Published by Christina Harrison. Modified over 7 years ago.
Slide 1: A Quick Tour of Ceedo Safe Browsing and Remote Access Protection
Slide 2: The exposure
When connecting to or from unsafe locations, the end-point and the data center are both exposed.
Organizational resources at risk:
- Data theft
- Machine hijacking
- Ransomware (Cryptolocker)
- Compromised infrastructure
- Privacy (session leftovers)
- etc.
Diagram: Corporate Desktop connected to an Unmanaged PC (contractors, offshore, BYOC)
Slide 3: Conceptually…
If you could somehow create a barrier, an abstraction layer, in the PC stack, you could defend the OS and the apps.
Diagram: the PC stack (Hard Disk, Operating System, Desktop Environment, Applications) shown beside a second stack of the same layers backed by another HDD.
Slide 4: Abstraction Layer = Virtualization
Slide 5: Ceedo's virtualization engines, an overview
Disk virtualization:
- Ceedo has an internal VHD-based virtual disk-mounting system
- Disks are mounted through an internal OS<->disk interface
- Disks can be mounted with no mount point and into RAM
- Create child disks, merge disks, etc.
Process virtualization:
- Process-centric isolation
- Every operation a specified process tries to execute is intercepted and redirected
- Virtualization is inherited by child processes: for instance, if a virtualized browser opens a PDF reader, the PDF reader will be virtualized too
Diagram: the stack (Hard Disk, Operating System, Desktop Environment, Applications) with a VHD inserted as the virtual disk layer.
Slide 6: How do we isolate Windows components?
Think of regular firewalls: Internet and network firewalls allow companies to decide, based on rules, which applications may have incoming or outgoing connections to the network.
Now think of PCs: our Kernel Firewall allows companies to decide which applications may have access to the OS and to other apps, completely isolating apps depending on rules.
Slide 7: Remote Access Protection and Safe Browsing
Diagram: the stack (Hard Disk, VHD, Operating System, Desktop Environment, Applications) labelled "Remote Access Protection and Safe Browsing: connecting to or from unsafe locations".
Slide 8: Isolation, from the inside out
Traditional anti-malware solutions are mostly based on signature recognition and heuristics. This means that if the attack vector is new or smart enough, you are exposed.
Isolation protects the machine by blocking any untrusted software or infected web page from touching the machine (MITM/MITB: man-in-the-middle / man-in-the-browser).
Slide 9: Isolation, from the outside in
Traditional remote computing relies mostly on communication-centric measures (tunnels, 2FA, etc.). But if the client is compromised, nothing is secure.
Isolation prevents the compromised machine from accessing any data generated during a remote session.
Slide 10: Ceedo's extra security and privacy tools
Nothing is written to the machine, and all generated data can be removed entirely at the end of the session.
To add an extra layer of protection, the "bubble" runs from a hidden location stored inside an encrypted container.
And to seal the environment we also deal with environment permissions (access control), process enforcement, and more…
Slide 11: What we do, in the process-isolation context
- Run isolated applications (installed on the host or encapsulated)
- Protected from the client and protecting the client
- Leave zero footprint and/or keep data encrypted
- Remove all session data after shutdown, or store it in encrypted containers
- Allow safe browsing and secure computing to and from unsecured locations, keeping privacy and safety
Slide 12: How we do it
Isolate processes by redirecting all R/W functions:
- For instance, when an app writes a document to C:\, we divert the write to X:\
- Capture all R/W data in a hidden, disposable VHD volume
- Optionally load the VHD as a RAM disk and/or with no mount point
- Leverage native NTFS permissions (access control)
- Launch processes with "Run As" under a separate user account
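The redirection rule described on this slide (writes aimed at C:\ land in a disposable volume, reads fall through to the host only when the session volume has no copy, and the volume is discarded at shutdown) is easy to lose sight of in a bullet list. The following is an added illustration, not Ceedo's code and not how their kernel-level engine is implemented: it models the policy as a copy-on-write overlay in user-mode Python, with two temporary directories standing in for the host disk and the hidden VHD. Paths, file names and file contents are constructed for the demo.

```python
"""Toy model of write redirection with a disposable session volume.

A process "inside the bubble" addresses files by their ordinary Windows
path (C:\...). Every write is diverted to the session volume; a read is
served from the session volume if the file was touched during the session,
otherwise it falls through to the untouched host copy. Ending the session
throws the whole volume away, so nothing the process wrote reaches the host.
Added example; the real engine works at the kernel level and on a VHD.
"""
import shutil
import tempfile
from pathlib import Path, PureWindowsPath


class RedirectedVolume:
    def __init__(self, host_root: Path, session_root: Path):
        self.host_root = host_root          # stands in for the real C:\ drive
        self.session_root = session_root    # stands in for the hidden VHD (X:\)
        self.deleted = set()                # files the process deleted during the session

    @staticmethod
    def _rel(win_path: str) -> Path:
        """Turn 'C:\\Users\\alice\\x.txt' into the relative path Users/alice/x.txt."""
        p = PureWindowsPath(win_path)
        if not p.drive:
            raise ValueError("absolute Windows path expected: %r" % win_path)
        return Path(*p.parts[1:])

    def write(self, win_path: str, data: bytes) -> None:
        """Divert the write: the host file is never opened for writing."""
        rel = self._rel(win_path)
        target = self.session_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        self.deleted.discard(rel)

    def read(self, win_path: str) -> bytes:
        """Session copy wins; otherwise fall through to the host copy."""
        rel = self._rel(win_path)
        if rel in self.deleted:
            raise FileNotFoundError(win_path)
        redirected = self.session_root / rel
        if redirected.exists():
            return redirected.read_bytes()
        return (self.host_root / rel).read_bytes()

    def delete(self, win_path: str) -> None:
        """A delete only hides the file from the bubble; the host copy survives."""
        rel = self._rel(win_path)
        (self.session_root / rel).unlink(missing_ok=True)
        self.deleted.add(rel)

    def end_session(self) -> None:
        """Discard everything captured during the session (the disposable VHD)."""
        shutil.rmtree(self.session_root)
        self.session_root.mkdir()
        self.deleted.clear()


def run_session_demo() -> dict:
    """Constructed scenario: a document the user edits and a file dropped
    by a download, both while the session is active."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as vhd:
        host_root, vhd_root = Path(host), Path(vhd)
        doc = host_root / "Users" / "alice" / "report.docx"   # constructed host file
        doc.parent.mkdir(parents=True)
        doc.write_bytes(b"original")

        vol = RedirectedVolume(host_root, vhd_root)
        result = {}
        result["read_through"] = vol.read(r"C:\Users\alice\report.docx")
        vol.write(r"C:\Users\alice\report.docx", b"edited in bubble")
        result["inside_view"] = vol.read(r"C:\Users\alice\report.docx")
        result["host_after_write"] = doc.read_bytes()

        # constructed: a file saved by a download during the session
        vol.write(r"C:\Users\alice\dropper.exe", b"MZ-constructed")
        result["host_has_dropper"] = (doc.parent / "dropper.exe").exists()

        vol.end_session()
        result["session_files_left"] = sum(1 for _ in vhd_root.rglob("*"))
        return result


if __name__ == "__main__":
    for key, value in run_session_demo().items():
        print(key, "=", value)
```

The two observations worth noticing are that `host_after_write` is still the original bytes after the process "saved" the document, and that `session_files_left` is zero after `end_session()`: the dropped executable existed only in the session volume and is gone with it. What the model leaves out is exactly what the slide relies on the kernel for: a user-mode overlay cannot stop a process that bypasses it, so the redirection has to sit below the process, in the kernel functions it calls.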
Slide 13: Components in the process-isolation context
- VHD-based isolated environment (optional: with encapsulated applications)
- Application launcher (host/encapsulated)
- Kernel "firewall": intercepts and diverts R/W operations from virtualized processes
- Virtual user with separate elevation and NTFS security configuration
Diagram: kernel functions "firewall"
Slide 14: Components in the process-isolation context (continued)
- VHDs and data can be stored inside encrypted containers locked to a specific machine
- The environment can force processes to terminate based on MD5 and certificate thumbprint (black/whitelist)
- All components undergo an integrity check to protect against tampering
- Remote wipe / deactivation
Diagram: kernel functions "firewall"
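Two of these controls, process enforcement by MD5 and certificate thumbprint, and the integrity check on the environment's own components, are simple enough to model end to end. The block below is an added example, not Ceedo's code: the evaluation order (explicit MD5 blocklist first, then allowlist by MD5 or by signer thumbprint, default deny otherwise) is my assumption about how such lists are usually combined, and the thumbprint, file names and "image" byte strings are constructed placeholders rather than real binaries or certificates.

```python
"""Toy model of process enforcement and component integrity checking
inside an isolated environment. Added illustration; all hashes are
computed from constructed byte strings, not real executables."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LaunchEvent:
    image_path: str                   # path the virtualized process starts from
    image_bytes: bytes                # image content; a real engine reads the PE file
    signer_thumbprint: Optional[str]  # Authenticode cert thumbprint, None if unsigned


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class ProcessPolicy:
    """Assumed order: MD5 blocklist wins, then an allowlist match (by MD5 or
    by signer thumbprint) permits, anything else is terminated (default deny)."""

    def __init__(self, blocked_md5, allowed_md5, allowed_thumbprints):
        self.blocked_md5 = set(blocked_md5)
        self.allowed_md5 = set(allowed_md5)
        self.allowed_thumbprints = set(allowed_thumbprints)

    def decide(self, ev: LaunchEvent) -> Tuple[str, str]:
        digest = md5_hex(ev.image_bytes)
        if digest in self.blocked_md5:
            return "terminate", "md5 %s is blocklisted" % digest
        if digest in self.allowed_md5:
            return "allow", "md5 %s is allowlisted" % digest
        if ev.signer_thumbprint and ev.signer_thumbprint in self.allowed_thumbprints:
            return "allow", "signer %s is allowlisted" % ev.signer_thumbprint
        return "terminate", "no allowlist match (default deny)"


def verify_components(components: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names of components whose SHA-256 differs from the manifest, or which
    are missing. An empty list means the environment is intact."""
    tampered = []
    for name, expected in manifest.items():
        data = components.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            tampered.append(name)
    return tampered


# --- constructed sample data (placeholders, not real artefacts) ----------
CORP_SIGNER = "0000000000000000000000000000000000000000"  # placeholder thumbprint
KNOWN_BAD = b"MZ-constructed-known-bad-sample"
BROWSER = b"MZ-constructed-browser-image"
PDF_READER = b"MZ-constructed-pdf-reader-image"
UNKNOWN = b"MZ-constructed-unknown-tool"


def evaluate_sample_events() -> Dict[str, str]:
    """Run four constructed launch events through the policy; returns path -> action."""
    policy = ProcessPolicy(
        blocked_md5=[md5_hex(KNOWN_BAD)],
        allowed_md5=[md5_hex(PDF_READER)],
        allowed_thumbprints=[CORP_SIGNER],
    )
    events = [
        LaunchEvent(r"X:\Apps\browser.exe", BROWSER, CORP_SIGNER),        # signed by allowed signer
        LaunchEvent(r"X:\Apps\reader.exe", PDF_READER, None),             # unsigned but hash-allowlisted
        LaunchEvent(r"X:\Downloads\invoice.exe", KNOWN_BAD, CORP_SIGNER), # blocklist beats a valid signer
        LaunchEvent(r"X:\Downloads\tool.exe", UNKNOWN, None),             # nothing matches: default deny
    ]
    return {ev.image_path: policy.decide(ev)[0] for ev in events}


def check_environment_integrity() -> List[str]:
    """Build a manifest for two constructed components, then tamper with one."""
    components = {
        "launcher.exe": b"constructed-launcher-image",
        "kfw.sys": b"constructed-kernel-firewall-driver",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}
    components["kfw.sys"] = b"constructed-kernel-firewall-driver-MODIFIED"  # simulated tampering
    return verify_components(components, manifest)


if __name__ == "__main__":
    for path, action in evaluate_sample_events().items():
        print(action.ljust(9), path)
    print("tampered components:", check_environment_integrity())
```

One caveat a practitioner would attach to this slide: MD5 is no longer collision resistant, so an MD5 blocklist still works as a fast "known bad" check, but an MD5 allowlist is weaker than allowlisting by signer, which is why the model above gives the signer thumbprint its own rule and keeps SHA-256 for the integrity manifest.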
Slide 15: Thank You