HP Sure Click

HP Sure Click | Whitepaper
L52623-001, November 2018
© Copyright 2018 HP Development Company, L.P.
The legacy approach is not up to the task
Detection-based security solutions protect against the vast majority of known attacks but
struggle to resolve new, unknown attacks. When antivirus software relies on matching
against signatures, heuristics, behaviors, or other attributes that have previously been
identified, novel threats will always be a risk. Even next-generation antivirus software does
not enable detection-based solutions to match the rapid innovation of exploits and
techniques; businesses need to be able to protect against threats that haven’t been seen
before, including new breeds of file-less malware and malicious code that runs only in
memory.
A crisis in patching
According to a Hewlett Packard Enterprise Security Research study titled HPE Cyber Risk Report 2016, the top 10 exploited vulnerabilities were all
over a year old, and most have had patches available for months or even years. Take, for example, the devastating WannaCry ransomware outbreak
in 2017, which leveraged a Server Message Block (SMB) vulnerability impacting all Windows versions dating back to XP. Microsoft had already made a
patch available, but many devices remained unpatched, with devastating consequences.
Verizon research indicates that only 33% of public sector systems are patched in a timely manner [4], leaving critical systems, their valuable data and
intellectual property, vulnerable to countless old and new exploits (Verizon’s measure for “timely” patch cycles averages 12 weeks, even as
Microsoft and other vendors offer monthly patches).
A new approach is urgently needed
HP Sure Click embraces application isolation at its core, utilizing hardware-enforced isolation to protect the enterprise from the inevitability of user
errors, unpatched machines, and highly susceptible Internet-facing or partner-accessible devices. We’ve taken the ineffective practice of “bolted-on,”
detect-to-protect security and fundamentally shifted it to a “built-in” protection model enforced right down at the chipset. HP Sure Click protects by
design, without relying on external detection of the unknown or the judgment of users to keep their organizations safe. Instead, it automatically
isolates untrusted content in the browser, protecting organizations from conventional, advanced, targeted, file-less attacks, zero-day exploits, and
more! Crisis patching can be relegated to the past.
Security via application isolation
At the Information Assurance Symposium (IAS) 2016, the National Security Agency (NSA) and the Central Security Service (CSS) of the United States
jointly published a presentation titled “Application Isolation & Containment for Endpoint Protection.” Their premise was that true security can be
achieved only by reducing the ability of a compromised process to do damage. That’s precisely the approach HP Sure Click takes through
hardware-enforced process isolation and least-privilege restrictions on all tasks running within micro-virtualized environments. This creates
high-fidelity, low-exposure endpoints.
Separating the trusted from the untrusted
Bromium’s technology views the world in terms of trusted or untrusted content. Untrusted content typically originates from outside the organization
and enters via various ingress vectors including web and email. Trusted content largely originates from known internal sources or from files that an
organization’s own users create and distribute themselves. The two types must be treated differently.
Untrusted content might contain anything at all (previously seen or unseen, detected or undetected) and should always be regarded as potentially
malicious. It should never be granted access to the actual host PC operating system, the file system, or the internal network. Trusted content,
[3] Verizon, 2018 Data Breach Report, 2018; Page 41
[4] Verizon, 2017 Data Breach Report, 2017; Page 13
Figure: Motives behind public administration security breaches [3]: 44% Espionage, 36% Financial, 14% Fun (breaches)