Thursday, May 4, 2023

Stop Blaming Users for Breaches: Three Strategies for Protecting Users

  • Most breaches rely on social engineering to trick users into performing actions they shouldn’t. Breaches typically start with “a user clicked…”
  • The role of IT and security departments is providing a safe environment for users to do their job, including risky activities like opening files and links. When breaches occur, usually they aren’t the users’ fault since clicking on things is their job.
  • Security awareness training, though worthwhile, is not foolproof. Enterprise organizations should implement three strategies for protecting their users across protection, visibility and isolation.

Most breaches start with a user clicking on something. It could be a link in an email or on a social media website, an email attachment, a file downloaded from a browser, a file opened from a USB drive, etc. What varies is the type of malicious payload: an Office or PDF document, an executable (e.g. .exe or .msi), a OneNote file, a script or HTML file, or a zip archive with malicious embedded files. The malicious payload or exploit changes, but the delivery method does not. It still starts with “a user clicked…”

It’s not the users’ fault

Having worked in IT and cybersecurity for many years, I must admit that I have done my fair share of user blaming. We are often quick to talk about how users are incompetent or untrainable. We blame them when things go wrong. In reality, it is more often our own failing as IT and cybersecurity professionals to build a secure system that works and is easy to use.

We tell users not to click on things and then we give them a PC, applications, and a job that requires them to click on things. It’s not fair. If you work in finance and your job requires you to process invoices that arrive via email as PDF attachments, we should not blame you when you open the “wrong” PDF. Yes, many companies still request that invoices be sent as PDF documents via email for processing! If you work in human resources and open Word documents that are resumes, we should not blame you when you open the “wrong” Word document. End users need to click on and open things to do their jobs, and it’s not fair to expect them to be cyber experts who can miraculously determine whether something is malicious or not prior to clicking.

We can’t patch people

We patch our IT systems, but we cannot patch user behavior. The adversaries know this. That is why they simply keep tricking users into clicking on things. Nearly every organization I speak to conducts phishing tests on their users, and every single one of them still has a meaningful percentage of users that click. It only takes one user clicking to initiate the breach. We cannot educate our way out of this. The bad guys will always find at least one person in your organization to click. This doesn’t mean we shouldn’t educate users; we should. But we should steer clear of the traps of blaming users for our failure to protect them or relying on education as the solution to this challenge.

Three strategies for protecting users

End users and their computing devices are on the front line in the cyber war. We need proper technology and strategies to protect our users. Failure to implement proper protection is like sending a soldier into battle without armor or a weapon. There is a myriad of things we need to do to protect users on Windows PCs: limiting administrator permissions, keeping software patched, implementing zero trust, etc. Many of these things are “basics”, and I’m not going to waste time covering all of them, but I will cover three key strategies that enterprise organizations need to implement: Protection, Visibility, Isolation.

1. Protection

It all starts with good protection. This is where anti-virus (AV) or next-generation anti-virus (NGAV) comes into play. There are a lot of great vendors in this space, including many new ones. While we need an NGAV tool, it is not enough by itself. The reality is that most organizations that have suffered a ransomware attack or some other breach were running AV on the devices that were affected. If AV or NGAV alone was enough, there would be no more breaches. A properly implemented quality NGAV tool is just the first step.

2. Visibility

The next strategy is having a good visibility tool. This is often referred to as endpoint detection and response (EDR), extended detection and response (XDR), etc. Whatever we call it, it really comes down to having visibility of what is running on your devices and the behavior of those applications. For example, a user might download a new .exe file. This could be the first time this specific executable has ever been run on a PC in your environment. The executable starts reading files from the user’s network shares and OneDrive folder. The executable also makes a network connection to a server in a foreign country and starts uploading data at a high rate of speed. What’s happening? Your data is being exfiltrated. Sadly, the AV let the bad executable run. However, if you have a good visibility tool, you might be able to spot this anomalous activity or unusual behavior and take appropriate action to minimize the damage.

The difficult part is ensuring your behavioral rulesets are programmed to alert on the unusual behavior and that you have the security analysts to act upon it. Historically, these tools have been expensive and labor intensive to implement and operationalize. Thankfully, there are now some great vendors in this space leveraging the power of the cloud with AI and machine learning, which is making these tools less labor intensive and reducing the cost. We have also seen a consolidation of tool sets where many vendors now offer both protection and visibility capabilities as part of a unified platform.
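To make the “behavioral ruleset” idea concrete, here is an added example (not code from the original post or from HP) of a toy correlation rule run over constructed endpoint telemetry. It flags the exact pattern described above: a first-seen executable that reads from network shares or OneDrive and then uploads a large volume of data to an external host. The event schema, paths, and thresholds are assumptions, not any vendor’s format.

```python
# Added example: toy EDR-style behavioural correlation over constructed telemetry.
# Event field names and thresholds are assumptions, not any product's schema.
from collections import defaultdict

# Constructed sample telemetry: pid 100 is a never-before-seen binary that reads
# share/OneDrive files and uploads a lot of data; pid 200 is a benign, known app.
EVENTS = [
    {"pid": 100, "type": "process_start", "image": "invoice_viewer.exe", "seen_before": False},
    {"pid": 100, "type": "file_read", "path": r"\\fileserver\finance\q1.xlsx"},
    {"pid": 100, "type": "file_read", "path": r"C:\Users\alice\OneDrive\contracts.docx"},
    {"pid": 100, "type": "net_connect", "dst": "203.0.113.7", "external": True, "bytes_out": 900_000_000},
    {"pid": 200, "type": "process_start", "image": "outlook.exe", "seen_before": True},
    {"pid": 200, "type": "file_read", "path": r"C:\Users\alice\OneDrive\notes.txt"},
    {"pid": 200, "type": "net_connect", "dst": "10.0.0.5", "external": False, "bytes_out": 20_000},
]

# Assumed "data" locations: UNC shares and the user's OneDrive folder.
SENSITIVE_PREFIXES = ("\\\\", "C:\\Users\\alice\\OneDrive")
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # assumed: >100 MiB outbound counts as "high rate"


def detect_exfiltration(events):
    """Return {pid: reason} for processes showing all three behaviours at once:
    first-seen executable, reads from data locations, large upload to an external host."""
    by_pid = defaultdict(lambda: {"new": False, "image": None, "reads": 0,
                                  "upload": 0, "ext_dst": None})
    for e in events:
        s = by_pid[e["pid"]]
        if e["type"] == "process_start":
            s["new"] = not e["seen_before"]
            s["image"] = e["image"]
        elif e["type"] == "file_read" and e["path"].startswith(SENSITIVE_PREFIXES):
            s["reads"] += 1
        elif e["type"] == "net_connect" and e["external"]:
            s["upload"] += e["bytes_out"]
            s["ext_dst"] = e["dst"]

    alerts = {}
    for pid, s in by_pid.items():
        # Each signal alone is noisy; the combination is what justifies an alert.
        if s["new"] and s["reads"] > 0 and s["upload"] >= UPLOAD_THRESHOLD:
            alerts[pid] = (f"{s['image']}: first-seen binary read {s['reads']} sensitive "
                           f"file(s) and sent {s['upload']} bytes to {s['ext_dst']}")
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_exfiltration(EVENTS).items():
        print(f"ALERT pid={pid}: {reason}")
```

Running it alerts on pid 100 only; the known mail client that also touched OneDrive but spoke to an internal host stays quiet, which is the difference between a useful rule and one that drowns analysts.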

However, just as AV tools fail to detect all malware, visibility tools will also not catch everything in time before severe damage occurs. Visibility is an important part of the strategy, but it is not enough.

3. Isolation

The third strategy that should be implemented along with your protection and visibility tools is isolation. To understand isolation, think of your PC as your house. When you open an email attachment, you are inviting that attachment into your living room. When you click on a hyperlink in email, you are inviting that website into your living room. Do you know whether that content is good or bad? If the content turns out to be malicious, you are hoping that your NGAV stops it at the door before it gets into your living room. If NGAV does not stop it, and it starts behaving strangely while in your living room, you are hoping that your visibility or EDR tool will spot that the content is acting suspicious and escort it out of your house before it hurts you.

The problem with both the NGAV and EDR approach is that you have already opened your front door and let the content into your house. Because the bad guy is already in your home, there is a chance that severe damage will still occur. With isolation, we ask whether you really need to invite the content into your home in order to interact with it. Instead of inviting the email attachment, downloaded file, or website into your home, we invite the content into a virtual container and let the user interact with it from outside the container. With this approach, if the content does something malicious or suspicious, it is acceptable because it was never actually invited into your home. It is like interacting with someone in a Zoom or Teams meeting. If a person does something bad in a virtual meeting, you can simply end the meeting. The person was never really in your house!

There are two key approaches for implementing and running isolation containers: cloud and on-device. With a cloud-based approach to hosting containers, a website or file is run in a container that is not on your network or PC but in a third-party cloud environment. The end user simply views the pixels or video output of the remote container in their browser. With an on-device approach, the container runs locally on the user’s device and leverages hardware-based virtualization to isolate the container from your Windows OS and internal network.

Both cloud and on-device isolation containers have advantages and disadvantages when compared with each other. However, both approaches significantly reduce the threat faced by end users.

HP Sure Click

Here at HP we pioneered the use of hardware-based isolation containers for Windows PCs with our Sure Click technology. With Sure Click we create a virtual safety net for end users to protect them when they click on high-risk content. Whether it is an email attachment, file downloaded from the Internet, a file opened on a USB drive, or website link a user has clicked on, Sure Click is there to isolate the content. If the content turns out to be malicious, the malware is isolated inside a container and cannot harm the user’s PC or your internal network. Check out our video demoing how Sure Click protects users from risky clicks.

End users are on the front lines in today’s cyber battles. It’s our job as IT and cyber professionals to give them the tools and systems to allow them to safely do their job. In the end, all of us will eventually click on something we shouldn’t. I know I have clicked on things I shouldn’t. If you use a PC connected to the Internet and you have email, chat, or social media, you will eventually click. It’s time to stop blaming users and start protecting them! This means implementing strategies that include protection, visibility and isolation.


The post Stop Blaming Users for Breaches: Three Strategies for Protecting Users appeared first on HP Wolf Security.
