Passages: Secure virtual browser for malware isolation

secure virtual browserOver 90% of undetected attacks come through the web. In this podcast recorded at RSA Conference 2017, Lance Cottrell, Chief Scientist at Ntrepid, talks about Passages, a secure virtual browser that provides complete protection from web-based attacks.

With Passages, users can access any website and follow any link without risk to your infrastructure or data, and you can monitor and manage it all with ease.

secure virtual browser

Here’s a transcript of the podcast for your convenience.

Can you give us a quick overview of exactly what is unique about your secure web browser?

Passages is addressing the issue of malware coming in through the web browser, because the browsers are inherently vulnerable to all kinds of attacks and very difficult to secure. So what we do is we take a Firefox browser and put it inside a virtual machine running on your desktop. And that completely isolates it from your computer. And we also use a VPN to isolate it from your network, so it can’t scan for other vulnerable devices.

It sounds like there could be lots of challenges with the customers that you work with in terms of how the industry is facing different challenges and what those challenges are that your technology addresses. Can you explain a little bit about what those risks are and the challenges they face, as well as who can benefit most from your technology?

The problem with defending against web-based attacks is there’s no time to think about it right now. So the companies that are trying to defend their networks, you put up, say, a firewall or some perimeter defense, that needs to be making a decision on whether some given file or piece of content is legitimate or safe or malware in about a millisecond. And in general, that means signature-based scanning, and that’s really ineffective these days. The bad guys are getting extremely good at working right around that kind of thing. Plus, of course, a lot of times companies are dealing with mobile workforces. So people might not be in the office, they’re at home, they’re at a Starbucks, they’re traveling, and they may be using their own laptop rather than a company issued computer.

So, Passages allows them to deploy this browser as a replacement for their normal browser. And as soon as that’s on the desktop computer, whether a Mac or Windows, everything the user does is protected.

I’ve noticed from a recent report, out of Enterprise Strategy Group, that they cited that 90% of organizations surveyed consider web browsers as critical for day-to-day business operations and employee productivity. And yet, we also know that 90% of all undetected attacks come through the web browser. So it seems like a no-brainer that people should be using these secure web browsers. Are they doing that? And if not, what’s the disconnect?

There’s no question that you can’t avoid using the web. That’s not an optional thing anymore. You have to be able to engage. So much of our business takes place on the web. But you’re right, they’re having a really hard time solving this. So something like a secure browser, some isolation-based approach is going to be the most effective solution for them.

In particular, because so much malware is polymorphic, it’s so difficult to detect, it’s altering itself to avoid detection, you’d like to use a system that actually can protect you against undetected and undetectable malware. And with this Passages solution, because we can destroy the entire virtual machine at the end of every session, whether or not we detect anything, we guarantee that even the undetected attacks get wiped out.

I see also that IDC recently named isolation technology as a fresh approach to security. That seems right down your avenue. And I wanted to see also if you could talk a little bit about what you mean by extending the perimeter.

I think they’re talking about isolation-based security. It’s directly in line with the strategy that we’re pursuing. The applications are the vulnerable aspects. So if you can separate the vulnerable application, in this case, the browser from the desktop, and not allow the bad things happening in the one place to affect the valuable data and information in the other, it guarantees that you’ve got that kind of protection. Effective security and protection, exactly.

It’s interesting to hear about protection, because we talk so much and we’ve seen in the industry so much about detection and prevention, but I think that protection is very important these days. So, can you talk a little bit more about what you mean by extending the enterprise?

Right now, like I was saying, people are not always in the office. They’re using different devices, they’re in different places. And so, the old ideas of protecting at the perimeter or you’ve got firewalls at the edge of some defended network really doesn’t apply anymore. And in fact, very often, the people aren’t accessing the corporate data on a network that is even under the control of the business. And so, that perimeter is failing.

You need to rethink how you then extend some kind of a perimeter out to protect the user, out to the endpoint. And we’re conceptualizing that and saying that the perimeter, instead of being something that’s sort of at the edge of your network, we’re going to actually wrap it around the point of vulnerability. And if the browser is the main point of vulnerability, we’re actually going to build that perimeter wall right around that browser. That gives us a strong point to defend, it’s a very small and defined perimeter unlike the wide perimeters that are going now. So, changing our idea of a perimeter and extending that out to the endpoint to the application is a much more effective way of controlling that attack.

secure virtual browser

We know that security fails often times, because it’s just not simple of intuitive enough to use. Can users tell the difference between Passages browser and another browser out there, like Google Chrome?

Not really. And that is the key. It has to be familiar, it has to work like they’re used to working, and be a seamless experience for them. So with Passages, it looks and feels like a normal browser. It launches like a normal browser. You click a link in your email, and up comes Passages and displays the page in the way you’re used to. You can still print, you can still save files.

Although we are able to scan them at leisure and do a much more effective job at looking for malware before allowing it to the user’s desktop, it is critical that it doesn’t change their workflow, it doesn’t require them to learn new skills. It’s just a seamless replacement from their perspective.

I’m assuming there’s other secure web browsers out there. So how is Passages unique?

Passages has a unique approach to solving this problem. We are doing all of the virtualization on the desktop. We do that for performance reasons. Running the virtual machine right on your desktop means no matter what kind of Internet connection you’ve got, you get the same kind of performance that you’d get using any other conventional browser.

We’re also using a Linux-based virtual machine. And the reason we’re doing that is that is already inherently immune to over 99.9% of the malware that you’ll actually encounter on the web, because all of the malware you run into is actually written for Windows, or occasionally, Mac. Basically, never for Linux as an endpoint desktop. And we’re able to leverage our cloud infrastructure to bring all the best of breed scanning, and oversite, and monitoring technologies so the company can have assurance of both safety and visibility on their users, no matter where they’re using their browser.

How is Passages deployed? And do you offer support or additional services to your customers to help?

Absolutely. Passages is really simple to deploy. It deploys just like any other piece of endpoint software. So, you can install it yourself, it doesn’t require special permissions to be installed on the endpoint. But also, we support all of the enterprise class centralized deployment, SCCM-type solutions so that a system administrator can push this out and manage it to all of their users.

You can manage all of the Passages accounts through either our dashboard, but also you can run it through your own Active Directory or LDAP directory system. So we can just tie into your existing authentication scheme, in your existing user management systems. We also integrate smoothly with the customer’s SIMS systems and their track reporting systems so they can take all of the data either, again, through a dashboard that we provide or they can export it right into their own systems, and monitor it through a central point right there.

Now, to wrap things up, you’ve talked about extending the perimeter earlier. And we’ve talked a lot about enterprises. Whose responsibility is it for the secure web browser? Is it the individual person’s responsibility or employee, or is it the enterprise who has oversight and manages those employees?

I really think that enterprises need to be taking this seriously, and taking the responsibility for protecting their employees. Because the employees are using their own personal devices to do work at home, to read emails, and often those home devices become the gateway to attacking the company.

People will attack the individual user’s personal accounts and personal computers as a stepping stone into the enterprise. And so, it’s really incumbent upon these enterprises to deploy these kinds of tools and provide them to their employees, really, for their own protection.

secure virtual browser

RSA Conference 2017

Don't miss