Louis Maresca: In today's connected world, there's constant talk about how secure browsers are on the Internet, and some say locking your system down or even hardening your system is just not enough. Well, we have Danny Miller, Director of Product Marketing for Ericom Software, with us today to talk a little bit about some of the options for the enterprise. Welcome Danny, welcome to TWiET. Can you tell the folks at home a little bit about Ericom Software?
Daniel Miller: Great, thanks for having me. Ok, Ericom Software, let me introduce the company. We are a software house, we've been in the business for more than 20 years. The company grew from doing secure remote access, virtualization and other types of remote security solutions, and entering into the cyberspace, the cyber world. We're now about to launch a very exciting secure browsing solution, based on isolation technologies, and this is what I'd like to talk about today.
LM: Great. So why don’t you tell a little bit about the solution — what Ericom Shield is, what problem is it trying to solve and how does it solve it?
DM: Right. So when we're looking at the reality in the corporate world, we see that there are many attack vectors that are impacting the organization. Attack vector meaning that we can see that exploits are coming into the organization through different areas. When you're looking at browsing, it turns out that the browser is probably the weakest link in terms of the corporate environment. And there are various research pieces that show that indeed browsers are the most prevalent attack vector, more than any other — I would say browsers, and probably emails.
Here you can see that we have a new guy, called Joe CISO, who's going to try to deal with that problem. Because when we come and look at what organizations are doing, they're really investing a lot of money and effort in building a pile of products that are doing detection and prevention. And, as we all know — and you guys already touched upon it — detection and prevention is great, as long as you keep things up-to-date. But the patching is kind of impossible, right?
So when you think about ransomware and phishing attacks and all kinds of social engineering possibilities, you realize that doing the patching is one thing, but really the whole concept of doing detection and prevention using signature-type solutions is just not good enough. And even when you start looking at solutions that are, for example, next generation antiviruses and secure web gateway, and email filtering, and all those great products — even when you have all those together in a defense-in-depth strategy — still, it's not enough.
So what we're bringing to the table is a new concept, I would say it's a kind of a paradigm shift, saying: look, we believe that we are unable to really differentiate between good and bad. It's just impossible to say what kind of content that is coming through browsing, which websites, can actually bring some exploits and can be malicious. So instead of doing the process of saying, this is good or this is bad, and making some mistakes that cost the organization a lot of money and a lot of effort, we actually say, we don't even know what's good or what's bad and, as a result, we’re just going to isolate everything. And by isolating, it means that we're going to enable normal browsing, a native browsing experience; however, this browsing is going to be done through a virtual browser that resides outside the corporate environment, in the DMZ.
LM: Yes. So I have a couple questions. You were talking a little bit about how it's done in kind of a DMZ zone. How is this different than a VDI type thing, where you don't actually run any applications on your machine — like for instance, virtualizing a browser, in this case? How does this differ from that?
DM: Right. So let’s look at several types of solutions that do secure browsing. Obviously, we have solutions that try to do some hardening, and we know of some governments and even some banks who are doing a total separation between the networks — but we all know that's just too expensive and it's not realistic to keep it ongoing. So there are some other types of solutions that are based on putting a virtual browser somewhere; for example, using Microsoft RDS technology, using Terminal Services, or even solutions that are doing local isolation on the endpoint. However, the way we see the world is, we believe that everything should happen away from the user and away from the Local Area Network. So when you actually have that virtual browser — it's not just a virtual browser, it's actually a container, because we're talking about isolation so it is a container — in this container we run a Linux operating system, and a virtual browser that's doing all the browsing. By using Linux you actually get a lot of additional security by design. And there are of course other types of security measures and hardening that we do within the system, so it is not exactly the same.
LM: So you say you kind of server render and acquire all the third party resources that a page might have, and you do that in a container. How does this potentially… does it ever compromise any other data that's on the actual page itself? Does it strip everything from the site? Can the user view the content and the site after it's done in the machine? How does it set that up?
DM: So actually, the great thing about the solution is that the user doesn't even know they're browsing through a virtual browser. The way the solution is set up is that it goes through the proxy. So we actually hook up into the existing proxy using an ICAP protocol, and what we do is we kind of inherit the policies that are existing in the organization.
