Duration 44:43
Citrix Synergy TV - SYN190 - Secure your users' access to the web–and the browsers that surf it

Kurt Roemer
Chief Security Strategist at Citrix
Citrix Synergy Atlanta 2019
May 22 2019, Atlanta, GA, United States
About the talk

Topic: IT

Learn how an architecture that combines application virtualization with hypervisor-based security creates a virtual air gap between end users and web resources while maintaining the desired web experience. In other words, this is 45 minutes to learn how you can sleep better at night. It's no mystery that the web is a dangerous place. The habits of workers, third parties and administrators accessing your web presence or using external resources often have frightening results. Drive-by downloads, watering-hole attacks, legitimate sites with rogue content: the list of threats is sadly as endless as the web. After decades of blame and weak directives, see how to offer more worker-focused web security technologies. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.

Hello everyone. I hope you're doing well today. My name is Sean Donaldson, as you can see there, and I'm with the alliances team at Bitdefender. I've been 00:04 there for about eight years. If you hear me say a couple of things funny, it always cracks up Kurt; it's because I'm from Ottawa, Canada. So I'll try to 00:13 avoid saying "aboot" and words like that, because it tends to confuse people. And to my right is... Thanks, Sean. Hi everyone, I'm 00:23 Kurt Roemer, Chief Security Officer, and really happy to be here this afternoon. We've got a lot of interesting things to talk about. 00:33

I've been with Citrix for 13 years now. I'm looking forward to you tweeting this session. This is open content, and we'll definitely get 00:42 you a copy of the presentation afterwards as well. So, Sean, I thought that we would do the session with just one slide. 00:52 All right. Oh, okay. 01:07 So we're going to very quickly go through the 01:16 web threat landscape. It should not be anything terribly surprising; the web is an interesting place. Kurt will cover how 01:26 browsers shouldn't be thought of as applications necessarily, but more how they can be viewed as frameworks. I'll talk about how 01:36

isolated browsers... we'll cover what isolated browsers mean, why they also need to be secured, and then how that actually works: 01:45 what the underlying security is that we're applying in browser isolation, how the actual mechanics come together, and 01:55 then bring it all together and see how it works in action. There is a recorded demo, and what to do now. 02:05 So, very quickly. This is one of my favorite quotes. I don't often quote analysts, no offense to any analysts, but this was from a 02:16

Gartner report, and literally the first line in the report was the weather's assassin pull back and said, I'm going to enjoy this report. And indeed it 02:26 was a good thing. Now, in today's everything-is-a-service world, one of the challenges is so many of the productivity apps 02:36 are today accessed via web browser, web browsers that are sometimes used for other things as well. Users, on the other hand: we 02:45 can educate them as much as we want, and indeed we can't blame end users. They will click on things. Attackers are very good at fooling end users, even 02:55

sophisticated end users. And none of what I've said so far should really be as interesting as those models make it appear. 03:05 What we're here to talk about today is that there is a better way: you can increase the security of the browsers and the plugins they happen to be 03:15 successful on their own, and not isolate your end users from the website resources which they demand access 03:25 to, and beyond that, not increase the workloads of admins. So first, very quickly, the threat landscape. 03:35

These are the vulnerability trends over the last 10 years, from about 6,000 to 16,000 over the last decade. 03:44 This should not be a surprise: more code, more vulnerabilities, better techniques for fuzzing and finding vulnerabilities. 2019 03:53 so far isn't looking any better. This is from NIST. This is a really interesting one. It covers the types of vulnerabilities being exploited over time. 04:03 If you look at the far right, you'll see buffer errors and code injection, so two memory manipulation techniques. Keep that in mind. 04:13

