It is now vital to reinvent our approach to security, so organisations can stay ahead of hackers, says Ian Pratt, Global Head of Security for Personal Systems, HP Inc.
Today’s threat landscape is constantly evolving, and the COVID-19 pandemic has created even more opportunities for cybercriminals, as the attack surface widens. Thriving darknet marketplaces are making it easier than ever to launch timely campaigns, so whenever there is a new opportunity, cybercriminals are quick to look for ways to exploit it. This ability to move quickly and innovate means organisations can no longer rely on looking for known threats, making it harder than ever to detect threats in real-time and putting organisations at risk. This is why it’s vital that we reinvent our approach to security so that organisations can stay a step ahead of hackers. But where to start?
Modern cybercrime is well-funded and well-resourced, and has become a professional, commoditised industry worth more than $680 billion. Cybercriminals are rapidly adopting new models, technologies, and techniques, innovating at pace to create new threats to bypass detection-based security and break into critical IT systems. Detection is often evaded using polymorphic malware, and occasionally even zero-day exploits may be deployed, but many simple approaches are very successful too. For example, in October, HP identified a large-scale TrickBot campaign using Microsoft’s ‘Encrypt with Password’ feature. This helped malicious documents slip past network security and behavioural detection tools, as the malware was only deployed if users entered the password sent in the phishing email.
Detection-based security tools not only suffer from frequent false negatives, but also generate copious noise due to false positives that have to be triaged. In fact, research shows that some SOC teams are receiving over 10,000 alerts per day, which they must sift through to find true threats. This can result in alert fatigue, meaning threats to the business can be missed. Once hackers have bypassed defences, the clock really starts ticking as they will use their initial point of compromise to move laterally to other systems, often by obtaining credentials, whereupon they can insert backdoors, exfiltrate data, destroy backups, and crypto-lock data.
The other challenge that organisations face is that the main target for attacks is most often endpoints, or more specifically, the users of those devices. Security tools are meant to protect users – firstly, by ensuring that malicious links and files do not make it into their inbox or browser in the first place, and secondly, by detecting malicious content when a user clicks on it. However, once again this relies on technology’s ability to detect and stop malicious actors in real-time, which as explained above, is inevitably prone to frequent failure.
As a result, users are still finding themselves having to act as a last line of defence against increasingly sneaky attackers. 2020 saw a 176 percent increase in malicious Microsoft Office files, and hackers have now also been using the COVID-19 pandemic as a lure to infect users; for example, through fake notifications from government agencies or reports on new treatments, tricking them into clicking on malicious files or links. User education can only take things so far; eventually, someone will unwittingly expose the company to compromise – and more worryingly, most of them will not even know they have been compromised at all.
Security needs to be built from the ground up
It’s time to reinvent how we approach security, by building it in from the chip up. Key to this is making the shift to a protection-first model, one that doesn’t rely on detection but instead uses sound security engineering practices – such as fine-grained isolation, the principle of least privilege (PoLP), and mandatory access control. This approach is embodied in micro-virtualisation, where risky workloads – such as opening web links, downloads and attachments – are performed within hardware-enforced micro-VMs (virtual machines), isolated from the rest of the device or network. This way, it doesn’t matter if a document or web page is riddled with malware, because the hacker has nowhere to go, nothing to steal and no way to persist. This means users can go back to their day jobs and click with confidence.
By isolating key attack vectors – such as browsers, email and downloads – organisations are able to drastically reduce their attack surface, as all the most common avenues to compromise endpoints become dead-ends. Furthermore, when threats are executed within micro-VMs, the full kill-chain of the attack is captured into a detailed ‘flight recorder’ trace, providing the security operations centre (SOC) team with rich, high-fidelity threat intelligence and indicators of compromise (IOCs) that can be used to help defend other systems.
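As an added example (not HP's code and not a description of its product internals), the following Python models the protection-first approach described in the two paragraphs above: a mandatory, default-deny, least-privilege policy applied to an untrusted workload, a flight-recorder trace of every action the workload attempts, and IOCs derived from that trace afterwards. The policy table, the action names, the sample attachment behaviour and the `signature_scan` comparison are assumptions constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Mandatory, default-deny policy for the isolated workload (assumed resource
# classes). The workload cannot change this table, and any action that is not
# listed is denied, whether or not the payload is already known to be bad.
DEFAULT_DENY_POLICY = {
    "read:document": True,          # the attachment being opened
    "write:scratch": True,          # throwaway storage inside the micro-VM
    "read:credential_store": False,
    "write:startup": False,         # persistence on the host
    "net:egress": False,            # no route out to a command-and-control host
    "exec:host_shell": False,
}

@dataclass
class TraceEvent:
    action: str
    target: str
    allowed: bool
    payload: bytes = b""

@dataclass
class FlightRecorder:
    """Records every attempted action, allowed or denied."""
    events: list = field(default_factory=list)

    def record(self, action, target, allowed, payload=b""):
        self.events.append(TraceEvent(action, target, allowed, payload))

class IsolatedWorkload:
    def __init__(self, policy=DEFAULT_DENY_POLICY):
        self.policy = policy
        self.recorder = FlightRecorder()

    def attempt(self, action, target, payload=b""):
        # The decision depends only on the policy, never on recognising the payload.
        allowed = self.policy.get(action, False)
        self.recorder.record(action, target, allowed, payload)
        return allowed

def run_workload(actions, policy=DEFAULT_DENY_POLICY):
    """Execute a list of (action, target, payload) requests under the policy."""
    vm = IsolatedWorkload(policy)
    for action, target, payload in actions:
        vm.attempt(action, target, payload)
    return vm.recorder

def payload_fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def signature_scan(data, known_bad_hashes):
    """A detection-based check: it only catches what is already on the list."""
    return payload_fingerprint(data) in known_bad_hashes

def extract_iocs(recorder):
    """Turn the trace into IOCs that can be used to defend other systems."""
    iocs = {"domains": set(), "persistence_paths": set(), "payload_sha256": set()}
    for ev in recorder.events:
        if ev.action == "net:egress":
            iocs["domains"].add(ev.target)
        elif ev.action == "write:startup":
            iocs["persistence_paths"].add(ev.target)
            iocs["payload_sha256"].add(payload_fingerprint(ev.payload))
    return iocs

def denied_actions(recorder):
    return [(ev.action, ev.target) for ev in recorder.events if not ev.allowed]

# Constructed sample: what a macro-laden attachment might try once opened.
DROPPER_BYTES = b"constructed dropper payload, unknown to any signature list"
SAMPLE_ACTIONS = [
    ("read:document", "invoice.docm", b""),
    ("write:scratch", "tmp/stage1.bin", DROPPER_BYTES),
    ("write:startup", "Startup/updater.exe", DROPPER_BYTES),
    ("net:egress", "c2.example.invalid", b""),
    ("read:credential_store", "browser-logins", b""),
]

if __name__ == "__main__":
    recorder = run_workload(SAMPLE_ACTIONS)
    for ev in recorder.events:
        print(f"{'ALLOW' if ev.allowed else 'DENY ':5} {ev.action:24} {ev.target}")
    print("signature scan would have flagged it:", signature_scan(DROPPER_BYTES, set()))
    print("IOCs for the SOC:", extract_iocs(recorder))
```

Running the block shows the contrast the text draws: `signature_scan` returns `False` because the dropper is not on any list, yet the policy still denies persistence, network egress and credential access, and the trace alone yields the domain, the persistence path and the payload hash for the SOC.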
Incremental innovation in security is failing to disrupt threat actors. A new, hardware-powered approach is needed that stops putting the burden of security on users by isolating threats, ensuring they cannot infect PCs or spread through corporate networks. This is just the tip of the iceberg and marks the beginning of a virtualisation revolution in security, where users no longer fear opening links and attachments, and organisations can let their teams focus on their day jobs without worrying about making security mistakes.