proofpoint.com EBOOK ADAPTIVE WEB ISOLATION A PEOPLE-CENTRIC APPROACH TO STOPPING URL-BASED EMAIL ATTACKS AND KEEPING USERS PRODUCTIVE



CONTENTS

3 GETTING THE UPPER HAND

5 CUSTOMIZED CONTROLS

5 CHOOSING AN ADAPTIVE ISOLATION SOLUTION

SIDEBAR – PAGE 5: ASSESSING USER RISK: THE VAP MODEL

7 CONCLUSION

A PEOPLE-CENTRIC THREAT LANDSCAPE

The biggest threat to your data isn’t a flaw hidden in the recesses of your server’s legacy code, a zero-day exploit changing hands on the Dark Web, or even an old laptop still running Windows 7.

Your biggest threat is most likely sitting in a cubicle near you. It’s welcoming visitors at the reception desk. It’s packing boxes in the stockroom. It might even be you.

That’s because people, not technology, are attackers’ biggest target—and organizations’ biggest risk. Today’s attacks rely on hacking human nature, not outfoxing your firewall. They trick your workers into opening an unsafe attachment or clicking on a dubious web link. And they con your customers into sharing login credentials with a website they think is yours.

Unlike systems, people can’t be patched. And you can’t stop people-focused attacks by doubling down on technology designed to protect things.

As tech journalist Ross Kelly put it, a store manager wouldn’t try to solve employee theft by spending on new security cameras. Yet when faced with what is, at its core, a people problem, organizations often focus their cybersecurity efforts on infrastructure-focused defenses.1

This guide can help you put the spotlight back on people. It explores how URL attacks work, why they’re so hard to stop, and how you can take a people-centric approach to managing them.


1. Ross Kelly (Chief Executive Magazine). “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” March 2017.


Email: still the top threat vector

Given its central role in modern business communication, email is, not surprisingly, the No. 1 threat vector by a wide margin. More than 90% of malware is delivered through email,2 and the volume of attacks continues to grow.3

That’s because email is the easiest way to reach the largest pool of potential targets. Everyone has an email address. Most businesses rely on it. And it uses a decades-old architecture that wasn’t designed with security in mind.

Email attacks come in several varieties. In many cases, attackers include a malicious file attachment and trick the recipient into opening it. In other attacks, they’ll include a URL link to an unsafe website. The link might redirect the user to a malicious file download or phishing page that tries to trick the user into entering login credentials.

The volume and share of attachment- and URL-based attacks are constantly shifting. But as Figure 1 shows, URL attacks always play a major role and have dominated so far this year.

Figure 1: Indexed daily attack type trend. Indexed Daily Malicious Message Volume by Attack Type, Q4 2018–Q1 2019 (10/1/18 to 3/1/19); series: Malicious URL Messages and Malicious Attachment Messages.

A URL onslaught

Traditional security tools, even those designed to stop phishing, struggle with today’s onslaught of URL-based attacks. According to a recent study, about 1 in 4 phishing emails bypass Office 365’s anti-phishing defenses.4

It’s easy to see why. Unlike attacks that use malicious file attachments, URL-based email campaigns contain no malicious payload. There’s no code to analyze, match against known malware signatures, or run in a sandbox. The risky code is not in the email itself but on the website the URL links to.

GETTING THE UPPER HAND

So why not just block the bad URLs? That’s easier said than done. Attackers can easily create new URLs—much faster than security tools can analyze them and update their blocklists. Bad URLs are also easy to disguise with link-shortening tools such as Bit.ly, which have legitimate business purposes and are therefore assumed benign. And it’s easy to host malicious code on popular file-sharing sites such as Dropbox and OneDrive, which have become a normal, trusted part of modern business.

Even under the best circumstances, some users will click on an unsafe URL that appears in an email. Attackers have grown skilled at researching their targets and using social engineering to exploit human nature. Some lures are just too well researched, expertly crafted, and psychologically potent to resist every time.

An unproductive approach: clamping down on users

Vetting every unknown URL is difficult. Security teams may be tempted to solve the malicious URL problem by blocking access to all but a few known safe URLs. Or they might consider monitoring workers’ web activity and intercepting unsafe traffic.

Neither approach is useful in today’s enterprise environment.

Restricting URLs to a pre-vetted list of allowed sites is a sure way to anger and frustrate users. In many cases, such a move could actually make data less safe. To get around what they see as a security-mandated roadblock, users might just move their work to unprotected personal devices or outside networks.

Even with the most patient users, maintaining an allowed list quickly becomes a burden for already-stretched IT departments: the list must be kept current, and a constant influx of user requests for exceptions must be handled.

At the same time, monitoring users’ web activity is expensive and may violate privacy rules such as Europe’s General Data Protection Regulation (GDPR).


2. Josh Fruhlinger (CSO). “Top cybersecurity facts, figures and statistics for 2018.” October 2018.

3. Proofpoint. “Q1 Threat Report.” May 2019.

4. Warwick Ashford (ComputerWeekly.com). “A quarter of phishing emails bypass Office 365 security.” April 2019.


A better approach: web isolation

Web isolation is an approach that can meet everyone’s needs. The technology keeps users’ personal web activity separate from the enterprise network.

Users are free to visit any site they choose using their browser of choice. But rather than rendering HTML code on their local PC, isolation technology uses a remote proxy server to manage users’ activity in a secure container. High-risk content, including executable code, is stripped out, and a sanitized form of the page is sent to the user’s browser. Any unsafe content users would normally encounter never enters the endpoint—or the enterprise.

Diagram: corporate network, Proofpoint Isolation, internet.

With web isolation, users get freedom and privacy. The IT department isn’t burdened with complaints and exemption requests. And security teams don’t have to deal with unmonitored risks from personal email and web browsing.

Other benefits include:

■ Enhanced user privacy (because their physical location is masked)

■ Data loss prevention (because employees can’t upload sensitive information in the isolated environment)

■ Less strain on existing security defenses (because no code needs to be scanned or sandboxed by the organization itself)5

The best approach: adaptive isolation

Web isolation solves many of the security issues inherent in personal email and web browsing. But for some use cases, it can be too restrictive. For example, someone in marketing may need to download a photo from an ad agency using a file-sharing site. Or someone in purchasing may need to upload a signed invoice to a vendor’s website.

That’s where adaptive isolation comes in. Instead of isolating all browsing sessions and keeping them insulated from the environment, organizations can allow users to exit the isolation—once the URL is verified safe—and interact with the full version of the website. By applying isolation to specific URLs, website categories or users, organizations can keep threats out of their environment without impeding users’ work.

Adaptive isolation adds another, more flexible layer of protection to existing cyber defenses. It can be applied selectively and adjusted as circumstances warrant. For the users most at risk (as determined by their vulnerability, attack profile and privilege), security teams might require isolation for all URLs that appear in emails. For others, isolation might be required only for certain categories of URLs, with the option to exit. And as users’ risk profiles change, so can these controls.

5. Osterman. “Why You Should Seriously Consider Web Isolation Technology.” December 2018.

Diagram: URL Defense (Click Time) + Isolation Policy. Clicked URLs from all users: risky URLs are sent to the isolation environment. Clicked URLs from VAPs: all URLs are sent to the isolation environment.


CUSTOMIZED CONTROLS

In today’s people-focused threat landscape, there’s no such thing as one-size-fits-all security. Trying to protect everything and everyone to the same degree and in every circumstance is needlessly costly to the organization and creates unnecessary burdens for low-risk users.

Instead, a people-centric approach applies tailored security to people according to their unique vulnerabilities, attack profile and privilege. While it aims to keep everyone protected, it gives special attention to those most at risk. That means the people most likely to fall prey to attacks, those being targeted in the most serious attacks, and those in the position to do the most harm if compromised.

An adaptive people-centric approach is also flexible, adjusting security controls as users’ risk profile changes. That resilience is critical in today’s fast-changing threat landscape. Attackers are always changing their targets, tactics and tools. Organizations must be able to take a similar approach with their defenses.

CHOOSING AN ADAPTIVE ISOLATION SOLUTION

Understanding the need for adaptive security controls is easy. Selecting the right ones is more complicated.

You should start by outlining the insight you need for a people-centric defense. Then you’ll need the ability to apply the right controls to the right people in the right channels at the right time.

Getting people-centric insight and accurate threat detection

Adaptive isolation starts with knowing where to apply it. That means detecting unsafe URLs and identifying users who present a higher level of risk.

The most effective solutions detect the whole spectrum of URL-based attacks, including malware and non-malware threats. On the malware side, that includes hosted macros, injected code, fake update installers and the like. Other threats include phishing and fraudulent websites.

Just as people are unique, so is their value to cyber attackers and their risk to employers. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud.

Together, these factors make up a user’s overall risk in what we call the VAP (vulnerability, attacks and privilege) index.

Vulnerability

Users’ vulnerability starts with their digital behavior—how they work and what they click. Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.

Attacks

All cyber attacks are not created equal. While every one is potentially harmful, some are more dangerous, targeted or sophisticated than others.

Indiscriminate “commodity” threats might be more numerous than other kinds of threats. But they’re usually less worrisome because they’re well understood and more easily blocked. Other threats might appear in only a handful of attacks. But they can pose a more serious danger because of their sophistication or the people they target.

Privilege

Privilege measures all the potentially valuable things people have access to, such as data, financial authority, key relationships and more. Measuring this aspect of risk is key because it reflects the potential payoff for attackers—and harm to organizations if compromised.

ASSESSING USER RISK: THE VAP MODEL

■ ATTACKED: targeted by threats

■ PRIVILEGED: access to valuable data/systems

■ VULNERABILITY: work in high-risk ways


Whatever tactic attackers use, the solution must be able to detect threats quickly and accurately. The most effective solutions draw on timely, actionable threat intelligence. Detection should be based on real-world threats, active attack campaigns, and deep insight into attackers’ tools, tactics and motives. These are all essential to knowing which URLs to isolate and whether users can safely exit isolation and load the unrestricted web page.

In addition to detecting unsafe URLs, your solution should also be able to identify which users are most at risk from them. That means being able to tell which ones are most vulnerable, attacked and privileged.

Measuring vulnerability: how your people work and what they click

Assessing vulnerability starts with how people work. It weighs factors such as:

■ What cloud apps they use

■ How many and what devices they use to access email

■ Whether those devices are secure

■ Whether the user practices good digital hygiene

■ Whether they use multi-factor authentication consistently

The second part of measuring vulnerability is figuring out how susceptible your users are to phishing and other cyber attacks. Phishing simulations and performance in security awareness assessments are the best ways to gauge this aspect of vulnerability.

Someone who opens a simulated phishing email and opens the attachment might be the most vulnerable. A user who ignores it would rank somewhat lower. And users who report the email to the security team or email admin would be deemed the least vulnerable.

Assessing attacks: not all threats are created equal

Rich threat intelligence and timely insight are the keys to quantifying this aspect of user risk. The factors that should weigh most heavily in each user’s assessment include:

■ The cyber criminal’s sophistication

■ The spread and focus of attacks

■ The attack type

■ Overall attack volume

Gauging privilege: access is everything

Users with access to critical systems or proprietary intellectual property, for instance, might need more stringent isolation controls, even if they aren’t especially vulnerable or aren’t yet on attackers’ radar.

The user’s position in the org chart is naturally a factor in scoring privilege. But it’s not the only factor—and often, not even the most important one. For attackers, a valuable target can be anyone who serves as a means to their end.
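The policy described earlier (isolate every email URL for the highest-risk users, isolate only risky categories for everyone else, and let a user leave isolation once the URL is verified safe) combined with a VAP-style index built from the three factors just described, as an added worked example that is not Proofpoint’s code. Every weight, threshold, category name, scale and sample value is an assumption constructed for illustration; the guide gives no numbers.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK = "block"                        # click-time verdict malicious: never load
    ISOLATE = "isolate"                    # render remotely, no exit allowed
    ISOLATE_MAY_EXIT = "isolate_may_exit"  # render remotely, exit once verified safe
    ALLOW = "allow"                        # load the unrestricted page


@dataclass
class User:
    name: str
    phish_sim_result: str     # "opened", "ignored" or "reported" (as in the guide)
    unmanaged_devices: int    # devices used for email that IT does not manage
    mfa_consistent: bool      # uses multi-factor authentication consistently
    attack_count: int         # attacks seen against this user (assumed scale)
    max_sophistication: int   # 0..10, most sophisticated attack seen (assumed scale)
    privilege_level: int      # 0..10, access to valuable data/systems (assumed scale)


def vulnerability_score(u: User) -> float:
    # "opened" ranks most vulnerable and "reported" least, as the guide describes
    sim = {"opened": 1.0, "ignored": 0.5, "reported": 0.0}[u.phish_sim_result]
    devices = min(u.unmanaged_devices, 3) / 3
    mfa = 0.0 if u.mfa_consistent else 1.0
    return (sim + devices + mfa) / 3


def attack_score(u: User) -> float:
    # sophistication outweighs raw volume: commodity threats are better understood
    volume = min(u.attack_count, 50) / 50
    return 0.3 * volume + 0.7 * (u.max_sophistication / 10)


def vap_index(u: User) -> float:
    """Equal-weight mean of vulnerability, attacks and privilege, in [0, 1] (assumed)."""
    privilege = u.privilege_level / 10
    return round((vulnerability_score(u) + attack_score(u) + privilege) / 3, 3)


RISKY_CATEGORIES = {"file-sharing", "link-shortener", "uncategorized"}  # assumed


def decide(u: User, verdict: str, category: str, vap_threshold: float = 0.5) -> Action:
    """verdict is the click-time URL analysis result: 'malicious', 'safe' or 'unknown'."""
    if verdict == "malicious":
        return Action.BLOCK
    if vap_index(u) >= vap_threshold:
        return Action.ISOLATE             # highest-risk users: isolate every email URL
    if verdict == "safe":
        return Action.ALLOW               # verified safe: the user may leave isolation
    if category in RISKY_CATEGORIES:
        return Action.ISOLATE_MAY_EXIT    # everyone else: isolate only risky categories
    return Action.ALLOW
```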

Respecting privacy

One of the main benefits of web and personal webmail isolation is giving users the ability to freely browse the web without encroaching on their personal privacy.

An effective isolation solution should comply with GDPR worker-privacy rules. And when users remain in an isolated browsing session, their activity should remain completely anonymous.

Naturally, high-risk users should be subject to tighter security controls than low-risk users. But both deserve the same privacy protections and browsing rights, especially when granting them doesn’t come with additional risks.


Enabling, not hindering, business

Effective isolation should deploy quickly and stay out of users’ way as much as possible.

For most organizations, cloud-based services are easier and faster to deploy. The best solutions can scale up quickly and allow users to self-provision.

Once in place, the isolation solution should be practically invisible to users. Workers should be able to keep using the browser they prefer—along with their bookmarks, customizations and settings. In other words, the technology should adapt to users, not the other way around.

Finally, web isolation should render web content safely, quickly and smoothly. That includes videos, interactive content, Adobe Acrobat (PDF) files and more. From users’ point of view, isolation technology that can’t display rich versions of the websites they use isn’t much better than blocking them altogether.

Gaining flexibility

Most businesses collaborate with all sorts of outside entities, usually through the web. Sometimes, users need full access to a URL to upload and download documents.

That’s why your isolation solution should let users exit the isolated environment once a URL has been analyzed and deemed safe. That flexibility allows users to work with business-critical services without compromising your environment.

CONCLUSION

In today’s environment, effective cybersecurity is more about people than technology. Securing the organization starts with protecting the people within it.

Web isolation—especially the adaptive isolation described in this guide—can be an effective way of dealing with the growing volume of URL-based email attacks. Choosing the right solution is critical for organizations seeking to stop URL-based threats—without becoming a roadblock to users and their work.

To learn more about how Proofpoint can help you take an adaptive, people-centric approach, visit www.proofpoint.com.

proofpoint.com 0819-002

ABOUT PROOFPOINT

Proofpoint, Inc. (NASDAQ:PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 100, rely on Proofpoint to mitigate their most critical security and compliance risks across email, the cloud, social media, and the web. No one protects people, the data they create, and the digital channels they use more effectively than Proofpoint.

© Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are