
Virtual containers help refocus modern endpoint security strategy

As companies struggle to protect constantly expanding attack surfaces, virtual containers could quickly become essential to companies' endpoint security strategy.

Constantly expanding attack surfaces created by technological innovations such as IoT devices and cloud computing, combined with a global shortage of cybersecurity professionals and a disarray of compliance and regulatory standards, have brought cyber risk to an unprecedented level.

To prepare for these constantly evolving threats, companies must refocus on traditional endpoint security strategy. However, they will likely have to rely on nontraditional methods, such as a virtual containment security policy and micro-virtualization solutions that provide continuous protection for IoT, rather than on detection using signature-based antivirus software.

Employing an endpoint security strategy and IoT containment policy using virtualization would isolate cyberthreats from the IoT and other endpoints where trusted resources are located. Virtual containment solutions act as isolation mechanisms when dealing with potentially malicious content from web browsers, email and removable storage. The concept resembles protected memory, a core technology in modern operating systems that uses memory virtualization to isolate one application from another.

Moving cyberthreat targets

Current cyberthreats are moving targets and come from all directions, making it impossible to detect all of them with total accuracy. This leaves some larger organizations experiencing hundreds of attack alerts daily.

Virtual containers help to resolve this problem by protecting any content source that the user defines as potentially insecure, including web browsers, email, FTP and even removable storage. A virtual container allows for granular definitions of containment policies based on network segment, file location or file tag, digital signatures and URL/IP sources. Virtual containers are transparent to both the application and the end user, and at the same time completely seal off threats from the rest of the computer while protecting the entire application environment.


Cyber infection threats are confined to the boundaries of the container and prevented from reaching the endpoint outside it. The cyberthreats are effectively isolated from the endpoints where trusted organizational resources are accessed, making it virtually impossible for threats to harm the endpoint or the rest of the organization.

Email attachments are a commonly exploited attack vector, and attachments from external, untrusted sources would also be protected in virtual containers. Emails arriving from external sources would be identified on the organization's Exchange server, where their attachments would be tagged. Files that are in the virtual container, such as documents and executables, would be saved to the container's file system and would not be accessible from the uncontained environment except when allowed under organizational policy. When the downloaded files are then opened or executed from the container's file system, the resulting application would run safely inside the container.

Removable media, such as CDs and USB drives, are considered external and would not be part of the virtualized environment, so it is access to the media that should be contained rather than the media itself. Doing so would ensure that any malware present on these devices would not be able to affect native endpoint resources. Autorun would be disabled, and media could be made accessible from a contained application, such as a virtualized explorer application, so that access to them is contained except where specified under organizational policy.

Applications running in the virtual container would have only read-only access to native files and registry data. This would be achieved by monitoring application-level I/O requests, allowing read access to native resources but redirecting write actions to the virtual container in a different disk area. Windows applications must have read/write access to files and registry data, but the file system and registry are also where viruses, worms, Trojan horses, spyware and other malware are installed.
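As an added illustration of the read-through, write-redirect behaviour described above (example code written for this page, not from the article or any product; the overlay design, the path names and the sample file content are assumptions):

```python
from pathlib import Path
import tempfile

class ContainerFS:
    """Toy overlay (an assumption, not a vendor's design): reads fall through
    to native resources, writes are diverted into the container's disk area."""

    def __init__(self, native_root: Path, container_root: Path):
        self.native, self.container = native_root, container_root

    def read(self, rel: str) -> bytes:
        # A copy written earlier inside the container shadows the native file.
        contained = self.container / rel
        return (contained if contained.exists() else self.native / rel).read_bytes()

    def write(self, rel: str, data: bytes) -> None:
        # Write requests never touch the native path; they land in the container area.
        contained = self.container / rel
        contained.parent.mkdir(parents=True, exist_ok=True)
        contained.write_bytes(data)

    def release(self, rel: str, policy_allows: bool) -> bool:
        # A contained file reaches the native environment only when organizational
        # policy (decided by the caller) explicitly permits it.
        if not policy_allows:
            return False
        (self.native / rel).write_bytes((self.container / rel).read_bytes())
        return True


def demo() -> dict:
    """A contained 'application' tampers with a constructed native config file."""
    with tempfile.TemporaryDirectory() as tmp:
        native, contained = Path(tmp) / "native", Path(tmp) / "container"
        (native / "config").mkdir(parents=True)
        contained.mkdir()
        native_file = native / "config" / "settings.ini"
        original = b"update_server=intranet\n"  # constructed sample content
        native_file.write_bytes(original)
        fs = ContainerFS(native, contained)
        fs.write("config/settings.ini", b"update_server=untrusted-host\n")
        tampered = fs.read("config/settings.ini")
        return {
            "native_unchanged": native_file.read_bytes() == original,
            "container_sees_write": tampered != original,
            "released_without_policy": fs.release("config/settings.ini", False),
            "released_with_policy": fs.release("config/settings.ini", True),
            "native_after_release": native_file.read_bytes() == tampered,
        }
```

The contained process sees its own modified copy while the native file stays untouched until policy explicitly releases it.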

Prevention over detection

At one time sandboxes -- which are not the same as virtual containers -- were thought to be an alternative to endpoint protection. Sandboxes do not continuously run on endpoints; rather, they generally run on a server and are used to detonate a suspicious file. Sandboxes work by opening files first and, if they do not trigger any alarms after a short time, allowing them to proceed. The sandbox is a technique that operates for only a limited amount of time, and acts by scanning any unknown content and detecting malware. This process is time-limited, and once the content is verified to be safe it is transferred into the trusted network.

The flaw with this technique is that malware has evolved and can disguise itself as benign during the testing period, then morph into a dangerous virus. Polymorphic viruses are known to have this "sandbox evasion" characteristic. As opposed to sandboxes, containers' security architecture is designed to outsmart malware evasion and prevent malware from entering the network by keeping it contained at the periphery.

Imagine the human body relying on detection as the sole means of fighting disease -- the body would eventually be overwhelmed. This is the reason containment policies have evolved: Traditional solutions, such as signature-based antivirus software, HIPS and patch management, are not effective at preventing many types of attacks. Detection is an inherently limited approach as a means of blocking malware, as it is impossible to block threats that you are unable to see or understand. In other words, an ounce of prevention is worth a pound of cure -- even when it comes to endpoint security strategy.

About the author:
Daniel Allen is president of N2 Cyber Security Consultants LLC and N2 Connected Vehicle Technology LLC. He holds a master's degree in cybersecurity and information assurance and is founder of The Center for Internet and Climate Security, where he focuses on the intersection of strategies for cybersecurity and climate change security risks.
