Is Application Isolation the Future of Endpoint Security?

The endpoint is the new frontline in the battle against enterprise cyber-risk. When you consider the increasing volume and complexity of threats and the growth of unmanaged endpoints during the pandemic, that's a challenge. It's perhaps no surprise that the vast majority (91%) of global IT decision-makers interviewed recently by HP now believe that endpoint security has become as important as network security. The question is how to mitigate the risks posed by insecure devices, error-prone users and a cybercrime economy worth trillions.

For some, part of the answer lies with application isolation, a novel approach gaining traction in the industry, which applies zero trust principles and hardware virtualization to help neutralize threats. 

When Personal and Professional Collide

HP Wolf Security's Blurred Lines and Blindspots report paints a concerning picture of user behavior during the pandemic. Most of the employees polled for the study claim they're accessing sensitive company data like customer and operational info more frequently from home than before the crisis. They're also putting it at risk. Three-quarters (76%) claim that working from home (WFH) during COVID-19 has blurred the lines between their personal and professional lives. In practice, this means they're using corporate devices as if they were personal machines and using home computers for work business.

That can lead to risky behavior such as sharing work devices with other household members, visiting streaming sites, doing online shopping, downloading from the web and playing games – all of which could expose the computer to malware and other threats. On the other hand, 69% of office workers surveyed have used their personal laptops or printer for work activities. This is already having an impact: half (51%) of IT leaders HP spoke to have seen evidence of compromised personal devices being used to access corporate data over the past year. Slightly fewer (45%) have seen compromised printers being used to stage attacks.

The Problem with Endpoint Security

This wouldn't be so much of a problem if endpoint security tools worked as intended. According to HP's head of security for personal systems, Ian Pratt, the whole detection-based approach that these solutions take is outdated and ineffective.

"Endpoint compromises are the result of a user click. So are our EDR, next-gen AV and NDR tools protecting the user? Maybe, but they rely on detection: having a model of what is bad and then blocking or alerting," he explains to Infosecurity.

"The trouble is, the bad guys also have access to all these tools. They have their own version of Virus Total. In fact, they view it as part of the QA process to test their malware and ensure it evades detection, in many cases in an entirely automated fashion. We need a new approach – one that doesn't rely on detection and one that gets us out of this never-ending game of Russian roulette."

Pratt argues that an architectural approach to security rooted in zero trust principles is needed to overcome the deficiencies of detection-based endpoint tools.

"There's so much money in these attacks for the criminals that it's only going to get worse. You see tools and techniques that were perhaps the preserve of nation-states a few years ago being used today by criminal gangs. As the level of sophistication goes up we see more attacks moving lower down the stack. So rather than attacking the applications, they're going after the OS or firmware. The need for security designed into the hardware becomes increasingly important."

Why Application Isolation?

Application isolation is an approach increasingly favored by vendors and their customers to mitigate the challenges outlined above. It comes back to core zero trust principles. Alongside least privilege, strong identity and mandatory access controls is the idea of isolation. In zero trust it's usually associated with micro-segmentation of networks to prevent lateral movement. Yet, in the same way, it can be applied to applications and data within an endpoint, using virtualization at the hypervisor layer.

"Application isolation is separating an individual program or application stack from the rest of the operating system and environment"Steve Turner, Forrester analyst

"Application isolation is separating an individual program or application stack from the rest of the operating system and environment. This means that a program or application stack is sitting in an isolated environment where access by users and interactions with other applications or systems is denied by default and needs to be granted by policy," Forrester analyst, Steve Turner, tells Infosecurity.

"This is typically achieved by putting a program in a virtual, sandboxed environment driven by a hardware or software-based virtualization solution. The benefit of application isolation is that if a program or application stack is compromised or causing a performance issue, it's restricted to the virtual environment you've setup for it. It can't interact with the kernel-level operating system you're utilizing or with the other applications you have on a server or endpoint. You can discard the virtual environment and start back from scratch to a known good state."

This is especially useful in a hybrid working environment where IT doesn't always have full visibility or control over corporate and employee-owned devices to patch and manage them.

