Dustin Webber is CSO at Conceal, was a founder of GE’s elite DFIR team, and CTO and co-founder of Critical Stack.
A new concept has emerged in cybersecurity that promises to take cybercrime prevention to a new level of efficacy: isolation. The process is analogous to taking a package (the payload) that may contain a bomb (malware, ransomware, spyware, etc.) to a safely isolated area where, no matter how powerful it may be, it can be detonated without causing harm.
The trick is to study the explosion and put the pieces back together to build better intelligence. The concept is similar to the technology behind the Large Hadron Collider (LHC), which smashes particles together and records the collision to see what is inside. Isolation does the same with software: isolated computers running each operating system force the payload to execute, record what it does, and study the result the same way.
There is certainly a need for a better prevention method against the plethora of ransomware and malware exploits currently taking place. A recent survey of 1,200 security decision-makers revealed that organizations have deployed, on average, 76 different cybercrime solutions. But in spite of this effort, 82% stated they had been surprised by a security event that slipped by the controls they had in place.
The primary problem is that malware authors are getting braver and very technical. They are continually coming up with new ways to evade detect-and-contain systems. In the first five months of this year, 44.43 million new species of malware were detected by the independent IT security institute AV-TEST, bringing the total number of malware to over 1.3 billion.
Granted, the vendors of cybersecurity systems are busy designing countermeasures, and many of them are effective for detection and response, at least for a while. But in this ongoing battle between offense and defense, the malware authors are bound to win some of the battles—and that can mean disaster. According to one report, in 2021, the average payout for a ransomware attack was $541,010—and many companies have no viable choice except to pay.
Isolation Begins At The Browser
The point is, if malware gets into a computer, it’s too late. And since the vast majority of malware uses the browser as a way to deploy its malicious payload, this is the logical place to set up roadblocks and determine when isolation is required.
To be successful, a security application capable of executing preliminary screening must reside on every computer system. Achieving a secure computer environment without being on the system is impossible. The term “agent” or “sensor” is often used for this type of application.
These have acquired a negative reputation because older generations of agents and sensors created network overhead, complicated deployment and were difficult to manage. Today, these issues have been minimized, if not eliminated.
In an isolation system, the application on the computer intercepts every browser-bound request and click event and either lets the payload through or sends it to an isolated virtual machine in the cloud that is fully separate from the corporate network. If a URL resolves to a downloadable file, the file is tested further and either allowed to be delivered to the browser or kept in isolation. Although this process sounds complex, the pre- and post-processing involved are fast enough that users don’t notice it.
Always Deny By Default
The isolation approach is designed to err on the side of caution. Only activity that is safe beyond doubt is allowed to continue. The sessions that go into isolation stay there unless the test results are conclusive. It’s the deny-by-default policy that should be universal for most things.
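The dispatch logic the two sections above describe (intercept the click, allow only what is safe beyond doubt, isolate everything else, and release an isolated session only on a conclusive clean verdict) can be written down as a small policy engine. The code below is an added illustration, not code from the article or from any vendor's product; the allow list of origins, the extension list, the detonation callback and the sample verdict table are all constructed for the example.

```python
"""Deny-by-default dispatcher for a browser isolation agent (illustrative)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit


class Disposition(Enum):
    ALLOW = "allow"      # deliver the content straight to the user's browser
    ISOLATE = "isolate"  # render or execute it in the remote, network-separated VM


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    INCONCLUSIVE = "inconclusive"  # tests did not finish or disagreed


# Hypothetical allow list: origins the organisation has verified as safe beyond doubt.
SAFE_ORIGINS = frozenset({"intranet.example.internal", "docs.example.internal"})

# File extensions the agent always treats as downloadable payloads (constructed list).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".iso", ".js", ".docm", ".xlsm", ".pdf")

# Content types the browser may render directly; anything else is treated as a download.
RENDERABLE_TYPES = ("text/html", "text/plain", "image/")


@dataclass(frozen=True)
class ClickEvent:
    url: str
    content_type: Optional[str] = None  # from a HEAD response, when the agent has one


def is_download(event: ClickEvent) -> bool:
    """True when the URL resolves to a file rather than a page to render."""
    path = urlsplit(event.url).path.lower()
    if path.endswith(DOWNLOAD_EXTENSIONS):
        return True
    if event.content_type is None:
        return False  # nothing observed yet; the origin and scheme checks still apply
    return not event.content_type.lower().startswith(RENDERABLE_TYPES)


def initial_disposition(event: ClickEvent) -> Disposition:
    """Pre-processing: only an HTTPS page from an allow-listed origin is let through."""
    parts = urlsplit(event.url)
    if parts.scheme != "https":
        return Disposition.ISOLATE
    if parts.hostname not in SAFE_ORIGINS:
        return Disposition.ISOLATE
    if is_download(event):
        return Disposition.ISOLATE  # downloads are tested even from trusted origins
    return Disposition.ALLOW


def dispatch(event: ClickEvent, detonate: Callable[[ClickEvent], Verdict]) -> Disposition:
    """Full decision: isolate by default, release only on a conclusive CLEAN verdict.

    `detonate` stands in for the remote VM that executes the payload and reports back.
    """
    if initial_disposition(event) is Disposition.ALLOW:
        return Disposition.ALLOW
    verdict = detonate(event)
    if verdict is Verdict.CLEAN:
        return Disposition.ALLOW
    return Disposition.ISOLATE  # MALICIOUS and INCONCLUSIVE both keep the session isolated


# Constructed verdict table standing in for real detonation results.
CONSTRUCTED_VERDICTS: Dict[str, Verdict] = {
    "https://docs.example.internal/report.pdf": Verdict.CLEAN,
    "https://unknown.example.com/invoice.docm": Verdict.MALICIOUS,
    "https://unknown.example.com/login": Verdict.INCONCLUSIVE,
}


def fake_detonate(event: ClickEvent) -> Verdict:
    # An unknown URL yields INCONCLUSIVE, so the deny-by-default rule keeps it isolated.
    return CONSTRUCTED_VERDICTS.get(event.url, Verdict.INCONCLUSIVE)


def demo() -> Dict[str, str]:
    """Run a few constructed click events through the dispatcher."""
    events = [
        ClickEvent("https://docs.example.internal/handbook.html", "text/html"),
        ClickEvent("https://docs.example.internal/report.pdf", "application/pdf"),
        ClickEvent("http://intranet.example.internal/old-page.html", "text/html"),
        ClickEvent("https://unknown.example.com/invoice.docm"),
        ClickEvent("https://unknown.example.com/login", "text/html"),
    ]
    return {e.url: dispatch(e, fake_detonate).value for e in events}


if __name__ == "__main__":
    for url, decision in demo().items():
        print(f"{decision:8s} {url}")
```

The only path to ALLOW without a detonation is an HTTPS page from an allow-listed origin; a download from the same origin, a plain-HTTP page, and any unknown origin all go to isolation first, and an inconclusive result leaves them there. That is the deny-by-default property the article asks for, and it is the property to verify when evaluating a product: every branch that is not explicitly proven safe must fall through to isolation.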
Isolation is an appropriate technology for any company concerned about ransomware and other forms of malware. Some tips for success:
• Make sure you account for all computer devices. Lack of coverage is a common problem with security software in general, and isolation is no exception.
• Make sure your users understand how the system works. This is not difficult, as there is practically no learning curve.
• Control what software you allow to be installed on company computer systems. Each new piece of software is a new attack vector.
Given the endless expansion of attack surfaces and the relentless efforts of cybercriminals to penetrate networks, a new approach built on prevention rather than detection is certainly worth exploring. It’s time to start asking why we can detect computers that are compromised but not prevent the compromise from happening.