No network is truly secure unless its endpoints are secure, too. That's what Dell is banking on with the announcement today that its Dell Data Protection (DDP) suite, with new security features, will come baked in to all Dell commercial PCs. Dell claims the security suite will make its PCs the most secure in the world, right out of the box. Last week, I sat down with representatives of Dell and its malware prevention technology partner, Invincea, to learn how.
"End users do silly things": Why endpoint protection matters
The way we work today makes endpoints more difficult to secure than ever.
Endpoints were once less problematic. Employees had a corporate PC and worked from an office on the corporate network, on which access to the Internet was often limited. Nowadays, workforces are far more distributed, mobile, and collaborative. Administrators must "accept the fact that end users behave differently" than before, according to Brett Hansen, executive director of end user computing at Dell. In this new behavior lies the rub.
"End users, by their nature, do silly things. We click on links we shouldn't, open attachments we shouldn't, lose things, leave things where they shouldn't be," Hansen told me. Ultimately, this creates vulnerabilities, which hackers know they can exploit. "The bad guys are increasingly focused on end users for those reasons," he said.
And the bad guys are growing more sophisticated. Targeted attacks, like spear-phishing, are on the rise; within the past three years, the French Finance Ministry, Nasdaq, Lockheed Martin, and the White House Military Office all fell victim to spear-phishing attacks, for example. These targeted attacks are much easier to fall for than the obvious threats of spam email and questionable online ads. Easier to fall for, and, like zero-day attacks, much harder for antivirus software to detect, thanks to their uniqueness and lack of known signatures. And once one person falls for the trick, an entire network could be compromised.
"Antivirus as we know it is nearing its end of life": Virtual containers for malware prevention
Today's threats far outstrip the capabilities of traditional antivirus, which is reactive, unable to stop zero-day attacks, and "nearing its end of life" as a result, according to Anup Ghosh, founder and CEO of award-winning security software vendor Invincea. Invincea's solution, which now powers the DDP Protected Workspace, takes a different approach than most other antivirus solutions.
Instead of relying on signatures or the end user's ability to recognize and avoid malicious links and attachments, DDP Protected Workspace addresses threats with a containment-and-detection philosophy. The software segregates potentially dangerous activity by launching Web browsers, PDF readers, and Office apps—the most highly targeted applications—into a secure virtual container on the endpoint device. Anything opened within that container remains in that container. There, the software uses behavioral analysis to detect malware. Once it identifies malicious activity, it flushes the container and collects the forensics of the attempted attack.
"It won't matter if you click on something bad," Ghosh said.
End users won't even notice DDP Protected Workspace running unless it detects malware and issues an alert. Dell chose Invincea's solution in part for its invisibility. "We wanted to increase security without inhibiting productivity," Hansen said.
DDP Protected Workspace should be of particular interest to small and medium enterprises. Previously, Invincea had sold its software directly to larger organizations, often early adopters within the Global 500, but not to smaller entities, many of which fall below what Ghosh called the "security poverty line." Small- and mid-sized enterprises below the security poverty line typically depend on whatever security they get from the endpoint manufacturer, rather than on high-end security devices or solutions, Ghosh said. The fact that Dell commercial PCs will now come bundled with Invincea-powered protection means that those businesses can receive "world-class security that they otherwise wouldn't have access to," he explained.
Virtual sandboxing of the type DDP Protected Workspace uses does have some weaknesses, such as kernel vulnerabilities, but Ghosh is confident that segregation offers benefits vastly superior to those of most other malware prevention solutions.
Dell Data Protection authentication, encryption, compliance, and management tools
Malware prevention is, of course, only one part of the story. Dell also aims to provide the most rigorous authentication and the strongest encryption of any commercial PC vendor.
DDP offers a robust range of authentication technologies: FIPS-certified TPM and fingerprint and smart card readers, secure hardware credential processing, and pre-boot authentication and single sign-on capabilities. "The most susceptible time a device has is when it's being booted up," Hansen said. To remedy that, he told me that Dell has "done things across our entire boot path to secure and authenticate the device. Nobody can cut into the boot path."
In addition, while DDP does offer full-disk encryption, Dell doesn't stop there. Full-disk encryption is necessary in some heavily regulated fields but too limiting and inefficient for most others, so DDP Encryption also offers file-level encryption. This encryption stays with each file as the file moves. "If you move a file up into the cloud, into Dropbox, for example, it stays encrypted. If you plug in a USB stick and put files on it, those files stay encrypted, and an IT administrator can control the key," Hansen explained. Then, any time a file is compromised, whether through a cloud service breach or the loss of a device, the administrator can revoke the key, leaving the files protected by 256-bit encryption.
The final pieces of the puzzle are compliance and management. DDP offers preset compliance templates to automatically set and update security policies in compliance with relevant regulations. And DDP's centralized, remote management console, DDP Security Tools, allows for automatic deployment and provisioning of its various security services to make management easier for IT administrators.
Is pre-loaded Dell Data Protection a game-changer?
Hansen believes that baking DDP into Dell's commercial PCs will make the machines the most secure in the market. DDP's feature set compares favorably both to those of other OEMs like Apple, Lenovo, and HP and to those of third-party developers like Symantec, he told me.
Dell is the only OEM to offer FIPS 140-2 Level 3 security and the only one to offer Invincea's malware protection pre-loaded on its machines. In addition, the fact that all of DDP's authentication, encryption, and malware prevention capabilities come bundled onto the machines may make the offering especially attractive.
"We can do things other vendors can't, because we're building the device from the very beginning," Hansen said. He added, "Once a device hits the network, it becomes less secure. You wouldn't buy a car and then six months later install an airbag, right? You should have it right out of the box." With DDP set to ship on every Dell commercial endpoint—over 20 million each year—plenty of enterprise users will. And for those who don't plan to acquire new Dell hardware, Dell offers volume licenses of the DDP software. "It will always work better on a Dell, but it will work on any device," Hansen said.
Endpoints can be gateways to your entire enterprise network. Dell hopes that DDP will lock those gateways down better than any other OEM or third-party vendor can.
Jude Chao is Executive Editor of Enterprise Networking Planet.