Now all this is not worth the effort if the user is going to say, I have a crummy user experience. But the reality is that the user doesn't even know that a second ago, or in a certain tab, they're actually watching a certain website that’s been whitelisted and they go there directly, and in another tab they’re actually going through a virtual browser.
Actually, what’s interesting to note is that for every tab that the user opens, we actually generate a dedicated virtual browser, so the security is really inherent in the session. Once the session is over or it times out, this container is going to be discarded — it's actually going to explode, disappear — and any potential malware that may have been there is now gone.
LM: You know, it's interesting; you can tell when a topic is really great because the chat room is just blowing up with questions. I think one of the questions they have is, you talk a little bit about virtualizing browsers containing the particular tab that you're on, but they have a lot of questions about… It seems like almost like a man-in-the-middle type thing, where you're taking data from the site, which could be a secured site with secure data on it, and then you’re containerizing it, you're doing some stuff to it, and then you're streaming it down to the user, after it's been kind of scanned and any threats removed. What kind of… Is there any compliance, like HIPAA compliance, here? How are you securing that data so it doesn't leak to some of these other processes, that kind of thing?
DM: Okay, so let me first clarify what we're doing with the data; we are not manipulating the page… I mean, there are some other players in the market who are actually stripping down the page and recreating the page — or flattening the page. So they're trying to imitate the situation so the page looks normal. We don't do that; we’re actually doing real-time rendering of the page. And it goes directly from the container, or the pool of containers, and streams into the endpoint. So there's actually nothing in the middle, because you can totally control the flow of the network. I understand the question — that you're thinking maybe there is a man in the middle here — but actually there's nothing, because you're going directly from your virtualized container, your virtual browser, and streaming it specifically to the user. So we create that handshake with the user.
LM: So you're not actually… you're saying that you’re not actually storing any state; you're just real-time rendering it and streaming it to the user so that whatever this page is supposed to look like and operate like, they see that. Can they still interact with the page, as if it was solely rendered on their machine?
DM: The page looks and behaves like a normal page; they wouldn't know the difference. So everything works, all the clicks, all the hovering, scrolling — everything behaves normally. If you want to click on a video and watch a video, you watch the video and there's also audio. You can do copy/paste, you can print; everything is normal. The challenge here is to go and create an environment and a situation where the user doesn't really feel the difference. Now, something may be very complex and then people don't expect… but browsing is something very common, everyone is browsing, so everyone knows what the browsing experience is. And unless it's going to be done perfectly, the solution is just not going to be good enough. So the whole effort here is to make sure that you create a situation that the user would not notice.
Now one thing that I'd like to mention, which I think is very important, is around the deployment. I don’t know if this is one of the questions coming, but I think it's very important to highlight. One of the great benefits of having some sort of solution is, ok, I can deploy it across the wide enterprise, but now you're going to ask so what am I going to deploy on the endpoint and how do I deal with BYOD? Because corporations today are just full of different devices. And the beauty here is that we are using HTML5. Actually, the company was one of the first ones to develop a clientless solution based on HTML5 already in 2011, so we’ve got tens of thousands of devices already using our technology. So we're actually taking advantage of our heritage, and this is a 100 percent clientless solution. That means that whether you're using Chrome on iPad, or you’re using Internet Explorer on your PC — it doesn't really matter. If it's an HTML5-type browser, then we know what to do with it. So if you think about what the IT administrator needs to do, all they really need to do is, they need to route the traffic through the proxy and make sure that if the website, the URL that the user is trying to access, is not defined as an approved or a blocked website, they need to make sure it goes through Ericom Shield, and open up the virtual browser — but from the end-user perspective, it's a totally transparent experience.
LM: So you kind of go back to — you said something that was a little bit interesting to me, and the chat room is actually asking about: how does it handle latency? For instance, how does it set up if a video is coming in, or a large image, or that kind of thing? How is that kind of latency handled, if you have to be able to have this kind of proxying mechanism in between?
