With so many cybersecurity pros drowning in an ever-rising tide of hack attacks on their computer systems, an emerging approach to defending those systems may be the life preserver they’ve been looking for.
The approach doesn’t involve beefing up perimeter defenses, carefully scrutinizing network traffic, or applying analytics to employee behavior — but it’s aimed at the biggest security threat to all organizations: the Internet.
“Every security vendor in the world tries to figure out if something is good or bad,” explained Kowsik Guruswamy, CTO of Menlo Security. “If it’s good, we let it through. If it’s bad, we try to block it.”
However, that approach — as the day-to-day reports of data breaches show — hasn’t been working.
“We need something very different — something that will take the malware problem off the table,” Guruswamy told TechNewsWorld.
One approach is essentially to isolate an organization’s systems from the Internet, as Menlo does. Its Menlo Security Isolation Platform runs all Web content in a container in the cloud, or on a network appliance, so it never touches an organization’s endpoints.
Using something called “Adaptive Clientless Rendering,” it allows any browser to interact with the Web content without affecting a user’s experience, without any client software, and without any perceivable latency.
Good, Bad, Who Cares?
With 90 to 95 percent of all cyberthreats originating in email or on the Web, isolation technology like Menlo’s can neutralize a substantial amount of danger for connected companies.
“Everything for a browsing session is executed in a container in the cloud,” Guruswamy said.
“Whether a website is serving up malware or not, it doesn’t matter, because everything is executed in the cloud, and there’s no way for bad stuff to leak from the container and come to your endpoint,” he explained.
“Isolation as a technology has been proven to provide guaranteed security for over 20 years,” Guruswamy pointed out. “The problem when people tried it before was that it required endpoint software, which is very brittle, or it was always at crossroads with user experience.”
Menlo addressed those challenges by performing the isolation functions in the cloud, without any endpoint software and with a good user experience.
“As an end user in an enterprise that’s deployed our isolation platform, you will not know that there’s something sitting between you and the Web,” Guruswamy said.
“Everything will look the same to the user, but none of the active code from the Web reaches the endpoint,” he added.
Appliance Approach
While Menlo emphasizes a cloud approach to isolation, Spikes Security is emphasizing the network appliance tack.
Spikes’ appliance, called “Isla,” runs all Web content in virtual machines on the hardware, where it’s transformed into a benign threat-free format and delivered to users via a patent-pending technology.
“Cybersecurity is impossible without solving the browser problem,” observed Branden Spikes, CEO and CTO of Spikes Security. “We have solutions for everything else, but the browser continues to get hacked.”
Trying to weed out the bad from the good on the Internet is a losing cause, he told TechNewsWorld. “Security products for years have had this common approach that depends on the capability to detect bad stuff, then strip it out or clean it. Our approach is to assume everything is bad.”
Isolating malicious activity in cloud containers or network appliances can raise the bar for attackers of corporate systems, but it won’t eliminate one popular form of attack.
“If a user is tricked into doing something, that’s a social engineering problem,” Spikes said. “I don’t think there’s any technology in the world that can solve that.”
Better Hybrid Cloud Security
Security is sometimes given as a reason some organizations choose to deploy a hybrid cloud. They want the benefits of cloud computing, but they’re just not ready to trust a cloud services provider with mission-critical data. The problem, though, is that hybrid clouds create their own security problems.
Mixing physical and virtual networks reduces the visibility administrators have into their nets.
“That loss of visibility creates security gaps,” said Deepesh Arora, vice president of product management for Ixia, which shipped an addition to its Net Tool Optimizer last week for enabling seamless, single-pane-of-glass visibility into hybrid cloud deployments.
Because of those gaps, Arora told TechNewsWorld, “you’re losing track of what’s really going on [in] your network. In the event of an attack, you won’t have clear insight into how it’s developing.”
With Ixia’s new tool, “you can get insight into what’s going on in the physical network and the virtual network, and correlate it so you can get a fuller view of where things are,” he said. “As a result, you can better tune the performance of your network and also improve your security posture. By knowing what’s out there, you’re elevating your security awareness.”
Breach Diary
- June 29. American Federation of Government Employees files class action lawsuit against the U.S. Office of Personnel Management over massive data breach. It alleges OPM was negligent because it failed to heed warnings about its cybersecurity defenses.
- June 29. The U.S. Justice Department is investigating Scott Sweetow, ATF deputy assistant director for strategic intelligence and information, for sending employees’ personal information to his personal account from his work email, CNN reports.
- June 30. Greg Rattray has been moved from his post as CISO of JPMorgan Chase to head of global cyber partnerships and government strategy, BloombergBusiness reports. During Rattray’s tenure as CISO, Morgan suffered a massive data breach and lost several top security team members.
- June 30. Hershey reveals it’s investigating a possible data breach of its computer systems following reports of payment card abuse after usage at Hershey Park.
- July 1. Multiple banks are reporting fraud on payment cards used at Trump hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York, Krebs on Security reports.
- July 1. Harvard University reports the discovery of an intrusion into its computer systems on June 19. Although uncertain about which data may have been compromised, it recommends that login credentials be changed at eight colleges and administrations affected by the attack.
- July 1. Home Depot files court papers in class action lawsuit resulting from massive 2014 data breach, denying responsibility for any losses suffered by financial institutions because of the attack.
- July 1. California law takes effect requiring all smartphones sold in the state to have a “kill switch” to enable their owners to disable the devices remotely.
- July 1. MasterCard will launch a pilot program in the fall that allows consumers to authorize online purchases using a selfie or fingerprint scan, CNN reports.
- July 1. China enacts law that includes provisions that multinationals and industry groups say could be used to force companies to build backdoors into products that could be used for cyberespionage.
- July 1. National Association of Professional Agents announces data breach compliance and certification program that aims to help clients proactively prevent data breaches while offering certification of compliance with state and federal data security regulations.
- July 2. Orlando Health in Florida starts notifying some 3,200 patients that their personal information was accessed without authorization by an employee who was fired after an investigation into the incident.
Upcoming Security Events
- July 8. Determine if the incident is a breach and ensure compliance with [patient privacy] breach laws. 2 p.m. ET. Webinar sponsored by Iatric Systems and ID Experts. Free with registration.
- July 16. Security Revenue is Shifting from Core to Advancing Vendors. 1 p.m. ET. Webinar sponsored by TBR. Free with registration.
- July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
- July 21. “As A Service” Offerings and Clients’ Cybersecurity Concerns Drive Changes in IT Services Portfolios. 1 p.m. ET. Webinar by BTR. Free with registration.
- July 22-24. RSA Asia Pacific & Japan. Marina Bay Sands, Singapore. Registration: before June 21, SG$700; after June 20, SG$850.
- July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio. Free.
- August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
- August 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
- August 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
- August 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
- Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
- Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
- Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.