It comes up later. This latest Intel processor vulnerability that was announced within the last week can also be 04:22 executed from within a browser, so from within user space. It's crazy, and guess whose researchers found that. 04:32 At this point we are beating a dead horse 04:39 with this vulnerability information, but we know web browsers are always at the top of the list. I don't know how exhaustive... how would you go 04:48 through every version of every plugin out there to compile this sort of list? I mean, we all know intuitively from our own experience a lot 04:58

of the time attacks are coming in through browsers and plugins. Very familiar attack scenario; if 05:08 this looks surprising, as it says, kindly contact the authorities. So this should be very familiar. It's pretty 05:18 rare for attackers to send malicious attachments or else now; that way they can manipulate the attack code 05:28 that lives on the server that they're controlling. As soon as something gets detected, they'll start fiddling with it, change it, and essentially the same 05:37

link will work. When the end user, inevitably an end user somewhere, will click on the link, that launches an exploit of 05:47 a vulnerability in their browser or the plugins. If the attacker does that successfully, they gain remote access; that's how they get the initial 05:56 foothold. What they do at that point: they could inject ransomware, they could drop command-and-control, they could do a completely fileless attack 06:06 where they never write anything to disk. They just start attacking the next system over, on and on and on. The bottom line here is this is how 06:15

in one scenario they can gain that initial foothold on systems. This is what the demo will look like. So from the 06:24 user view, it's essentially: here's a link. Of course, you know, we stick a pretty innocuous-looking link in there. They're getting really 06:34 sophisticated, using characters from different alphabets that look kind of like characters in the alphabet we use but are different, 06:42 and on and on and on. They're getting really, really good at this. So over to you, Kurt. Yes, a little primer or a reminder as we go through 06:52

this: what do people actually use browsers for? Well, most of these should be rather obvious. So, ubiquitous cat videos; we've got 07:02 Facebook and other social media, also great ways for malware to be injected; not-safe-for-work content, see a lot of that happening, 07:11 and that can cause legal issues as well as other problems. I thought we were going to meet legal... change that. 07:21 And other web communication and collaboration technology; arbitrary links oftentimes will 07:29

lead not just to shopping sites, but directly to ransomware and phishing and other things. And then we also have increasing amounts of business 07:39 applications that are driven through the browser, and on top of that also the web consoles behind them. Anything that you do in the cloud 07:48 is by definition through a browser. All of your cloud administration is through a browser. Increasingly, everything you're doing as a highly privileged 07:58 user is through a browser. See the problem? We're going to explore that a little further. A little further expansion on what 08:07

businesses are using browsers for. I'm sure you could add substantially to that list. Don't just think of these as use cases that are lumped together; 08:16 think of these as use cases that demand a different level of security, or different security methods, different verifications. How would you audit 08:25 access to each of these? How would you go through and investigate an incident, go through and look at the traffic inspected? If you're just letting people 08:35 run the browser that's on their laptop or device, how can you go through and control any of these very critical functions, and how can you audit 08:43

them? So don't think of use cases just as, yeah, I need to let users use it. There's a lot of administrative access back behind it. And the browser 08:53 also is almost always completely over-privileged and over-configured. Your browser is set up to get to any type of 09:03 resource, use any certificate from the US, from Canadia, from any place else throughout the world. It's got all the 09:12 browser frameworks and plugins and everything else connected into it. It's connected to your registry, it's connected to your file system, it's connected 09:22

to your key store and your password stores. Think of all of the things that we have munged into the browser these days; it's definitely over-privileged and 09:30 over-configured. Absolutely, the things that we definitely need to solve. I'll leave you to read the rest of 09:39 these, but one of the big things we're going to focus on is control over resource delivery through the browser. Don't just think of browsers as an app; as 09:49 Sean said, think of it as a framework, and a framework for delivering resources. So what we're going to do is spend a couple minutes talking about 09:57

delivering resources through the browser. And in order to do that, I want to introduce the four primary delivery methods. So if you're delivering any 10:06 resource, you have four predominant methods. You can go direct to the resource, also called native access, pretty easy. Somebody just pulls up their 10:15 browser, they go to their favorite site or cloud app. There's no intervening proxies or technology or filtering or anything. It's just that I'm going 10:25 to the resource. Is that appropriate? Of course it is, but not for a high-security context. Right, might be good for YouTube or 10:33

