Menlo Security

Financial Cyber Security Forum 2018 - Prospects and Challenges of Cyber Security in Financial Institutions -

On October 31, 2018, the "Financial Cyber Security Forum 2018" was held. At the forum, leading experts in each field explained cyber security measures in financial institutions. Among them, we will introduce the presentation by Menlo Security, Inc.

Security measures relying on detection will not eliminate damage

We will introduce "Isolation", an approach that is completely different from conventional web security measures and has recently been attracting attention as a way to protect endpoints (end users) from threats.

Security incidents continue to occur, such as information leaks caused by targeted attacks several years ago and financial damage caused by recent ransomware. Why does this kind of damage occur? I believe this is because the security measures we have taken so far have relied on detection in the first place.

The first generation of countermeasures, such as firewalls, IDS/IPS, and antivirus, eliminates threats that are already known to be malicious through verification. The second generation, such as sandboxes, machine learning, and AI (artificial intelligence), addresses unknown threats. In both generations, as long as a judgment is made about whether something is good or bad, false positives, oversights, and careless mistakes by users can occur. In addition, I think that detection technology and avoidance technology continue to play cat-and-mouse, and that new products and solutions are being introduced every day to prepare for new threats [Chart 1].

We have some interesting data on web-borne threats. For example, 42% of the 100,000 most accessed sites are at risk. There are 4,600 phishing sites using legitimate hosting services. "Business and Economy" is the number one risk among proxy categories. Access to one domain often leads to dozens of other domains behind the scenes, and users can be infected with malware without their knowledge. Even with employee education, it is not possible to warn users away from websites that they use for business.

Defensive measures centered on "separation and sanitization" = Isolation

Isolation is a defense measure centered on "separation and sanitization": a mechanism that prevents threats from reaching endpoints in the first place, without relying on detection technology. It fetches all the information from the web and delivers only safe display results to the endpoint. Because the code is obtained on an isolation platform that sits between the web and the endpoint, you can avoid the risk from sites connected behind the scenes, such as the other domains mentioned earlier.

Isolation is a very effective new technology, and there are several vendors, including us. There are several challenges in adopting isolation. The first is whether the basic functionality is practical. A website contains not only HTML but also many other files, such as JavaScript, images, and fonts. Malware has been installed through font vulnerabilities, so it is important to be able to deal with all the elements that make up the page. Support for both HTTP and HTTPS is also needed, because content in encrypted communications must also be sanitized.

Low implementation costs are also very important. Other points to consider are whether endpoint software is unnecessary and whether the user experience is preserved. Many isolation technologies are implemented in a format called pixel mirroring, in which the separated results are displayed as an image in the endpoint browser. pressure.

[Chart 1] Previous security measures “detection”

Another feature is that it can be easily introduced with little impact on the existing environment.

In fact, the Menlo Security Isolation Platform (MSIP) solved these issues. With two core technologies, DVC and ACR, it is possible to obtain and execute all risky active content in an environment separated from the endpoint without impairing the user experience.

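Let me explain in a little more detail [Chart 2]. In MSIP, many virtual machines are running. They are assigned to users as virtual containers, fetch content on the user's behalf, and return the display results. Because the virtual container is erased with every new session, an infection does not persist even if a virtual container is infected. In addition, the display result is not simply a picture: the components of the web page are copied, so usability for the user is not impaired. This is a technology that we have patented.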

Japanese financial institutions are increasingly adopting isolation instead of VDI or as a complement to VDI. Some also operate it so that sites not classified in any proxy category are browsed through MSIP. In some cases, it is used to safely view and store downloaded document files. One of the features of Menlo Security is that it is a cloud service, so there is no need to install an appliance in-house, and it can be easily introduced with little impact on the existing environment.

[Chart 2] Menlo Security Isolation Platform (MSIP)

Reprinted from: JTB Communication Design Co., Ltd.