DM: So as I mentioned, latency is part of the game — but we limit it to the bare minimum, and with images you have really no latency that you can observe using the naked eye. And then videos — really, we've done a lot of work on making sure that the video is accelerated. Now, if you happen to be in Europe and you're using a proxy which is in the US, and you now go into a site somewhere, I don't know, then you may notice some latency. But at the end of the day, if you have decent connectivity, we will deal with the latency to a bare minimum. As I said, it's all about user experience. If we can't have a good user experience then people are just not going to use it — so we deal with it.
LM: Another question, kind of similar to that is: what if you’re a user and you're downloading some content, downloading documents or images or something like that? Where you're actually downloading content, you're not rendering it in the page. How does this kind of solution handle that as well?
DM: Great question, because again, this is part of the user experience. And we know that for a complete experience, people sometimes need to download stuff from the Internet. Now I can tell you that I’ve been to a couple of financial organizations recently and they said, we don't care, we don't let people download stuff, but let's put that aside because I think this is part of the package.
So first of all, what we see in the field is that there are a lot of customers who actually have sanitization systems, kind of a whitening type of server with third-party software. We're able to do file sanitization and enable download of files, and we are able to connect to these using a standard API. However, for those organizations who do not have that kind of a solution in place, we actually, as part of our solution, have a third party solution embedded in our product, in Ericom Shield, and we enable the downloading of files.
How it's being done — let's remember that for every browsing session, you have a dedicated container, so if you're browsing using that session now, we're actually downloading the file into that disposable container. So we run those whitening sanitization packages, which are actually a combination of two different types of products: one is multi-scanning technology, using a lot of antivirus engines, and the other one is CDR (Content Disarm and Reconstruction), which actually takes apart the file, flattens it, gets rid of any potential malware and brings it back to a usable format, using the original template provided by the manufacturer — say Microsoft Word or Microsoft PowerPoint.
So these third-party engines are actually able to dissect and rebuild files so they're completely usable, and on top of this we do the multi-scanning. And only after the process is done and the file is safe to use, only then will it be downloaded to the endpoint.
So this entire process is actually happening in a safe zone, in isolation, where the user is not being impacted. And if there's any potential malware in this file that’s been detected, then the user will just get a message saying: hey, this file is malicious or there is a threat, and you won't be able to get this file today — which I believe is an okay answer for this user.
LM: So it sounds like you have… almost a curated workflow in this isolation — especially when you're downloading files, especially a specific type. Is it customizable by an implementer, where they say, hey, I have a particular file type that your server might not know how to deconstruct and reconstruct? Can I add additional third party software to be able to do that; is it extensible?
DM: So as I said, we're using, I would say, best practices in the industry. This is a type of solution we've embedded in our product, and we can share the list of files which is, I would say, a very extensive list. I think you would find most of what you expect — all of the Microsoft Suite and Adobe and all that — and if there is any particular file that is needed, we can always go back to those vendors and check. And as I said, if you already have in place or want to acquire on your own, a third party whitening type of sanitization solution and have it in-house, we can just simply connect using an API; just connect and have your process. Some organizations actually have cloud folders that they are using to test those files and clean them up, so again we can connect to any of these processes and enable it, no problem.
LM: You talked a little bit about how the site itself gets rendered and it's kind of in isolation in some container; it's on the server, it's virtualized. And you said you did a little antivirus scanning, you do some other things… Is there any other type of analysis you do of the site? Like for instance, maybe some phishing analysis, where for instance, a user might be routed to a third-party login that looks like a real login, but it's not? Does this service provide a way to tell the user they're in a bad space, in a bad spot — or is it more around the content within the site?
DM: Actually, I think it's almost a philosophical question, and I said it before and I'd like to make this point clear. When I talk about right and wrong — I think this is probably the main difference between the current products in the market and the isolation approach — we just don't attempt to say, hey this may be a phishing site, or not. We just say, you just received an email that looks legitimate and you just clicked on this email. Based on your organizational policy, if this email and this URL have not been either whitelisted or blacklisted, it will by default open using a virtual browser. So if this has been a phishing attempt, it's still… it's only going to work within the virtual container, and it's not going to get anywhere.
