There have never been more cyberattacks, and the problem has grown exponentially since millions of people were forced to work from their home networks due to the coronavirus pandemic. Organizations are now faced with the thorny problem of how to keep enterprise data and systems safe from a universe of threats in need of only one small mistake or opening.
Global spending on security products and services is expected to increase to $151.2 billion by 2023. Yet no matter how many layers of security companies put in place, successful cyberattacks continue to increase at a worrying rate.
To deal with this deluge of new threats, dozens of the world’s biggest organizations are turning to isolation technologies and techniques to protect employees from the kind of common mistakes cybercriminals are increasingly taking advantage of.
“With isolation, you are choosing not to detect anything. That’s the beauty of it. All you’re really doing is taking the entire internet and entire active content on websites and moving it to the cloud and letting it run its course there so you never pay any attention to whether something is good today or bad,” said Kowsik Guruswamy, chief technology officer of Menlo Security.
“If you take out the initial part of the kill chain, which is that people click on links and people go to websites and get infected, then it doesn’t matter what the infection does. Isolation posits that if you can stop that initial vector, it doesn’t matter whether it’s a RAT (remote access trojan) or trojan. We never have to determine the goodness or the badness of anything in order to isolate. We never need threat intelligence to make a policy decision to isolate or not.”
Menlo Security now uses versions of isolation technology to protect eight of the ten largest banks in the world, critical infrastructure, and large government agencies.
Guruswamy said the company protects hundreds of other clients from cyberattacks by eliminating the threat of malware from the web, documents, and email, even going so far as to offer customers a $1 million guarantee ensuring 100% protection against all malware, including exploits, ransomware, zero days, and more.
The company has created a fun tutorial illustrating exactly how isolation technology works, but Guruswamy explained that almost all threats these days, especially malware, originate from either corrupted email links or malicious forced downloads that come from redirected advertisements on dangerous websites.
“If you step back, it’s that first point in the kill chain that matters the most because after that, once the piece of malware gets into the endpoint PC or Mac, then it’s really up to the creative nature of these bad actors to do whatever they want to do,” Guruswamy said.
“From Menlo’s perspective, if we can take out that first infection vector, then you have no problem whatsoever. That’s where the isolation technique comes in.”
For decades, CISOs have been trapped on the hamster wheel of endlessly trying to figure out which links and files are good and which are bad, in order to protect employees who cannot tell the difference. Still today, enterprises deploy suites of technology ranging from signatures to machine learning, crowdsourcing, and deep learning.
But, as Guruswamy noted, security teams have to be right 100% of the time and cyberattackers only have to succeed once to hit the jackpot.
At first, organizations, generally connected to the government, tried to manually air-gap work devices, forcing employees to literally use one computer that was connected to the internet and another that was entirely disconnected from the web. Others tried the same idea with container techniques or hyperledgers, but the problem then became how to scale this for enterprises with thousands, or hundreds of thousands, of employees.
Chris Rothe, co-founder and chief product officer at Red Canary, said isolation is an effective technique for endpoints already infected with RATs, but it can also be used as a preventive tool.
“Other forms of isolation like browser sandboxing can be used to make it more difficult to get a RAT on an endpoint in the first place. For instance, if a user’s endpoint functions as a dumb terminal and they use it to log into a virtual desktop then it’s most likely a RAT would land in the virtual environment rather than locally on the user’s endpoint,” Rothe said.
“That virtual desktop can be destroyed and rebuilt frequently, which would then remove the RAT. Reactive isolation of a compromised endpoint is very widely used in incident response programs. You have to stop the bleeding before cleaning up and removing a RAT, and isolation is an effective way to do that even if it just means unplugging the network cord from the wall.”
Guruswamy echoed those ideas and said the team at Menlo stepped back and thought about where most threats originate: browsers.
“What if we can scope this isolation to really be around browsers because that’s really where the starting point is. That’s where we live our lives, that’s where we watch news, entertainment, do our job, and manage payroll. Menlo’s idea was to run a browser in the cloud on behalf of the user. So when you go to any website, what actually happens is that in real time, the Menlo browser opens your link in the cloud,” Guruswamy explained.
To make it a bit clearer, he said to think of a regular employee going to cbsnews.com. With isolation, the browser on the user’s laptop or computer never actually goes to the website. The user has no idea, but the cbsnews.com page is opened in the Menlo cloud system.
“You are able to turn your browser into a passive viewing device. You can still interact with it, still copy and paste, click, do all that stuff. For the most part, you have no idea as a user that you’re being isolated.”
Menlo’s technique and platform have been particularly useful for larger enterprises that have struggled to protect endpoints for thousands of workers.
Guruswamy added that the technique also works in the context of email. Every click on every email link ends up getting isolated in the cloud, so that if a link triggers a drive-by download or phishing attempt, isolation keeps the endpoint safe.
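The step that puts an isolation gateway in front of every email click (and, in the same way, in front of ordinary browsing as described above) can be sketched in code. The following is an added example for illustration; it is not Menlo’s code or API. The gateway address `isolate.example.test`, its `url=` query parameter, and the email body are all constructed assumptions. It rewrites each link in an HTML message so the click lands on the gateway, leaves non-web schemes such as `mailto:` alone, is idempotent so that forwarded mail does not get nested gateway links, and shows how the gateway side recovers the original destination to open in the cloud browser.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical isolation gateway (assumption, not a real service).
# A click on a rewritten link reaches this endpoint, which opens the
# original destination in a cloud-hosted browser instead of on the endpoint.
GATEWAY = "https://isolate.example.test/open"

# Only web schemes are routed through the remote browser. mailto:, tel:,
# etc. are left untouched because a browser session cannot render them.
ISOLATED_SCHEMES = {"http", "https"}

# Matches href="..." or href='...' attributes in an HTML body.
_HREF_RE = re.compile(r'(href\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE | re.DOTALL)


def rewrite_url(url: str) -> str:
    """Return the gateway URL that opens `url` in the isolated browser.

    Idempotent: a link that already points at the gateway is returned
    unchanged, so rescanning a forwarded message does not nest gateways.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ISOLATED_SCHEMES:
        return url
    if url.startswith(GATEWAY):
        return url
    # safe='' percent-encodes ':' '/' '?' '&' too, so the original query
    # string survives intact as a single parameter value.
    return f"{GATEWAY}?url={quote(url, safe='')}"


def original_url(gateway_url: str) -> Optional[str]:
    """Gateway side: recover the destination the cloud browser should open."""
    parts = urlsplit(gateway_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != GATEWAY:
        return None  # not one of our links; refuse to act as an open redirector
    target = parse_qs(parts.query).get("url")
    return target[0] if target else None


def rewrite_html_links(body: str) -> str:
    """Rewrite every href in an HTML email body to pass through the gateway."""
    def _sub(m: "re.Match[str]") -> str:
        prefix, q, href = m.group(1), m.group(2), m.group(3)
        # Attribute values are HTML-escaped (& -> &amp;). Unescape before
        # rewriting and re-escape afterwards so the markup stays valid.
        raw = html.unescape(href)
        return f"{prefix}{q}{html.escape(rewrite_url(raw), quote=True)}{q}"
    return _HREF_RE.sub(_sub, body)


# Constructed sample message (not a real email).
SAMPLE_EMAIL = """<p>Your invoice is ready.</p>
<a href="http://billing.example.test/invoice?id=42&amp;v=1">View invoice</a>
<a href="mailto:billing@example.test">Contact us</a>
<a href='https://news.example.test/article'>Read more</a>
"""


if __name__ == "__main__":
    rewritten = rewrite_html_links(SAMPLE_EMAIL)
    print(rewritten)
    for m in _HREF_RE.finditer(rewritten):
        print("gateway would open:", original_url(html.unescape(m.group(3))))
```

The `original_url` check that the link really targets the gateway path matters: without it, the gateway becomes an open redirector that attackers could themselves use to lend legitimacy to phishing links.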
Since millions began teleworking, Guruswamy said Menlo has worked with a number of enterprises that needed isolation to help protect disparate users.
“We have a customer in Australia that replaced their on-premises proxy with Menlo a few years ago, and they haven’t had a single listed virus on any of their endpoints in four years,” Guruswamy said. “It’s now to the point that the CISO jokes that the security team is bored.”