GUIDE

PROTECTING THE END USER
A PEOPLE-CENTRIC APPROACH TO MANAGING VULNERABILITY, ATTACKS AND PRIVILEGE
proofpoint.com

2 PROTECTING THE END USER | A People-Centric Approach to Managing Vulnerability, Attacks and Privilege

3 WHY PROTECTION STARTS WITH PEOPLE
Organizations spend billions on cybersecurity tools each year. Why isn’t it working?

SIDEBAR - PAGE 3: ART OF THE STEAL
The real-life account of a cloud account compromise that netted millions for attackers—no malware needed.

4 ASSESSING USER RISK: THE VAP MODEL
How to assess users’ risk by weighing their vulnerability, attacks and account privileges.
VULNERABILITY
ATTACKS
PRIVILEGE

SIDEBAR - PAGE 5: VAP SNAPSHOTS
Three examples of how the VAP model might apply in a workplace.

6 MITIGATING END-USER RISKS: A BLUEPRINT FOR PEOPLE-CENTRIC PROTECTION
What you’ll need to reduce vulnerability, stop targeted threats and manage privileged access.
REDUCING VULNERABILITY
STOPPING ATTACKS
MANAGING PRIVILEGE

TODAY’S ATTACKS TARGET PEOPLE, NOT INFRASTRUCTURE.

Organizations are spending more than ever on cybersecurity and getting less value from it. Attacks keep getting through. Sensitive information keeps falling into the wrong hands. And data breaches keep making headlines.

It’s time for a fundamental rethink. Traditional cybersecurity models were built for an earlier era—when the prevailing security model was to lock down the perimeter and deal with threats after they got through. The approach barely worked then; it’s hopelessly broken now.

That’s because people, not technology, are attackers’ biggest target—and your biggest risk. This change in the threat landscape requires a fresh mindset and new strategy, one that focuses on protecting people rather than the old perimeter.

But what does this new approach look like in practice?

This guide explores that question by outlining the foundational elements of security in the modern era. It describes the factors that play into end-user risk. It explains how to mitigate these factors. And it recommends concrete steps you can take to build a people-centric defense.
WHY PROTECTION STARTS WITH PEOPLE

It’s clear that the usual defend-the-perimeter model of cybersecurity isn’t working—and hasn’t worked for years. More than two thirds of IT security professionals polled in a recent Ponemon study expect cyber attacks to “seriously diminish their organization’s shareholder value.” And more than believe their cybersecurity posture is leveling off or even declining.1

Blame two converging trends: the perimeter is dissolving, and attackers are shifting their focus away from technology and towards people.

And the walls came tumbling down
There’s a simple reason perimeter defenses aren’t working. In today’s cloud-enabled mobile economy, there’s no longer a perimeter to defend. Work takes place on devices organizations don’t support, on infrastructure they don’t manage, and in channels they don’t own.

As Gartner puts it, the IT department “simply does not control the bounds of an organization’s information and technology in the way it used to.”2

People always make the best exploits
As business shifts to the cloud, so have attackers. Cloud infrastructure may be highly secure, but the people who use it are often vulnerable.

That’s why today’s attacks exploit human nature rather than technical vulnerabilities. More than 99% of today’s cyber attacks are human-activated.3 These attacks rely on a person at the other end to open a weaponized document, click on an unsafe link, type their credentials, or even carry out the attacker’s commands directly (such as wiring money or sending sensitive files).

Credential phishing, which tricks users into entering their account credentials into a fake login form, is one of the most dangerous examples. In the cloud era, those credentials are the keys to everything—email, sensitive data, private appointments and trusted relationships.

In the third quarter of 2018, for example, corporate credential phishing attempts quadrupled vs. the year-ago quarter.4 And email fraud rose 77% over the same timeframe.5

ART OF THE STEAL
Cloud account compromise nets millions for attackers—no malware needed

The following is a real-life account of a company we worked with in the wake of an email fraud attack. Some details have been omitted for privacy.

Last year, a CEO was stuck in an intense meeting, carefully negotiating a deal with a key business partner. Hundreds of miles away, cyber attackers with control of his Office 365 account were working on their own, sneakier transaction.

Exploiting the meeting’s sensitive nature—and the trust of the executive’s direct reports—they stole millions through fraudulent wire transfers. Their only tools: email, patience and a little social engineering.

The attackers had taken control of the CEO’s account months earlier after guessing his password in a brute-force attack. (In this kind of attack, cyber criminals systematically try hundreds or even thousands of passwords until one works.)

Undetected, the attackers set up an email forwarding rule. This move gave them free-ranging access into the company’s most sensitive business. They knew the partner meeting was coming, what it was about, and that the CEO would be unreachable by phone or in person.

As the meeting wore on, a senior finance person received an urgent email from the CEO’s account. The CEO was busy negotiating a deal, it stated. To close the transaction, he needed a large wire transfer, and quickly. The finance person complied, unable to check with the CEO directly.

But the email wasn’t from the CEO. The account information wasn’t the business partner’s. And the normal fiscal controls weren’t applied. The attackers had looted millions of dollars—all without a single malware infection, phishing email or technology exploit.

1 Ponemon Institute. “2018 Study on Global Megatrends in Cybersecurity.” February 2018.
2 Rob van der Meulen (Gartner). “Build Adaptive Security Architecture Into Your Organization.” June 2017.
3 Proofpoint. “The Human Factor 2017.” December 2016.
4 Proofpoint. “Quarterly Threat Report Q3 2018.” December 2018.
5 Ibid.
ASSESSING USER RISK: THE VAP MODEL

Just as people are unique, so is their value to cyber attackers and risk to employers. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud.

Together, these factors make up a user’s overall risk in what we call the VAP (vulnerability, attacks and privilege) index.

[Figure: Understanding People-Centric Risk. SECURITY nodes: VULNERABILITY (work in high-risk ways), ATTACKED (targeted by threats), PRIVILEGED (access to valuable data/systems). COMPLIANCE nodes: highly regulated roles, access to regulated data, involved in sensitive activities.]

Vulnerability
Users’ vulnerability starts with their digital behavior—how they work and what they click. Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.

How your people work
Assessing vulnerability that stems from how people work is mostly straightforward—though it’s not always easy, or even possible, with traditional cyber defenses. It starts with knowing what tools, platforms and apps they use.

The more granular your visibility, the better. Gauging vulnerability on the user level, for instance, is feasible only when you have accurate user-level visibility. When you do, you can weigh factors such as:

• What cloud apps they use
• How many and what devices they use to access email
• Whether those devices are secure
• Whether the user practices good digital hygiene
• Whether they use multifactor authentication consistently

What your people click
The second part of measuring vulnerability is figuring out how susceptible your users are to phishing and other cyber attacks. Short of letting attackers in and seeing who opens a malware file or wires money to an attacker (not ideal for obvious reasons), phishing simulations are the best way to gauge this aspect of vulnerability. Simulated attacks, especially those that mimic real-world techniques, can help identify who’s susceptible and to which tactics.

Someone who opens a simulated phishing email and opens the attachment might be the most vulnerable. A user who ignores it would rank somewhat lower. And users who report the email to the security team or email administrator would be deemed the least vulnerable.

Attacks
All cyber attacks are not created equal. While every one is potentially harmful, some are more dangerous, targeted or sophisticated than others.

Indiscriminate “commodity” threats might be more numerous than other kinds of threats. But they’re usually less worrisome because they’re well understood and more easily blocked. Other threats might appear in only a handful of attacks. But they can pose a more serious danger because of their sophistication or the people they target.
VAP SNAPSHOTS
(Legend: HIGH / MEDIUM / LOW)

Here’s how the VAP model might apply to workers in a typical organization.

Jane Barker, CEO ([email protected])
Vulnerability: No ThreatSim action, uses outside networks and devices, inconsistent use of multifactor authentication
Attack: Top 10% of all users in MaxThreat score, with 30-day total in the top 5%
Privilege: Has access to sensitive data in Office 365 and corporate network
Jane scores well on phishing simulations. But she is also highly mobile, logging into email and file shares from several devices on- and off-network. Her high-profile status makes her a target of malware and phishing attacks, many of them advanced and highly targeted. She has access to highly sensitive data. And she wields authority over many high-level employees, including people who can make wire transfers.

Maggie Brown, EA ([email protected])
Vulnerability: Poor ThreatSim score, uses company-issued equipment on network
Attack: Mostly commodity threats, but some are socially engineered and targeted
Privilege: Has little access to sensitive data but can email for the CEO and has access to calendars
Maggie works solely on the corporate network during work hours using her company-issued PC. But she occasionally opens emails in phishing simulations. And given her role, she may be susceptible to email fraud that spoofs the CEO or other executives. Along with a large volume of commodity email threats, she receives some socially engineered and targeted email. While she doesn’t have access to sensitive information, she can send emails on behalf of the CEO and has access to executive calendars.

Ed Jeong, Engineer ([email protected])
Vulnerability: Perfect ThreatSim score, uses outside networks and devices, inconsistent use of multifactor authentication
Attack: Top 1% of all users in MaxThreat score, with 30-day total in the top 3%
Privilege: Has access to highly valuable sensitive data
Ed has excellent digital hygiene practices; he doesn’t fall for simulated phishing attacks, promptly reports suspicious messages and accesses company resources only when on a VPN. But he is targeted in a larger-than-average number of attempted attacks, many of them highly sophisticated. While his network and file access is limited to his own department, many of these files have highly valuable IP.
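The three snapshots describe each person's vulnerability, attack and privilege picture in words. What follows is an added example, not Proofpoint's scoring and not part of this guide, that turns the factors the VAP model names (simulation outcomes ranked as opened attachment, ignored, reported; devices, multifactor authentication and self-installed cloud apps; attack rank, focus, sophistication and department context; data access, financial authority and acting for an executive) into a 0-10 score per dimension for Jane, Maggie and Ed. Every weight, threshold, percentile and per-user value below is an assumption constructed to match the snapshot descriptions, as are the HIGH/MEDIUM/LOW band cut-offs.

```python
"""VAP (vulnerability, attacks, privilege) scoring worked through for the three
snapshot users.  Added example: the factor weights, 0-10 scales, band thresholds
and the per-user records are assumptions for illustration, not Proofpoint's own
scoring or data."""
from dataclasses import dataclass
from typing import List

# Phishing-simulation outcomes ranked as the guide describes: opening the
# attachment is most vulnerable, ignoring is lower, reporting is least.
SIM_OUTCOME_SCORE = {"opened_attachment": 3, "clicked": 2, "ignored": 1, "reported": 0}

# Constructed: how heavily each department is attacked (0-1).  This is the
# "highly attacked department" context the guide says to weigh.
DEPARTMENT_ATTACK_RATE = {"Executive": 1.0, "Engineering": 0.5, "Retail": 0.1}


@dataclass
class User:
    name: str
    department: str
    sim_outcomes: List[str]      # recent phishing-simulation results
    off_network_devices: int     # devices used outside the corporate network
    mfa_consistent: bool
    unmanaged_cloud_apps: bool   # self-installed cloud apps or add-ons
    attack_rank_pct: float       # in the top N% of users by threat score
    targeted_fraction: float     # share of attacks that are targeted, 0-1
    sophistication: float        # mean sophistication of those attacks, 0-1
    data_access_level: int       # 0 none, 1 own dept, 2 valuable IP, 3 broad
    financial_authority: bool    # can move money or direct people who can
    acts_for_executive: bool     # sends mail / manages calendars for execs


def vulnerability_score(u: User) -> float:
    """What they click (0-5) plus how they work (0-5)."""
    if u.sim_outcomes:
        sim = sum(SIM_OUTCOME_SCORE[o] for o in u.sim_outcomes) / len(u.sim_outcomes)
    else:
        sim = 1.5  # no simulation data yet: assume the midpoint
    click_part = sim / 3 * 5
    work_part = min(u.off_network_devices, 3)
    work_part += 0 if u.mfa_consistent else 1.5
    work_part += 0.5 if u.unmanaged_cloud_apps else 0
    return click_part + min(work_part, 5.0)


def attack_score(u: User) -> float:
    """Volume/rank, focus, sophistication and department context, 0-10."""
    rank_part = (100 - u.attack_rank_pct) / 100 * 4           # up to 4 points
    focus_part = u.targeted_fraction * 3                      # up to 3
    soph_part = u.sophistication * 2                          # up to 2
    dept_part = DEPARTMENT_ATTACK_RATE.get(u.department, 0.0)  # up to 1
    return rank_part + focus_part + soph_part + dept_part


def privilege_score(u: User) -> float:
    """What the account is worth to an attacker, 0-10.  Org-chart position is
    deliberately not a direct input, as the guide advises."""
    score = 2 * u.data_access_level                           # up to 6 points
    score += 2.0 if u.financial_authority else 0.0
    score += 1.5 if u.acts_for_executive else 0.0
    return min(score, 10.0)


def band(score: float) -> str:
    """Assumed thresholds for the HIGH / MEDIUM / LOW labels."""
    return "HIGH" if score >= 6.5 else "MEDIUM" if score >= 3.5 else "LOW"


def vap_index(u: User) -> dict:
    v, a, p = vulnerability_score(u), attack_score(u), privilege_score(u)
    return {"name": u.name, "vulnerability": v, "attacks": a, "privilege": p,
            "index": (v + a + p) / 3}


def rank_users(users: List[User]) -> List[str]:
    """Names ordered from highest to lowest VAP index."""
    rows = sorted((vap_index(u) for u in users), key=lambda r: r["index"], reverse=True)
    return [r["name"] for r in rows]


# Constructed from the snapshot descriptions; the numbers are assumptions.
SNAPSHOT_USERS = [
    User("Jane Barker", "Executive", ["ignored", "ignored", "reported"],
         off_network_devices=3, mfa_consistent=False, unmanaged_cloud_apps=True,
         attack_rank_pct=10, targeted_fraction=0.6, sophistication=0.8,
         data_access_level=3, financial_authority=True, acts_for_executive=False),
    User("Maggie Brown", "Executive", ["opened_attachment", "ignored", "clicked"],
         off_network_devices=0, mfa_consistent=True, unmanaged_cloud_apps=False,
         attack_rank_pct=40, targeted_fraction=0.2, sophistication=0.3,
         data_access_level=0, financial_authority=False, acts_for_executive=True),
    User("Ed Jeong", "Engineering", ["reported", "reported", "reported"],
         off_network_devices=2, mfa_consistent=False, unmanaged_cloud_apps=True,
         attack_rank_pct=1, targeted_fraction=0.7, sophistication=0.9,
         data_access_level=2, financial_authority=False, acts_for_executive=False),
]

if __name__ == "__main__":
    for r in (vap_index(u) for u in SNAPSHOT_USERS):
        print(f"{r['name']:13} V={r['vulnerability']:.1f} ({band(r['vulnerability'])}) "
              f"A={r['attacks']:.1f} ({band(r['attacks'])}) "
              f"P={r['privilege']:.1f} ({band(r['privilege'])}) index={r['index']:.1f}")
```

Running the file prints one line per user with the three scores and their bands. Two design points are worth noticing: the department term is what lets Maggie's attack score reflect the heavily attacked executive office even though her own mail is mostly commodity threats, and Ed ranks above Maggie overall despite a perfect simulation record because his attack volume and the value of the IP he can reach are high, which is the point of scoring the three dimensions separately rather than from phishing results alone.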
Rich threat intelligence and timely insight are the keys to quantifying this aspect of user risk. The factors that should weigh most heavily in each user’s assessment include:

• The cyber criminal’s sophistication
• The spread and focus of attacks
• The attack type
• Overall attack volume

You should also weigh these factors in context of what departments, groups or divisions the individual user belongs to. For instance, some users might seem not at risk based on the volume or type of malicious email sent to them directly. But they may actually represent a higher risk because they work in a highly attacked department—and are therefore more likely to be a key target in the future.

Privilege
Privilege measures all the potentially valuable things people have access to, such as data, financial authority, key relationships and more. Measuring this aspect of risk is crucial because it reflects the potential payoff for attackers—and harm to organizations if compromised.

Users with access to critical systems or proprietary intellectual property, for instance, might need extra protection, even if they aren’t especially vulnerable or aren’t yet on attackers’ radars.

The user’s position in the org chart is naturally a factor in scoring privilege. But it’s not the only factor—and often, not even the most important one. For attackers, a valuable target can be anyone who serves as a means to their end.

According to our research, individual contributors and lower-level managers account for 67% of highly targeted malware and phishing attacks. Attacks against executives and upper-level managers rose 4 points to about a third of all attacks.6

MITIGATING END-USER RISKS: A BLUEPRINT FOR PEOPLE-CENTRIC PROTECTION

Protecting against all the factors that play into user risk requires a multipronged approach. In the VAP model, that means:

• Reducing users’ vulnerability
• Stopping the threats that target them
• Managing their privilege to safeguard the valuable things they have access to

Reducing vulnerability
The first step to making users more resistant to cyber threats is making them more aware of the risk. That’s why cybersecurity awareness training is the foundation of making users less vulnerable.

The most effective training programs are engaging and hands-on. They’re based on active, real-world attack techniques. And given that attackers are always evolving their methods, they’re current and updated regularly.

Security awareness education cannot be a once-a-year chore endured in the confines of a training room. Like any aspect of long-term behavior change, it’s a continuous process. Effective training programs:

• Assess users’ knowledge
• Educate them on current threats
• Reinforce those lessons with frequent reminders
• Measure changes in behavior over time

Especially vulnerable users may require follow-up instruction. Highlighting and correcting mistakes in real time is critical. Users who fall for phishing emails (real or simulated), for instance, should learn what they should have looked for before clicking—while the incident is still fresh. Follow-up lessons should be tailored and relevant to each user.

The most resilient users not only recognize threats that come their way, but also report them. The sooner a threat is reported, the sooner security teams can move to block it at the gateway and, if it has already been delivered, pull it from users’ inboxes. Streamlining the reporting process strengthens your defenses across the environment.

Stopping attacks
Today’s cyber attacks are unrelenting, come in many forms, and are always changing. Even with the best training, some users will click on some threats some of the time.

6 Proofpoint. “Protecting People: A Quarterly Analysis of Highly Targeted Cyber Attacks.” November 2018.
Protecting users means stopping not just some types of attacks but the whole spectrum of threats—ideally, before they reach the inbox.

Malware threats
Most organizations understand the dangers of malware. What they may not appreciate is how it actually enters their environment and the role that people play in putting it in motion.

Consider the typical security budget. 80%+ of spending goes toward traditional infrastructure-focused defenses even though most cyber attacks today target people, usually through email.7

And whether it’s a banking Trojan, credential stealer, ransomware, or remote-access Trojans (RATs), most malware requires the victim to act.

Non-malware threats
Traditional security deals with malware-based threats (though far too often only after they have entered the environment). But many of today’s most serious threats don’t involve malware at all. Instead of hacking technical vulnerabilities, they exploit human nature.

Examples of non-malware threats include:

• Phishing
• Credential theft
• Email fraud (also known as business email compromise, or BEC)
• Cloud account compromise

Because these threats use social engineering rather than malicious payloads, they can be harder to detect and block with infrastructure-focused defenses.

Web-based threats
The web, including web-based social media tools, is one of the biggest sources of threats. Most people check personal email and use the internet for personal browsing during the workday. Much of this activity is uncontrolled and potentially dangerous.

Securing the vast reaches of the internet without impeding actual work is difficult, if not impossible. Trying to inspect users’ personal activity—especially as more of it is encrypted by default—is costly, slows network performance, and won’t catch all threats. It also creates potential privacy and security issues. Short of blocking personal web use altogether—an extreme approach that would upset most users—securing this gaping security hole is a challenge.

A far simpler approach: isolating personal web activity so that it never touches your environment to begin with. Using web isolation technology, users can browse the internet freely without exposing the corporate network to threats. They can also check their personal email without introducing new risks or giving up their privacy.

Managing privilege
To do their job, many users must access sensitive data and other resources. Managing privilege isn’t about broadly denying access or making work cumbersome for authorized users. Instead, the goal is better controlling access to help mitigate the effects of account compromise and unapproved access to sensitive data.

Fine-tuning access is the first step to managing privilege. Front-line retail workers shouldn’t have access to files created by the finance department. A healthcare CEO probably doesn’t need to download patient records. By making sure the right people—and only those people—get what they need, you can limit exposure if those users are compromised.

Mitigating privilege-related risks also involves knowing when a privileged account may have been compromised. Unusual logins or activity should trigger stepped-up authentication measures or quickly cut off access. Attackers who take over a privileged account have free rein over any sensitive data the real account owner has access to. And anyone who gains control of an email account can exploit people who trust it—inside and outside of the organization.

At the same time, apps and third-party add-ons installed by users on their own may have access to sensitive data. They should be routinely audited to ensure that they’re safe. Even apps that aren’t overtly malicious may be poorly designed or have vague security and privacy policies, making them too risky to have privileged access.

NEXT STEPS: BUILDING A PEOPLE-CENTRIC DEFENSE

In today’s cloud-enabled, mobile, digitally transformed workplace, protection starts with people. That’s why you need a solution that addresses all aspects of end-user risk outlined in the VAP model. That means:

• Reducing users’ vulnerability
• Preventing, defending against, and responding to attacks that target them
• Monitoring and managing their network privilege to prevent unsanctioned access to sensitive information

At Proofpoint, we have always advocated a people-centric approach to advanced threats and compliance risk. Our solutions focus on protecting end users, the data they create and the digital channels they rely on every day.

7 Gartner. “2017 Security Spending Forecast.” August 2017.
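The takeover in the Art of the Steal sidebar (a password found by guessing, then an inbox forwarding rule that let the attackers read the CEO's mail) and the advice under Managing privilege that unusual logins or activity should trigger stepped-up authentication or cut off access together describe one detection problem. The following is an added example, not the guide's own, not Office 365's audit-log schema and not any Proofpoint product logic, that runs three checks over a constructed, simplified stream of sign-in and mailbox-rule events: many failed sign-ins followed by a success from the same source, a successful sign-in from a source never seen for that user, and a new rule that forwards mail to an address outside the company domain. The event format, the domain example.com, the IP addresses, the thresholds and the known-source baseline are all constructed assumptions.

```python
"""Checks over sign-in and mailbox-rule events for the signs of the account
takeover in the sidebar.  Added example with a constructed event format; not an
Office 365 audit schema and not Proofpoint product logic."""
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "example.com"     # assumed
FAILURE_THRESHOLD = 20               # assumed: failed sign-ins that count as guessing
FAILURE_WINDOW = timedelta(hours=1)  # assumed


def ev(ts, user, kind, source, detail=""):
    """One constructed event: when, whose account, what kind, from which source IP."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind,
            "source": source, "detail": detail}


# Constructed sample stream (IPs are documentation addresses, not real hosts).
EVENTS = (
    # 25 guesses in 25 minutes against the CEO's account from one source...
    [ev(f"2018-09-01T02:{m:02d}:00", "ceo@example.com", "login_failed", "203.0.113.7")
     for m in range(25)]
    + [
        # ...then one works.
        ev("2018-09-01T02:31:00", "ceo@example.com", "login_success", "203.0.113.7"),
        # The attacker quietly forwards the CEO's mail to an outside mailbox.
        ev("2018-09-01T02:35:00", "ceo@example.com", "inbox_rule_created",
           "203.0.113.7", "forward:ceo.backup@mail-example.net"),
        # Normal activity that must not fire: office sign-in, internal forward,
        # a single typo'd password.
        ev("2018-09-01T08:00:00", "ceo@example.com", "login_success", "198.51.100.4"),
        ev("2018-09-01T09:00:00", "ea@example.com", "inbox_rule_created",
           "198.51.100.4", "forward:ceo@example.com"),
        ev("2018-09-01T09:10:00", "ea@example.com", "login_failed", "198.51.100.4"),
    ]
)

# Constructed baseline: sources each user has signed in from before.
KNOWN_SOURCES = {"ceo@example.com": {"198.51.100.4"}, "ea@example.com": {"198.51.100.4"}}


def is_external(address, corporate_domain=CORPORATE_DOMAIN):
    """True when the mailbox is outside the company domain."""
    return address.rsplit("@", 1)[-1].lower() != corporate_domain.lower()


def finding(e, rule, action):
    return {"user": e["user"], "rule": rule, "action": action,
            "ts": e["ts"].isoformat(), "source": e["source"]}


def detect(events, known_sources):
    """Walk events in time order and return findings, each with a suggested action:
    'step_up_auth' for unusual sign-ins, 'cut_off_access' for external forwarding."""
    findings = []
    failures = defaultdict(list)  # (user, source) -> timestamps of failed sign-ins
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["source"])
        if e["kind"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["kind"] == "login_success":
            recent = [t for t in failures[key] if e["ts"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append(finding(e, "password_guessing_then_success", "step_up_auth"))
            if e["source"] not in known_sources.get(e["user"], set()):
                findings.append(finding(e, "unfamiliar_login_source", "step_up_auth"))
        elif e["kind"] == "inbox_rule_created" and e["detail"].startswith("forward:"):
            target = e["detail"].split(":", 1)[1]
            if is_external(target):
                findings.append(finding(e, "external_forwarding_rule", "cut_off_access"))
    return findings


def users_to_contain(findings):
    """Accounts whose access should be cut off until the mailbox has been reviewed."""
    return {f["user"] for f in findings if f["action"] == "cut_off_access"}


if __name__ == "__main__":
    results = detect(EVENTS, KNOWN_SOURCES)
    for f in results:
        print(f"{f['ts']} {f['user']} from {f['source']}: {f['rule']} -> {f['action']}")
    print("contain:", users_to_contain(results))
```

On the sample stream only the CEO's account produces findings: the success after 25 failures and the sign-in from an unfamiliar source both ask for stepped-up authentication, and the forwarding rule to mail-example.net asks for access to be cut off. The executive assistant's single failed sign-in and her internal forwarding rule stay silent, which is the behaviour a real deployment needs so that the alerts stay credible. In practice the known-source baseline would be learned from sign-in history rather than typed in, and the thresholds would be tuned to the organization's own noise level.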
To learn more about how we use the VAP model to protect people across email, the web, cloud apps, social media and more, visit proofpoint.com/us/solutions/protecting-end-users

ABOUT PROOFPOINT
Proofpoint, Inc. (NASDAQ:PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions,
Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including
more than half of the Fortune 100, rely on Proofpoint to mitigate their most critical security and compliance risks across email, the cloud, social media, and the web. No one protects people, the
data they create, and the digital channels they use more effectively than Proofpoint.

©Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners.

proofpoint.com 0119-011