So the concept is, you can't really say, this is a good site or this is a potential phishing attempt. And we all know that the human factor, at the end of the day — and it doesn't matter how much education you do in the organization and how high the person is, in terms of the “food chain” in the organization — people sometimes click on the wrong link. And it happens — it happens to everyone. And the concept of the Ericom Shield isolation is that we don't care, we’re just going to open it in a remote virtual browser, making sure that nothing gets to your endpoint. And I think this is the beauty of the solution, this is why it's protecting the enterprise from that user through doing the extra click.
LM: So, I think it was Gartner who called out several kinds of what they call “Lean Forward programs” that organizations should be focusing on, to make sure that they're isolating risky applications and ensure that they're taken away from the core endpoint resources. They call out several pillars of containment, or solutions for that — like for instance, application containment, remote application isolation, virtualization, and other VDI technologies. Where do you feel like the Ericom solution fits in — across a couple of those, or just one of those?
DM: So actually, just a note on Gartner… I happened to attend the Gartner Security Summit in Washington a couple of weeks back and they actually mentioned isolation as one of the… They had a session about what are the hot topics in security, and browser isolation was number two among those topics. So definitely Gartner is looking at isolation as something that's going to grow and going to impact how security is consumed in the enterprise. Now when you look at the Ericom Shield solution, specifically, to your question — again, we can handle applications, they need to be like a cloud application, web application — we are really focusing on the browser as the main attack vector that threats are coming from. I want to allude to something else regarding isolation. Before we embarked on this very exciting project, we actually ran a little survey. We sent a survey to a list of senior security executives in North America and Europe, and we were amazed to get a response from dozens and dozens — close to a hundred people — ranked very high in Fortune 500 companies. And all of them said, you know, we understand that — we believe that this is a solution, this is an approach that is really needed. And not only that, we understand the fact that browsing is not a luxury anymore. We can't really say to employees, stop browsing — because they need to, as you just mentioned, access those business applications, being Salesforce or others, in order to do their job. They need to do research on financial topics, and they need to do competitive analysis. So these kinds of things are being solidified with the concept that isolation can provide that safe avenue for corporate employees to use the browser to do their work, and still keep the organization safe.
LM: So we're still getting a ton of questions coming in. One of them actually is around customization. So you talked a little bit before about how some organizations might have set up a whitelist. So they have essentially set up, I guess you can call them policies, where they handle what can come in and what can come out. How does the Shield system — you said it kind of takes on their existing lists and settings — but how does it kind of regulate…? Let's say I didn't want to actually run this particular site through this particular system, or maybe I didn't want some sensitive data to run through there, or I know it's from a trusted source. Can I regulate that? Is it role-centric, user-centric, policy based? How do you kind of customize the system?
DM: So obviously we want to keep things as simple as possible, but things are not always as simple as you want them to be. So first of all, there is usually more than one component in the network. I mean, you might actually go through a firewall and then you may have a secure web gateway and maybe a secure email gateway. So we need to be able to work along the lines with all those components and create that defense-in-depth, and we also have a web admin that helps you not only take the existing policies but also make some changes. As you said — maybe a particular site is actually whitelisted but I want to make sure that people access it a certain way, or I want to limit it to a certain group, or I want to limit it per role. So you can create those specific customizations, you can really go the full width of the solution. You can either just take your existing policy and run with it, or you can go and customize very specific things — from a specific website, to a group of websites, and everything in between. And it's much needed because obviously, this is part of what organizations need. It's not a cookie cutter solution. Even though they may have collected that blacklist for years, still they might want to make some tweaks — and we enable this, of course.
LM: So what kind of audience are you targeting — solely just the enterprise and large organizations? Can consumers use this — or maybe EDUs for educational purposes, can they use it? What's the target here?
DM: Actually, the target is very broad. Something I failed to mention is that we have actually developed this product based on our first generation Secure Browsing solution, which is based on RDS and Microsoft technology, and we actually have dozens of customers already using it, ranging from financial to government to education.