for training or stuff like that. But the second method is proxies. So you've got forward and reverse proxies. They do content filtering, scrubbing; 10:43 you can do rewrites, redirects. See some applicability with the browser there. There's a lot that a proxy can do with browser-based 10:52 functionality, and remember, browser proxies are not just networking technology. Proxies can be in a lot of places. You can have a proxy 11:02 framework embedded in the browser, and you can have proxies as part of your workspace and as part of cloud services. So don't just think of them as a 11:12

piece of kit on the network. The third method for delivering resources is virtualization, and particularly with the browser, being able to 11:20 virtualize your browser gives you a lot of functionality you otherwise wouldn't have. Today, if somebody went home and they were running Office 365 or 11:30 Salesforce or Concur, Workday, one of the very common apps, how do you control their ability to print information to a printer, and whether they 11:39 can print their personal info but maybe not info that is related to customers or their teams or things that would involve intellectual 11:48

property? How can you control the clipboard? How can you control where they save information? How can you control whether they can utilize other 11:58 peripherals within the environment, and even if the webcam and microphone aren't needed, turn them off by default? Well, with virtualization you can 12:07 very easily do that. That's why we see a lot of people using virtualization in a browser context. We're going to show more of that here in a second. 12:15 And then the last deployment method is containerization, so the ability to have a container, and when you hear 12:23

containers, don't just automatically think Docker and Kubernetes. They are very important. You also have mobile-based containers, you've got project-based 12:32 containers. Containers are used for offline access, they're used for delivery, they're used to help control deployment of resources, and 12:40 we're going to increasingly see the browser used within this context. So it doesn't matter what type of resource you're delivering, you're using one of 12:50 these delivery methods: direct, proxied, virtualized or containerized. Now, these used to be something that you had to pick when you 12:58

were architecting the application. The nice thing is, with the workspace, you can dynamically pick these at the point of service. So if somebody is in 13:08 a different situation or there's a different risk level, you can pick the deployment method that makes the most sense for them. So utilizing 13:17 situational awareness, you can make sure that all access and usage is risk-appropriate by using a combination of these methods. Let's take a look at 13:24 that. But we did that on purpose, because browsers are not just an app. They're very complex, and they 13:34

really need to be considered as a framework. On the left-hand side, you've got your local browser on the endpoint. All of us have browsers on many of our 13:44 endpoints and many of the devices that we work with. There are times when it's appropriate to use that, but remember, oftentimes that local browser is 13:53 over-configured and over-privileged, especially for things like privileged access and administration. You don't want to rely on that. There's 14:03 too much risk in using that browser by itself. You also have a lot of options for containerizing a browser on the endpoint, and we've seen things like 14:13

Bromium, you've got Microsoft and what they're doing with the Edge browser and embedding Chromium in there. Even the Citrix Workspace app has an 14:21 embedded browser as part of it, and you can consider that as a containerized browser too. Increasingly you've got ways to make the browser much more 14:30 specific even as it runs on the endpoint, and maybe be able to do some things offline. In the middle are a lot of the resources that would be published 14:38 through the data center. So you can deliver any of the types of browsers that you would need on Windows, on Linux, and we'll talk about the special 14:47

HVI thing here in a second, and then way off on the right you've got cloud-hosted browsers. We might think, why would you want to host a browser out in the 14:57 cloud? Well, you may have some non-strategic traffic that you just don't want on your network in the first place. You don't want it going across your 15:06 network, you don't want it on your endpoints, you don't want it hitting any of your logs, but you need to use it. Examples are things like social media, 15:15 where maybe you want to give your employees and contractors access to social media, but you don't want it actually coming within the four walls. You 15:22

want to keep it outside. Might be good for investigations by the security team, where they have to click on one of those bad links or something that's 15:30 suspect: launch it out in the cloud, so it never touches your infrastructure. We've also seen those used in areas where you cannot do content filtering, 15:39 like libraries and prisons and other things within the US, where you need to provide the service but you really don't want that to be on-site. You 15:48 don't want it interacting with the machine or the network. So, very, very interesting. Enough. There's more on the slide than we can get into, talking 15:57

