Turning the tables on tomorrow’s threat agent

By Nick Edwards, VP Product, Menlo Security.

  • 1 year ago Posted in

Long gone are the days of every worker being a nine-to-five commuter. While some employees retain a preference of working in the office all the time, many are embracing the willingness of employers to offer flexible alternatives such as remote and hybrid models. 

Research shows that UK staff went to the office 3.8 days per week on average pre-pandemic, this having dropped to 1.4 days per week in 2022.  

While the new normal is undoubtedly improving workplace cultures and driving forward a new frontier that centres around enhancing the employee experience, in the case of security, it has had dramatic implications. 

No longer are staff members all accessing the internet behind a security perimeter – where applications were all controlled, and VPNs could be used on a remote basis where necessary to replicate safe sessions.  

Today, employees can readily use the internet to access corporate networks housing sensitive and personal data within key applications and SaaS platforms from a range of devices in a variety of locations. And as a result, the web browser has now become the biggest attack surface and target for threat actors, many of whom are leveraging and exploiting it successfully.  

These changes in working patterns have undermined the methods that security practitioners traditionally relied upon to secure their organisations. Indeed, firms have been forced to re-evaluate their business needs and develop entirely new strategic roadmaps, leaving CISOs scrambling to find ways in which to bake in security best practices. 

Understanding of modern security requirements is improving 

During the past three years, the picture has thankfully become somewhat clearer.  

Today, organisations typically require a consistent set of security policies for all users – be it an employee in the office, or an engineer commuting and using a cellular network. Regardless of the device they are using and app they need to use, there needs to be a clear security framework that guides universal best practice across the board.  

Unfortunately, firewalls and VPNs simply aren’t designed to deliver that. Instead, organisations are now tapping into cloud services that can effectively manage comprehensive security permissions and deliver key insights, detailing exactly who each user is, and what they can respectively access on the corporate network.  

This has become a highly intelligent process. More advanced security setups can manage privileges and assess the security posture on an ongoing basis, adapting permissions based on the type of user, location of that user, what systems they’re trying to access, and when they’re trying to access them.  

It is critical that companies adapt in this way. Not only has security become a more complex undertaking with many different moving parts, but the threat landscape has also changed dramatically. 

According to Statista’s Cybersecurity Outlook, the global cost of cybercrime was estimated to be $8.44 trillion in 2022 – over seven times the $1.16 trillion reported in 2019.  

Resultantly, security has fundamentally become a boardroom issue. It cannot be an afterthought. Instead, the CISO now needs to be a major part of business decision making. 

CISOs are there to add value, applying security as an integral part of the technology stack. To achieve this effectively, they must have an ongoing understanding of each new product, how customers will consume them, and the inner workings of the architecture underpinning each solution.  

Responsibility isn’t solely on the CISO, however. A culture in which security becomes a leading priority needs to be instilled throughout the organisation – every enterprise will have different models and workforce structures, and there are many roles that need to be thinking about security more actively. 

Interestingly, a Gartner study found that 88% of boards regard cybersecurity as a business risk rather than solely an IT problem. The threat of ransomware and nation-state-backed threat outfits has changed cyber perceptions, with those at the top table becoming increasingly aware of the challenges.  

Bolstering defences in the face of evasive and complex threats 

This growing appreciation provides CISOs with the opportunity to bridge the gap between technical professionals and the broader C-suite.  

They are now enjoying greater influence over boardroom discussion to ensure best practices are instilled more readily. However, given the continual advance of new threats, this is the bare minimum that is required. 

Today, the browser is the new office. Where previously you’d have had to have gone into a conference room to have a meeting, employees are now typically spending 75% of their working days on a web browser or using web conferencing applications.  

Unfortunately, as we have mentioned, threat actors are aware of this and the opportunities it presents, adapting their techniques accordingly.  

