By Fraser Kyne, EMEA CTO, Bromium
Cathay Pacific, Eurostar, British Airways – it’s fair to say last October was a bit of a nightmare for security departments across the world, and for consumers. And the Marriott breach in November was equally horrific. Cathay Pacific lost the details of 9 million customers; whilst BA’s most recent hack saw 380,000 transactions affected – which was particularly embarrassing as it was seemingly conducted by the same group that targeted the business earlier in the year. These are large organizations that no doubt invest heavily in security; they would have had a raft of tools in place to prevent such attacks and a talented team of security professionals on-hand to mop up the mess. Yet the breaches keep on coming, why?
Sometimes, one click is all it takes
While hackers are certainly investing in new tools and methods, they are also relying on old tricks to gain a foothold in enterprise defenses. The most common causes of breaches remain the same as they have been for some time: the user. Hackers will hijack commonly used applications and browsers, such as Facebook, Outlook or Chrome, in order to trick people into clicking on malicious links, downloading files or opening attachments. Many organizations have responded by putting restrictive IT policies in place, preventing users from using such sites and applications. However, this approach isn’t always popular with workers who like to surf the web at lunch and is completely impractical for others that need more freedom to perform their job. For instance, how can a marketing professional avoid using social media or a HR professional avoid opening unsolicited attachments? So, even if such restrictions are implemented, people will soon find a way to circumvent them, creating a black hole for security teams.
User education and training, whilst important, isn’t fool-proof. Phishing emails and attacks delivered via email are becoming more difficult to identify. All it took was one click on a phishing email by a Butlins employee to allow hackers to swipe details of 34,000 people. Meanwhile in the US, an employee at the Geological Survey was the source of malware on the network thanks to an “extensive history” of carelessly browsing porn sites at work. Sometimes you just can’t win. Expecting employees to spot threats is putting high-value assets at risk because hackers know it only takes one person clicking on the wrong thing to trigger a breach.
Cybersecurity investment not providing good ROI
Yet users should not be expected to put up a last line of defense against threats; that’s not their job, it’s the responsibility of the security team. However, we are seeing security struggle to meet the demands of today’s enterprise, as the current approach to layered defense security is built on the false premise that you can predict the future. Gartner predicts worldwide cybersecurity spending is set to increase from $114 billion in 2018 to $170 billion in 2022, yet the majority of this money is being spent on a fundamentally flawed security architecture that is doomed to fail, leaving users open to manipulation and attack.
Investments are being made in advanced malware detection, next generation anti-virus, machine learning and artificial intelligence – all of which are hailed as the savior of cybersecurity. But these technologies are largely trying to detect or predict attacks by relying on behavioral analytics and identifying known threats. We’re increasingly seeing zero-day and other polymorphic malware being used to evade detection. This malware has not been seen before and cannot be found on a blacklist, allowing hackers to simply tweak code and email unsuspecting employees to sail past defenses with ease. Relying on detection means most hacks are not detected in real-time. If an employee clicks on a link that downloads polymorphic malware, protection will only begin once the breach has been triggered. This is a bit like shutting the door after the horse has bolted.
Modernize the stack to combat the hack
If we’re going to get serious about stopping breaches, then it’s time to be realistic about the causes. It’s impossible to predict the future, and it’s not fair to lay the burden of security on the shoulders of employees. Yet, today’s security stack is doing both.
Organizations need to modernize the enterprise security stack to focus on protection, ensuring that customer details and other high-value assets are kept under lock and key. Detection-alone is an outdated concept and cannot deliver this. To create true cyber-resilience, organizations must adopt layered cybersecurity defenses that incorporate detection-based solutions alongside real-time protection, as is provided by virtualization-based application isolation. Application isolation separates each individual web page, email, document or task within its own contained virtual machine; this renders any attack harmless, as the hacker has nowhere to go and nothing to steal.
As malware is left to run in a safe, isolated environment, security teams can track the whole kill chain in order to gather intelligence on what the hacker was trying to do. As a result, security teams can turn a traditional weakness – i.e. the endpoint – into an intelligence-gathering strength by using this data to strengthen wider enterprise security.
Don’t hunt for a scapegoat
If organizations are to learn from their mistakes, or those made by others, then it’s time to admit that the current security stack is fundamentally flawed. We need to move away from this overreliance on detection alone and make it harder for hackers to gain a foothold, by protecting users. Modernizing the security stack helps to ensure customer data is kept safe, without making employees the scapegoat. If action isn’t taken, then hackers will continue to penetrate enterprise defenses and make away with the crown jewels. Cyber threats have evolved, it’s time for today’s security stack to do the same.