Recent nation-state cyberattacks have created many mistaken beliefs about cybersecurity concepts and solutions. Adenike Cosgrove, Cybersecurity Strategist at Proofpoint, debunks the four most common misconceptions circulating in the cybersecurity space right now.
Misconception #1: “Machine Learning is just a buzzword, ‘real enterprise solutions’ don’t use Machine Learning.”
Although it is true that Machine Learning is a buzzword across the industry, saying that ‘real enterprise solutions’ don’t use Machine Learning is simply false. When Machine Learning is properly implemented, it can help with a whole array of data-heavy problems such as threat analysis and threat detection.
A limited number of cybersecurity providers are beginning to apply Machine Learning across their portfolios to benefit from the capabilities it can provide. It can help process relationships across billions of threat data points and flag emails that violate regulatory or data-protection rules. As the need grows to reconcile large amounts of data for greater insight, Machine Learning will continue to have a role in nearly every aspect of our business.
Misconception #2: “If your solution is good enough at catching bad stuff, you don’t need to sandbox.”
Strong static analysis and reputation-based technologies can identify single-stage malicious payloads. However, the modern attacks we continue to see are more sophisticated: they are multi-staged and specifically designed to bypass this kind of static defence.
The first attack stage may contain no malware whatsoever. Its purpose is to get past a weak static check. Once inside, it identifies the operating system (OS), geolocation and other parameters that confirm the profile of the target. At the same time it can run VM-evasion, logging and fingerprinting checks before deciding whether it is appropriate to deliver the payload. If the target is in the wrong country or is the wrong type of client, or if the first stage suspects it is running in a VM, the attachment may never weaponise and simply remains harmless. When the right conditions are met, however, the malicious second stage is triggered, eluding the organisation’s static defence.
It is critical that organisations implement a dynamic defence that detonates these threats safely by introducing sandbox capabilities. Where the sandbox should sit is open to debate, but since these are overwhelmingly email-borne attacks, a solution that automates sandboxing at the mail gateway, before threats can enter the corporate network or reach user mailboxes, is far more effective.
Another reason dynamic defences like sandboxing get dismissed is the sheer volume of broad, commoditised attacks. These generic attacks are more easily picked up by reputation controls and are by definition not targeted. If a security vendor is simply attempting to ‘catch a lot of attacks’, sandboxing is a luxury that is hard to justify. However, when working with high-risk, high-value customers, new or previously unseen targeted attacks do occur, and these are generally of the multi-stage variety. Despite being less common, these targeted attacks do far greater damage and are much harder to detect. They are typically customised for specific organisations and unlikely to appear in a generic signature database. Sandboxing is often the only way to catch these more sophisticated attacks.
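The interaction between a conditional first stage and the two defences described above, as a constructed Python illustration (this is added example code, not from the article or from any Proofpoint product). The macro-like first stage, the second-stage string, the signature list and the sandbox host profiles are all invented stand-ins: the point is that the first stage contains nothing a signature can match, and that a sandbox whose environment looks like an analysis VM never sees the second stage either.

```python
"""Added illustration (not code from the article or from Proofpoint): a toy
two-stage, environment-aware payload run against a signature check and
against sandbox detonation under different host profiles.

All content is constructed: the stager, the 'second stage' string, the
signature list and the sandbox profiles are stand-ins for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class HostProfile:
    """The attributes a first stage typically fingerprints before committing."""
    os_name: str
    country: str          # derived from locale, keyboard layout or geo-IP
    vm_artifacts: bool    # hypervisor drivers, VM MAC prefixes, tiny disks
    uptime_minutes: int   # fresh analysis VMs often report very low uptime


# Constructed first stage, shown as the text a static scanner would see.
# It carries no shellcode, no encoded command and no known-bad indicator;
# it only profiles the host and asks for stage two if the host fits.
FIRST_STAGE_TEXT = b"""
Sub AutoOpen()
  p = ProbeHost()
  If p.Country = "GB" And p.OS = "Windows" And Not p.VM And p.Uptime > 60 Then
    FetchStageTwo()
  End If
End Sub
"""

# Constructed second stage: the part that does harm and that a signature
# database would recognise once it has been seen.
SECOND_STAGE_TEXT = b"stage2: harvest cloud credentials; install persistence"

# Constructed signature list standing in for a reputation/signature database.
SIGNATURES = [re.compile(rb"harvest cloud credentials"),
              re.compile(rb"install persistence")]


def static_scan(sample: bytes) -> str:
    """Signature check: flags a sample only if a known pattern is present."""
    return "malicious" if any(s.search(sample) for s in SIGNATURES) else "clean"


def first_stage(p: HostProfile) -> bool:
    """Behavioural twin of the macro above: True means 'fetch stage two'."""
    return (p.os_name == "Windows" and p.country == "GB"
            and not p.vm_artifacts and p.uptime_minutes > 60)


def detonate(stager: Callable[[HostProfile], bool],
             profiles: Iterable[HostProfile]) -> dict:
    """Run the stager under each sandbox profile. If it requests stage two,
    the sandbox captures the download (simulated by SECOND_STAGE_TEXT) and
    scans it. Returns the verdict and the profile that triggered it."""
    for p in profiles:
        if stager(p):
            return {"verdict": static_scan(SECOND_STAGE_TEXT), "triggered_by": p}
    return {"verdict": "clean", "triggered_by": None}


# A single default VM profile versus a set that includes a host which looks
# like the intended target (right country, long uptime, no VM artifacts).
DEFAULT_SANDBOX = [HostProfile("Windows", "US", True, 2)]
DIVERSIFIED_SANDBOX = [
    HostProfile("Windows", "US", True, 2),
    HostProfile("Windows", "GB", False, 180),
    HostProfile("macOS", "GB", False, 400),
]


def compare_defences() -> dict:
    """Verdicts from each defence against the same two-stage sample."""
    return {
        "static_on_first_stage": static_scan(FIRST_STAGE_TEXT),
        "static_on_second_stage": static_scan(SECOND_STAGE_TEXT),
        "default_sandbox": detonate(first_stage, DEFAULT_SANDBOX)["verdict"],
        "diversified_sandbox": detonate(first_stage, DIVERSIFIED_SANDBOX)["verdict"],
    }


if __name__ == "__main__":
    for name, verdict in compare_defences().items():
        print(f"{name:24s} {verdict}")
```

Two practitioner points fall out of this toy. First, a sandbox that advertises itself as a sandbox (hypervisor artifacts, the wrong locale, a few minutes of uptime) returns the same "clean" verdict the static scanner did, so detonation environments need to resemble the real target population and ideally run several profiles per sample. Second, the profile-then-fetch behaviour is itself a signal worth alerting on even when the second stage never arrives, since a benign document has no reason to check for a hypervisor before deciding what to do.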
Misconception #3: “A vendor that claims to spend the most revenue on R&D may not.”
R&D spending is important. It shows investors and the broader community the extent to which an organisation values and is committed to innovation and technology over other business expenses. And while the largest security vendors can easily outspend mid-sized or smaller vendors in every category when considering absolute dollars, it is more effective to consider the amount spent on R&D as a percentage of revenue when comparing vendors of different sizes, to show their degree of focus on product enhancement and rate of innovation.
Misconception #4: “Securing the enterprise means securing the network.”
Protecting the network is still important, but as businesses move resources, communications and services to the cloud and fewer assets and workloads are managed by corporate IT, they need to keep an eye on the most attractive target for criminals: their employees.
IT security spending today continues to reflect outdated priorities. According to Gartner, spending on network security solutions is predicted to surge to $13.3 billion by the end of 2019. The amount organisations spend on email security pales in comparison, despite the fact that, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful phishing attacks. The goal of those email attacks is often to obtain cloud credentials, which can lead to catastrophic data loss.
Therefore, if you have spent most of your security budget on firewalls and endpoints, you are missing visibility into, and protection for, your cloud services and the people who use them. Fortunately, the majority of customers we spoke with are savvy about their situation. Just as with email security before it, they know they need something above the baseline, above what Office 365 provides, if they want legitimate protection for their cloud resources.
Attackers are highly democratic: they will attack just about any organisation, and within each organisation they will approach different targets with a combination of targeted and non-targeted threats. While solutions like sandboxing and dynamic threat analysis tools represent a significant investment for businesses, without them you simply will not gain insight into an attack until it is too late.