Turning The Tables On Tomorrow's Threat Agent 

Long gone are the days of every worker being a nine-to-five commuter. While some employees retain a preference of working in the office all the time, many are embracing the willingness of employers to offer flexible alternatives such as remote and hybrid models. 

Research shows that UK staff went to the office 3.8 days per week on average pre-pandemic, this having dropped to 1.4 days per week in 2022.  

While the new normal is undoubtedly improving workplace cultures and driving forward a new frontier that centres around enhancing the employee experience, in the case of security, it has had dramatic implications. No longer are staff members all accessing the internet behind a security perimeter – where applications were all controlled, and VPNs could be used on a remote basis where necessary to replicate safe sessions.  

Today, employees can readily use the internet to access corporate networks housing sensitive and personal data within key applications and SaaS platforms from a range of devices in a variety of locations. As a result, the web browser has now become the biggest attack surface and target for threat actors, many of whom are leveraging and exploiting it successfully.  

These changes in working patterns have undermined the methods that security practitioners traditionally relied upon to secure their organisations. Indeed, firms have been forced to re-evaluate their business needs and develop entirely new strategic roadmaps, leaving CISOs scrambling to find ways in which to bake in security best practices. 

Understanding Of Modern Security Requirements Is Improving 

During the past three years, the picture has thankfully become somewhat clearer.  Today, organisations typically require a consistent set of security policies for all users - be it an employee in the office, or an engineer commuting and using a cellular network. Regardless of the device they are using and app they need to use, there needs to be a clear security framework that guides universal best practice across the board.  

Unfortunately, firewalls and VPNs simply aren’t designed to deliver that. Instead, organisations are now tapping into cloud services that can effectively manage comprehensive security permissions and deliver key insights, detailing exactly who each user is, and what they can respectively access on the corporate network.  

This has become a highly intelligent process. More advanced security setups can manage privileges and assess the security posture on an ongoing basis, adapting permissions based on the type of user, location of that user, what systems they’re trying to access, and when they’re trying to access them.  

It is critical that companies adapt in this way. Not only has security become a more complex undertaking with many different moving parts, but the threat landscape has also changed dramatically. 

According to Statista’s Cybersecurity Outlook, the global cost of cybercrime was estimated to be $8.44 trillion in 2022 – over seven times the $1.16 trillion reported in 2019. Resultantly, security has fundamentally become a boardroom issue. It cannot be an afterthought. Instead, the CISO now needs to be a major part of business decision making. 

CISOs are there to add value, applying security as an integral part of the technology stack. To achieve this effectively, they must have an ongoing understanding of each new product, how customers will consume them, and the inner workings of the architecture underpinning each solution.  

Responsibility isn’t solely on the CISO, however. A culture in which security becomes a leading priority needs to be instilled throughout the organisation – every enterprise will have different models and workforce structures, and there are many roles that need to be thinking about security more actively. 

Interestingly, a Gartner study found that 88% of boards regard cybersecurity as a business risk rather than solely an IT problem. The threat of ransomware and nation-state-backed threat outfits has changed cyber perceptions, with those at the top table becoming increasingly aware of the challenges.  

Bolstering Defences In The Face Of Evasive & Complex Threats 

This growing appreciation provides CISOs with the opportunity to bridge the gap between technical professionals and the broader C-suite.  They are now enjoying greater influence over boardroom discussion to ensure best practices are instilled more readily. However, given the continual advance of new threats, this is the bare minimum that is required. 

Today, the browser is the new office. Where previously you’d have had to have gone into a conference room to have a meeting, employees are now typically spending 75% of their working days on a web browser or using web conferencing applications.  Unfortunately, as we have mentioned, threat actors are aware of this and the opportunities it presents, adapting their techniques accordingly.  

There has been a significant uptick in the use of evasive attack methods leveraged by nefarious actors, enabling them to bypass traditional security tools such as secure web gateways (SWGs), firewalls, phishing detection tools and malware analysis engines.  

Known as Highly Evasive Adaptive Threats (HEAT), these attacks are actively exploiting the web browser as the attack vector, rendering a decade or so of security investments focused on network perimeter protection almost obsolete. 

It’s a frustrating reality that has left many security departments having to completely rebuild their defences from scratch. Yet the dangers of HEAT simply cannot be ignored. Research conducted by the Menlo Labs team revealed that there had been a 224% increase in HEAT attacks in H2 2021 - a trajectory that only seems to have continued through 2022.  Menlo Security also surveyed 505 IT decision makers at firms with at least 1,000 employees across the US and UK last year found more than half (55%) of organisations encountered advanced web threats at least once a month, with one in five facing them on a weekly basis. 

There are several increasingly concerning signs.

  • Hackers now looking to overcome two factor authentication through social engineering campaigns to access corporate assets, for example. And it is clear that browser-based attacks are not just becoming more common, but more successful. Indeed, almost two thirds of the respondents (62%) to our survey had seen a device compromised by a browser-based attack in the previous 12 months alone.  
  • Further, it is also clear that some of these attacks could have been avoidable. Indeed, the survey shows that less than three in 10 organisations have advanced threat protection solutions in place on all endpoint devices used to access corporate applications and resources, while almost half (45%) had not added any new capabilities to their network security stack in the previous year.   