Now that we are coming out with our second generation, which is Ericom Shield, we approach different kinds of verticals. I mean, the financial obviously, and healthcare, but also education. We've just attended Campus Tech in Chicago and there is a lot of interest in this, because universities have a lot of people roaming around with devices and sometimes they just want to make sure that people adhere to a certain policy — and we can help them do that. So I can tell you that we're speaking to large organizations that have tens of thousands of users, who are really looking at this as a life saver, and we’ve also been speaking to some small organizations who don't even have a proxy, and they’re counting on us to actually bring the proxy with it, so we can help them dissect the organization for little groups, and make sure that we help them put policies in place.
What's nice about the solution is the range; it really is a very elastic, a very dynamic type of solution. You can use as many servers as you want in order to increase your virtual browsing power. So as I said, you get a virtual browser per tab, so the more the merrier — you put more servers and we will dynamically manage this to perfection, to make sure that whenever a user needs it, whether it's a 10,000 user organization or 500, there will always be a browser ready for them to use.
LM: So another question I had is — and I tend to ask this to all service providers and so on — can you kind of walk us through the onboarding process? If I'm a small business and I want to get going, I want to be able to set up this proxy. How easy is it to get going; what do I have to do to get started?
DM: So we talk and we understand your requirements, the type and the number of users, and the type of setup. I mean, some organizations would like to have things deployed on premise, when this is mandatory; some organizations say no, we actually prefer to use the cloud; and some organizations are actually going to say, well we want this on premise, but we have a couple of remote offices where we prefer that they would be connected through the cloud. So we can actually deploy in all kinds — either on premise, cloud, or in a hybrid setup. And then we evaluate your network components and together we define the best place to install Shield — usually this is the last component before the user actually accesses the outside world.
The deployment itself, the actual deployment, is not sophisticated. It's just an easy installation, and then we sit together and we work on configuration. As you asked before, it can either go vanilla and just inherit all your existing policies, or you may have more specific requirements. We need to spend some time together — or you can do it on your own, it's fairly straightforward — but it still requires some configuration to make sure that both the components see each other. And then the website that you wanted to have special treatment — when I say “special treatment” I mean, for example, certain websites where you say I don't want to allow copy-paste, or I don't want to allow clipboard, or I don't want to allow streaming from this site. So this is the type of thing that you can go and define per site, or per group — as discussed. And again, as I mentioned, this is a clientless solution, so you don't need to install anything, you don't need to deploy anything, to the actual endpoints. It's all about routing the traffic to where the virtual browser resides, which is usually in the DMZ.
LM: I just got another interesting question: what's the cost structure? Is there a baseline cost, like per seat or per user, or is it more of a customized solution based off of your needs, and you kind of base it off of how many users, that kind of thing?
DM: So, it’s pretty straightforward; this is a subscription-based solution, per user on an annual subscription. If you try to look at what's happening in the marketplace, again this is not replacing AV, but I think organizations are kind of used to paying that annual subscription, and this is the model that we chose. We think it just simplifies the whole process; no need for customization, as I said, it's pretty straightforward in terms of that.
LM: Here's another new question. If you have a whole bunch of users in your system, like maybe ten users, but you want to restrict this service to only a couple of them, maybe you don't have a license for them or whatnot … Is there a way to authenticate the users, so that you can restrict particular users using it versus not using it?
DM: Right now we're looking at identifying the users, and specifically to be able to manipulate per user; so this is on the roadmap and will be coming soon. But right now as is, we don't look at the specific ID, we just make sure that if the user is browsing through the network and all the credentials have been passed then, based on the proxy policy, we would enable that virtual browser when needed, so it's not a particular restriction.
LM: Got it. So Cheebert, you have something to ask as well, right?
Brian Chee: Yeah, it basically goes around, you know, when we get access to it, are we authenticating against an existing Active Directory or internal database? I guess the other question is, on the licenses, is it per potential user or is it per simultaneous user?
DM: So first of all in terms of authentication, no need to further authenticate. Again, if you are able to normally access the internet through whatever credentials you have, then you will be able to browse the Internet — we would only interfere if you're going into a site that hasn't been defined and therefore it will be browsing through Shield. Okay, so that's one thing.
