Sophisticated cybersecurity threats like ransomware are growing at a staggering rate, with the FBI reporting a 62% increase in attacks year-over-year. Menlo Security, a leading cloud security provider known for its isolation-powered technologies, classifies these advanced threats as “HEAT” – Highly Evasive Adaptive Threats. Its research indicates HEAT attacks rose by 224% in 2021, an increase it expects to continue this year.
At Infosecurity Europe 2022, Expert Insights sat down with Menlo Security’s Senior Director of Cybersecurity Strategy, Mark Guntrip, who is responsible for articulating the future of threats to security leaders around the world. Prior to joining Menlo Security, Guntrip was a security strategist at Proofpoint, Symantec, Cisco, and several other leading cybersecurity providers.
Our interview covers the Menlo Security platform, the reasons behind the explosion in the number of high-level HEAT attacks, and why organizations need to move away from a focus on detection and response, towards “securing the front door” and bolstering perimeter defense.
Can you give us an overview of the Menlo Security platform and your isolation technologies?
In the past and for many years, Menlo Security focused on isolation. And what we realized was that isolation is great for the web, but today we also have SaaS applications and private applications. And we need to be able to protect these areas, too. Because when you have a person working, they’re not just browsing the web, they’re using these other services as well.
So, we took those isolation capabilities, which we still do offer as a product, and we put them at the core of everything that we do. We use the same core isolation technology, whether it’s web security within the browser, whether it’s SaaS applications like Salesforce, or whether it’s your private applications in the cloud. We create a single point, a single place for visibility, policy enforcement and threat protection, both inbound and outbound.
And this platform is very much about threat protection.
The office-based network is being used a little more now that everyone is back in the office, but organizations have to implement a solution that supports hybrid work – both in-office and remote workers.
Looking at the solution we’ve put together, it’s very much around having a single platform, a single policy, a single point of visibility for all of your users, wherever they happen to work. And then on the threat prevention side, we are focused on HEAT attacks—Highly Evasive, Adaptive Threats—and how we can protect against them. We’re baking that into our value proposition, but also deep into our products, the visibility that we give and how we stop them. And we’re really focusing on that as the unmet pain point for security.
Can you talk us through this concept of HEAT attacks, why they’ve become such a challenge within the cybersecurity industry, and whether organizations can stop them?
Let’s take ransomware as an example here. There are many companies here at Infosecurity Europe that say they can solve ransomware. But you can’t just solve ransomware. There is a whole chain of attacks to stop before you get there. For us, stopping HEAT attacks is very much about that initial access. How do the attackers get that hook into the network, so they can download their tools, steal data, and whatever they need to do to get in and out?
There’s a lot of talk around endpoint detection and response (EDR), and I think that as an industry we’ve over-rotated a little bit. A lot of people are saying detection and response are now the first thing they do to stop threats. That has become the front door; you have to get past the detection and response tools. But if you look at the stats, the rate of malware increasing is always going up and to the right.
I believe that’s a problem of our own making, because we’re now relying on detection as number one. But by definition, if you are detecting something, it has to be on your network already. The threats are already successful, and the hope is that you can identify and remediate them. So, for HEAT attacks we’re taking one step back, and asking how attacks get on your network in the first place. Because we believe we can prevent an attack before it happens. And that brings a whole lot of benefits to an organization. The security alert doesn’t happen. The investigation by the SOC team doesn’t happen. And you don’t have to explain the ransom to your board.
If you look at the security stack that was built for prevention, it hasn’t changed for ten years. It’s built up from IPS (intrusion prevention systems) and firewalls, to URL reputation and sandboxing, and that’s where it stopped. Sandboxing is the last major thing that was adopted en masse. This means threat actors have had a decade to figure out how to get through these defenses. And that’s another genesis of HEAT attacks. What are attackers doing to get past each step along the way?
And that’s where we’re seeing the failing with endpoint detection and response today. So, there’s that entry point that is really unguarded at the moment.
How are Menlo’s technologies strengthening the entry point compared to the other technologies on the market today?
