Cathay Pacific, Eurostar, British Airways – it’s fair to say October was a bit of a nightmare for security departments across the world, and for consumers. Cathay Pacific lost the details of 9 million customers; whilst BA’s most recent hack saw 380,000 transactions affected – which was particularly embarrassing as it was seemingly conducted by the same group that targeted the business earlier in the year.
These are large organisations that no doubt invest heavily in security; they would have had a raft of tools in place to prevent such attacks and a talented team of security professionals on hand to mop up the mess. Yet the breaches keep on coming. Why?
Sometimes, one click is all it takes
While hackers are certainly investing in new tools and methods, they are also relying on old tricks to gain a foothold in enterprise defences. The most common cause of breaches remains the same as it has been for some time: the user.
Hackers will hijack commonly used applications and browsers, such as Facebook, Outlook or Chrome, in order to trick people into clicking on malicious links, downloading files or opening attachments.
Many organisations have responded by putting restrictive IT policies in place, preventing users from using such sites and applications. However, this approach isn’t always popular with workers who like to surf the web at lunch, and it is completely impractical for others who need more freedom to perform their job.
For instance, how can a marketing professional avoid using social media, or an HR professional avoid opening unsolicited attachments?
So, even if such restrictions are implemented, people will soon find a way to circumvent them, creating a black hole for security teams.
User education and training, whilst important, aren’t foolproof. Phishing emails and attacks delivered via email are becoming more difficult to identify. All it took was one click on a phishing email by a Butlins employee to allow hackers to swipe the details of 34,000 people.
Meanwhile in the US, an employee at the Geological Survey was the source of malware on the network thanks to an “extensive history” of carelessly browsing porn sites at work. Sometimes you just can’t win. Expecting employees to spot threats is putting high value assets at risk, because hackers know it only takes one person clicking on the wrong thing to trigger a breach.
Cybersecurity investment not providing good ROI
Yet users should not be expected to put up a last line of defence against threats; that’s not their job, it’s the responsibility of the security team. However, we are seeing security struggle to meet the demands of today’s enterprise, as the current approach to layered defence security is built on the false premise that you can detect everything.
Gartner predicts worldwide cybersecurity spending is set to increase from $114 billion in 2018 to $170 billion in 2022, yet the majority of this money is being spent on a fundamentally flawed security architecture that is doomed to fail, leaving users open to manipulation and attack.
Investments are being made in advanced malware detection, next generation anti-virus, machine learning and artificial intelligence – all of which are hailed as the saviour of cybersecurity.
Yet these technologies are largely trying to detect or predict attacks by relying on behavioural analytics and identifying known threats. We’re increasingly seeing zero-day and other polymorphic malware being used to evade detection. This malware has not been seen before and cannot be found on a blacklist, so hackers can sail past defences with ease simply by tweaking code and emailing unsuspecting employees.
Relying on detection means most hacks are not detected in real-time. If an employee clicks on a link that downloads polymorphic malware, protection will only begin once the breach has been triggered. This is a bit like shutting the door after the horse has bolted.
Modernise the stack to combat the hack
If we’re going to get serious about stopping breaches, then it’s time to be realistic about the causes. It’s impossible to predict the future, and it’s not fair to lay the burden of security on the shoulders of employees. Yet, today’s security stack is doing both.
Organisations need to modernise the enterprise security stack to focus on protection, ensuring that customer details and other high value assets are kept under lock and key. Detection alone is an outdated concept and cannot deliver this. To create true cyber-resilience, organisations must adopt layered cybersecurity defences that incorporate detection-based solutions alongside real-time protection, such as that provided by virtualisation-based application isolation.
Application isolation separates each individual web page, email, document or task within its own contained virtual machine; this renders any attack harmless, as the hacker has nowhere to go and nothing to steal.
As malware is left to run in a safe, isolated environment, security teams can track the whole kill chain in order to gather intelligence on what the hacker was trying to do. As a result, security teams can turn a traditional weakness – i.e. the endpoint – into an intelligence-gathering strength by using this data to strengthen wider enterprise security.
Don’t hunt for a scapegoat
If organisations are to learn from their mistakes, or those made by others, then it’s time to admit that the current security stack is fundamentally flawed. We need to move away from this overreliance on detection alone and make it harder for hackers to gain a foothold, by protecting users.
Modernising the security stack helps to ensure customer data is kept safe, without making employees the scapegoat. If action isn’t taken, then hackers will continue to penetrate enterprise defences and make away with the crown jewels.
Cyber threats have evolved; it’s time for today’s security stack to do the same.