There has been a significant uptick in the use of evasive attack methods leveraged by nefarious actors, enabling them to bypass traditional security tools such as secure web gateways (SWGs), firewalls, phishing detection tools and malware analysis engines.  

Known as highly evasive adaptive threats (HEAT), these attacks are actively exploiting the web browser as the attack vector, rendering a decade or so of security investments focused on network perimeter protection almost obsolete. 

It’s a frustrating reality that has left many security departments having to completely rebuild their defences from scratch. Yet the dangers of HEAT simply cannot be ignored. Research conducted by the Menlo Labs team revealed that there had been a 224% increase in HEAT attacks in H2 2021 – a trajectory that only seems to have continued through 2022.  

Menlo Security also surveyed 505 IT decision makers at firms with at least 1,000 employees across the US and UK last year found more than half (55%) of organisations encountered advanced web threats at least once a month, with one in five facing them on a weekly basis. 

There are several increasingly concerning signs. Hackers now looking to overcome two factor authentication through social engineering campaigns to access corporate assets, for example. And it is clear that browser-based attacks are not just becoming more common, but more successful. Indeed, almost two thirds of the respondents (62%) to our survey had seen a device compromised by a browser-based attack in the previous 12 months alone.  

Further, it is also clear that some of these attacks could have been avoidable. Indeed, the survey shows that less than three in 10 organisations have advanced threat protection solutions in place on all endpoint devices used to access corporate applications and resources, while almost half (45%) had not added any new capabilities to their network security stack in the previous year.   

Embracing a security-first culture 

For many, there continues to be an issue around prioritisation. 

Given the threat landscape, security now more than ever before needs to be a forethought. Yet approaching things in such a manner is easier said than done in the case of organisations that have always made operational changes first before implementing security adaptations on top.  

It’s about embracing a security-first culture – a shift that can be accelerated via a few simple strategies.  

Specifically, CISOs should focus on building a greater consciousness of security within the workforce, enabling every worker to be more adept at spotting suspicious activities such as social engineering attempts.  

The good news is that a growing number of roles are coming to the realisation that they have a responsibility to practice good security hygiene. CISOs may operationalise this mentality, but it is becoming everybody’s responsibility to embrace it.  

Further, organisations should ensure security parameters extend to all endpoints capable of accessing the corporate network. This can go a long way in enabling firms to thwart any kind of threat.  

Perhaps the most important realisation is that there is no quick fix when it comes to the cyber security of an organisation. Good management principles must apply, centred around hiring well, training well and executing toward a roadmap that is forward looking whilst prioritising security. 

Of course, everyone is looking for the next shiny new widget or silver bullet technology capable of keeping everyone safe, but the reality is that the strongest teams are the ones that are consistently deliberate with their intentions, taking longer to steer the ship whilst doing so in a way that’s secure and safe and executed according to the needs of the business.   

Isolating the end point 

In the case of browser threats, a good starting point for mitigation is removing user interaction and traffic from the browsers themselves as much as possible. This might sound like an impossibility given the criticality of the browser to modern day working models, but it’s easily achieved with the right supportive solutions. 

Isolation technology can be used to isolate the end point from the internet browser, re-writing it and then delivering it as a clean stream.   

This prevents any malicious code from ever reaching user endpoints by moving the point of execution to a disposable, cloud-based container that acts as digital air gap between the browser and corporate networks. It also reduces the number of alerts reaching the security operations centre (SOC) which can exacerbate alert fatigue – a major issue facing security professionals as they attempt to navigate the demands of the new normal. 

Addressing security alert fatigue 

We’re confident that this approach will soon become the mainstream model for internet security. It’s not necessarily about eliminating proactive detection and identification. Instead, it’s about creating clean working environments while dramatically reducing the burdens on the SOC from alerts and false positives.  

Threat intelligence teams are already looking at massive amounts of data. They don’t want to have to sift through even more to find one needle in a haystack. The more customers can address alert fatigue whist upgrading their security posture, the better. 

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.