Chief Information Security Officers (CISOs) face an ever-expanding threat landscape driven increasingly by AI-powered attacks targeting the weakest link – end users. 

Recent reports show that over 85% of successful breaches originate from end-user actions, whether intentional or not. Social engineering and credential-based attacks remain prevalent, often enabled simply by a user clicking a malicious link. 

Plus, the security landscape is expanding exponentially. It goes beyond computers and mobile devices to encompass the Internet of Things (IoT) and the plethora of other gadgets emerging in our digital ecosystem. As security leaders, we face the dual challenge of protecting an expanding terrain while coping with the tide of sophisticated cyber-attacks accelerated by AI.

During the Fortify Experts monthly CISO discussion Forum, eliminating end-user threats took center stage. The question was asked:

“Is there a silver bullet for stopping end-user compromises?”

People Problems

Many leaders stated that end-user security is more about a people problem than it is about a technical problem.

One health care CISO aptly stated, “I can’t imagine there’s any silver bullet. I’m a strong believer in investing in a security-aware culture.”

Another CISO from the mortgage industry echoed this view while outlining their integrated awareness program spanning simulated phishing, gamification, custom training, and persistent security messaging. He relayed how security awareness extended to their call center operations, illustrating the multi-faceted nature of security across their organization.  

He noted that threats continually evolve, so the program must build a security culture that evolves with them. “Hit the button, protect the house,” symbolizes their mantra for individual responsibility towards collective security—this theme resonated with all present.

“Hit the button, protect the house.”

The MGM breach was discussed, as it was caused by a simple socially engineered password change request at the help desk. This gave hackers access to a hypervisor server. That access was then elevated to the controller, which updated all 100 hypervisor servers with the ransomware, thereby shutting off user access to the entire firm.

A global chip manufacturer CISO discussed their “defense in depth” approach across people, process, and technology controls.

He described the importance of technical controls in complementing the human aspect of security. His team deploys real-time training and utilizes conditional access controls to contain potential security breaches. He stated, “People are the new perimeter,” highlighting the shift in focus to user-centric security strategies in response to AI-accelerated threats.

“People are the new perimeter.”

He also emphasized that for security to better connect with employees, they hired “softer science” expertise for awareness efforts versus solely leveraging their hardcore technical team.

In exploring solutions, a security leader from a global chemical company spoke about positive reinforcement as a better strategy than chastising users for security slip-ups. He advocated for championing individuals who exhibit security-savvy behaviors, using them as the springboard to inspire others within their domains, thereby creating a ripple effect of security consciousness.

Multiple CISOs highlighted integrating threat intelligence into defense strategies by analyzing real-world attacks against their users. One suggested that recycling actual phishing messages resonates better than purely simulated ones. He also added:

“When educating staff, keep phishing training intervals to no more than six weeks apart to maximize efficacy and engagement.”

A higher education CISO also monitors metrics like the ratio of users reporting phishing tests versus falling for them.  This allows them to continually tune their program. 
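Turning that metric into something you can compute and track: the following is an added example (mine, not code from the forum participants or from Fortify Experts) that takes constructed phishing-simulation results and reports, per campaign, the click rate, the report rate and the ratio of reporters to clickers, flags consecutive campaigns that are more than six weeks apart (the interval suggested above), and lists users who fell for more than one campaign. Campaign names, users and dates are all made up.

```python
# Added example (not from the forum write-up or any vendor): report-vs-fall
# metrics per phishing-simulation campaign plus a six-week cadence check.
# All data below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MAX_GAP_DAYS = 42  # "no more than six weeks apart"


@dataclass(frozen=True)
class SimResult:
    campaign: str
    sent: date
    user: str
    clicked: bool   # the user fell for the lure
    reported: bool  # the user reported it through the report button


# Constructed sample results for three campaigns (hypothetical users).
SAMPLE = [
    SimResult("2024-Q1-invoice", date(2024, 1, 8),  "alice", False, True),
    SimResult("2024-Q1-invoice", date(2024, 1, 8),  "bob",   True,  False),
    SimResult("2024-Q1-invoice", date(2024, 1, 8),  "carol", True,  False),
    SimResult("2024-Q1-invoice", date(2024, 1, 8),  "dave",  False, False),
    SimResult("2024-Q1-mfa",     date(2024, 2, 12), "alice", False, True),
    SimResult("2024-Q1-mfa",     date(2024, 2, 12), "bob",   False, True),
    SimResult("2024-Q1-mfa",     date(2024, 2, 12), "carol", True,  True),
    SimResult("2024-Q1-mfa",     date(2024, 2, 12), "dave",  False, True),
    SimResult("2024-Q2-hr",      date(2024, 4, 15), "alice", False, True),
    SimResult("2024-Q2-hr",      date(2024, 4, 15), "bob",   False, False),
    SimResult("2024-Q2-hr",      date(2024, 4, 15), "carol", False, True),
    SimResult("2024-Q2-hr",      date(2024, 4, 15), "dave",  False, True),
]


def campaign_metrics(results):
    """Per campaign: sent, clicked, reported, click_rate, report_rate, report_to_click."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name, rows in by_campaign.items():
        sent = len(rows)
        clicked = sum(r.clicked for r in rows)
        reported = sum(r.reported for r in rows)
        metrics[name] = {
            "sent": sent,
            "clicked": clicked,
            "reported": reported,
            "click_rate": clicked / sent,
            "report_rate": reported / sent,
            # reporters per clicker; None when nobody clicked (no division by zero)
            "report_to_click": reported / clicked if clicked else None,
        }
    return metrics


def cadence_gaps(results, max_gap_days=MAX_GAP_DAYS):
    """Consecutive campaigns whose send dates are more than max_gap_days apart."""
    sends = sorted({(r.sent, r.campaign) for r in results})
    gaps = []
    for (d0, c0), (d1, c1) in zip(sends, sends[1:]):
        days = (d1 - d0).days
        if days > max_gap_days:
            gaps.append((c0, c1, days))
    return gaps


def repeat_clickers(results, min_clicks=2):
    """Users who fell for at least min_clicks campaigns: candidates for targeted coaching."""
    clicks = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE).items():
        print(f"{name}: click_rate={m['click_rate']:.2f} "
              f"report_rate={m['report_rate']:.2f} report_to_click={m['report_to_click']}")
    for c0, c1, days in cadence_gaps(SAMPLE):
        print(f"cadence gap: {days} days between {c0} and {c1} (limit {MAX_GAP_DAYS})")
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

The report-to-click ratio is left as `None` when no one clicked, since a campaign with zero clicks is a good outcome rather than an infinite ratio; the cadence check and the repeat-clicker list are the two signals a program owner would act on between campaigns.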

Other suggestions focused on the importance of stressing face-to-face interactions, departmental roundtables, and potentially implementing a speaker series to foster a more relatable security culture.

Security Training Platforms:

Leaders also discussed the efficacy of security and phishing training platforms.

  • KnowBe4 – This has been the standard for the industry, but some leaders said KnowBe4 has become less responsive, more expensive, and no longer has cutting-edge training.

Two newcomers that might be worth checking out are:

  • HoxHunt – Hoxhunt maximizes training outcomes by serving every user a personalized learning path that measurably changes behavior.
  • OutThink – Uses Human-Based Intelligence and User Surveys to create more behavior- and role-based targeted security training using a gamified approach.

Isolation Browsers:

Leaders also discussed Browser-Based Products that may enhance end-user security:

  • Island Browser: Provides an isolation browser for protection & data governance. However, it’s not useful on non-cloud, legacy apps. Also, it does cost more and has a higher learning curve, creating more user friction.
  • LayerX Chrome Plugin: An Israel-based, low-cost newcomer that is a simple Chrome extension plugin. This reduces user friction. One CISO is now running it across 250,000 desktops. I received a demo from Ramon Herzlinger (ramon.h@layerxsecurity.com) last week and was impressed with its monitoring and browser control capabilities. If you want to see it in action, contact Ramon and let him know where you heard about it!
  • Chrome Enterprise Browser: This is Google’s new enterprise offering with enhanced browser security and control. It may be worth investigating.

However, all of these browser technologies reside on the end-user device and are susceptible to malware. They also don’t eliminate the vulnerable hypervisor layer.

STIG Viewers & Containerized Workspace: 

A few leaders expressed an interest in technologies like DoD STIG containers and isolation-based browsers. One security leader discussed using STIG containers to build secure VDI-type access for third-party contractors—a notable strategy for managing supply chain security.

  • Military-based STIG Viewers: DoD-approved secure configurations to establish a secure viewer for each application.
  • Containerized VDI Workspaces: Instantly deployable STIG-like desktops. Docker-based, impenetrable VDI workspaces that require no end-device agent and eliminate the hypervisor layer (replaces Citrix & VMware). This solution can dramatically increase security. Watch: The Hamina Case Study

One leader suggested launching an Isolation Browser from within a Containerized Workspace to create the ultimate End-User Isolation solution. 

“That may be the silver bullet for some companies.”

While we may never eliminate all end-user compromises, by combining robust training, layered role-based technical controls, and modern isolation technology, end-user risks and the threat landscape can be dramatically reduced.

In Summary:

Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to leap your security program forward. If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

Join us in May as we continue to dissect and discuss the evolving landscape of cybersecurity.

What: CISO Executive Round Table – Shortcuts to Becoming CMMC Compliant

Details:  With DoD CMMC compliance requirements quickly approaching, we will discuss ways to shorten the path to becoming compliant.

When: May 16, 2024, 01:00 PM Central Time

Where: Registration @ Zoom: https://us02web.zoom.us/meeting/register/tZAocuyqrTkuG9bCSndw61aj5R4WoGnbtBZD 

About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies create higher-performing teams through People (Executive Search and vCISO/Advisory consulting), Process (NIST-based 3rd party security assessments and Leadership Coaching), and Technology (security simplifying solutions).

How I can help you:

  1. Join over 30,000 People Getting Free Security Leadership Improvement Advice. Follow me on LinkedIn: www.linkedin.com/in/timhoward
  2. If you want to raise the expertise or performance level of your security team, Contact me.
  3. If you don’t have a Clear Picture of Your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap, Contact me.
  4. Join our interactive Monthly CISO Forums.
  5. If you are looking to simplify cybersecurity, check out Fortified Desk. The secure, instantly deployable workspace.
