Cybersecurity companies have done a good job of protecting the perimeter of networks over the years. Between firewalls, IPS/IDS, network anti-virus, web filtering and network sandboxing, the controls are in place for a well managed, responsible security team to stop all but the most aggressive of attacks on the network perimeter, (for now, at least).
It’s important not to downplay the importance of the highly trained and diligent security professionals who manage the perimeter. Without the intelligence and responsiveness of these professionals, all the tools and the money spent wouldn’t matter.
One major hole in security is the browser. The freedom that end users have to virtually do anything they want, including bypass security, combined with the pervasiveness of browser based malware and sophistication of social engineering attacks, make it very difficult for the end user to know what is good and what is bad. End users are the security administrator at the browser, and they can’t be expected to be experts in cybersecurity. This, combined with the need to get their jobs done, often lead them to make bad security decisions.
The Gold Rush at the Endpoint
Infosec companies realize that the endpoint is still vulnerable, and there seems to be a push to create new types of solutions that monitor what is happening between the time the user downloads that piece of malware, and it actually runs. In addition to A/V and firewalling, we now have application whitelisting, IPS/IDS, sandboxing, and behavioral tools that sit on the endpoint. This suite of tools makes for good money for the cybersecurity companies, but leads to problems with performance, incompatibilities between applications, and management issues. Worst of all, none of these solutions claim to be 100% effective against browser borne malware.
There is a Better Way
Instead of adding application after application on the endpoint, why not remove the browser from the workstation? In place of the physical browser, serve a virtual browser to the workstation from a hardened perimeter device, sitting on a DMZ This has the following benefits:
- Browser security now becomes owned by the security experts, not the end users.
- It becomes impossible for the browser to introduce malware into the network.
- If a virtual browser becomes infected, it gets destroyed and a new one created in seconds.
- If the hardened browser appliance somehow becomes compromised, you’re still protected by the DMZ.
A cool idea, right? That’s what Gartner thought, when they called my company, Spikes, a Cool Vendor for 2015. Spikes was founded by Branden Spikes, the former CSO at Space-X. If you’d like to find out more about this technology, and look at some whitepapers, go to www.spikes.com.
I’m happy to answer any questions you have as well. I can be reached at Paul@Spikes.com, or 1-410-740-3490
Although I am an employee of Spikes, and I believe in this concept, this and all posts by me are my personal opinions, and not endorsed by my company