through a lot of the various aspects of whether you're going direct, whether you're going containerized, whether you're going virtualized, or whether you're 16:06 going through a proxy. So when you think about browsers, think about all the different ways that you can deploy them and the benefits for usage and 16:15 administration. And then we get to the fun part that Sean had to make sure is going to flash on the slide, at least. I didn't find the blink tag. So, 16:23 yes, hypervisor introspection. This is really where, when you think about the four pieces of the framework, we're 16:32

concentrating on virtualized browsers here. And the reality is they're isolated. They're not running on the end-user system, which is... that's 16:41 good. That's really good, but they're not necessarily secured. So a browser running within a virtualized container, 16:51 basically Citrix Virtual Apps, I'm probably going to say XenApp, they changed the name again, and I don't think I'm alright 17:00 though. It's running in an isolated session. It can still be compromised. And so 17:09

the question is, and this was a direct parallel to non-persistent VDI: what are you willing to sacrifice during the period of time that it is compromised 17:19 until it's destroyed and re-instantiated? East-west attacks. Obviously, if an attacker has gotten onto 17:29 the low-hanging fruit, they're after something else, or potentially are after something else. So they're going to use that as a foothold in the 17:39 environment to move on to other systems. So even if you can reset that system, the attacker may already be on another box 17:45

also. And this goes back to conversations with kiosk vendors years and years ago: it's compromised once, and then at midnight you reset the 17:55 thing. So that means you're willing to sacrifice being compromised for 11 hours 59 minutes a day. That doesn't really sound ideal to 18:05 me. It's funny you bring that up, because you see some developers these days relying on that old kiosk model, putting the browser for microservices in a 18:14 container and just refreshing it when things mess up. That can cause problems too, right? Oh, absolutely, and we know once an attacker can get in there, 18:23

they'll just keep doing it over and over again. So what is hypervisor introspection? The quick overview of it: we have 18:32 the Citrix Hypervisor down at the bottom. If you guys are into the Xen Project, there's something called virtual machine introspection that has been in 18:42 there. We at Bitdefender put a lot of work with the Xen Project folks into extending that, essentially putting it on steroids, as it's been rolled up 18:50 into the Citrix Hypervisor. The commercial name: Direct Inspect APIs. What does that mean? What that is, is it 18:59

gives our security appliance, and this is an open API, anyone can code against this, any security vendor can, it's only Bitdefender that has done so. 19:09 Our security appliance essentially can access the raw memory of running virtual machines without having to touch those virtual machines. 19:19 So we're running outside, and through the access that the hypervisor gives us, we can see everything that is occurring within the 19:29 memory of running virtual machines. So pretty cool, and there are some implications about it that we'll briefly cover. I could go on all day just about 19:38

that piece, but actually what we're looking at is, if somebody attacks a virtualized browser in any virtualized instance, 19:48 we see that, we get the alert, we know what is happening. We can block that, we can report on it, we can even, if we want, inject 19:57 cleanup tools and get rid of that problem. Now, the cleanup tools, that's really overkill. Again, we're looking at the point of 20:07 exploit; if we're blocking the exploit, the attacker doesn't get that initial foothold on the system. Injecting cleanup tools is a way to say, okay, we 20:16

know something's going on. Let's just be sure, let's basically look at the entire system in a more traditional way. How does this really work? 20:26 How does it actually detect these things? So quite often, because Bitdefender is known mostly as an anti-malware company, please don't say 20:36 antivirus, Bitdefender uses a 20:46 different approach. So 20:49 essentially, first, what's it based on? I mentioned VMI under the hood. It's using Intel extensions, so this is going right down 20:58 to the virtualization instruction sets on the silicon, and it allows third-party appliances to get privileged access to memory. The 21:08

appliance itself is running in a privileged space, essentially. We register rules with the Citrix Hypervisor that allow us to trap certain 21:18 events. So what do I mean by that? And, you know, I'm simplifying this to make it readable, especially here. We're talking about a buffer overflow. 21:28 So somebody forgot to do bounds checking; you stuff way more data into a certain parameter than should be there. That means you can write memory that 21:38 is beyond what should be allowed for that particular parameter. And if you do it right, you can execute something. So essentially 21:48

