The Old Way: A Never-Ending Battle
For years, defenders and cybercriminals have been playing a game of cops and robbers, with the criminals usually staying one step ahead: there is always another malware family or evasion technique on the horizon. Much of the security industry now recognizes that it is time to move away from security based purely on discovery and detection.
Changing the Paradigm
BUFFERZONE safe browsing & endpoint isolation keeps access to external, untrusted content such as unknown internet sites or removable media inside a virtual container, along with anything saved or downloaded from it. Contained browsing sessions and applications cannot reach the native endpoint or organizational resources such as an intranet; those are accessed only by uncontained browsing sessions and applications, which in turn cannot access untrusted sites.
The advantage of this approach is clear: when malware strikes, no matter how new it is or what evasion techniques it implements, it cannot reach the native endpoint or organizational resources. And because the container is periodically emptied, malware cannot persist even there.
When users do need to keep downloaded files or use them in trusted environments, you can deploy BUFFERZONE Secure Bridge (see separate data sheet) to submit files for Content Disarm & Reconstruction (CDR) and/or for analysis & detection. With Secure Bridge, downloaded files are disarmed or authorized before being securely extracted from the container. BUFFERZONE can provide integrated CDR / analysis solutions, or you can integrate with a service you have already deployed.
Centralized, Policy-Based Management
For centralized containment policy management and agent deployment, you can integrate BUFFERZONE with existing endpoint management systems (for example, McAfee ePO); or, for complete management capabilities, use the BUFFERZONE Management Server (BZMS – see separate data sheet) to manage BUFFERZONE agents across your organizational network, to gain visibility to relevant organizational endpoints, and to assign organizational policy by endpoint and/or user.
Seamless User Experience
The BUFFERZONE agent manages switching between contained and uncontained browser instances according to accessed sites. Several management paradigms are available (see Zone Management below).
The versatile BUFFERZONE Viewer displays contained files (downloads), supporting a wide range of document and media file types; Office application containment is separately licensed. For uncontained editing or long-term use and distribution, users can intuitively click ‘Save’ to bridge the original file or create a PDF. Additionally, on agent endpoints, users can bridge contained files from File Explorer.
How it Works
The BUFFERZONE agent creates a virtual container on endpoints, isolated from the endpoint operating system’s native resources. The container isolates the following system resources:
Network access isolation (optional) prevents uncontained applications from accessing untrusted destinations such as the internet, and prevents contained applications from accessing trusted IP ranges of organizational network destinations.
BUFFERZONE patented containment technology is transparent to contained applications, providing them with read-only access to native files and registry by means of a kernel driver. The driver transparently monitors application-level I/O requests, allowing read access to native resources but redirecting write actions (and subsequent read actions to the newly written content) to the container, which resides in a separate disk area.
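The following is an added illustration of the write-redirection semantics described above, not BUFFERZONE code: a small in-memory model in which native files are read-only, writes from a contained process land in an overlay, and later reads of a written path come from the overlay. The treatment of deletes (a "whiteout" marker in the container rather than a native change) and all paths and file contents are constructed assumptions for the example.

```python
"""In-memory model of write-redirection containment (added example, not BUFFERZONE code).

The native "disk" is never mutated. A contained process writes into the
container overlay; reads consult the overlay first and fall back to native.
Emptying the container restores the native view. How deletes are represented
(a whiteout set) is an assumption of this model.
"""


class ContainedFileSystem:
    def __init__(self, native):
        self.native = dict(native)   # simulated native disk, read-only from here on
        self.container = {}          # overlay: path -> content written while contained
        self.whiteouts = set()       # assumption: deletes of native paths are recorded here

    def read(self, path):
        """What a contained process sees: container content wins, then native."""
        if path in self.whiteouts:
            raise FileNotFoundError(path)
        if path in self.container:
            return self.container[path]
        if path in self.native:
            return self.native[path]
        raise FileNotFoundError(path)

    def write(self, path, content):
        """A write is redirected into the container; native is untouched."""
        self.whiteouts.discard(path)
        self.container[path] = content

    def delete(self, path):
        """A delete removes the overlay copy and hides the native copy, if any."""
        self.container.pop(path, None)
        if path in self.native:
            self.whiteouts.add(path)

    def native_view(self, path):
        """What an uncontained process sees (the real disk)."""
        return self.native.get(path)

    def empty_container(self):
        """Periodic container purge: every contained change disappears."""
        self.container.clear()
        self.whiteouts.clear()


def simulate_dropper():
    """Constructed scenario: contained malware 'overwrites' a native config file
    and drops a new binary. Returns what each side observes at each stage."""
    cfg = "C:/native/app/config.ini"        # constructed path
    dropped = "C:/native/app/payload.exe"   # constructed path
    fs = ContainedFileSystem({cfg: "update_url=https://updates.example"})

    fs.write(cfg, "update_url=https://attacker.example")   # redirected to container
    fs.write(dropped, b"MZ...")                             # dropped only in container
    seen_by_contained = fs.read(cfg)
    seen_by_native = fs.native_view(cfg)
    dropped_on_native = fs.native_view(dropped)

    fs.empty_container()
    seen_after_purge = fs.read(cfg)
    return {
        "contained_view": seen_by_contained,
        "native_view": seen_by_native,
        "dropped_on_native": dropped_on_native,
        "after_purge": seen_after_purge,
        "container_size_after_purge": len(fs.container),
    }


if __name__ == "__main__":
    for k, v in simulate_dropper().items():
        print(f"{k}: {v!r}")
```

The point the model makes explicit: the contained process believes its write succeeded (it reads back its own change), which is what keeps containment transparent to the application, while the native disk and any uncontained process never observe the change, and the purge discards it entirely.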
BUFFERZONE provides several ways to manage browser containment (IE, Chrome) in your organization (Zone Management):
Site list: Configure a list of trusted URLs; browsing sessions to all other sites are contained. The zone switch is automatic and requires no user intervention. Optionally, also configure Neutral sites, which can be accessed from whichever zone is current.
Proxy control: When a user tries to traverse the organizational perimeter proxy to reach the internet, they are prompted to opt in to browser containment. Browsing sessions are digitally signed by BUFFERZONE, and the proxy allows only contained sessions through.
Network separation: Configure trusted IP ranges; users are prompted to opt in to browser containment in order to access untrusted addresses.
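As an added example (not BUFFERZONE code), the following models the zone decisions described in the Site list and Network separation modes above, together with the network access isolation rule from the How it Works section (uncontained applications may reach only trusted ranges, contained applications only untrusted ones). The matching rules are assumptions chosen for the example: site lists match on the URL hostname with suffix anchoring at a dot boundary, IP ranges are CIDR networks, and the user's answer to the opt-in prompt is passed in as a parameter. The policy values are constructed samples. Proxy control is not modeled because the page does not describe the session-signing scheme.

```python
"""Zone-decision model for site-list, network-separation and network-isolation
policies (added example, not BUFFERZONE code). Matching rules and policy
values are constructed assumptions."""
import ipaddress
from urllib.parse import urlsplit

CONTAINED, UNCONTAINED = "contained", "uncontained"

# Constructed sample policy (assumption, not a real deployment).
POLICY = {
    "trusted_sites": ["intranet.example.local", "hr.example.local"],
    "neutral_sites": ["cdn.example.net"],
    "trusted_ranges": [ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("192.168.0.0/16")],
}


def _host_matches(host, patterns):
    """Exact or dot-anchored suffix match, so 'fakeintranet.example.local'
    does not match 'intranet.example.local' (assumed matching rule)."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in patterns)


def _in_trusted_range(dest_ip, policy):
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in policy["trusted_ranges"])


def site_list_zone(url, current_zone, policy=POLICY):
    """Site-list mode: trusted URLs open uncontained, Neutral sites stay in the
    current zone, everything else is contained. The switch is automatic."""
    host = urlsplit(url).hostname or ""
    if _host_matches(host, policy["trusted_sites"]):
        return UNCONTAINED
    if _host_matches(host, policy["neutral_sites"]):
        return current_zone
    return CONTAINED


def network_separation_zone(dest_ip, policy=POLICY, opt_in=None):
    """Network-separation mode: trusted IP ranges open uncontained; any other
    address requires the user to opt in to containment. opt_in stands in for
    the prompt answer: None means the prompt is still pending, False means the
    user declined and the access is denied (assumed outcome)."""
    if _in_trusted_range(dest_ip, policy):
        return UNCONTAINED
    if opt_in is None:
        return "prompt"
    return CONTAINED if opt_in else "denied"


def network_access_allowed(app_zone, dest_ip, policy=POLICY):
    """Network access isolation: uncontained apps may reach only trusted ranges,
    contained apps may reach only destinations outside the trusted ranges."""
    trusted = _in_trusted_range(dest_ip, policy)
    return trusted if app_zone == UNCONTAINED else not trusted


if __name__ == "__main__":
    for url in ("https://intranet.example.local/wiki", "https://news.example.com/",
                "https://fakeintranet.example.local/", "https://cdn.example.net/lib.js"):
        print(url, "->", site_list_zone(url, current_zone=UNCONTAINED))
    for zone, ip in ((UNCONTAINED, "10.1.2.3"), (UNCONTAINED, "93.184.216.34"),
                     (CONTAINED, "10.1.2.3"), (CONTAINED, "93.184.216.34")):
        print(zone, ip, "allowed" if network_access_allowed(zone, ip) else "blocked")
```

Two details worth checking in any real deployment of a site-list policy are visible in the model: the trusted-site match must be anchored (a lookalike host that merely contains the trusted name must land in the contained zone), and a Neutral site inherits whatever zone the user is already in, so it is reachable from an uncontained session without itself being trusted.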