Intelligent CISO Issue 11 | Page 68

DECRYPTING MYTHS

Adenike Cosgrove, Cybersecurity Strategist at Proofpoint

can identify single-stage malicious payloads. However, the modern attacks we continue to see are more sophisticated: they are multi-staged and specifically designed to bypass this type of static defence. The first attack stage may contain no malware whatsoever. Its purpose? To penetrate a weak static system. Once inside, it identifies the operating system (OS), geolocation and other parameters that confirm the profile of the target. It can simultaneously engage in VM evasion, logging and fingerprinting techniques before deciding whether it is appropriate to deliver its payload. If the target is in the wrong country, if the message was delivered to the wrong type of client, or if the first stage suspects it is running on a VM, the attachments may never weaponise and simply remain harmless. When the right conditions are met, however, the malicious second stage is triggered, eluding the organisation’s static defence.

It is critical that organisations implement a dynamic defence that detonates these threats safely by introducing sandbox capabilities. Where the sandbox is positioned is up for debate, but since these are overwhelmingly email-based attacks, a solution that automates sandboxing at the mail gateway, before threats can enter the corporate network or reach user mailboxes, is far more effective.

Another reason dynamic defences like sandboxing might be dismissed is the higher volume of broad, commoditised attacks. These generic attacks are more easily picked up by reputation controls and are, by definition, not targeted. If the security vendor is simply attempting to ‘catch a lot of attacks’, then sandboxing is a difficult luxury to justify. However, when working with high-risk, high-value customers, new or unseen targeted attacks do occur, and these are generally of the multi-phase variety. Despite being less common, these targeted attacks do far greater damage and are much harder to detect. They are typically customised for specific organisations and unlikely to show up in a generic signature database. Sandboxing is often the only way to be shielded from these more sophisticated attacks.

MISCONCEPTION #3. “A vendor that claims to spend the most revenue on R&D may not.”

R&D spending is important. It shows investors and the broader community the extent to which an organisation values, and is committed to, innovation and technology over other business expenses. While the largest security vendors can easily outspend mid-sized or smaller vendors in every category in absolute dollars, it is more meaningful to compare R&D spending as a percentage of revenue when looking at vendors of different sizes, because that shows their degree of focus on product enhancement and their rate of innovation.

MISCONCEPTION #4. “Securing the enterprise means securing the network.”

Protecting the network is still important, but as businesses move resources, communications and services to the cloud, and fewer assets and workloads are managed by corporate IT, they need to keep an eye on the most attractive target for criminals: their employees. IT security spending today continues to reflect outdated priorities. According to Gartner, spending on network security solutions is predicted to surge to US$13.3 billion by the end of 2019. The amount organisations spend on email security pales in comparison, despite the fact that, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful phishing attacks. The goal of those email attacks is often to gain

Issue 11 | www.intelligentciso.com
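The multi-stage behaviour described under the sandboxing discussion above (a first stage that fingerprints the OS, geolocation and VM status and only fetches its payload when the victim looks right) is exactly what a mail-gateway sandbox has to reason about when deciding whether to deliver an attachment. The following Python is an added illustration, not code from the article or from Proofpoint: it triages the results of detonating one attachment in several sandbox environment profiles and turns them into a gateway verdict. The report structure, event names and profile names are constructed for this example and do not correspond to any vendor's real sandbox schema.

```python
"""Added example: triaging multi-environment sandbox detonations of an email attachment.

The report format, event names and profile names below are constructed for this
illustration and do not correspond to any vendor's sandbox schema.
"""
from __future__ import annotations
from dataclasses import dataclass

# Behaviours typical of a first stage that profiles its environment before deciding
# whether to fetch the real payload (OS version, locale/geolocation, VM checks).
FINGERPRINT_EVENTS = {"query_os_version", "query_locale", "geoip_lookup", "check_vm_artifacts"}

# Behaviours that show the second stage actually ran.
PAYLOAD_EVENTS = {"download_executable", "spawn_process", "write_startup_entry"}


@dataclass
class Detonation:
    """One run of the attachment in one sandbox environment profile (constructed format)."""
    profile: str        # e.g. "win10-vm-us"; constructed profile names
    events: list[str]   # ordered behavioural events recorded by the sandbox
    exited_early: bool  # the process terminated without doing anything further


def triage(detonations: list[Detonation]) -> dict:
    """Return a gateway verdict plus the evidence behind it.

    malicious  - a second-stage payload was observed in at least one profile
    suspicious - the sample profiled its environment and then went quiet in a
                 profile, the signature of an attachment waiting for the 'right' victim
    clean      - no fingerprinting and no payload behaviour in any profile
    """
    payload_hits: dict[str, list[str]] = {}
    quiet_after_probe: dict[str, list[str]] = {}
    for d in detonations:
        seen = set(d.events)
        if seen & PAYLOAD_EVENTS:
            payload_hits[d.profile] = sorted(seen & PAYLOAD_EVENTS)
        elif (seen & FINGERPRINT_EVENTS) and d.exited_early:
            quiet_after_probe[d.profile] = sorted(seen & FINGERPRINT_EVENTS)

    if payload_hits:
        # Static scanning never saw this stage; dynamic detonation did.
        return {"verdict": "malicious", "action": "block", "evidence": payload_hits}
    if quiet_after_probe:
        # Environment checks followed by silence: hold the message for analyst review
        # rather than deliver it just because nothing detonated.
        return {"verdict": "suspicious", "action": "hold_and_escalate",
                "evidence": quiet_after_probe}
    return {"verdict": "clean", "action": "deliver", "evidence": {}}


# Constructed sample: the first stage exits quietly in the VM profiles and only fetches
# its payload when the environment looks like a real workstation in the targeted region.
EVASIVE_SAMPLE = [
    Detonation("win10-vm-us", ["query_os_version", "check_vm_artifacts"], True),
    Detonation("win10-vm-de", ["query_os_version", "geoip_lookup", "check_vm_artifacts"], True),
    Detonation("win10-baremetal-de", ["query_os_version", "geoip_lookup", "check_vm_artifacts",
                                      "download_executable", "spawn_process"], False),
]

# Constructed sample: probes in every profile but never detonates (wrong target, or it
# spotted the sandbox). A static scan sees no malware here at all.
DORMANT_SAMPLE = [
    Detonation("win10-vm-us", ["query_locale", "geoip_lookup"], True),
    Detonation("win10-vm-de", ["query_locale", "geoip_lookup"], True),
]

# Constructed sample: an ordinary document.
BENIGN_SAMPLE = [
    Detonation("win10-vm-us", ["open_document", "render_fonts"], False),
]

if __name__ == "__main__":
    for name, sample in (("evasive", EVASIVE_SAMPLE), ("dormant", DORMANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

The point the example makes is the one the article makes in prose: a sample that stays dormant in one environment is not evidence that it is harmless, so the gateway detonates across several profiles and treats "fingerprint, then exit" as a reason to hold the message, not to deliver it.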