what you're doing is you're overrunning the buffer in heap to execute your code. Again, most of the time you're probably going to crash the 21:57 process, maybe even crash the box, but attackers have all the time in the world. Eventually, if they get it right, they can take advantage. 22:07 Now, what we're doing with HVI is we're saying, hold on. That particular piece of memory is read/write; why is 22:17 something trying to execute on it? We don't care what the vulnerability is. We certainly don't care what the specific exploit is. We just know someone 22:27

is trying to commit a memory violation to produce unexpected results. In a buffer overflow case, the ultimate goal is to 22:37 run code on a system, remote code execution, and gain control. It is, we don't care what the vulnerability is. 22:46 Anybody in here have folks within your organization that develop web apps, or contractors you hire to develop web apps? 22:56 Would it be kind of cool for them to have those, to be able to take a look at what's going on, debug the application, be able to get the running state, and 23:05

even when it's crashed, be able to reset it instantly and then try the attack again and see exactly what's happening as they're live making 23:14 modifications to the code. From a developer perspective, this is tremendous. How about security teams? Anybody in here from a security team? 23:21 So what if you've got something that is coming in that, you know, is causing major problems, but it's not being highlighted anywhere? You can redirect it 23:29 over to this system and, because of in-memory forensics, be able to see exactly what is being targeted against your organization, be able to see why it's 23:39

unique and be able to develop some mitigations for it. These are a couple things most people don't talk about, but I see as being a very core value. And 23:49 Sean goes to hear you. He just wanted to say, you know, people don't care... if they do care. That's why we want to make sure you saw 23:58 and they can go through and help you look for any in-memory violations. It's 24:04 that this technology can be used for so much more than just security incidents and malware. Absolutely, absolutely. And there is good forensic data 24:14

that gets pushed out. But certainly the point of not having prior knowledge of the exploit or the vulnerability is something that 24:23 our customers enjoy. When WannaCry first started hitting, we weren't that surprised, because as soon as we saw EternalBlue, 24:33 the first thing we did was say, hey guys, it definitely does... a blog post. Three weeks 24:43 later WannaCry hit. I want to watch, right? It could not spread across their networks because they had HVI installed. So 24:53

it's having no a priori knowledge of the exploit or the vulnerability. Just seeing it's a buffer overflow, I'm going to stop it. That 25:02 means, going back to you, it's not antivirus at the hypervisor level. We're looking for attack techniques. Attackers use the same techniques over 25:12 and over again, and this is so much more efficient than looking for known bad or trying to whitelist known good. Those are valid approaches, but we 25:22 all know they have their limitations. Attackers only need to succeed once, whereas defenders need to succeed every single time. So if we can take 25:31

these attack techniques out of their hands: buffer overflow, heap spray, code injection, function detouring. There's a whole bunch more; I'm not going to go 25:40 through an exhaustive list. We're really raising the bar on the cost of attack. If they can't use buffer 25:46 overflows, that's really painful for the attacker. Another piece is this security is actually isolated from what 25:56 is being protected. So because the virtual appliance is running at a higher level of privilege, and obviously we're getting the information from the 26:06

hypervisor, which is at a hardware-enforced higher level of privilege. That means we are isolated from what is being attacked. When you're running within 26:15 a VM, what is the first thing the attacker does? Turns off the security, or otherwise obfuscates itself to hide from 26:25 the attack. We see that all the time, and we're not affected because we don't have a footprint within the VM to 26:34 attack. So this is really bridging the gap between context and isolation. That's another concept I could go on and on about, 26:44

but let's just say the classic security problem is my network IDS/IPS or my web app firewall is painful to configure because it has 26:53 zero contextual awareness of what's going on within the VM, whereas if I'm in the VM I have great contextual awareness, but I have zero isolation. So I'm 27:03 susceptible to attack in the same way everything within that VM is susceptible to attack, and indeed I'm using OS APIs within the VM to 27:12 protect the OS APIs within the VM. So this is a great way of getting complete contextual awareness but still 27:22

