Today’s threat actors are constantly on the move. And COVID-19 has created even more opportunities for them, as emergency digital investments broaden the corporate attack surface. The FBI recorded a 300% increase in reported cybercrimes in the first month of the pandemic. It’s perhaps no surprise that over two-thirds (68%) of business leaders feel security risk is increasing.
Thriving darknet marketplaces offer a continually evolving source of readymade attack tools and knowledge to financially motivated cyber-criminals. Theirs is a highly professional, commoditized industry worth over $600 billion. On the other side, mass remote working has exposed distracted employees, unsecured endpoints and home networks to a surge in threats. Security skills shortages only add to the challenges facing CISOs.
Organizations must identify and stop attacks as early in the kill chain as possible. But the old endpoint security paradigm is no longer fit for purpose. It’s vital that we reinvent our approach to security to stay one step ahead of those who seek to cause us harm. The first step on this journey is understanding the dos and don’ts of cybersecurity.
DON’T rely on detection alone:
In October, HP identified a large-scale TrickBot campaign that abused Microsoft Office’s “Encrypt with Password” feature. Because the document body is encrypted, network security and behavioral detection tools that do not have the password cannot inspect or detonate it; the macro payload only ran once the victim typed in the password sent in the phishing email. What can we learn from this? That detection-based tools can be evaded by resourceful cyber-criminals using nothing more than a built-in product feature. They don’t even have to use zero-day exploits or polymorphic malware.
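A concrete version of that lesson, added here as an example and not code from the HP post: a gateway-side triage check that recognises when an Office attachment cannot be inspected at all. Office files saved with “Encrypt with Password” (including .docx/.xlsx) are written as an OLE compound file whose `EncryptionInfo` and `EncryptedPackage` streams hold the ciphertext, so the check looks for those stream names (stored as UTF-16LE), plus the usual macro containers, and returns a policy decision. The sample inputs are constructed inside the block; the substring scan is a simplification of a proper OLE directory parse (the same shortcut common YARA rules take), and the `allow`/`isolate` policy names are assumptions.

```python
"""Gateway triage for Office attachments that detection tools cannot see into.

Added example, not code from the original post. Heuristic only: stream names
are matched as UTF-16LE substrings rather than by parsing the OLE directory.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) is a zip


def _wide(name: str) -> bytes:
    """OLE directory entries store stream names as UTF-16LE."""
    return name.encode("utf-16-le")


def triage_office(data: bytes) -> dict:
    """Classify a blob: container type, whether it is encrypted, whether it
    carries macros, and whether a scanner could inspect its contents."""
    verdict = {"container": "unknown", "encrypted": False,
               "macros": False, "inspectable": True}

    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        # "Encrypt with Password" wraps the real document in an OLE file whose
        # EncryptedPackage stream holds the ciphertext; without the password
        # nothing inside (macros, embedded objects) can be examined.
        if _wide("EncryptionInfo") in data or _wide("EncryptedPackage") in data:
            verdict["encrypted"] = True
            verdict["inspectable"] = False
        # Legacy binary formats keep VBA under a Macros/_VBA_PROJECT storage.
        if _wide("_VBA_PROJECT") in data or _wide("Macros") in data:
            verdict["macros"] = True

    elif data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # Claims to be a zip but cannot be opened: treat as uninspectable.
            verdict["inspectable"] = False
            return verdict
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            verdict["macros"] = True

    return verdict


def policy(verdict: dict) -> str:
    """Assumed gateway actions: 'allow' only what we could inspect and found
    macro-free; everything else is opened in isolation rather than delivered."""
    if not verdict["inspectable"] or verdict["macros"]:
        return "isolate"
    return "allow"


# --- constructed samples (not real malware) ---------------------------------
def _make_ooxml(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Password-protected document: OLE header plus the two encryption stream names.
SAMPLE_ENCRYPTED_OLE = (OLE_MAGIC + b"\x00" * 504
                        + _wide("EncryptionInfo") + _wide("EncryptedPackage"))
# Macro-enabled .docm: ordinary zip with a vbaProject.bin part.
SAMPLE_MACRO_DOCX = _make_ooxml({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 16})
# Plain .docx with no macros.
SAMPLE_PLAIN_DOCX = _make_ooxml({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("encrypted", SAMPLE_ENCRYPTED_OLE),
                        ("macro docx", SAMPLE_MACRO_DOCX),
                        ("plain docx", SAMPLE_PLAIN_DOCX)]:
        v = triage_office(blob)
        print(f"{label:11} -> {v} => {policy(v)}")
```

The point of the policy function is that an encrypted attachment is not "clean because nothing fired": it is uninspectable, and the safe default is to open it only inside an isolated environment. Two caveats: legacy .doc/.xls files encrypted with the old RC4 scheme carry a flag in the file header rather than these streams and are not caught here, and a substring match on `Macros` can misfire on arbitrary binary data, so a production gateway should walk the OLE directory properly instead.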
Detection-based security tools also produce frequent false negatives and false positives. Research shows that some security operations center (SOC) teams receive over 10,000 alerts per day, which they must trawl through to find the serious threats. The result is alert fatigue and, ultimately, missed attacks. Once attackers have bypassed these defenses, they can move laterally to targeted systems and drop additional payloads to steal data, mine cryptocurrency, deploy ransomware and more.
DON’T make users the last line of defense:
The main target of attacks is often the endpoint, or the user in charge of it. Security tools are meant to protect users — by blocking malware before it reaches them, or detecting malicious content when a user clicks on it. However, as mentioned, real-time detection is far from 100% effective.
The result: users are still too often the last line of defense. The past year has seen a 176% increase in malicious Microsoft Office files, and COVID-19 has been a much-used and effective phishing lure to trick employees. User education can only work up to a point. Humans will always make mistakes and, when they do, the entire organization may be put at risk.
DO build security from the ground up:
It’s time to reinvent how we approach security, by building it into systems from the chip up. That means shifting to a protection-first model — one that doesn’t rely on detection but instead uses sound security engineering practices such as fine-grained isolation, the principle of least privilege (PoLP), and mandatory access control.
Protection-first also means micro-virtualization, where risky actions, such as opening web links, downloads and attachments, are performed inside hardware-enforced micro-VMs isolated from the rest of the device and network. It then matters far less whether a document or web page is riddled with malware: the attacker is confined to a throwaway VM with nothing to steal, no route to the host or network, and no way to persist once it is discarded. That guarantee is only as strong as the hypervisor boundary and the policy governing what the micro-VM may reach (clipboard, printing, saved files), so those settings deserve the same scrutiny as any other trust boundary. Users can go back to their day job and click away with confidence.
By isolating the key attack vectors, browsers, email and downloads, organizations can dramatically reduce their attack surface: the most common routes to endpoint compromise become dead ends. Because threats execute inside a micro-VM, the full attack kill chain can also be captured in a detailed “flight recorder.” This gives the SOC team rich, high-fidelity threat intelligence and indicators of compromise (IOCs) that can be used to defend other systems.
DO rethink your approach to security:
Incremental innovation in security is failing to disrupt committed threat actors. We need to stop placing the burden of security on end users with a new, hardware-powered approach that isolates threats, ensuring they cannot infect PCs or spread through corporate networks. This is just the start. It marks the beginning of a virtualization-powered revolution in security, which promises to maximize user productivity and minimize cyber risk.