Mark Guntrip | Aug 13, 2022
Digital transformation, modernization of applications, cloud migration, and the new distributed workforce are pushing the work of state and local agencies to the Internet, where it is more vulnerable to malicious activity. These expanding threat surfaces are increasingly being exploited by threat actors — giving them that initial access to the network from which they can spread to other, more enticing targets.
What’s contributing to this gap in the arms race? Secure Web Gateways (SWGs), an agency’s typical primary tool for combatting web-based threats. They’re not up to the task of countering the increasingly sophisticated tactics of today’s threat actors.
Read on to find out why traditional SWGs are failing and what security teams should do instead to protect their organization from today’s web-based threats.
According to Gartner, Secure Web Gateway (SWG) solutions protect web-surfing PCs from infection and enforce company policies. They work by filtering malware from user-initiated Internet traffic and enforcing corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications.
Given that 90 percent of today’s breaches stem from the web and email, SWGs are an increasingly critical component of an enterprise security strategy. They are the main line of defense against web-based malware, drive-by attacks, credential theft, and the most common and disruptive type of attack, ransomware. More than 70 percent of organizations were hit by ransomware attacks in 2021, according to the 2022 CyberEdge Cyberthreat Defense Report — a staggering increase from 55 percent in 2018. These attacks shut down businesses, disrupt public infrastructure, and cost organizations billions of dollars in ransom payments at a time when the world continues to struggle to recover from the global pandemic, increasingly volatile geopolitical tensions, and other disruptions ranging from supply chain crises to rising inflation.
The fact that SWGs are ill-equipped to stop these attacks is a major drain on enterprise resources. The Cyberthreat Defense Report also found that two-thirds of organizations that pay a ransom end up having their data exposed on the Internet anyway. The only way to reduce this risk is to stop the initial breach from occurring.
Traditional SWGs were designed more than a decade ago for a world that doesn’t exist anymore. Ten years ago — heck, five years ago — most work was conducted in the data center, but as applications and data have been decentralized and moved to the cloud, traditional SWGs have been unable to keep up. As a result, malicious actors have used this decentralization to their advantage and evolved their tactics. They are now extremely successful at evading detection on the edge of the network, which enables them to breach end devices through vulnerabilities in the browser. From there, all they must do is wait patiently and slowly probe the environment until the time is right to deliver their payload.
Called Highly Evasive Adaptive Threats (HEAT), these attacks are used by threat actors who employ highly evasive techniques to bypass traditional web security measures and leverage web browser features so they can deliver malware or compromise credentials. If successful, HEAT attacks render all browser-based security defenses helpless. These include sandboxes, file inspections, network and HTTP-level inspections, malicious link analysis, offline domain analysis, and indicator of compromise (IOC) feeds.
Specific techniques include HTML smuggling, sending malicious links through unprotected channels (such as text messaging, social media, professional web networks, collaboration software, SMS, shared documents, shared folders, and SaaS platforms), hiding malicious content inside web page source code, and using benign websites to deliver sophisticated malware. Essentially hiding in plain sight, these HEAT attacks can trick traditional SWGs into assuming they are legitimate traffic.
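As an added illustration (not from the original post and not Menlo's code), the following Python heuristic shows the kind of source-code inspection a gateway or analyst can apply to the HTML smuggling technique named above: it looks for a page that assembles a file inside the browser (`atob`/`Blob`), wraps it in an object URL and pushes it through the anchor `download` path, and it decodes any long base64 literal to check for a file signature. The indicator names, the 200-character threshold, the scoring and both sample pages are constructed for this example; the "payload" in the second sample is only a zip header followed by zero bytes.

```python
import base64
import re
from dataclasses import dataclass, field

# Heuristic indicators of HTML smuggling: the page assembles a file inside the
# browser (atob / Blob), wraps it in an object URL and triggers a download
# through an anchor's download attribute or msSaveOrOpenBlob, so nothing
# crosses the network as a recognisable file download.
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "anchor_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
}
# A quoted base64 literal of 200+ characters is a candidate embedded payload
# (the threshold is an assumption chosen for this example).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
# File signatures worth flagging when found at the start of a decoded literal.
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive", b"%PDF": "pdf"}


@dataclass
class Verdict:
    hits: list = field(default_factory=list)
    embedded_types: list = field(default_factory=list)
    score: int = 0
    suspicious: bool = False


def scan_html(html: str) -> Verdict:
    """Score a page for the build-a-file-in-the-browser-then-download pattern."""
    v = Verdict()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            v.hits.append(name)
    for match in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, label in MAGIC.items():
            if raw.startswith(magic):
                v.embedded_types.append(label)
    builds_file = bool({"blob_ctor", "atob"} & set(v.hits))
    delivers_file = ("object_url" in v.hits and "anchor_download" in v.hits) \
        or "ms_save_blob" in v.hits
    v.score = len(v.hits) + 2 * len(v.embedded_types)
    # Only the full chain (construct in memory AND hand to the download path) is
    # flagged; a plain download attribute on its own is ordinary web content.
    v.suspicious = builds_file and delivers_file
    return v


# Constructed sample 1: an ordinary page with a normal download link.
BENIGN_PAGE = """<html><body>
<a href="/reports/q3.pdf" download="q3.pdf">Download report</a>
<script>
document.querySelector("a").addEventListener("click", function () { console.log("clicked"); });
</script>
</body></html>"""

# Constructed sample 2: the smuggling pattern carrying a harmless placeholder
# (a zip header followed by zero bytes), not a real payload.
PLACEHOLDER_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
SMUGGLING_PAGE = """<html><body><script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>""".replace("__B64__", PLACEHOLDER_B64)


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("smuggling", SMUGGLING_PAGE)):
        print(label, scan_html(page))
```

The benign page trips only the `download` attribute indicator and is not flagged; the constructed smuggling page trips the whole chain and its decoded literal carries a zip signature. This is exactly the kind of rule a static inspector depends on, and it is also why the post argues for isolation: a page that obfuscates or splits these strings, or fetches the bytes from a benign-looking site, slips past the regexes, whereas a remote browser never hands the assembled file to the endpoint in the first place.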
Not all is lost. While traditional SWGs operate on a block-or-allow decision tree based on known threats, a new breed of cloud-native SWG solutions extends protection to unknown threats. These cloud-native SWG solutions leverage isolation technology — which assumes that all content is malicious — to eliminate the requirement to make an allow-or-block decision. All content, malicious or not, is isolated in a remote browser in the cloud.
With no access to the end device, any malware is effectively neutered, whether it’s been detected or not. It’s simply unable to make that initial breach or deliver its intended payload. And, since most content comes from the Internet or through email, routing traffic through a cloud-native control point allows organizations to apply the appropriate policies to all traffic and all users without impacting performance or the user experience.
So does any SWG that offers isolation solve the problem? Well, no. Not all SWGs are created equal. Many solutions still rely on a detect-and-respond approach and only isolate content by rule — for example, by isolating risky or unknown sites.
They may fail to block malicious content delivered from a website with an established reputation that was recently compromised, or they may fail to find malicious code obfuscated in a web page’s source code. At that point, the threat has likely already delivered its payload to the endpoint and started to move laterally across the organization. These are the exact exceptions and rules that threat actors have become experts at exploiting.
To be truly effective against threat actors’ evasion techniques, anti-phishing and advanced isolation technology needs to be at the center of your SWG — meaning that all content and all websites are treated as malicious and isolated by default. This Zero Trust approach to security stops both known and unknown threats from entering your agency and infecting your endpoints.
Tagged with Awareness, Blog, HEAT, State & Local, SWG