be, or have been, exploited by attackers. This vast "attack surface" is responsible for the enormous number of ongoing vulnerabilities and exploits we see in the news every day.

Slide 3: Tabbed Browsing
Efforts have been made to increase productivity and decrease resource consumption by letting users perform multiple instances of a program's function within a single instance of the application, as with "tabbed" browsing. These multiple instances or "tasks" make security more difficult, because compromising the parent application automatically compromises all the tasks being performed by it.

Slide 4: 'Whack-A-Mole!'
The "whack-a-mole" approach of creating a new signature or patch to detect and block the latest attack, or developing a new security product for each new kind of vulnerability, is unsustainable. The security industry needs to address the fundamental shortcomings of the current approach and adopt a new architecture that transforms computer systems into trustworthy endpoints that are protected by design.

Slide 5: Introducing Micro-Virtualization
Micro-virtualization addresses the fundamental shortcomings of the legacy computing model by executing each vulnerable task in a tiny, hardware-isolated micro-virtual machine (micro-VM). Tasks are isolated, along with all the resources a task needs, all the way down to the security hardware (Intel VT) layer, including any resources that interact directly or indirectly with the task.

Slide 6: Need To Know
Protected tasks have only "need to know" access to data, networks and local hardware devices, so if a task is compromised the system still protects the enterprise and the user. Micro-VMs are created and destroyed in milliseconds, automatically discarding malware and ensuring that the desktop always remains in a "golden" state. These capabilities are applied automatically, unseen by the user, and with minimal impact on the user experience.

Slide 7: Micro-VMs
Micro-virtualization has profound consequences for system architecture, and applies to both server and client systems. Its application in endpoint protection transforms the resilience of enterprise clients and massively increases the cost and complexity of system penetration.

Slide 8: Introducing Bromium's vSentry
Bromium's vSentry uses micro-virtualization to isolate malware delivered via Internet Explorer or via untrustworthy documents and e-mail attachments. Malware isolated by vSentry is unable to steal data or access either the Windows system or the corporate network, and is automatically discarded when the user closes the web session or document.

Slide 9: Micro-VMs
Each micro-VM is optimized and provisioned for the specific task at hand and is hardened against the installation of malicious code. Micro-VMs deliver significant attack-surface reduction, and so an inherently more secure platform for running risky tasks. If unknown malware does manage to exploit the application performing the protected task, only a single browser tab or a single instance of the document handler (for example, Acrobat or Word) is compromised.

Slide 10: Defeating Malware Every Time
Malware cannot gain access to other applications or tasks: the Windows system itself, the protected file system, the enterprise network, or trusted SaaS applications. Since each web page or document runs in a hardware-isolated, hardened and independent container within the Windows environment, threats cannot propagate and compromised sessions cannot be used for surveillance or to launch attacks on other systems in the network. Malware is not allowed to persist and is automatically removed when the browser tab, document or attachment is closed.

Slide 11: vSentry Automation
vSentry automatically isolates vulnerable tasks, such as opening an unknown web page in a new browser tab, or opening an email attachment or document from an unknown sender. Users are not prompted to "allow" or "deny" actions and can focus on getting the most from their system without worrying about the chance of compromise.

Slide 12: The Microvisor
The Microvisor on which vSentry is based integrates directly with the Intel VT hardware virtualization extensions built into modern Intel CPUs, to ensure that malware cannot break out of the micro-VM to compromise the rest of the Windows operating system, other applications or tasks. This protection depends on the extensions being present and enabled in firmware; on Windows, systeminfo reports this under "Hyper-V Requirements" ("Virtualization Enabled In Firmware"), which is worth checking before rollout.
Section 5: Micro-Virtualization vs Traditional Endpoint Security Products (Micro-Virtualization: A New Approach To Endpoint Security)

Slide 2: Micro-Virtualization vs Anti-Virus Systems
Anti-virus systems detect malware using signatures developed from samples of attacks that have successfully compromised other users. The addition of heuristics and cloud-based lookups has decreased the time anti-virus systems need to detect known attacks, but with, by the figure the course cites, over 3 billion unique pieces of malware discovered in 2011 alone, today's attackers have little problem avoiding these systems. In contrast, micro-virtualization does not rely on detecting malware to protect against its malicious intentions. The granular isolation and "need to know" access model for each task ensures that malware cannot gain access to any data, persist the attack, or penetrate deeper into the network.

Slide 3: Micro-Virtualization vs Host Intrusion Prevention Systems
Host intrusion prevention systems (HIPS) attempt to detect and block malicious attacks by comparing the behavior of vulnerable applications with patterns that could indicate "malicious behavior". The shortcoming of this technology is that malicious and benign code can perform the same types of operations within an endpoint, and singling out the behavior of a single piece of software can be challenging. A HIPS tuned to be effective against unknown malware will also block many unknown but benign software functions, leading to user dissatisfaction and an avalanche of help desk calls; in reaction, a HIPS is often disabled or tuned to the point that malware is no longer blocked. In contrast, micro-virtualization does not interfere with the execution of the vulnerable application or the productivity of the user, while ensuring that critical enterprise resources are protected at all times.

Slide 4: Micro-Virtualization vs Desktop Firewalls
Desktop firewalls protect the host system by blocking low-level network requests to specific processes within the endpoint. They provide no protection for the riskiest applications, such as the web browser or opening files and attachments, because these processes must be able to communicate with the outside world to function. In contrast, vSentry implements a per-micro-VM, task-specific, granular isolation or task "firewall" capability by isolating, filtering and enforcing the communications between each task and the rest of the Windows environment.

Slide 5: Micro-Virtualization vs Desktop Virtualization Systems
Desktop virtualization systems provide a mechanism for running multiple operating systems on a single desktop or laptop computer. Migrating computing resources to a virtualized environment has little or no effect on most of the resources' vulnerabilities and threats. While running, these solutions provide no protection beyond that of a standard desktop, and the monolithic nature of traditional hypervisors lends itself to running many applications inside one virtual machine, so a compromise of one application exposes the others sharing that VM. Running multiple virtual machines often incurs a heavy performance penalty and restricts the granularity and effectiveness of this approach. In contrast, vSentry represents the next generation of virtualization technology: it hardware-virtualizes each vulnerable task without the performance penalty of legacy virtualization solutions. Micro-virtualization works at the task level within the Windows environment and provides full code-level visibility and extremely granular control over all interactions between the active task and Windows, system devices, the file system, storage and networks.

Slide 6: Micro-Virtualization vs Application Whitelisting Solutions
Application whitelisting solutions restrict end users from using "non-approved" programs on their systems. This approach typically has a large impact on user productivity, which often results in users finding "workarounds" such as performing critical tasks on mobile or home devices. Application whitelists provide no protection from attacks targeted at the "approved" programs, which remain vulnerable to zero-day or targeted attacks routinely delivered within the content those applications are tasked with processing. In contrast, vSentry does not impact user productivity and enables users to use their key productivity applications safely and with no risk to the critical information contained within their systems or on the corporate network.

Slide 7: Micro-Virtualization vs Patch Management Solutions
Patch management solutions attempt to address the root cause of security exploits by providing fixes, or "patches", for the underlying vulnerabilities in the programs at risk. Unfortunately, the sheer scale and attack surface of today's operating systems and application suites provides endless vulnerabilities. Organizations spend huge amounts of time and money testing and deploying patches in an endless attempt to keep their systems secure, with little impact on the number or frequency of successful attacks. In contrast, micro-virtualization protects PCs from being compromised even if they have not been patched, which lets organizations schedule patches for the lowest impact on the organization. Note that this relief applies to the isolated, untrusted tasks; the host operating system, the microvisor itself and any application that runs outside a micro-VM still need to be patched on their own schedule.

Slide 8: Bromium's vSentry
vSentry focuses on protection, and is able to defeat both known and unknown attacks using micro-virtualization combined with hardware-enforced, task-level isolation. If a micro-VM is penetrated by an advanced targeted attack, it remains completely isolated: the attacker is unable to attack the desktop, persist any malware, steal any data, or penetrate the enterprise network.

Slide 9: Bromium's LAVA (Live Attack Visualization and Analysis)
When malware strikes, the entire attack is automatically recorded and delivered to Bromium's LAVA (Live Attack Visualization and Analysis) console. LAVA provides a depth and breadth of information that arms security operations centers with critical threat intelligence and a stronger defense-in-depth strategy.

Slide 10: Protection Against Java Exploits
By extending the isolation and protection of hardware virtualization into the operating system, microvisor technology adds a new hardware-protected execution mode for Java applications. These micro-VMs are created automatically, in milliseconds, to isolate any task that processes untrusted data or interpreted code. In addition, Bromium's LAVA provides introspection of these micro-VMs and gives security operations teams the ability to capture and analyze threats, including Java exploits.

Slide 11: Protects Mobile And Roaming Users Against Exploits In The Wild
vSentry endpoint security software lets users safely surf the internet, open email attachments, download documents, and plug in USB devices regardless of their physical location. It automatically and proactively protects mobile and roaming users against exploits in the wild by confining each website and document within a hardware-enforced container that is completely transparent to the user.

Slide 12: Happy Enterprise Network Security Administrators
As a result, enterprise security administrators can worry less about continuously patching Windows vulnerabilities, which can be a challenge for workers who spend days or weeks away from the office. There is no longer a tug-of-war between end users' need for an optimal computing experience and the IT security team's need to safeguard the enterprise, and users no longer need to circumvent or disable the traditional controls that hinder them from "doing their job".

Slide 13: vSentry
vSentry delivers endpoint security against advanced targeted attacks while removing restrictions on Internet freedom. It ensures that a compromised task (such as rendering a web page or opening an email attachment) cannot access enterprise infrastructure or information, because the attacker is contained within the hardware-isolated micro-VM with highly restricted, need-to-know access to the OS, the underlying file system and the enterprise network. This continuous, granular protection applies to end users regardless of location, so users are empowered to do whatever they need to do to be productive, including browsing the internet, without risk to themselves or the enterprise. IT no longer needs to spend countless hours keeping blacklists and whitelists up to date, and users no longer attempt to circumvent or disable these restrictive controls.

Slide 14: vSentry
vSentry assumes that all tasks performed on content originating outside the corporate network, such as checking email, visiting web pages or downloading documents, should be treated as untrusted. Each task is secured in its own private container using micro-virtualization software in combination with hardware-enforced isolation. If a malware attack occurs, it remains bounded within the isolated container and has no access to any network or system resources. Furthermore, it is automatically discarded when the user closes the document or web page, making it impossible for the malware to persist on the system or gain access to the network. If malware cannot persist on the end-user device, the device cannot be infected; if there is no infection, there is no longer any need for remediation. Remediation is in essence automatic: when the task ends, the malware is destroyed. This can save enterprises thousands, and sometimes millions, of dollars.

Slide 15: vSentry
vSentry effectively enables multi-tenancy on endpoint devices, so that each individual task (and all related data) is truly isolated from the trusted machine. This architecture provides significant peace of mind for those tasked with securing an enterprise, and saves time for those who previously spent countless hours trying to reverse engineer malware attacks. Furthermore, because endpoints are no longer infected as a result of unpatched vulnerabilities, organizations save significant costs because they no longer need to re-image infected devices.

Slide 16: vSentry
When running vSentry on these endpoints, an executive or privileged user may still fall prey to attacks from social networking vectors, enabling malware to run on their machine. However, with vSentry, the malware's access is limited to a hardware-isolated virtual container, a "throwaway cache" that looks and feels like an empty desktop to the attacker. The Microvisor enforces "least privilege", or "need to know", for each and every document and website, so there is never any sensitive data to steal within the micro-VM.

Slide 17: vSentry
Best of all, anything the spear-phishing malware does within the micro-VM is automatically and instantly recorded and reported via LAVA, so that security analysts can use this comprehensive threat intelligence to protect the rest of the users and systems across the enterprise. Information security teams gain assurance that these high-profile targets can click on unsafe links and open unsafe attachments without risk to their devices or to the enterprise.

Slide 18: vSentry
vSentry makes each SaaS and cloud application invisible to, and inaccessible by, every other untrusted website and document running on the endpoint device. It applies the principle of least privilege (a.k.a. "need to know") to each task so that each micro-VM is isolated from the rest of the system, regardless of whether or not malware is present. This hardware boundary, enforced by the CPU, automatically denies untrusted tasks access to any cloud and SaaS sites containing sensitive enterprise data. As a result, vSentry protects against cloud data exfiltration and against XSS, CSRF and other man-in-the-browser (MitB) attacks that rely on one page reaching another. Note that isolating tabs does not remove a script-injection flaw inside the SaaS application itself: a payload the trusted site serves runs within that site's own task, and must still be fixed in the application.

Slide 19: Drive-By-Download
Even if a drive-by download from a compromised site installs a keylogger in one browser tab, and the user logs into a SaaS site in the adjacent browser tab, credentials and data remain isolated and inaccessible to the malware running in any other micro-VM. These online applications and data repositories are centrally configured by IT and have no impact on the user experience with enterprise-hosted, SaaS or cloud applications. vSentry automatically protects the desktop from these applications, but it also protects the applications from all other untrusted tasks, including attacks on themselves or each other, such as in the event of a service provider compromise.
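To make the "need to know" model concrete (the "Need To Know", "Desktop Firewalls" and "Drive-By-Download" slides above), here is an added example, not Bromium's code and not vSentry's actual policy: a small Python model in which each task (a tab or a document) carries an origin, the host answers each file, network or cross-task request with a least-privilege decision, and closing the task discards its state. The policy fields, the path and host names, the sample addresses and the decision to treat the IT-configured SaaS tab as trusted are all assumptions; the real product enforces this in a microvisor beneath Windows with Intel VT, not in user-mode Python.

```python
"""Added example (not Bromium code): a toy model of the per-task "need to know"
policy the course describes for micro-VMs. Resource names, policy fields and
rules are assumptions made for illustration; vSentry enforces its policy in a
microvisor beneath Windows, not in Python."""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress


class Origin(Enum):
    TRUSTED = "trusted"      # content that came from inside the corporate boundary
    UNTRUSTED = "untrusted"  # web pages, external mail attachments, removable media


@dataclass
class Policy:
    """Hypothetical host policy: sensitive paths, corporate networks and SaaS
    hosts are simply not reachable from an untrusted task."""
    protected_paths: tuple = ("C:/Users/alice/Documents", "C:/Corp")
    corp_networks: tuple = ("10.0.0.0/8",)
    sensitive_saas: tuple = ("mail.example-corp.test", "crm.example-saas.test")


@dataclass
class Task:
    """One micro-VM: a single tab or document with its own throwaway state."""
    name: str
    origin: Origin
    scratch: dict = field(default_factory=dict)  # lives only as long as the task
    alive: bool = True


def _in_corp(policy: Policy, target: str) -> bool:
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:          # a hostname rather than an address
        return False
    return any(addr in ipaddress.ip_network(n) for n in policy.corp_networks)


def allow(policy: Policy, task: Task, kind: str, target: str) -> bool:
    """Decide one request from a task. kind is 'file', 'net' or 'task';
    target is a path, a host/IP, or another task's name."""
    if not task.alive:
        return False
    if task.origin is Origin.TRUSTED:
        return True
    if kind == "file":
        return not any(target.startswith(p) for p in policy.protected_paths)
    if kind == "net":
        return target not in policy.sensitive_saas and not _in_corp(policy, target)
    # 'task' and anything unrecognised: an untrusted task never reaches a peer
    return False


def close(task: Task) -> dict:
    """Closing the tab or document discards the micro-VM; nothing carries over.
    Returns whatever survived (always empty) so callers can check persistence."""
    task.scratch.clear()
    task.alive = False
    return dict(task.scratch)


def drive_by_scenario(policy: Policy = Policy()) -> dict:
    """The slide's example: a keylogger in one tab, a SaaS login in the next.
    All names and addresses are constructed."""
    evil = Task("drive-by tab", Origin.UNTRUSTED)
    saas = Task("crm tab", Origin.TRUSTED)       # assumed: IT-configured SaaS site
    evil.scratch["dropped"] = "keylogger.dll"    # the exploit ran, inside its box
    return {
        "read_saas_keystrokes": allow(policy, evil, "task", saas.name),
        "read_documents": allow(policy, evil, "file", "C:/Users/alice/Documents/q3.xlsx"),
        "reach_corp_lan": allow(policy, evil, "net", "10.1.2.3"),
        "reach_saas_host": allow(policy, evil, "net", "crm.example-saas.test"),
        "reach_internet": allow(policy, evil, "net", "93.184.216.34"),
        "saas_can_work": allow(policy, saas, "net", "crm.example-saas.test"),
        "persisted_after_close": close(evil),
    }


if __name__ == "__main__":
    for check, outcome in drive_by_scenario().items():
        print(f"{check:24s} {outcome}")
```

The point the model makes is that the decision never depends on recognising the keylogger: the drive-by tab is denied the documents, the corporate LAN, the SaaS host and the neighbouring tab purely because of where its content came from, it is still allowed ordinary internet access so the page keeps working, and whatever it dropped is gone with the task.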
Section 6: Conclusion

In Conclusion
Micro-virtualization addresses the two fundamental challenges of today's computer systems:
1. Users will make mistakes, and
2. Software will have vulnerabilities.
Key benefits of micro-virtualization include:
• Automatically defeating undetectable malware, so security teams stay focused on business needs, not costly and time-consuming forensics or remediation
• Providing real-time insights into every type of attack
• Protecting users even if they click on malicious links, so they can access any website and open any attachment or document, allowing them to safely embrace mobility and empowering your users
