Menlo Security Cloud Security Platform is FedRAMP® Authorized
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Mark Guntrip | Feb 07, 2023
Share this article
In a word, today’s threat landscape is relentless. According to Check Point Research, cyberattacks reported globally in 2022 increased by 38% compared to 2021—reaching an all-time high in Q4 of 1168 weekly attacks per organization. This includes increasingly sophisticated ransomware, drive-by attacks, phishing and Highly Evasive Adaptive Threats (HEAT) that target web browsers and employ techniques to evade multiple layers of detection in current security stacks. Often delivered through the web, these attacks are designed to give malicious actors initial access to the victim’s network, so they can lay in wait, worm their way through the network in search of high-profile targets and ultimately deliver their malicious payload.
The main reason today’s threat landscape can be described as relentless is the deluge of alerts generated by security monitoring tools—many of which actually come from legitimate business activity. Digital transformation, a hybrid workforce, and an increasingly distributed infrastructure are facilitating new behaviors across the network, leading to an avalanche of alerts. For example, an employee logging on from a new location or downloading a set of data they’ve never accessed before is enough to trigger an alert. A user accessing a personal dropbox account from a company managed laptop could trigger an alert. These qualify as abnormal events, but put within the right business context, are actually quite innocent.
Yet, despite this benign intent, each of these events poses a risk to the security posture of the organization and needs to be investigated, prioritized and closed—creating a massive workload for security operations center (SOC) teams. Given the volume, variety and veracity of both legitimate attacks and innocuous events, SOC teams are under immense pressure to identify and respond quickly to keep the organization safe. This is starting to take its toll.
SOC technicians are on the front lines of these attacks, responding to alerts that have flagged abnormal activity in the network or on an endpoint. It takes a lot of time to investigate each event, determine its threat level, flag it for appropriate remediation and close the ticket. At a certain point, threat identification turns into a cyber version of finding a needle in a haystack—causing fatigue, burnout and a distorted distribution of SOC resources.
Understandably, responding to hundreds of alerts every day can leave SOC technicians a bit weary—especially when you consider that at least a fifth of alerts end up being benign, according to recent research. Yet, each event requires a human to investigate, analyze the findings and make a recommendation for remediation. Even an army of SOC technicians working around the clock would not have the time to conduct a proper investigation into the thousands of alerts that are flagged each day. In order to fulfill their mission to protect the network from today’s highly sophisticated threats, SOC teams need to be both efficient and effective.
Spending all your time investigating SOC alerts means that your technicians are not able to spend time on other, more strategic security projects such as advanced threat intelligence. This makes it more likely that a truly harmful event goes undetected, breaches the network and causes disruption—either through data exfiltration, taking remote control of critical business systems, or both.
It’s math. There is only so much time in the day to investigate SOC alerts, and there are simply too many for a reasonable number of technicians to deal with them all. Organizations can’t just throw money at the problem (outsourcing SOC operations to a managed service provider, for example) due to budgetary constraints. Churn is also an issue. Burnout creates turnover, and new technicians need time to be on board and get up to speed. Most critically, however, is the fact that most organizations continue to rely on a detect-and-respond approach to cybersecurity.
Organizations need to layer in a proactive, preventative approach in front of their existing security stack while automating event monitoring and response. This two-tiered approach stops malicious events from happening in the first place and takes detection and remediation of the large number of alerts that aren’t an issue out of the hands of humans. This allows SOC technicians to focus on the truly malicious threats targeting the organization.
Prevention technologies such as isolation technology are the only way to stop malware and other threats before they gain initial access to an end device. Isolation works by creating a virtual air gap between users’ browsers and the Internet, preventing any content—whether it’s good or bad, known or unknown—from accessing the endpoint. Instead, fetching and executing content happens in a remote browser in the cloud where HEAT attacks can be identified, quarantined and eradicated without getting close to their intended target. This preventative approach through isolation eliminates the event from happening in the first place—dramatically reducing the amount of alerts generated in the SOC.
The remainder of the alerts can then be investigated and resolved through automation. Consolidating these alerts on a single pane of glass with the proper business context allows for easy, seamless remediation through a rules-based engine without any human interaction required. Alerts that need to be escalated can then be sent to a technician who now has the time, context and motivation to conduct a proper investigation.
Working together, prevention and automation reduce alerts, prioritize events that need further investigation and keep the organization safe from today’s highly sophisticated HEAT attacks.
Posted by Mark Guntrip on Feb 07, 2023
Tagged with Awareness, Blog, Global, HEAT, Isolation, Threat Trends
To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.