SaaS (virtual browsers) VS HIPS

hi

The last RSA conference has pointed out the emerging of a real evoltion: browser protection security as a service (SaaS or Security as a Service):
http://www.net-security.org/secworld.php?id=10489

I mention them by their date release on the market (but i might be wrong):

-Virtual browser, from CommonIT (corporate environment):
http://commonit.com/en/technology/overview

-(Dell) Kace Secure browser:
http://www.kace.com/products/freetools/secure-browser/

-Invincea Browser protection:
http://www.invincea.com/solution/invincea_browser_protection/

-Quaresso MyProtect:
http://quaresso.com/products/myprotect/myprotect-overview

This kind of in the cloud protection are opposed to virtualization/sandboxing based HIPS (DefenseWall, GesWall, Sandboxie) as they're not host based security: this is a "there (web) for here (host) protection.

I have no doubt that they have a real efficiency against some Man in the browser malwares OR 0Day PDF malwares.
But theses SaaS have various issues like privacy implications for instance (and others that i've not time to discuss).
If we consider that Security is a Process, then more we have control on this process, and more reliable is this security.
That's why my preference goes to HIPS, and this is of course just my fresh opinion as these service are too recent to have a real idea of their effectiveness.

Rgds

 

Why use these browsers at all if you can sandbox any browser you want.

 

@kareldjag:
There are varying perspectives on browser security depending on where you sit:
- high assurance web app trying to deliver its service to a machine it doesn't control
- a user trying to prevent malware creation on his/her machine or clean a pre-existing infection
- a user trying to privately access web services from an untrusted machine

Quaresso designed its commercial product Protect On Q to allow a sensitive web site to secure the browser side of the HTTPS connection to mitigate malware or user driven compromise of the data. It creates an on-the-fly hardened browser instance whose behavior (e.g., what URLs the user can open, or what SSL certs can be used) is controlled by the web site. Think of it as a mission-specific or site-specific browser instance. Upon session termination the exits leaving no installed client behind.

We have a service called MyProtect that is offered free to people. It is a Quaresso hosted version of Protect On Q that offers enhanced security over the typical Private Browsing modes available in browsers. Basic operation is - after a one time registration - a user can login from any Windows machine and get an on-the-fly armored browsing session. Handy for surfing from untrusted machines. We don't proxy the connections.

Hope this clarifies at least what Quaresso is doing.

 

It's non-science fiction. If computer insecure, privacy is broken.

 

Untrusted does not mean necessarily insecure, it means unknown state.

And you are correct at least to the extent that if a computer is insecure, than privacy COULD be broken. Whether is it or not depends on what the user is attempting to do and what the actual security issue(s) is/are.

If their is a hostile plugin waiting to activate when the user goes to mybank.co.uk and the user is skypping then their privacy (at least for that channel and that moment in time) is intact.

We are pretty comfortable with our abilities to reduce many browser insecurities and thereby improve privacy of web browsers.

 

You may reduce browser's insecure by malware with your software only until the moment it become any popular. It's very easy for malware creators to bypass any tricks from your side.

 

Is not SaaS browser, IMO

 

SaaS has terrible implications on ones privacy. I am not saying its all bad, but for constant home use it might prove quite a problem as you could be subject to some obscure fineprint regarding TOS that normally wouldn't be an issue if you had a resident virtualizer.

Invincea on the otherhand is a primitive VM spinoff. No advantage using that when you could easily have more functionality by running in an OS VM

 

HI,

Some of them are not SaaS but "virtual browsers" as mentioned in the title in an inapropriate syntax.
Virtual browsers like BufferZone, ZAForceShield or the "sold to Google" GreenBorder.
And SaaS browsing like Cocoon addon/toolbar: https://getcocoon.com/

Such programs designed for browser security and privacy enhancement can be completed by E-capsule private browser, Xencare guest browser or Comodo Dragon:
http://www.xencare.com/site/product_guest_browser.php
http://www.eisst.com/products/private_browser/hd/
http://www.comodo.com/home/browsers-toolbars/browser.php

As pointed out by Quaresso, there's a need for service like MyProtect on untrusted machines (internet/cyber Café) or networks (hotspots).
On the other hand, the technolgy has evolved since the Portable Virtual Privacy Machine that i've used in spanish cyber café beach: it's possible to carry it's own secure desktop on 4Gb USB stick (linux, hardened browser, virtualization).
The recent intrusions on the french governement computers has shown the need of host HIPS and i do not talk about USB threats and malwares.
one of the main limitation of Cloud security is the need of internet connection.
With system and browser hardening, SSL VPN, virtualized/sandboxed browser session (with an HIPS for instance), it is possible to get a high level of security, without any kind of cloud security service.
This thing said, these SaaS can be helpfull for average users who want reliable high security with a minimum of experience and effort.
And no doubt that Quaresso would get the first place instead of Invincea if they have been "cashflowed" by the US Gov
Like Transglobal Undergound for the Music, Security can be a mix of various approaches and technologies, and DefenseWall combined with Quaresso might be a plus for some users...
In the cloud regards...