Bad Clicks and Fallible Users: How Organizations Can Mitigate Insider Risks

No amount of user training can completely eradicate the risks posed by phishing. Phil Muncaster finds out what organizations can do about it.

Business leaders are always keen to remind employees that they are their most valuable asset. Yet as security teams are only too aware, staff also represent a significant source of cyber-risk. That risk has grown sharply over the past two years as working practices changed and digital infrastructure investment accelerated. In the US, a record number of publicly reported data breaches were recorded in 2021, while in the UK, nearly two-thirds of medium and large-sized businesses admitted they had been compromised. By some estimates, ransomware also hit record highs last year.

While training and awareness-raising programs are undoubtedly a crucial part of cybersecurity best practice, they only go so far. A sufficiently determined attacker will eventually get a user to click, and attackers increasingly have new techniques at their disposal to trick even conscientious users. So what can organizations do? Micro-virtualization may finally offer IT teams an opportunity to break out of the never-ending endpoint security arms race and gain a significant advantage.

Endpoints Under Fire

Endpoints represent the front line in the battle against today's enterprise threats. Almost 70% of organizations in 2020 admitted to being breached via an endpoint attack. Endpoints are attractive targets because they sit at the intersection of data, human and machine, and the human is often the weakest link, especially in the current hybrid workplace. Research shows that home workers are far more likely to take risks than their office-bound colleagues, such as uploading corporate data to non-sanctioned apps, even when they know it is the wrong thing to do.

This leaves threat actors with plenty of options. While email remains the most common threat vector, they also use chat and video conferencing channels to share malicious links. Even malware loaded onto USB drives remains a persistent, if limited, threat. Attackers simply adapt as users become better trained and more aware of these risks. Researchers have recently documented novel phishing and compromise techniques, such as thread-jacking (replying inside a hijacked legitimate email thread) and using trusted platforms like Google Docs and Drive to host and distribute malware.

Such activity raises the stakes significantly for security teams. Ransomware, data theft, cryptojacking, bot infection and other threats could result in major financial and reputational damage. The estimated average figure for the cost of data breaches today stands at a record $4.2m, but the impact can be significantly worse for ransomware victims.

Where Current Approaches Fall Down

Next-generation anti-virus (NGAV) and endpoint detection and response (EDR) tools represent the cybersecurity industry's latest attempt to tackle endpoint threats. Yet such detection-based technologies are fallible, according to Ian Pratt, global head of security at HP Inc. Threat actors can test their malware against the same tools before deployment, altering it until it evades detection, he argues.

Real-world examples of such efforts are not uncommon. One recent case, dubbed "SysJoker," is a backdoor designed to run across multiple OS platforms. At the time of its discovery, its Linux and macOS versions had zero detections on VirusTotal. According to some experts, newer detection-based tools have further drawbacks.

“EDR is difficult to manage, so it can be deployed but not properly managed or configured. This is why we see a significant increase in managed EDR deployments,” Gartner research VP, Peter Firstbrook, tells Infosecurity. “EDR and traditional AV also make judgments about code intentions before they restrict system access, so there are always false negatives.”

The Genesis of Micro-Virtualization

The answer could be micro-virtualization, an architectural approach that sidesteps the shortcomings of detection-based security by drawing on some of the engineering principles of zero trust. Of these, strong isolation is the one most relevant to micro-virtualization, as a highly effective way "to render bad clicks harmless," according to HP's Pratt.

While working in a systems research group at Cambridge University, Pratt and his team developed the Xen hypervisor. The open-source virtualization platform is now used in some of the world's most popular public clouds, where it provides the strong isolation between different customers' workloads that is essential to running a secure IaaS cloud. The same isolation capability can be applied on endpoints: malware that runs inside an isolated VM cannot reach the host OS or the rest of the machine, so its execution does no lasting harm.

During their research, the Cambridge University team realized that they could work with CPU vendors to have hypervisor support built into general-purpose processors, making it cheap to create small virtual machines (VMs). This hardware virtualization support (exposed as Intel VT-x and AMD-V on today's x86 chips, and typically something that must be enabled in firmware) is the foundation of the micro-virtualization capabilities that HP and others use today.

“CPUs in the desktops, laptops, tablets and phones that we all use today have the ability to create very high performance, secure, lightweight virtual machines and we can use that ability to implement micro-virtualization that provides excellent security and is transparent to the user,” Pratt explains.

“This is a practical architectural solution to the problem – something that elevates us out of the arms race with the bad guys. It isn’t just a bit better. It’s a seismic shift: protection that doesn’t rely on detection.”

Eric Hanselman, chief analyst at 451 Research, tells Infosecurity that “silicon-based isolation” like this promises to “leverage a root of trust that’s difficult to subvert.”

“Being able to isolate each application running on an endpoint can offer some unique protections,” he adds.

How Do Micro-VMs Work/Help?

The principle behind micro-virtualization is relatively simple. A hardware-assisted hypervisor on the endpoint spins up new micro-VMs, each with its own OS instance and application, quickly and cheaply. A micro-VM is created every time the user starts a new risky task, such as clicking a URL or opening a downloaded document. Each VM is granted only the resources that task needs and nothing more, and there is minimal impact on the user experience. Pratt claims HP's technology creates these VMs in under 100ms, and that users can have tens of them running concurrently, even on laptops that are several years old.

Any malware introduced by a risky click is confined to that VM: it has no access to the host OS, to other micro-VMs, or to internal hosts and services beyond what the task was granted, so threat actors cannot move laterally or reach sensitive information. When the task is closed, the VM is discarded, and with it the malicious code and any persistence it established inside the VM. Because containment does not depend on recognizing the code, it works equally against known and zero-day threats. Forensics teams can also capture what the contained code attempted, such as outbound connections and file or registry writes, and use that record as behavioral evidence about new malware.

“Micro-virtualization provides a positive security model. That is, it prevents damage by containing all documents in an isolated VM that limits the attacker’s ability to gain persistence or to change the state of the OS. It doesn’t have to decide if code is good or bad before restricting it from the system resources,” Gartner’s Firstbrook explains.
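As an added illustration of the two preceding paragraphs (this is not HP's code and says nothing about how any vendor's hypervisor is implemented), the following Python models the difference between a detection-based and a positive security model. A document's actions are replayed twice: once against the host directly, where only actions matching a known signature are blocked, and once inside a disposable "micro-VM" that was granted access to the document alone and is never handed the host state. The file paths, the action trace, and the signature list are all constructed for the example.

```python
# Added example: a toy reference monitor modelling the positive security model.
# Paths, the action trace and the "known bad" list are constructed, not real data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    kind: str    # "read", "write", "connect" or "persist"
    target: str  # file path, host:port or autostart key


DOC = "C:/Users/alice/Downloads/invoice.xlsx"
PAYROLL = "C:/Users/alice/Documents/payroll.xlsx"
RUN_KEY = "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"

# Constructed trace of a weaponised spreadsheet: two legitimate actions on the
# document itself, then a zero-day payload phoning home, installing an
# autostart entry and reading a sensitive file.
TRACE = [
    Action("read", DOC),
    Action("write", DOC),
    Action("connect", "cdn-metrics.example:443"),  # C2 absent from every signature list
    Action("persist", RUN_KEY),
    Action("read", PAYROLL),
]
KNOWN_BAD = {"old-c2.example:443"}  # constructed: what a signature tool knows today


def fresh_host_state():
    """Persistent state of the real endpoint before any click."""
    return {RUN_KEY: "", PAYROLL: "sensitive"}


def run_detection_based(trace, host_state, known_bad):
    """Negative model: the document's process acts on the host directly and
    only actions matching a known signature are blocked. Returns what was blocked."""
    blocked = []
    for act in trace:
        if act.target in known_bad:
            blocked.append(act)
            continue
        if act.kind in ("write", "persist"):
            host_state[act.target] = "modified by document"
    return blocked


@dataclass
class MicroVM:
    task: str
    grants: frozenset                              # (kind, target) pairs this task needs
    scratch: dict = field(default_factory=dict)    # state that dies with the VM
    attempted: list = field(default_factory=list)  # every action, kept for forensics

    def mediate(self, act):
        """Allow only what was granted; no judgement about good or bad code."""
        allowed = (act.kind, act.target) in self.grants
        self.attempted.append((act, allowed))
        if allowed and act.kind == "write":
            self.scratch[act.target] = "modified"
        return allowed

    def dispose(self):
        """Throw the VM away and hand back only the behavioural record."""
        self.scratch.clear()
        return [act for act, ok in self.attempted if not ok]


def run_in_micro_vm(trace, document):
    """Positive model: open the document in a disposable VM granted the document
    and nothing else. The host state is never passed in, so the VM has no handle
    through which to reach it. Returns the denied actions (forensic artefacts)."""
    vm = MicroVM(task=f"open:{document}",
                 grants=frozenset({("read", document), ("write", document)}))
    for act in trace:
        vm.mediate(act)
    return vm.dispose()


if __name__ == "__main__":
    host = fresh_host_state()
    blocked = run_detection_based(TRACE, host, KNOWN_BAD)
    print("detection-based: blocked", len(blocked), "actions; Run key now", repr(host[RUN_KEY]))
    denied = run_in_micro_vm(TRACE, DOC)
    print("micro-VM: denied", [(a.kind, a.target) for a in denied])
```

Running it shows the zero-day C2 address sailing past the signature list and the autostart entry landing on the host in the first model, while in the second the same three actions are refused and surface in the disposal record, which is exactly the kind of behavioral evidence the article says forensics teams can collect from a contained task.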

However, the same isolation can be run the other way round: protecting an organization's crown jewels even if the underlying OS is compromised, by placing the sensitive session in an isolated VM that a compromised host cannot reach. This could be used to protect privileged users such as system administrators and the high-value assets they manage. Threat actors often target these roles, seeking to move laterally from the endpoint to high-value remote services. In this context, micro-virtualization could save organizations the expense otherwise spent on issuing standalone privileged access workstations, Pratt argues.

No technology can be 100% free from vulnerabilities, and 451 Research's Hanselman acknowledges that vulnerabilities have previously been identified both in processors and in micro-virtualization software. The isolation guarantee is only as strong as the hypervisor and the CPU beneath it, so these components need the same patching discipline as the endpoint OS. Even so, the benefits would seem to outweigh such risks. HP claims that no customer has ever reported malware escaping micro-VM isolation in over five billion clicks on email attachments and web pages.

From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers and people from circling cyberpredators. HP Wolf Security provides comprehensive endpoint protection and resilience that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf.