The other thing is that the licensing is per user, so if you have five hundred people in the organization, you need licenses for all of them. And we will take care of the browsing volume. As I said, in any given moment there is a pool of browsers waiting for you, so you don't need to be wary that a user will want to go and browse and there's not going to be a browser. So we're not counting how many concurrent browsers you are using because, let's be honest, if we all just look at our computer right now, most likely you have at least 10 different tabs open. And 10 different tabs means 10 different virtual browsers. So, there's no real way of saying what is a normal or a standard user. As a result, the subscription is per user and, regardless of how many browsers, how many tabs, you open, we will make sure it is handled.
LM: So I guess one question for me is, you kind of talked about this a little bit before but I definitely have to ask… There are some competitors in this space; for instance, you have Menlo Security, Spikes, Cigloo. But specifically we've heard just recently about the acquisition of Fireglass by Symantec and they claim what they call true isolation, where essentially they're — I think you said before, they're stripping source code and they're visually streaming data to you. They're also streaming your documents, so they're not actually downloading directly your documents. How does this — Can you go a little bit more specific, how Ericom Shield is a little bit differentiated from this, compared to something like Fireglass?
DM: So first of all, I think the acquisition of Fireglass is a very important message that the market is giving to the cyber community, saying isolation is the way to go. So we look at this very favorably and we congratulate the people at Fireglass for a job well done, and we think this is the way to go. Maybe just to correct you; as far as I know, they are not stripping down the website, they are doing something very similar to what we do in terms of opening this in a virtual container and streaming the information; it's not stripping down the page. This is actually, to the best of my knowledge, something that Menlo… Menlo Security is doing some manipulation to the page and reconstructing the page. Again, I don't want to misrepresent any of them; they are our competition, and I want to make sure I cite them correctly, this is just to the best of my knowledge.
So in terms of technology, what Fireglass is doing is actually very similar to what Ericom is doing. I think the differentiation really is that, as a company, our heritage is in virtualization, secure remote access, and HTML5, so we’re actually bringing forward all this experience and technology into our solution. So we feel that we're not so much bringing a new solution to the market, but rather a next generation of an existing solution, and we are very confident in our ability to deliver a very solid user experience using isolation.
LM: Fantastic. So I did have one other quick question from the chat room talking about, how does this handle, for instance, if you have multiple devices? So obviously people bring their own device to work, how does this differ — I know you talked a little bit about how it streams — does it differ, the technology, between the devices that you have; is it the same technology? How does it differ for different devices?
DM: So as we all know, BYOD is here to stay. At the end of the day, the focus is HTML5. If you are using a device which is HTML5 supported, using a browser which is HTML5 supported, we can handle the user experience in the same fashion. As I said, it can be a Mac, it can be an Android device or it can be a PC — it doesn't matter. As long as you're using a browser which is HTML5-compatible, we will do the same trick over and over again. But you need to go through the corporate network, otherwise we can’t route the traffic to the virtual browser. So that's, I would say, the most important thing.
If you are sitting in an internet café, what's called the Starbucks scenario — sorry for doing their publicity here — if you're sitting somewhere and just connecting to any Wi-Fi, unless you're connecting to the corporate environment, we would not know how to route that traffic. If the organization has a device management policy and these devices, regardless of where they are, are always passing through the network infrastructure of the organization, then everything applies; we will do the routing based on the existing policy, and if this site is a site that is not known, it will be opened by default using a virtual browser, and it's going to be safe browsing.
LM: Fantastic. Well unfortunately we've run out of time. This is a really interesting discussion; it's cool to see the advanced technology in this area. I do want to thank our guests for today for dropping some knowledge on TWiET. Mr. Danny Miller, the Director of Product Marketing for Ericom Software, thank you so much for coming to the show. Really cool, interesting stuff. Can you tell the audience at home where they can find you, where they can find Ericom Software, where they can find your solutions, where they can get started?
DM: Sure. First of all, thanks for having me. You can find us on Ericom.com or EricomShield.com. We have our headquarters in New Jersey; we have an office in England, although I'm not sure it's relevant for this particular audience. We have an R&D center in Israel, and some other development and support offices, and a large network of security partners around the world. We'll be happy to hear from you; drop us a note and we'd love to talk to you and hear your security needs and help you join the isolation revolution.
LM: Well thank you so much, Danny. That was Danny Miller from Ericom Software; thank you so much for joining us and dropping some knowledge on TWiET.