being isolated from what is being protected. I would say, as we're getting into the demo, one thing to keep in mind: now, Sean 27:31 didn't show that, but this is any workload that would run on top of the hypervisor, and so you've got tons of different workloads, current applications, 27:41 older applications that can't be patched and updated. You can run a browser server on top of it. And that's one of the main things that we're talking 27:49 about here, is being able to run a browser server and being able to do redirections from email, arbitrary links, from just people who click and open 27:58

up a browser, open up Facebook, click on the link for Salesforce. You can have it go to the service and have it be able to protect at the levels that Sean 28:08 was just talking about and what you're about to see in the demo. So we're focusing on web browsing today, but there's a lot more that you'd want to stop 28:17 by and see later. Absolutely, and I've seen a lot of very worried admins, especially healthcare, finance, places like that, who have to publish 28:25 IE 6. Like, that must really, you know, lead to some 2 a.m. sweats. So let's see what this thing looks like 28:35

in action. This is Bitdefender Browser Isolation, which is a specific solution 28:45 running on top of Virtual Apps. So of course a little thing from Ponemon; they always like to throw big numbers out there. No surprise, we know 28:55 web browsers are a problem. So there's the user view, attacker view. You're going to see some, you know, welcome-to-the-Matrix stuff. The bottom line 29:05 there is when they clicked on the link, they talked to the web server. Now the attacker is running within the context of the Flash Player and they 29:13

have full admin on that box. You can see that they just downloaded secret docs; in that case they're just pulling information off. They're never going to write 29:23 anything to disk. So what is there to look for? The whole problem is, end users are running browsers within their endpoint. So that means that 29:32 entire endpoint is infected. Now again, but with browser isolation running with hypervisor introspection, 29:40 they didn't get a shell, right? The best security is exciting because nothing happens. So again, we're wrapping those virtualized 29:50

browsers within browser isolation, applying unique security, unique capabilities of the Citrix Hypervisor, to protect 30:00 those browsers in ways that are not possible with other approaches. You could have perfect hardware, perfect OS, 30:09 patched and up-to-date, perfect browsers running on there as well. This was a vulnerability in Flash. 30:19 Where most shops, most admins, are saying, hey, okay, you're running on a hypervisor that is not Citrix 30:36 Hypervisor; that's reality, and I've had two admins go, whoa, you're nuts if you think I'm going to move this entire thing onto Citrix Hypervisor. 30:46

And our message is: well, let's first talk about isolating browser execution. You're already doing that. But let's talk about the most vulnerable 30:55 end users. Maybe it's people in HR departments, because they're dealing with a lot of inbound stuff, a lot of PDFs. I don't think people are 31:04 sending any Flash résumés these days; we have, but you never know, web design is a crazy, crazy place. So they are very vulnerable folks, and finance, 31:14 very vulnerable. Mahogany Row, the C-levels, perhaps if it's a large 31:24

manufacturer, there could be intellectual property, things like that. There are users and there are situations, and this goes back to the 31:32 framework, where in certain cases it's appropriate to have those users' browsers, or specific browsers, or browsers that are 31:41 accessing specific resources, do it via this setup, via browser isolation running on top of 31:51 XenApp. Another advantage, which I covered, is you gain context without sacrificing isolation, and 32:00 that don't-sacrifice-isolation works both in the context-versus-isolation security dilemma, which this resolves, but it also works 32:10

in the end-user dilemma. Not every end user needs to access Facebook, but they do need to access a lot of resources out there 32:19 that you don't own, you don't control, you cannot trust. And then they're also accessing your internal resources, which you own and you 32:29 hope to protect, with potentially the same browsers from the same system. So you need to allow that access; don't isolate the end 32:39 users, but isolate and secure where those browsers are running. How do you get started? It's pretty simple. We have a 32:48

management console we call GravityZone. Of course, at Bitdefender we do a whole lot more beyond browser isolation. But within the GravityZone 32:58 management console, add XenServer; that pulls in your hierarchy, your inventory, and the whole structure that's in there. 33:07 Set up an HVI policy; in this case, what applications do you want it to apply 33:18 to, beyond protecting kernel memory? And by the way, if you have other security tools running within these instances, we protect the drivers 33:28

