It is tempting as a security practitioner to think you can prevent every attack. Especially in a people-strapped industry, why wouldn’t you want to? If we could just use technology and prevent attacks, we wouldn’t need that many new security practitioners after all.
Prevention is definitely a good strategy, and it has prompted much investment from both VCs and security teams. For instance, we have recently seen remote browser isolation (RBI) – essentially using disposable containers for internet browsing – grow in popularity. RBI was even named one of the top security technologies of 2017 by Gartner.
In a connected world of botnets, malware and DNS spoofing, it’s easy to see why this gated approach to web browsing is appealing. It’s a buffer that can help protect your business from unwanted intrusions. But in order to be successful with RBI and really any preventative strategy, organizations must “always be threat modeling”.
The prevention fallacy
There is more than one way to hack a network, and both attackers and defenders are aware of this. Defense-in-depth is necessary, and it includes technologies that range from preventing basic attacks through to stopping the most sophisticated threats. However, approaches that focus exclusively on prevention can miss just how permeable the organization’s border really is.
Take firewalls, for instance. They may keep out a great deal of blatantly hostile traffic, but most people now know that firewalls have holes of their own. Email phishing techniques often bypass that security measure completely. We also need to think about new and emerging platforms like Slack: how will your email phishing detection capabilities adapt to this new medium for attacks? Continuing down that slippery slope, what if someone’s home computer is compromised in a way that gives the attacker remote access to your network? What if someone finds a USB drive in the parking lot and plugs it into their computer to try to find the owner?
Long story short, preventative measures like firewalls play an important role in heading off attacks from the outset. Prevention, however, is only a good strategy as long as it’s not the only strategy. Protecting against the various vectors, levels of sophistication and attack goals requires coordinated, complete and constantly evolving detection and response as well.
To many, RBI might sound like one of the newer impenetrable lines of defense. In a rush to deploy it, organizations can fall victim to this prevention fallacy. Instead, security teams would do well to maintain an organizational threat model and evolve it not only as the types of threats change, but also as they consider new technologies. Let’s briefly work through an example.
Building a threat model that includes RBI
The idea behind RBI, and containerization more generally, is that you can isolate web browsing hosts or other high-risk behaviors and ensure the company’s “crown jewels” – your mission-critical data and infrastructure – are protected by simply being inaccessible from those hosts. This is clearly something that can play into the defense-in-depth strategy.
How might something like this impact your threat model?
If my organization were looking at a solution like this, I would think about how an attacker would try and evade the solution. How might employees intentionally or unintentionally bypass the solution?
For instance, most users will need to interact with web content and download files to their system. Does that provide an attacker with a path into the environment? If so, what is actually stopping an attacker from compromising the device? Can that compromise be avoided? What are the risks associated with the third party that will now be managing my virtual browser? What is that provider’s patch policy, and how does it compare to my own? How do they protect data at rest? Who has access to the environments they provide and maintain? Is there multi-tenancy on the server where the containers are hosted? What is the impact of an attacker breaking out of a container? Does that affect other companies’ data?
As with any preventative technology, RBI impacts the threat model in ways that can be uncovered by asking these and other questions. Identifying those impacts will help you mitigate threats and insert measures for detection and response that will improve your overall security posture.
Setting the stage for RBI success
In many ways, RBI can be thought of as akin to the moat around a castle. On one hand, there are plenty of attackers who won’t be able to get across it, but more sophisticated threats will still find ways into the kingdom. Your knights – your human assets – are still vital for ensuring safety. Without the moat, your knights may be overwhelmed by the volume of attackers, but without your knights, the moat alone wouldn’t keep you secure.
In cybersecurity, RBI isn’t a standalone defense. You need security analysts to detect and respond to the advanced attacks that inevitably find their way past the container. However, analysts are not effective against the more sophisticated threats if they are bombarded with an insurmountable volume of alerts.
In the end, it’s clear to me that while defense in depth (from a prevention standpoint) should be ever evolving and incorporating technologies like RBI to more effectively handle new threats, so too should the investigation side of the cycle. If and when an attacker gets past the RBI moat, we need our analysts to find and stop them quickly.
Today, real incidents are missed – sometimes for months or years – which can severely impact the organization as a whole. This in turn means the impact of the incident has the chance to keep growing, sometimes exponentially. To succeed with RBI and other prevention tools, we need to focus on making the investigative process much more intuitive, providing the appropriate context at each step and allowing analysts to complete investigations in seconds or minutes instead of hours or days. By doing so, we can actually empower analysts (yes, our knights) to proactively hunt threats and do what they do best – keep our organizations safe.