The vendor invitations to “stop by and see our booth at RSA” are starting to populate my inbox, confirmation that RSA 2020 in San Francisco is just around the corner. Every year I look forward to learning about the latest innovations. Every year I’m also a bit disheartened that we haven’t managed to kill preventable threats “dead”. Vendors hawk new and improved solutions promising to eliminate threats from ransomware, phishing, and credential theft, yet these web-based attacks continue to succeed. Can we break this cycle?
When I read about traditional security approaches, I don’t see them breaking the cycle. These seven “practical” ways to prevent spear phishing attacks[i] don’t convince me they will prevent phishing.
- Educate, educate, educate. Spread the good word. Launch an organizational awareness campaign
- Use proven security awareness training programs. Develop internal cybersecurity heroes
- Empower and remind the security leaders and cybersecurity heroes in your organization to regularly monitor employee spear-phishing awareness with phishing simulation tools
- Identify metrics to ensure that your educational initiatives are changing behavior
- Limit access
- Keep patches and releases current
- Monitor and measure results
Approximately one-third of users will click links inside a phishing email, opening your organization up to a breach.[ii] While user safety training is important to modify user behavior, it doesn’t take care of highly targeted attacks or compulsive clickers. To click is human. It only takes one errant click from anyone in an organization to impact everyone. Detection-based methods don’t solve the problem either. They are only moderately effective, and always need to adapt to attacker behavior. At the same time, attackers themselves are always pushing the envelope. The defender is never able to secure a definitive win over the attacker (a cat-and-mouse game), until now.
Through a new, zero-trust approach we can break the cycle. First, change the conversation from “How can I detect everything and respond more quickly and effectively?” to “How can I prevent the attack from succeeding in the first place?”. Instead of trying to become a better firefighter, we can design structures that arsonists can’t ignite. Instead of wrapping human divers in protective suits so they can dive deeper, we can use Remotely Operated Vehicles (ROVs) to enable the human operators to work in safe office environments while a tethered underwater mobile device with robotic arms works at dangerous depths. Unmanned aerial vehicles (drones) also validate isolation as a safe, productive way to keep humans out of harm’s way. Isolation is a time-tested security method.
Second, ask “How can I shrink my attack surface?” In most organizations, your biggest attack surface is the web browser. Isolation moves browser-based attacks off your endpoints. The result is a 70% reduction in attack surface for endpoints and a 98% reduction in browser-based threats.[iii] Like the ROV operator, your experience is seamless: you can see and do everything on the internet from the safety of your desk. If your remote browser gets infected, your endpoint and local network are isolated and untouched. If your ROV, drone, or browser is damaged, you simply replace it, and no one is harmed.
Now that we know how to isolate our biggest attack surface, the web browser, what’s the impact on attacks that mix social engineering and technology like phishing?
Zero Trust security, implemented as remote browser isolation, can make phishing a thing of the past. It doesn’t depend on user training or detecting good from the bad. When a user clicks on a web link in a phishing email, if their organization has deployed isolation, the ransomware attack will fail.
[iii] Innovation Insight for Remote Browser Isolation, Neil MacDonald, Gartner, March 2018.
Cyberinc makes corporate and government cybersecurity more reliable, scalable, and productive by securing the largest point of vulnerability, web access, and preventing attacks before they become breaches.