75% of companies that were hit by ransomware last year had up-to-date endpoint protection solutions in place. Why didn’t that help stop the attacks? Let’s take a look at the most common approaches to ransomware prevention, and why they haven’t been able to provide a solution for enterprises.
Approach 1: EPP/EDR Agents and Web/Email Gateways
EPP/EDR solutions are actually great at stopping ransomware – when the threat is known or uses techniques that are clearly malicious. But malware is getting better – it can mimic legitimate behavior in ways that fool detection systems. And attackers can test their ransomware against endpoint solutions before they launch it to see whether it gets detected, so they’re less likely to try an attack that they know isn’t effective.
Approach 2: Phishing Training
It doesn’t matter how good your anti-phishing training is. It still only takes one mistake from one user to undo all that good training. And training wears off. One study from the Cyentia Institute found that 40% of anti-phishing trainees still fail phishing tests. Education alone isn’t the answer.
Approach 3: App Whitelisting
Theoretically, you can just restrict your users to apps and sites that you’ve pre-approved. But this will cause major damage to user productivity. Be prepared for your IT team to spend all day dealing with exception handling and your users to work to find ways around your draconian controls. On top of all that, attackers can still leverage signed legitimate software.
Approach 4: Browser Security Controls
Browsers have built-in security mechanisms that prevent some browser exploitation. But there were around 30 critical vulnerabilities just in Chrome last year, and the attack surface of browsers continues to grow – they’re essentially mini operating systems. Browsers are also highly targeted: attackers are constantly looking for zero days in them.
Approach 5: Content Disarm and Reconstruction
CDR takes potentially malicious documents and neutralizes them by removing scripts, macros, and other potentially malicious content embedded in these documents. However, this approach only works for certain document types. It doesn’t defend against malicious app installers, executables, websites, or peripherals. It can also remove some document functionality or corrupt some documents.
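To make the CDR idea concrete, here is an added example (it is not Hysolate’s code, nor any CDR vendor’s) of a minimal sanitization pass for Word documents in Python. A .docm file is an Office Open XML zip package, so the pass rebuilds the package without the VBA project part, drops the relationship and content-type entries that point to it, and renames the result to .docx. The sample document, the `cdr_covers`/`cdr_sanitize` function names and the placeholder VBA blob are all constructed for the example; the namespace URIs and content-type strings are the public OOXML values. The `cdr_covers` check is the limitation the paragraph describes: an installer or an executable is simply outside what this technique can reconstruct.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Public Office Open XML / OPC identifiers (standard values, not specific to this article).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")

# The only containers this toy pass understands; everything else is out of scope for CDR.
CDR_SUPPORTED = (".docx", ".docm")


def cdr_covers(filename: str) -> bool:
    """CDR applies only to document formats it can parse; .exe/.msi installers and URLs are not covered."""
    return filename.lower().endswith(CDR_SUPPORTED)


def _serialize(root: ET.Element, default_ns: str) -> bytes:
    ET.register_namespace("", default_ns)  # keep the default namespace instead of an ns0: prefix
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _strip_vba_relationships(xml_bytes: bytes) -> bytes:
    """Remove every relationship that points at a VBA project part."""
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        if rel.get("Type") == VBA_REL_TYPE:
            root.remove(rel)
    return _serialize(root, RELS_NS)


def _rewrite_content_types(xml_bytes: bytes) -> bytes:
    """Drop the VBA content type and turn the macro-enabled main part into a plain one."""
    root = ET.fromstring(xml_bytes)
    for entry in list(root):
        ct = entry.get("ContentType")
        if ct == VBA_CONTENT_TYPE:
            root.remove(entry)
        elif ct == MACRO_MAIN_CT:
            entry.set("ContentType", PLAIN_MAIN_CT)
    return _serialize(root, CT_NS)


def cdr_sanitize(filename: str, data: bytes):
    """Rebuild the package without macro parts. Returns (new_name, new_bytes, removed_parts)."""
    if not cdr_covers(filename):
        raise ValueError(f"{filename}: not a document type this CDR pass can reconstruct")
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            lower = name.lower()
            body = src.read(name)
            # The VBA project itself (and any other binary part under word/) is never copied.
            if lower.endswith("vbaproject.bin") or (lower.startswith("word/") and lower.endswith(".bin")):
                removed.append(name)
                continue
            if lower.endswith(".rels"):
                body = _strip_vba_relationships(body)
            elif name == "[Content_Types].xml":
                body = _rewrite_content_types(body)
            dst.writestr(name, body)
    new_name = filename[:-5] + ".docx" if filename.lower().endswith(".docm") else filename
    return new_name, out.getvalue(), removed


def build_sample_docm() -> bytes:
    """Constructed, minimal macro-enabled document; the VBA payload is a placeholder blob, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types xmlns="{CT_NS}">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
                   '</Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{RELS_NS}">'
                   '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Invoice #1234 (constructed sample)</w:t></w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
                   '</Relationships>')
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VBA-PROJECT")
    return buf.getvalue()


def package_parts(data: bytes) -> list:
    """Sorted part names of a package, for inspecting the result."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def read_part(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    new_name, clean, dropped = cdr_sanitize("invoice.docm", build_sample_docm())
    print(new_name, "dropped:", dropped, "remaining parts:", package_parts(clean))
```

The design choice worth noting is that the pass reconstructs a new package rather than editing the old one in place: only parts it has a reason to keep are copied, which is what makes CDR robust against content it has never seen, and also why it can lose functionality or produce a file Word refuses to open when the package had unusual parts.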
So what unites these flaws? What do they have in common that renders them vulnerable?
They all have the same design flaw: They mix multiple security domains on a single OS. Sensitive data is sitting on the same endpoint as risky/malicious applications. This affects all endpoints and is the primary reason that we see ransomware being so successful.
To solve this, we need a solution that can:
- Protect against zero-day attacks
- Protect apps, browsers, and operating systems
- Require minimal user training
- Require a minimum of IT overhead
- Avoid mixing multiple security domains on the same OS
Isolate Endpoint Threats with Hysolate
We can reduce the risks of ransomware by using a separate OS for risky activities that can contain endpoint threats. Every time an employee clicks a suspicious link or file, that potentially malicious content will be seamlessly launched in a separate OS.
That’s what OS isolation does – admins pre-define what types of apps, sites, and resources can be opened in the ‘corporate’ OS, and any other activity is automatically redirected to a separate local OS running on the user’s device. Because this ‘risky’ OS looks exactly like a standard Windows desktop, there’s no added training for users. IT managers can set policies that apply to multiple users, reducing IT overhead. And because OS isolation doesn’t rely on a database of ‘known’ malicious behavior, it will continue protecting against malware for years to come.
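The redirect decision described above is, at its core, a default-deny policy check. The following is an added example written for this page (it is not Hysolate’s product code, and the policy structure, function names, hostnames and paths are all constructed assumptions) showing the shape of that check in Python: a URL or executable is matched against an explicit corporate allowlist and everything else lands in the isolated OS. It goes slightly beyond the text by handling two pitfalls a practitioner would want covered: a URL whose userinfo part contains a corporate hostname, and an executable path that uses `..` or forward slashes to masquerade as living under an approved directory. The `naive_route_url` function is kept only to show why the URL must be parsed rather than substring-matched.

```python
import ntpath
from dataclasses import dataclass
from urllib.parse import urlsplit

CORPORATE = "corporate"   # the trusted OS that holds sensitive data
ISOLATED = "isolated"     # the separate, disposable OS for everything else


@dataclass(frozen=True)
class IsolationPolicy:
    """Constructed policy shape: what is allowed in the corporate OS; everything else is isolated."""
    corporate_hosts: frozenset        # exact hostnames allowed in the corporate OS
    corporate_host_suffixes: tuple    # e.g. ".corp.example" covers every subdomain
    corporate_app_dirs: tuple         # directories whose executables may run in the corporate OS


def route_url(policy: IsolationPolicy, url: str) -> str:
    """Default-deny routing on the parsed hostname, never on the raw string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ISOLATED
    host = parts.hostname             # lowercased; userinfo and port are already stripped
    if not host:
        return ISOLATED
    if host in policy.corporate_hosts:
        return CORPORATE
    if any(host.endswith(suffix) for suffix in policy.corporate_host_suffixes):
        return CORPORATE
    return ISOLATED


def naive_route_url(policy: IsolationPolicy, url: str) -> str:
    """What NOT to do: a substring match on the raw URL. Kept only to contrast with route_url."""
    if any(h in url for h in policy.corporate_hosts):
        return CORPORATE
    if any(s in url for s in policy.corporate_host_suffixes):
        return CORPORATE
    return ISOLATED


def route_app(policy: IsolationPolicy, exe_path: str) -> str:
    """Compare normalized, case-folded paths so '..' and slash variants cannot escape a directory."""
    norm = ntpath.normcase(ntpath.normpath(exe_path))
    for directory in policy.corporate_app_dirs:
        # Trailing separator so 'C:\Program Files\Corp' does not also match '...\Corporate\'.
        prefix = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\") + "\\"
        if norm.startswith(prefix):
            return CORPORATE
    return ISOLATED


# Constructed sample policy; these hostnames and paths are placeholders, not product defaults.
SAMPLE_POLICY = IsolationPolicy(
    corporate_hosts=frozenset({"corp.example", "mail.corp.example"}),
    corporate_host_suffixes=(".corp.example",),
    corporate_app_dirs=(r"C:\Program Files\Corp", r"C:\Program Files (x86)\Corp"),
)


if __name__ == "__main__":
    for url in ("https://intranet.corp.example/",
                "https://mail.corp.example@evil.example/login",
                "https://evilcorp.example/"):
        print(f"{url:50} parsed={route_url(SAMPLE_POLICY, url):9} naive={naive_route_url(SAMPLE_POLICY, url)}")
    for exe in (r"C:\Program Files\Corp\ERP\erp.exe",
                r"C:\Program Files\Corp\..\..\Users\bob\Downloads\invoice.exe"):
        print(f"{exe:60} -> {route_app(SAMPLE_POLICY, exe)}")
```

Two points carry over to any real deployment of this model: the allowlist is the only thing that ever yields `corporate`, so an unknown site or binary fails safe into the isolated OS without a signature lookup, and every match is done on a canonical form (parsed hostname, normalized path), because the policy is only as strong as the parser in front of it.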