Embracing A Security-First Culture 

For many, there continues to be an issue around prioritisation. Given the threat landscape, security now more than ever before needs to be a forethought. Yet approaching things in such a manner is easier said than done in the case of organisations that have always made operational changes first before implementing security adaptations on top.  

It’s about embracing a security-first culture – a shift that can be accelerated via a few simple strategies.  

Specifically, CISOs should focus on building a greater consciousness of security within the workforce, enabling every worker to be more adept at spotting suspicious activities such as social engineering attempts. The good news is that a growing number of roles are coming to the realisation that they have a responsibility to practice good security hygiene. CISOs may operationalise this mentality, but it is becoming everybody’s responsibility to embrace it.  

Further, organisations should ensure security parameters extend to all endpoints capable of accessing the corporate network. This can go a long way in enabling firms to thwart any kind of threat.  Perhaps the most important realisation is that there is no quick fix when it comes to the cyber security of an organisation. Good management principles must apply, centred around hiring well, training well and executing towards a roadmap that is forward looking whilst prioritising security. 

Of course, everyone is looking for the next shiny new widget or silver bullet technology capable of keeping everyone safe, but the reality is that the strongest teams are the ones that are consistently deliberate with their intentions, taking longer to steer the ship whilst doing so in a way that’s secure and safe and executed according to the needs of the business.   

Isolating The End Point 

In the case of browser threats, a good starting point for mitigation is removing user interaction and traffic from the browsers themselves as much as possible. This might sound like an impossibility given the criticality of the browser to modern day working models, but it’s easily achieved with the right supportive solutions. 

Isolation technology can be used to isolate the end point from the Internet browser, re-writing it and then delivering it as a clean stream.   

This prevents any malicious code from ever reaching user endpoints by moving the point of execution to a disposable, cloud-based container that acts as digital air gap between the browser and corporate networks. It also reduces the number of alerts reaching the security operations centre (SOC) which can exacerbate alert fatigue – a major issue facing security professionals as they attempt to navigate the demands of the new normal. 

Addressing Security Alert Fatigue 

We’re confident that this approach will soon become the mainstream model for internet security. It’s not necessarily about eliminating proactive detection and identification. Instead, it’s about creating clean working environments while dramatically reducing the burdens on the SOC from alerts and false positives.  

Threat intelligence teams are already looking at massive amounts of data. They don’t want to have to sift through even more to find one needle in a haystack. The more customers can address alert fatigue whilst upgrading their security posture, the better. 

Nick Edwards is VP Product at Menlo Security

You Might Also Read:

Cyber Security Strategies Need To Evolve Alongside The Enterprise:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

 

« Crypto Company Loses $200m To Hackers
WhatsApp Will Not Comply With British Regulations »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Feitian Technologies

Feitian Technologies

Feitian Technologies provides authentication and transaction security products for financial institutions, telecoms, government and leading business enterprises.

Asavie

Asavie

Asavie provide solutions for Enterprise Mobility Management and secure IoT Connectivity.

Actiphy

Actiphy

Actiphy provides a tried and proven backup and disaster recovery software solution to ensure business continuity at all times.

Industrial Cyber Security

Industrial Cyber Security

Industrial Cyber Security provides specialist consulting services in enterprise and SCADA system security.

ShadowDragon

ShadowDragon

ShadowDragon develops digital tools that simplify the complexities of modern investigations that involve multiple online environments and technologies.

OGiTiX

OGiTiX

OGiTiX Software AG is a German software manufacturer specializing in Identity and Access Management.

i-Sprint Innovations

i-Sprint Innovations

i-Sprint is a leader in Securing Identity and Transactions in the Cyber World for industries that are security sensitive.

Cybersecurity & Infrastructure Security Agency (CISA)

Cybersecurity & Infrastructure Security Agency (CISA)

CISA leads the national effort to defend critical infrastructure against the threats of today and to secure against the evolving risks of tomorrow.

AU10TIX

AU10TIX

AU10TIX’s smart forensic-level ID authentication technology links physical and digital identities, meets compliance mandates, and ensures your customers know their trust and safety come first.

Simply Hired

Simply Hired

Simply Hired is a job search engine that collects job listings from all over the web, including company career pages, job boards and niche job websites.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

Phished

Phished

Phished is an AI-driven platform that focuses on the human side of cybersecurity. By combining fully automated training software with personalised, realistic simulations of cyberattacks.

GuardYoo

GuardYoo

GuardYoo's SaaS platform allows cybersecurity professionals to perform Compromise Assessment remotely from anywhere in the world.

Black Girls In Cyber (BGiC)

Black Girls In Cyber (BGiC)

Black Girls In Cyber's mission is to increase industry awareness and diversity in cybersecurity, privacy, and STEM for women of color.

Defimoon

Defimoon

DeFimoon is the International Blockchain Development & Security Agency. We provide professional services and solutions at the highest quality on world-leading chains.

Blue Goat Cyber

Blue Goat Cyber

Blue Goat stands at the forefront of cybersecurity, particularly in medical device security and penetration testing.