"App isolation immediately prevents a multitude of different threats because things like lateral movement through credential theft and other opportunities for attackers are eliminated. They simply don't have access to the low-level operating system resources," Turner continues. "Anything that an organization is suspicious of such as a sketchy link or suspicious attachment can be executed in these sandboxes without significant exposure to the rest of the environment."

HP's Pratt explains that his company's app isolation technology spins up a micro-VM whenever a user starts a new task. It exists solely for the life of that task, with access to only the resources needed. This can be done in micro-seconds, with tens of VMs capable of running on machine concurrently without impacting the user experience. In this way, the solution can thwart any kind of endpoint threat, from ransomware and spear-phishing to Trojans, browser exploits, fileless malware and drive-by-downloads. He adds that it also works no matter how the threat ends up on a user's machine – via email, web download, chat or conferencing app or even USB.

Driving Zero Trust Protection

Application isolation isn't just built on zero trust principles such as isolation, least privilege and "default deny." According to Joe Turner, research manager at analyst firm CONTEXT it, can also enhance a zero trust strategy for hybrid workers across the enterprise.

"By adding zero trust controls, an organization can limit what applications each user is permitted to access. Therefore, even if a hacker were to gain access to the network, zero trust would ensure all other applications remain invisible, preventing any lateral movement," he tells Infosecurity

"Application isolation is a good idea for companies looking for a solution that doesn't require replacing their whole infrastructure. It can be used with an existing VPN or next-gen firewall, with the application isolation cloaking network applications so that network security isn't compromised."

"Application isolation is a good idea for companies looking for a solution that doesn't require replacing their whole infrastructure"Joe Turner, research manager at CONTEXT

It's an approach that turns many of the old certainties about cybersecurity on their head. If you don't need to worry about malware executing on the endpoint, then patching of those endpoints, while still important, can be done in a more measured way. That will be a relief to operational teams drowning in the sheer number of bugs produced each week. Over 18,000 CVEs were published in 2020 alone, amounting to around 50 per day. Increasingly they require no user interaction and are easy to exploit, experts have warned.

"By running risky activities in micro-VMs we reduce the attack surface. We no longer have to worry about whether there are vulnerabilities in Word, the web browser or even the OS. Such vulnerabilities may exist and may be exploited, but it just doesn't matter if it's taking place in a micro-VM. No harm will come from the attack," concludes Pratt.

"Micro-virtualization also enables us to isolate the highest value applications and data from the user's regular tasks, making it much harder for attackers to move laterally or elevate their access. It means there's no need to provision users with additional dedicated laptops and all the operational expense and inconvenience that comes from that."

The Top Five Benefits of Application Isolation

  1. Reduces the corporate attack surface via hardware-enforced strong isolation.
  2. Provides more time for IT teams to patch at their leisure, safe in the knowledge that even if vulnerabilities are exploited, they will be contained in the micro-VM.
  3. Reduces the number of alerts for SecOps teams to deal with, as threats will be isolated and rendered harmless rather than escalating into something more serious.
  4. Reduces costs associated with breach fall-out and provisioning of special dedicated laptops for access to sensitive corporate resources.
  5. Provides useful intelligence for threat hunter teams and incident responders, who are able to mitigate risk further and enhance resilience against future attacks.

From the maker of the world's most secure PCs* and Printers**, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security*** provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf

*Based on HP's unique and comprehensive security capabilities at no additional cost among vendors on HP Elite PCs with Windows and 8th Gen and higher Intel® processors or AMD Ryzen™ 4000 processors and higher; HP ProDesk 600 G6 with Intel® 10th Gen and higher processors; and HP ProBook 600 with AMD Ryzen™ 4000 or Intel® 11th Gen processors and higher.

** HP's most advanced embedded security features are available on HP Enterprise and HP Managed devices with HP FutureSmart firmware 4.5 or above. Claim based on HP review of 2021 published features of competitive in-class printers. Only HP offers a combination of security features to automatically detect, stop, and recover from attacks with a self-healing reboot, in alignment with NIST SP 800-193 guidelines for device cyber resiliency. For a list of compatible products, visit: hp.com/go/PrintersThatProtect. For more information, visit: hp.com/go/PrinterSecurityClaims.

***HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details.

Brought to You by

What’s Hot on Infosecurity Magazine?