Symantec uses its Global Intelligence Network (GIN) to categorize the internet as either known good, known bad or unknown. As the internet changed and grew, Symantec introduced risk levels. Risk levels indicate site risk on a scale of zero to ten and are calculated based on a number of different static and dynamic technologies.
Traditionally, organizations have had to decide whether to allow or block a site based on its categorization (or lack thereof) and risk level, according to their appetite for risk and overall threat posture. This works, but involves the classic security tradeoff between potential false positives (and tickets) and potential infection. High Risk Isolation (HRI) lets organizations permit access to potentially risky sites without increasing risk or disrupting the business.
High Risk Isolation (HRI) uses Symantec’s Remote Browser Isolation (Web Isolation) to execute risky browsing activity remotely in the cloud, preventing web-based attacks. For more information about Web Isolation see the resources here.
HRI is included as part of the Web Protection Suite for both on-premise ProxySGs and the cloud-based Web Security Service (WSS). The HRI service itself is 100% cloud based with no on-premise component.
HRI is explicitly for traffic that is either uncategorized or risk level 5 and higher (inclusive). It includes:
Utilizing the HRI service requires ProxySG version 7.3.1 and higher. It is not supported with ProxySG 6.x.
To use HRI, you must use the default Isolation service, and policy must be configured with the Isolate action via either the Web VPM or CPL.
The Default Isolation Service
An Example HRI Policy Layer
More information on configuring the service can be found here.
The ProxySG forwards the traffic to the service via a secure tunnel with mutual TLS authentication to ensure that the browsing is private and secure.
Note that traffic that is either internal or categorized and low risk will be blocked at the isolation service. Admins should ensure that internal traffic is exempted from Isolation via policy or other means to avoid impact.
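An added example (not Symantec code or CPL): a Python dry run over constructed request records that applies the HRI criteria above and shows which destinations end up blocked at the isolation service when internal traffic is not exempted. The internal DNS suffix, the sample hosts and categories, and the assumption that internal hosts appear as uncategorized are all illustrative.

```python
import ipaddress

HRI_MIN_RISK = 5                         # page: risk level 5 and higher (inclusive)
INTERNAL_SUFFIXES = (".corp.example",)   # assumption: your internal DNS zones


def is_internal(host):
    """True for private/loopback IP literals or hosts in an internal zone."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:  # not an IP literal, treat as a hostname
        return host.lower().endswith(INTERNAL_SUFFIXES)


def meets_hri_criteria(category, risk):
    """HRI scope per the page: uncategorized, or risk level >= 5."""
    return category is None or (risk is not None and risk >= HRI_MIN_RISK)


def dry_run(records, exempt_internal):
    """Return {host: outcome} for a policy that isolates on the HRI criteria."""
    outcomes = {}
    for host, category, risk in records:
        if exempt_internal and is_internal(host):
            outcomes[host] = "bypass"              # exempted before the Isolate rule
        elif not meets_hri_criteria(category, risk):
            outcomes[host] = "normal-policy"       # never sent to the service
        elif is_internal(host):
            outcomes[host] = "blocked-at-service"  # service rejects internal traffic
        else:
            outcomes[host] = "isolated"
    return outcomes


# Constructed sample records: (host, category or None, risk level or None).
SAMPLE = [
    ("wiki.corp.example", None, None),     # internal, assumed uncategorized
    ("10.20.30.40", None, None),           # internal IP literal
    ("news.example.org", "News", 2),       # categorized, low risk
    ("new-site.example.net", None, None),  # uncategorized, external
    ("ads.example.com", "Web Ads", 7),     # categorized, risk >= 5
]

if __name__ == "__main__":
    for exempt in (False, True):
        print("exempt_internal =", exempt, dry_run(SAMPLE, exempt))
```

Running the same comparison over a real export of proxy access logs before enabling the Isolate action gives a list of internal destinations that need a bypass rule.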
With a Web Protection Suite entitlement, a new Isolation section is exposed in the WSS portal that is disabled by default. To utilize it, admins must enable and then activate the preconfigured policy. Admins can add additional bypass rules at the top with an action of do not isolate.
Customers utilizing both ProxySG and WSS may choose to use Universal Policy Enforcement (UPE). UPE does not currently support the Isolate action. A workaround is necessary to use HRI on both ProxySG and WSS. For more information see this article.
Essentially, two HRI policies must be defined: one with the Isolate action (based on the HRI criteria) for the ProxySGs and one with mock-forwarding rules (and match criteria) that are specific to WSS. This is a temporary workaround, projected to be fixed in Q3/Q4 of 2022.
The default security configuration for most browsers may prevent successful isolation. It is important to make the browser changes before enabling HRI and to test thoroughly before rolling out to the user base. For more information about the browser configuration needed, please see this article.