5 Common Misconceptions about Cybersecurity, Debunked

Proofpoint attended Microsoft's Ignite conference for the first time ever last month. And we plan on returning.

We loved talking with current and prospective customers about how Proofpoint’s security partnership can make their use of Office 365 compliant and secure across email and cloud environments.

In addition to talking about our own products, we spent a lot of time debunking common misconceptions around cybersecurity concepts and solutions with our booth visitors. We thought it might be helpful to expose the top 5 misconceptions we heard on the conference floor and provide straightforward answers in case your team is grappling with similar issues.

Misconception #1: “Machine learning is just a buzzword, 'real enterprise solutions' don’t use machine learning."

Not all machine learning is equal, and it has indeed become a buzzword in recent years. But saying that “real enterprise solutions” don’t use machine learning is wrong. Machine learning, when properly implemented, can help answer a host of data-heavy problems such as threat analysis and threat detection.

Machine learning is something Proofpoint leverages throughout our products wherever appropriate. It helps us process relationships across 300 billion nodes of threat data and helps us identify emails with violations for regulatory purposes. As the need grows to reconcile large amounts of data for greater insight, machine learning will continue to have a role in nearly every aspect of our business.

Misconception #2: “If your solution is good enough at catching bad stuff, you don’t need to sandbox.”

Having strong static analysis and reputation-based technologies can identify single stage malicious payloads. However, many modern attacks are multi-staged, specifically designed to bypass this type of static defense.

The first attack stage can contain no malware whatsoever, easily penetrating a static system. Once inside, it identifies OS, geolocation, and other parameters confirming the profile of the target. It can simultaneously engage in VM evasion, logging, and fingerprinting techniques before deciding if it’s appropriate to deliver its payload. If the target is in the wrong country, delivered to the wrong type of client, or suspects that it’s on a VM, the attachments may never weaponize and simply remain harmless. But when the right conditions are met, the malicious second stage is triggered, eluding an organization’s static defense. 

Implementing a dynamic defense that detonates these threats safely within a sandbox is critical. Where the sandbox is positioned is up for debate, but since these are overwhelmingly email-based attacks, a solution that automates sandboxing at the mail gateway before threats can enter the corporate network or reach user mailboxes is far more effective.

Another reason dynamic defenses like sandboxing may be dismissed is the higher volume of broad, commoditized attacks. These generic attacks are more easily picked up by reputation controls and are by definition not targeted. If the security vendor is simply attempting to "catch a lot of attacks," then sandboxing is a difficult luxury to justify. However, when working with high risk, high-value customers, new or unseen targeted attacks do occur, and these are generally of the multi-phase variety. And despite being less common, these targeted attacks do far greater damage and are much harder to detect. They are typically customized for specific organizations and unlikely to show up in a generic signature database. Sandboxing is often the only way to be shielded from these more sophisticated attacks.

Misconception #3. “A vendor that claims to spend the most revenue on R&D may not.”

R&D spending is important. It shows investors and the broader community the extent to which an organization values and is committed to innovation and technology over other business expenses.

And while the largest security vendors can easily outspend mid-sized or smaller vendors in every category when considering absolute dollars, it is more effective to consider the amount spent on R&D as a percentage of revenue when comparing vendors of different sizes, to show their degree of focus on product enhancement and rate of innovation.

For example, while one of Proofpoint’s biggest competitors claims to spend the most revenue on R&D, they only spend about 12%. We spend about 20%.

Misconception #4. “Securing the enterprise means securing the network.”

Protecting the network is still important. But as businesses move resources, communications, and services to the cloud, fewer assets and workloads are managed by corporate IT. And the most attractive target for criminals today is your employees.

But IT security spending today continues to reflect outdated priorities. According to Gartner, network security solution spending is predicted to surge to $13.3 billion by the end of 2019. The amount organizations spend on email security pales in comparison, despite the fact that, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful phishing attacks. And the goal of those email attacks is often to gain cloud credentials which can lead to catastrophic data loss.

So if you have spent most of your security budget on firewalls and endpoints, you still need visibility and protection for your cloud services and the people who use them. Fortunately, the majority of customers we spoke with were savvy about their situation. Just like email security before it, they know they need something above the baseline, above what Office 365 provides if they want to have legitimate protection for their cloud resources.

Misconception #5. “You need to be big in order to catch threats. A wide install base gives you the best insight into what threats are targeting the enterprise.”

It’s easy to convince customers that bigger is better. In a similar fashion, a wider install base like a bigger net, catches more fish every time, right? When we really dig into how effective threat protection is, that assumption starts to fall apart.

You don’t need to be big to catch threats. A single company “catches” threats. As mentioned in our sandbox response above, it’s what you do with those threats that matters.

The reality is that the vast majority of attacks against customers are commodity threats. Big or small customers all receive commodity attacks. They do not discriminate. These are non-targeted, non-specific attacks that go out to hundreds of thousands of different customers globally. These types of attacks are what reputation-based solutions are great at catching, and after you catch the first one, you’ll get the rest.

The next level of attacks may contain staged payloads, specifically designed to defeat static defenses, and whether you’re a big vendor or small vendor, if your sandboxing technology is not smart enough to fool these little guys into detonating, or if you don’t have sandboxing technology at all, then your customers are going to have a rude awakening when they receive weaponized attachments and URLs that start compromising accounts. Sandbox infrastructure, threat analysts, analysis tools, etc., are not cheap. Without these things it doesn’t matter how big you are— you won’t gain insight into the attack until it’s too late.

Attackers are highly democratic, they’ll attack just about any organization. And within each organization, they will approach different targets with a combination of targeted and non-targeted threats.

Proofpoint can provide a current breakdown of the most targeted individuals within your organization called Very Attacked Persons (VAP). These individuals do not necessarily map to your VIPs such as your CEO, CFO, etc., but for whatever reason they receive the most threats in the organization and therefore are your most likely points of data loss, financial fraud, or account compromise.

Learn more

If you are interested in learning more or still have outstanding questions on these or any other topics, please reach out to us. We would be happy to help clarify further.

In the meantime, if you were at Ignite, hopefully, you had a chance to learn all that you needed to from Microsoft and other participating vendors including Proofpoint. Like every year, there were many exciting announcements. And please come by our booth next year and say hello.

Subscribe to the Proofpoint Blog