If the browser is the new client, is Spikes AirGap the new security?

Spikes' approach to security: Isolate the browser by placing it outside of the corporate firewall.
Written by Dan Kusnetzky, Contributor

Branden Spikes, CEO of Spikes Security, and Franklyn Jones, CMO, introduced me to their up-and-coming company and to AirGap, the company's take on a universal approach to security. They reached out to me after reading Bromium - microvisors to enhance Windows security. They thought that Spikes' approach to client-side security was better than what Bromium is offering.

Spikes Security's initial assumptions

Our discussion began with a review of Spikes Security's assumptions and why the company chose their approach to a security solution. Here is a list of their five basic assumptions:

  1. The browser is now the most important enterprise app.
  2. The browser is the primary threat vector for cyber attacks.
  3. Complex attacks are becoming increasingly undetectable.
  4. Defense-in-depth detection architectures are ineffective.
  5. Time to shift security focus from detection to isolation.

Let's consider each of these assumptions separately.

The browser is now the most important enterprise app.

It is Spikes Security's position that more and more of the time, the client software used to access enterprise applications and data is a web browser. Enterprises have decided that since smartphones, tablets, laptops and desktop systems come equipped with a browser, it is far easier to develop a Web-friendly front end to their enterprise applications than trying to build, test and deploy an app for each of the different operating systems supporting those systems, all of the different screen sizes, memory configurations, storage capabilities and processor power they offer. It also means that the enterprise doesn't have to sort out keyboard/mouse input versus on-screen touch input.

The browser is the primary threat vector for cyber attacks.

Spikes Security points out that many of the security breaches have come through people accessing a malicious website that introduced malware into the client system. This included things like keystroke monitoring software that recorded website access credentials allowing attackers to break into enterprise systems and steal credit card numbers, customer names and the like.

Complex attacks are becoming increasingly undetectable.

Spikes Security thinks that it is pretty scary to consider that the industry really doesn't know how many security breaches have actually occurred or what data has been compromised.

Most small- to medium-size enterprises don't have either the staff or the expertise to learn if their systems have been compromised or what data might have been stolen.

Defense-in-depth detection architectures are ineffective.

Spikes Security would assert that most of the traditional security approaches that try to defend systems against these threats have proven to fail. The defenders seem to always be fighting the last war rather than keeping up with the newly-developed threats. Threats, today, come in the form of malicious websites, email messages, video and audio content. It is not at all clear what will be attacked next.

Spikes points out that cyber security is like trying to plug holes in the dike — as soon as one hole is plugged several more show up. Some are so subtle and the leak so small, that it takes a great deal of work just to find them.

Time to shift security focus from detection to isolation.

Spikes believes that its approach is a different take on how to defend against these attacks. Spikes' approach is based upon isolating the browser, placing it on the outside of the corporate firewall, and transforming content to eliminate hidden threats posing as emails, videos or other types of content.

Here's what Spikes has to say about AirGap

Enterprise server software provides isolated content rendering outside the secure network.

This technology allows any common desktop or mobile browser to become malware-immune through our AirGap Transport, a true hardware & network isolated web rendering engine. Then we add comprehensive Isolate™ technologies to further prevent malware execution and associated risks. On any computer or mobile device, this approach protects both endpoints and web services against all sorts of threats, even the ”zero day” unknown and undetected.

Isolate Technology

  • True network & hardware isolation is the core attribute of Isolate™ technology which makes AirGap the most secure application delivery technology possible.
  • All communications between client and server utilize an Isolation Transformer to ensure all data streams are cleansed of potentially malicious payloads.
  • Isolated browser processes execute in a specialized, hardened OS with a nanoscopic attack surface.
  • User sessions execute within type 1 hypervisor VMs to maximize session isolation, and are destroyed after each use.
  • Isolated browser tabs protect each user session from man-in-the-browser attacks.
  • All user data streams are isolated and kept private with 256 bit encryption.
  • Active monitoring for unexpected activity provides accurate detection and isolation from Advanced Persistent Threats.

Snapshot Analysis

After speaking with many of the suppliers of security software, it appears that securing one's systems and data is a never-ending quest. That is because many workloads were never designed with security in mind. The developers' goals were more along the lines of acceptable performance, a rich set of features and time to market.

Furthermore, the goals of the cyber attacks have also changed over time. Rather than just breaking into a company's systems for fun, they've become heavily sponsored attempts to steal financial information or industrial and government secrets.

Spikes Security has developed what appears to be a truly different, innovative approach to Web security. By positioning its AirGap software outside the firewall to isolate potentially malicious traffic and transform content from an active to a display format, it has found a way to block intruders from getting inside corporate networks.

Editorial standards