On the Serengeti, wildebeest have survived for millennia by using a simple strategy: safety in numbers. It’s great for the species, but each animal can only hope that another one will take one for the team.
That may be an acceptable risk for wildebeest, but it’s not acceptable for companies. As we discuss in our third annual State of the Web report, the Internet remains a dangerous place to do business. We rate 42 percent of the top 100,000 sites on the web, as ranked by Alexa, as risky, either because they use or connect to software that is vulnerable to attack, are known to have been used to launch an attack or distribute malware in the past, or have suffered a security breach within the past year. That doesn’t mean all of those 42,000 sites will deliver an attack or fall victim to one—but it does suggest that they very well could.
Our researchers’ findings are important not because they reveal massive, headline-grabbing security holes. On the contrary, the report shows some of the nuanced, subtle ways that cybercriminals can exploit traditional measures of trust on the web. We all have go-to websites we’ve used for years without considering the risk. Many of these sites carefully watch for malicious activity by criminals—say, efforts to embed malware that will display bogus pop-ups to tempt visitors. But did you know that every website you visit results in an average of 25 calls by that site to “background” sites that provide content such as video clips and online ads? While plenty of security vendors offer tools to stop attacks, there are few, if any, tools to monitor these background connections.
Our report also debunks the myth that has been perpetuated by legacy web security vendors for years: that there is such a thing as the “Risky Web,” and that it is clearly demarcated from something called the “Safe Web.” For example, if there are still CISOs who put any faith in a site’s category, it’s time to stop. It turns out the safe-sounding Business and Economy category contained more “known bad” sites than the smaller Gambling category (though a much higher percentage of gambling sites are “known bad”). Or how about trusting a site’s URL? To raise the odds that they can get a user to click, many phishing sites are now created on legitimate, well-known hosting sites. Just because you see a popular domain in the URL doesn’t mean it’s safe to click.
The results underscore Menlo’s belief that in a world where no security technology is foolproof, it’s time for a new approach. CISOs have invested millions of dollars in a variety of often-incompatible tools, not to mention training programs and posters urging employees to be careful about where they click. Sticking with this status quo is likely to become even more expensive. According to Gartner, global spending on security will rise from $90 billion in 2017 to $113 billion in 2020. And yet no credible source—or non-credible source, for that matter—is predicting any slowdown in the number or scale of cyberattacks in that timeframe.
We believe that browser isolation platforms such as ours are the only new approach that can end this expensive cat-and-mouse game. Simply put, this solution executes all web activity (including links to background sites) on servers in our cloud platform—making it impossible for malicious code to make it onto your employees’ PCs and other devices. Our customers’ end users may never know it, but what they’re interacting with on their screens are not actual websites, documents, and emails, but non-executable, malware-free renderings.
We hope you find our State of the Web report helpful, and that it is a catalyst for you to give us a call. While there are plenty of fine legacy products on the market sold by hard-working, credible vendors, the sad truth is this: Given the inherent riskiness of the Internet—if you haven’t started isolating web content in the cloud—you still face a significant chance that you could fall victim to an attack.
You'll still be a wildebeest.
To download Menlo Security's "State of the Web 2017" report, please click here.