The Power of Isolation

Greta Garbo (1905-1990), who once famously said, “I want to be let alone…” – a role model for endpoints for all time.

Greta Garbo (1905-1990) should be as much of an icon in cybersecurity as she is in Hollywood. Garbo, who was a huge movie star in the 1920s and 30s, retired from the spotlight after 28 films and declared, “I want to be let alone!” She lived the rest of her life in splendid, deliberate isolation. Unlike today’s stars, she hated publicity.

Security architects can learn a lot from Garbo. What she understood, that seems so hard to grasp in today’s over-exposed digital era, is that if you want to be alone, just be alone. Don’t invite unwanted publicity. Garbo never spoke to the entertainment press after 1941. She studiously avoided attention from fans, never once answering a fan letter. Considered one of the most beautiful women in the world, a person who fascinated millions, Garbo lived her life in peace by ignoring everyone she didn’t know. If only endpoints could do the same.

Isolation is a highly effective countermeasure. It’s easy to understand, but difficult to achieve. Isolated endpoints and networks are hard to breach, unlike most infrastructure, which is about as open to outside access as today’s desperate reality TV stars. It’s one of those frustrating dilemmas for security architects. You want access, but access is dangerous. Not everyone has the luxury of Garbo—a private fortune and a 7-room apartment in Manhattan.

How can you be secure through isolation, but still be exposed enough to the outside world to function? That’s the conundrum that companies like Unisys and Ericom are trying to crack. The new generation of Unisys cybersecurity tools is oriented toward isolation. Their approach is to empower the SOC analyst to isolate malicious activity easily.

“Triage can be a really big time waster,” said Jonathan Goldberger, VP of Security Solutions at Unisys. “It eats up SOC analyst cycles while, in a lot of cases, it gives the attacker time to move laterally in the network while everyone tries to figure out what’s going on. This is not a good scenario for security.”

Instead, the new Unisys tools let the SOC analyst push a policy that isolates the problem instantly. This gives the team some breathing room to identify the problem and determine whether further escalation is needed. For example, the tool can restrict an endpoint’s access to the corporate intranet only while the incident is being evaluated. Or, they can cut off access completely.

This is not as easy as it sounds, however. “You don’t want to damage a machine, in forensic terms,” Goldberger explained. “We can set up rules at the SOC to preserve the chain of custody for later analysis.” It’s also challenging to implement this kind of push-button isolation without breaking other assets, like High Availability (HA) clusters. “The trick is to take part of the network layer offline without bringing the whole cluster down,” Goldberger said. Taking single assets offline without shutting off dependent systems is one of the many nuanced problems Unisys has solved in this latest version of its security solutions.
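As an added illustration (this is not Unisys code or a description of its product internals), the following Python model shows what a push-button isolation policy of the kind described above has to get right: an "intranet only" level and a "full" cut-off, carve-outs so the SOC can still collect evidence and so a host's HA heartbeat peers stay reachable, and a hashed record of the action for chain of custody. The address ranges, collector address, host names and peer list are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample layout (assumptions, not from the article): intranet
# ranges, the SOC's evidence collector, and each host's HA heartbeat peers.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SOC_COLLECTOR = ip_network("10.1.1.5/32")
HA_PEERS = {"db-node-1": [ip_network("10.2.0.11/32")]}

@dataclass
class Rule:
    action: str       # "allow" or "deny"
    dst: IPv4Network  # destination prefix the rule matches
    note: str         # why the rule exists, shown to the analyst

def isolation_policy(host, level, ha_peers=HA_PEERS):
    """Ordered first-match allowlist pushed to one endpoint.
    "intranet_only": intranet stays reachable, Internet is cut.
    "full": everything is cut except evidence collection and the host's
    own HA heartbeat peers, so the rest of the cluster keeps running."""
    rules = [Rule("allow", SOC_COLLECTOR, "SOC evidence collection")]
    for peer in ha_peers.get(host, []):
        rules.append(Rule("allow", peer, "HA heartbeat peer"))
    if level == "intranet_only":
        rules += [Rule("allow", net, "corporate intranet") for net in INTRANET]
    elif level != "full":
        raise ValueError(f"unknown isolation level: {level}")
    rules.append(Rule("deny", ip_network("0.0.0.0/0"), "default deny during triage"))
    return rules

def evaluate(rules, dst_ip):
    """First matching rule wins, as a host firewall would evaluate it."""
    addr = ip_address(dst_ip)
    for rule in rules:
        if addr in rule.dst:
            return rule.action, rule.note
    return "deny", "implicit"

def custody_record(host, level, analyst, applied_at, rules):
    """Record of what was applied, by whom and when, plus a SHA-256 digest so
    the isolation action itself becomes part of the evidence chain."""
    body = {"host": host, "level": level, "analyst": analyst, "applied_at": applied_at,
            "rules": [[r.action, str(r.dst), r.note] for r in rules]}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body, digest
```

Note that a host with no registered HA peers gets only the collector carve-out before the default deny, which is the case where an unmodelled dependency would be cut along with the endpoint.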

Ericom Software is more Howard Hughes than Greta Garbo. Like the legendary billionaire who never left his suite at the Sands Hotel in Las Vegas, Ericom advocates complete separation between the endpoint and the outside world. Their approach involves threat isolation. Users can access the Internet, but the access occurs by means of an insulated external layer.

“Industry trends all suggest that the problems we’re having today aren’t going away,” explained David Canellos, CEO of Ericom. “What we see, over and over, is that despite the best efforts of security teams and some pretty impressive security tools, it’s virtually impossible to keep malware off the network. The best practice, therefore, is to deny malware the opportunity to infect the network or any endpoint.”

The Ericom approach involves spinning up a container in the DMZ (usually done on AWS) which acts as a proxy for the end user. This way, an employee sees a website, but he or she is not actually accessing it directly. There is no direct connection between the website and the end user’s endpoint or the network he or she is using. “All the bad stuff on the site stays on the site,” Canellos added.

Like the isolation done by Unisys, though, the Ericom solution has to leap over a number of architectural and usability-related hurdles to work effectively. “End user experience is critical,” said Canellos. “For the end user, it has to be completely seamless. If they perceive a performance drop-off from the proxy, or if they can’t do certain things on the website they’re visiting, they’ll work around the solution.”

Ericom seems to have addressed these issues. The company has 30,000 B2B customers in 45 countries, comprising a user base counted in the millions. The solution to the usability challenge requires an automated scoring of a website’s level of suspiciousness. Sites that are familiar and frequently used get a high score and no warnings. The proxy allows for interaction with the site. The user can enter data in a web form on the isolated site, for example. However, if the site is uncategorized or suspicious, Ericom may render it only in read-only mode or warn the user not to trust the site.