that run the security tools. That's just another checkbox. But obviously in this case you'd be going with protecting browsers. And 33:38 that's really it; it's pretty straightforward. I think the biggest step is planning it out, figuring out which users, which 33:47 URLs, which browsers do you want to be published in this high-security browser isolation environment, and planning that. The actual implementation, 33:57 standing up a couple of XenServer instances and configuring GravityZone and hypervisor introspection against them, is, you know, I'm 34:07

warning... not at all. We've got a joint white paper that we developed that goes through in detail how to do this, what the considerations are, 34:17 how to configure the environment. And on Sean's side, even if you're running VMware, you're running Hyper-V, you're running another hypervisor, 34:26 it's very simple to stand up XenServer for just this type of solution and then be able to utilize it within the other environments. 34:34 From a key takeaways perspective, we want to make sure that you were thinking of some of the areas that would benefit. Know your highly privileged 34:43

users, people who have privilege within IT, within your security organization, know your network administrators and people who manage your certificates, 34:51 hold the SSH keys, but also privileged users that exist in other parts of the org: legal, HR. People who are privileged who are 35:00 outside the organization: maybe you have suppliers coming in and you're really concerned because you don't own the systems they're coming in from. You want 35:10 them to hit a very pristine browser, and you want to make sure that as they're getting access, maybe even through email or another collaboration 35:18

platform, that any link, any file that happens to have embedded URLs, any image that happens to have an embedded URL, is all handled appropriately. 35:25 I've even heard about the reverse case where you own the application, but you don't trust the systems that your end users, external end users, are 35:35 accessing your application through, so you basically provision to them Citrix Receiver and they're accessing via a remote browser that 35:45 you're protecting. So you don't care about the security state of, you know, Grandma's computer that is being used to access your very sensitive 35:55

application. So it can also be on the inbound side. From an arbitrary links perspective, you know, within the workspace you can obviously redirect those 36:05 arbitrary links to URL filtering, IP reputation. You can go through and do content scrubbing, you can watch it in a virtualized 36:14 browser, cloud-hosted browser. You can also have your arbitrary links go over to HVI for further inspection and, as you've heard, even if 36:24 it's something brand new that nobody else in the malware community has seen before, if it causes an in-memory violation, you're going to see it. You're 36:34

going to be able to snapshot it, you're going to be able to stop it, which you probably want to do, remediate it, and you're also going to be able to go 36:41 through and perform some forensics against it. And that's why I said this is also very appropriate for security teams, because in addition to the 36:50 protections you get a lot of visibility you otherwise wouldn't have. It helps you click on those links where, you know, you've got to look at something 36:58 from an investigative perspective and you don't have your Chromebook in front of you or something else that you can trust at a pretty high level and 37:05

would otherwise reset. And to me one of the other core areas is developers. This gives a lot of very rich information, and developers, in 37:12 continuing to develop browser-based apps, mobile apps on a lot of microservices, funnel it through HVI so that you get a much better 37:22 picture of what's happening. Maybe there's something that the OS just kind of stumbled over, it tripped, but you never really saw it, and it went into a 37:31 log somewhere or maybe didn't, and it's something that might be a problem later on, a very, very slow leak, for example. This is going to show it; other 37:39

solutions are not going to give you that level of visibility because it's looking from outside without any agent. So that's why we're pretty excited 37:48 about it. We've got a lot of great customer success stories and are happy to share those. Absolutely. So I guess in closing, before we get to the 37:55 Q&A, and they requested, please use the microphone because the audio is being recorded, so we don't want your question lost. Come by the booth. 38:05 Anyone not know where the Bitdefender booth is? It's a good-sized booth. Okay. I'm glad to see that. I won't escort anyone down to the show floor 38:14

right now, but it is a good-sized booth; stop by. We have a lot of people who are much smarter than I am at the booth who can answer anything in depth. 38:23 You can also explore all the other fun stuff that Bitdefender is doing beyond hypervisor introspection and the browser isolation. So 38:32 with that, I think we either confused everyone or they just appreciate getting done early. 38:42 Brian, man, there are so many tools out there and so many security vendors, and you're bringing another solution in that could add 38:50

