A Quick Tour of Ceedo
Safe Browsing and Remote Access Protection
When connecting to or from unsafe locations, the end-point / data center is exposed to:
• Data theft
• Machine hijacking
• Ransomware (Cryptolocker)
• Compromised infrastructure
• Privacy (session leftovers)
• etc.
2016 © CEEDO TECHNOLOGIES (2005) LTD.
Conceptually…
If you could somehow create a barrier – an abstraction layer – in the PC stack, you could defend the OS and apps.
[Diagram: the PC stack (Applications, Desktop Environment, Operating System, Hard Disk) shown twice, the second time with an abstraction layer inserted and "Another HDD" behind it]
Abstraction Layer = Virtualization
Ceedo’s virtualization engines – overview
Disk virtualization
• Ceedo has an internal VHD-based virtual disk-mounting system
• Disks are mounted through an internal OS<->disk interface
• Disks can be mounted with no mount point and into RAM
• Create child disks, merge disks, etc.
[Diagram: PC stack – Applications, Desktop Environment, Operating System, Hard Disk – with a VHD beside the hard disk]
Process virtualization
• Process-centric isolation
• Every operation a specified process tries to execute is manipulated and redirected
• Virtualization is inherited by child processes
• For instance, if a virtualized browser opens a PDF reader, the PDF reader will be virtualized too
[Diagram: the same stack, with the virtualized processes' operations diverted to the VHD]
How do we isolate Windows components?
Think of regular firewalls: Internet/network firewalls allow companies to decide, based on rules, which applications can have incoming or outgoing connections to the network.
Now think of PCs: our Kernel Firewall allows companies to decide which applications can have access to the OS and other apps – completely isolating apps depending on rules.
[Diagram: PC stack – Applications, Desktop Environment, Operating System, Hard Disk – with the VHD]
Remote Access Protection and Safe Browsing
connecting to or from unsafe locations
Isolation – from the inside out
• Traditional anti-malware solutions are mostly based on signature recognition and heuristics.
• This means that if the attack vector is new or smart enough – you are exposed.
• Isolation protects the machine by blocking any untrusted software or infected web pages from touching the machine (MITM/MITB).
[Screenshot: an isolated application window]
Isolation – from the outside in
• Traditional remote computing relies mostly on communication-centric measures (tunnels, 2FA, etc.).
• But if the client is compromised, nothing is secure.
• Isolation prevents the compromised machine from accessing any data generated during a remote session.
[Screenshot: an isolated remote-session window]
Ceedo’s extra security and privacy tools
• Nothing is written to the machine and all generated data can be removed entirely at the end of the session.
• To add an extra layer of protection, the “bubble” runs from a hidden location stored inside an encrypted container.
• And to seal the environment we also deal with environment permissions (AC), process enforcement, and more…
What we do – in process isolation context
Run isolated applications (installed to the host or encapsulated)
Protected from the client and protecting the client
Leave zero-footprint and/or keep data encrypted
Remove all session data after shutdown, or store it in encrypted containers
Allowing safe browsing and secure computing to and from insecure locations, keeping privacy and safety
How we do it
Isolate processes by redirecting all R/W functions
For instance: the app writes a document to C:\, we divert it to X:\
Capture all R/W data in a hidden, disposable VHD volume
Optionally load the VHD as a RAM-disk and/or with no mount point
Leverage native NTFS permissions (AC)
Launch processes with “Run-As” using a separate user account
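To make the redirection model concrete, here is an added toy model (not Ceedo’s code, and a user-mode simulation rather than a kernel driver) of the two ideas the deck describes: a virtualized process has its C:\ writes diverted to a disposable VHD volume (assumed mounted at X:\) while reads fall through to the untouched host file, and a child process inherits the parent’s isolation state (browser opens PDF reader). The process names, paths and in-memory “disks” are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import ntpath

HOST_DRIVE = "C:\\"
VHD_DRIVE = "X:\\"      # assumed mount point of the hidden, disposable VHD


def norm_path(path: str) -> str:
    """Normalise a Windows path (separators, '..', case) so lookups match."""
    return ntpath.normpath(path).lower()


def redirect_path(path: str) -> str:
    """Map an operation aimed at C:\\... onto the same relative path under X:\\."""
    norm = norm_path(path)
    if norm.startswith(HOST_DRIVE.lower()):
        return VHD_DRIVE.lower() + norm[len(HOST_DRIVE):]
    return norm          # other drives are left untouched in this toy model


@dataclass
class Process:
    pid: int
    name: str
    virtualized: bool
    parent: Optional["Process"] = None

    def spawn(self, pid: int, name: str) -> "Process":
        # A child inherits the parent's isolation state (browser -> PDF reader).
        return Process(pid, name, self.virtualized, self)


class IsolationLayer:
    """Stand-in for the kernel 'firewall' that intercepts R/W operations."""
    def __init__(self) -> None:
        self.host: Dict[str, bytes] = {}   # constructed stand-in for the real disk
        self.vhd: Dict[str, bytes] = {}    # constructed stand-in for the VHD volume

    def write(self, proc: Process, path: str, data: bytes) -> str:
        target = redirect_path(path) if proc.virtualized else norm_path(path)
        (self.vhd if proc.virtualized else self.host)[target] = data
        return target

    def read(self, proc: Process, path: str) -> Optional[bytes]:
        # A virtualized process sees its own (redirected) writes first, then the
        # untouched host file; a host process never sees the sandbox's data.
        if proc.virtualized and redirect_path(path) in self.vhd:
            return self.vhd[redirect_path(path)]
        return self.host.get(norm_path(path))

    def end_session(self) -> int:
        # Discard the disposable VHD; returns how many captured files were wiped.
        wiped = len(self.vhd)
        self.vhd.clear()
        return wiped
```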
Components in process isolation context
VHD-based isolated environment (optional: with encapsulated applications)
Application launcher (host/encapsulated)
Kernel “firewall” – intercepts and diverts R/W operations from virtualized processes
Virtual user with separate elevation and NTFS security configurations
Components in process isolation context
• VHDs and data can be stored inside encrypted containers locked to a specific machine.
• The environment can force processes to terminate based on MD5 and certificate thumbprint (black/whitelist).
• All components undergo an integrity check to protect against tampering.
• Remote wipe/deactivation.
Thank You
www.ceedo.com