- Featured speaker Frank Dickson, IDC Research Director for Security Products, presented his new research: “Validating the Known: A Different Approach to Cybersecurity”
- He discussed why detection of malicious code can no longer protect your IT systems against cyberattacks
- Frank showed how new tactics based on “validating the known” can help boost IT security, and focused on application isolation as an example of a fundamentally different, innovative approach to preventing attacks and protecting enterprise assets
Thank you to everyone who joined yesterday’s webinar. We had a fantastic audience who submitted many thought-provoking questions. If you missed the webinar, catch the on-demand version at your convenience.
Webinar Questions and Answers
I know that we need to improve our security stack. But where do we start?
Security at enterprise scale – with hundreds, sometimes thousands of users – can be overwhelming. There are two popular ways to go about it. The first approach is to select the users that you know are going to carry the highest level of security risk. One such group is the people in the SOC – security professionals who intentionally visit potentially malicious websites to decide whether they pose any risk.
Alternatively, your help desk can tell you which users need their machines reimaged most often. For example, human resources professionals receive a lot of unsolicited attachments. They open them to look at resumes, and frequently fall victim to the malware embedded in those attachments. The same is true for accounts receivable and accounts payable teams.
This approach allows you to design your security strategy based on real data. If it’s $500 to reimage a machine, reducing the number of machines that need remediation will demonstrate tangible ROI, which you can then take to the C-level executives in your organization.
Many Bromium customers have several full-time IT employees whose main job is to reimage compromised PCs. After implementing Bromium, they can secure their machines against malware ingress points such as email attachments and malicious documents. Many customers dramatically reduce the need for daily or weekly reimaging, saving time and resources.
Application isolation involves a radical paradigm shift for an organization. How do you overcome objections from the IT security management?
Organizations are used to thinking about security in terms of anti-virus software and firewalls. That’s what they know. Application isolation is new, and selling it to executives as “another new security technology” could initially be met with resistance.
For decades, executives have spent money on security software, but for all that spending, they don’t feel any more secure. One issue is that security professionals tend to talk to the C-Suite in tech terms, such as: “I blocked 5,000 attacks and hundreds of malware samples on the endpoint.” An executive doesn’t understand if the news is good or bad. All they need to know is whether their organization is safe.
Change the conversation from technology to the ROI, business benefits, and effectiveness. You don’t want to talk to the C-Suite about whether we are defending above the kernel or below the kernel. You want to show them that if they spend X amount of money, they are going to get Y return. When you do that, the resistance is easier to overcome, and it’s easier to get executive buy-in on your solution.
For ROI, also look at how long it takes your teams to wade through false positives, investigate alerts, and so on. Organizations spend a lot of time, resources, and energy scrutinizing what often turns out to be false positives, while still missing the false negatives.
With application isolation, you don’t have to worry about missing an attack, because even if an endpoint gets owned, it is completely isolated inside the micro-VM, and the malware has nowhere to go. Bromium allows threats to play out in an isolated environment, so we provide high-fidelity security alerts.
Is anyone else doing application isolation?
Yes. For example, Microsoft has Windows Defender Application Guard (WDAG), which focuses on security for its Edge browser. We have lots of information in our blog on what WDAG does, what it is and what it isn’t, and how it works with Bromium. Microsoft focuses on browser security, whereas Bromium protects organizations from all primary attack vectors, such as documents, malicious downloads, email attachments, etc.
Does Bromium replace anything in my security stack?
Bromium has many customers who drastically reduced the number of security agents on their endpoints. An average endpoint has 15-20 security agents, while many Bromium customers have just two – an EDR vendor solution and a virtualization-based security product. If compliance regulations require you to have anti-virus software, application isolation would not replace that.
Can Bromium record a “false positive”?
Bromium employs behavioral analysis to detect malicious activity by chaining together potentially malicious actions. Some individual actions, such as launching PowerShell, may look malicious on their own and produce a false positive.
The great advantage of Bromium is that it protects before detection: attacks play out to completion in a micro-VM that is hardware-isolated from the operating system, so there is no chance of infecting the endpoint. This gives Bromium a chance to analyze the full attack and generate high-fidelity alerts with very few false positives.
Can Bromium accurately describe all malware, or is it beneficial to use other security programs with Bromium that might use NGAV approaches?
Yes, Bromium can describe all malware for supported applications within the most common attack vectors. Bromium provides the full kill chain for known and unknown threats using behavioral analysis.
Do you have return-on-investment calculations for Bromium?
Yes, you can use our online ROI calculator. It provides details on the cost savings resulting from reduced time spent triaging threats and reimaging compromised machines.
Want to see Bromium in action? Request a demo.
To learn more about Frank’s research, download the report Validating the Known: A Different Approach to Cybersecurity