I like to think of it as us replacing the “front door”. Sandboxing, which is the old threat detection, was considered the front door, but the time has come to change that. Our offerings are all powered by our isolation core that we have baked in across web, email, SaaS apps and private applications. This is giving the threat actor something that they haven’t seen before; they haven’t had a decade to figure out how to move past it. And by moving the browser that the attacker or the website user sees into our cloud, we get traditional visibility into what’s going on.
So, if an attack comes through and gets executed in the browser, it happens in our browser. So, we can see it, and then we can figure out if it’s bad or not. It’s that additional step that gives you control and gives visibility. Because if you don’t have that, it’s already on the endpoint and it’s too late.
So, we put in barriers for attackers, we put in the visibility, and the ability to see what the end user is seeing when they’re being targeted and as they’re being attacked. And that can also come down to phishing attacks.
What’s being displayed as a webpage can be changed when it’s in the browser; attackers can change scripts and logos when they are trying to phish you. But we can see what the end user sees, and display that all the way down, preventing them from giving their data.
We’ve heard a lot in recent months about the importance of Zero Trust and SASE. What importance do you place on these frameworks and where does Menlo Security sit within them?
I’ll talk about three things here: SASE, SSE and Zero Trust. Starting with SASE, I think the SASE definition is entirely valid. We actually have an OEM with VMware, so the security components of the VMware SASE solution are Menlo. That’s our SASE go-to-market strategy, and I think that’s entirely valid. Organizations can select which pieces they choose or need to implement for their business needs and ignore others that don’t make sense for them.
And then, taking one step back is the SSE (Security Service Edge) definition from Gartner, which I don’t think fits the market in terms of requirements from organizations or the value it delivers. So, what they did was take the CASB market, the Secure Web Gateway market, and Zero Trust Network Access, and they pushed them all together, with the premise of consolidation down to a single vendor. And that has made SSE really, really broad in terms of what they’re expecting a single solution to do. I don’t know of a single vendor out there that is great at doing all of those things. They’ll be great at some; they’ll be okay at others. And so, I think SSE is actually taking a step backwards in terms of implementing effective security and can put a lot of additional risks back in an organization.
Because yes, it’s great if you can get everything from one vendor. But then what if that one vendor gets exploited? Or that service has an outage? Or that one vendor is acquired and suddenly doesn’t support it anymore? There’s a lot of operational risk in there. So, SASE, yes, but SSE is way too broad.
And when it comes to Zero Trust, I mean you could walk to every booth in here and they’ll give you a different definition of what Zero Trust means. From a Menlo Security perspective, we have a ZTNA (Zero Trust Network Access) solution, which is great, and that’s one element of it. But for most companies, when they talk about Zero Trust, it’s about not trusting the user. It’s wanting them to prove that they are who they say they are, and that their machine is appropriately patched, security services are enabled, and all the applications are approved.
But then once that user connection has been established, often companies still don’t know what’s going on as data flows to and from the application. Our approach to Zero Trust is that absolutely the user needs to prove who they are, but we also need to make sure we are not trusting what the user does, in case they or the application is compromised.
So, we’re really trying to look across the whole chain of the user, the data, and the application. And Menlo Security stays in line for all of that; it all goes through our isolation core. We can apply real-time policies to stop threats, make web pages read-only, prevent sensitive data from leaving, whatever you want to do. But it needs to be broader than just Zero Trust Network Access and stretch out to every single point in your communications.
What is your final advice to organizations looking to improve their protection against HEAT attacks, and their cybersecurity resilience in general?
With my Menlo hat on, what you should do is go to our security assessment toolkit that we rolled out recently. We have a website built up with real-world HEAT attacks, where you can see if they evade the security you have implemented. If it gets through all of your security controls, you may want to think about putting in something additional. If it doesn’t, then great, you’ve figured it out. So, we’re trying to let companies know what susceptibility they have and how big that problem could be.
But more generally, being at the show here, I think my guidance would be to not assume that what you are doing is good enough. There is ransomware in the press every week. Therefore, what we are doing is not good enough. So, take the time to figure out what else you could be doing, rather than just spending more money on the same technologies and assuming that you’re going to be more secure.
So, whether it’s Menlo Security or some of the other innovative companies here that are looking to add that additional layer in so that we can make it harder for those threat groups, that is going to make it better for everyone.
Find out more about Menlo Security here: https://www.menlosecurity.com