The browser is an indispensable application in the enterprise, yet it sits in the blind spot of most conventional security controls. As the most widely used business application, the browser has become a primary target for threat actors. Browser security lets enterprises protect their most critical corporate assets.
Browsing Forensics provides visibility into browsing sessions, where many attacks and breaches begin. Browsing Forensics provides the missing link in most security solutions.
The browser has become the most widely used application in the enterprise, with the majority of enterprise users' time spent working in it. This shift is the direct result of several factors, including:
Applications are increasingly moving to the cloud — the average enterprise Software as a Service (SaaS) portfolio now comprises 342 apps. The vast majority of SaaS apps are accessed through a web browser, which removes the need for dedicated clients and keeps the apps platform-agnostic.
Digital transformation has made browser security a critical aspect of any enterprise security posture.
The pervasive use of the browser in the enterprise has introduced a gap in the security team’s visibility. Menlo Security Browsing Forensics delivers the capabilities that these security professionals need.
Between cloud apps, collaboration tools, email, and more, it is safe to say that the average enterprise user spends most of the working day in the browser. Despite this, traditional security tools such as firewalls, secure web gateways (SWGs), and intrusion detection and prevention systems (IDPS) provide only an incomplete, piecemeal view of what a user actually does during a browsing session. This visibility gap has contributed to the rise in attacks that target the browser, including phishing and social engineering as well as exploits of browser vulnerabilities. Because of the gap, many phishing attacks, which can be used to gain an initial foothold in the enterprise, may go unnoticed until the threat actor has accumulated enough access to stage a major attack, such as ransomware, and by then it is too late.
Browsing Forensics provides visibility into user browsing behavior and actions, including screenshots, user inputs, and page resources. This information gives security teams the data they need to decide on the appropriate course of action without ambiguity or inference, reducing exposure time and improving operational efficiency. Browsing Forensics enables important use cases both in the SOC and in securing application access.
The ability to perform an investigation that includes the details of user actions in select browsing sessions provides a myriad of benefits, from initial triage to incident response, threat hunting, compliance/audit, and more.
The precise number of alerts that a SOC analyst will see every day depends on many factors, including the size of the organization, the complexity of the environment, and the specific security tools that are in place.
Studies have shown, however, that an analyst could see thousands of alerts each day, many of which are false positives or do not require immediate attention. Deciding which alerts to follow up on can be a judgment call, based on analyst experience, the security tool stack, and the sheer effort involved in tracking down something that might turn out to be nothing.
Tools that automatically correlate alerts can help, as can reviewing indicators of compromise (IOCs) and other information from threat feeds. The limitation of these tools is that they depend on previously observed data, which makes them of little use against zero-hour attacks for which no indicators yet exist. The most common method for investigating suspicious traffic is to perform a packet capture and painstakingly reconstruct the event. This method is time-consuming and often requires extensive work across different tools and the teams that operate them.
Alerts that are known to generate many false positives and that require excessive time to triage may simply not get investigated at all.
With Browsing Forensics, teams can quickly connect the dots between a triggering security event and the details of the incident. With the user’s browser session details, screenshots, user inputs, and network resources, the analyst can confidently determine the appropriate next step based on viewing the user session.
A proactive approach to threats, rather than reliance on data that someone else compiled and published at some point in the past, is widely considered the best way to develop protections specific to the enterprise. Once again, however, the obstacle is not the willingness to investigate a threat but the fact that the malicious page is often gone by the time the investigation begins.
Phishing is a good example. While some phishing pages remain active for a while, many are taken down within hours. The reason is simple — the longer a page remains live, the more time security teams have to study it and learn about the attackers. A further complication is that phishing pages, like many other web pages, are highly dynamic, so a later visit may not reproduce what the user actually saw.
Browsing Forensics helps threat hunters in two ways. First, if users within the organization inadvertently visited a malicious domain that was not blocked, such as a zero-hour phishing site, Browsing Forensics captures the screenshots, domain, category, user inputs, and network resources. This information can be safely captured and analyzed by the threat hunting team using the Forensics Viewer. Second, the threat hunting team can visit known malicious sites, with appropriate caution, and capture site details using Browsing Forensics.
The problems faced by incident response teams combine all of the issues faced by other security teams, with the added pressure of an attack already in progress. These teams are tasked not only with containing the threat but with establishing the root cause of the incident. Because devastating attacks such as ransomware may have begun with a successful phishing attack that went undetected, getting to the bottom of an incident can be difficult, if not impossible.
Browsing Forensics captures the details of user interactions and can highlight exactly what was compromised and when. This provides the context to the IR team so they know what they are dealing with and when it originated, saving valuable time.
The enterprise browser has evolved to provide the functionality users need to access the applications and data required for their jobs. But basic access capabilities alone are sometimes not enough to persuade enterprises to abandon legacy access methods such as VDI or VPN, even though those methods are expensive and often insecure. By enabling browser-based access to applications, together with visibility inside the sessions, threats in the following use cases can be addressed:
In many cases, data leakage and even breaches can be traced to the inattention or negligence of authorized internal users. These issues are particularly difficult to trace because the users in question hold legitimate permissions to access the resources. If access is provided through the browser with Menlo Secure Application Access, and visibility into these sessions is provided by Browsing Forensics, the appropriate controls can be enforced, such as read-only access, copy/paste restrictions, or upload/download controls.
Enabling access for third-party users, including contractors, partners, and even parties involved in M&A activity, has long been a challenge. If access is provided through the browser with Menlo Secure Application Access, and visibility is provided by Browsing Forensics, it is possible to ensure that browser policies are consistently enforced. This traceability is also vital for producing compliance records.
Providing application access through a browser allows users to work appropriately under a Bring Your Own Device (BYOD) model. With Menlo Secure Application Access (SAA), applications are shielded from issues or compromises on the unmanaged user device. Browsing Forensics, in addition to the policy controls available with SAA, can track and capture all BYOD user sessions, ensuring that access controls are properly enforced and that BYOD users conform to required corporate standards, such as not saving documents to their local machines.
Browser Security White Paper