complexity, which sometimes could lead to more risk. Where could you reduce that? You know, where does it reduce the complexity? Is it on the network side? 39:00 Is it on a different malware protection side? Where is that reduction in complexity to maybe show more value of this solution? The most 39:07 significant area is that this is an entirely different approach by leveraging the hypervisor, and this is something, and 39:17 I've always been kind of curious about this, because as virtualization is taking over the data center, I expected that there would be a lot of security 39:26

vendors looking at the stack and going, how can we actually take advantage of this, rather than, how do we re-architect anti-malware to not have such a 39:35 huge performance hit, which is what many have done. So really it's a brand new approach, but it is complementary to 39:44 the existing approaches. So we're looking at memory with this within an endpoint. You still want to do file system scanning, for instance, 39:54 but we can protect the drivers within the endpoint that are doing the file system scanning. So I wouldn't look at it as bad as 40:03

adding more complexity. It is certainly another layer of security that is protecting things that are higher in the stack, directly 40:13 complementary though. So I wish I could say, hey, you could rip out all these other security solutions and just use this, but as a security guy, you 40:23 know, if anyone ever says that to you, shake your head and say thank you for meeting with me and let them go. For a reason: maybe you're 40:32 in a PCI environment, you have to have them. But this does give you some additional tools. Where else are you going to get this level of browser protection? Where 40:42

else are you going to get the visibility in memory of events? Where else are you going to be able to redirect arbitrary links that otherwise were tripping up 40:50 others? It could also be a fun tool to go through and test some of your testing tools in your QA and some of the other anti-malware solutions 40:59 out there, to be able to see, what's getting through, what's not getting through? Anyone else? Going once, 41:09 going twice? So does this also support published virtual desktops as well as virtual apps? 41:19

It does, yes. We have a specific solution because the case around browsers is quite simply so compelling and 41:28 people absolutely understand it. And so we have a specific solution for that. The underlying mechanisms are basically the same; 41:38 the broader hypervisor introspection solution, yeah, databases, VDI and so on and so forth, you can apply 41:48 protection there. Right, is it agentless or is there an agent that goes on the 41:57 VM? I love that question. Okay. So it's a really great marketing term that 42:07

VMware came up with. What it really describes is re-architecting anti-malware, so to say: instead of putting a full instance in 42:17 each and every VDI instance or virtualized instance, we're going to pull off as much as we can and run it as a single copy within a virtual appliance 42:26 that really does the scanning, so it has the engines, all the threat intel and all that. There still needs to be a communication point, file system 42:35 drivers and a few other things, but you've taken out all the heavy stuff that needs to be updated a lot. So that gives you tremendous performance 42:41

benefits, but there is still something that needs to be in there. In the case of VMware, it's embedded within VMware Tools. They say agentless because 42:49 from a security vendor perspective you don't necessarily need to install something within the VM. Every 42:59 security vendor does ultimately layer something on top. So it's agentless from the perspective that the security vendor doesn't necessarily have to 43:08 install an agent, but there's still a piece there. Bitdefender happens to, we do integrate with NSX, including NSX-T. We also have a version that is 43:17

agnostic of the underlying hypervisor, in which case that tool set, the file system drivers and the communication point, are Bitdefender software. So 43:26 there's still a small footprint in there. Hypervisor introspection, on the other hand: there's absolutely no software footprint within the 43:35 VM that you're protecting. So anytime there's a memory call within a VM, the supervisor, the operating system, says, hey, I'm going to talk to 43:45 what is actually virtualized hardware, which is the hypervisor, and it says, I'm going to actually do stuff in the hardware. We're down at that layer 43:55

with our inspection, so we can see everything that goes on within the VMs without having to touch them, so completely isolated but still 44:04 in touch with awareness. Thank you for that question, because I love blowing up the agentless marketing term. 44:13 Thanks for attending, enjoy the rest of Synergy and stop by the Bitdefender booth. There's a lot more that 44:21 can be shown. 44:30
