There is no doubt that macros are increasingly being used to deliver and execute malicious code, and we all know the impact on an organization when one strikes. But sometimes team members simply need to run macros to get their work done. So, what do you do?
As a security professional, you want to prevent macros from running: it is safer, and you don't have to work until 3:00am cleaning up after a macro has caused chaos in your environment. As a user, however, you just want to do your work without jumping through hoops to open a spreadsheet that contains a macro.
How do you find that balance between keeping your environment secure and keeping your users happy and productive?
There are several ways to approach this and, like anything, each has its pros and cons. So let's explore a few.
Lock It Down
The Australian Signals Directorate (ASD) includes configuring Microsoft Office macro settings in its "Essential Eight" mitigation strategies: block macros in files from the internet and allow only vetted macros, either from trusted locations or digitally signed by a trusted publisher. Microsoft supports this within the Office suite through Protected View and the "Block macros from running in Office files from the Internet" policy (Office 2016 and later), which refuses to run macros in a document that carries the Mark of the Web no matter what the user clicks.
This is a good approach and is easily achieved via group policy; the setting lands in the registry under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\blockcontentexecutionfrominternet (Excel and PowerPoint have their own keys alongside), so it is also easy to verify on an endpoint. However, it makes life hard for end users who legitimately need macros to do their work, because every such document now needs an administrator to approve an exception, such as a trusted location or a signing certificate, before the user can run it.
So while this is a good approach, I will give this one a Milli Vanilli. It sounds good, but you still need to find someone who can actually sing.
Put It in the Box
The other common approach is sandboxing: the attachment is detonated in an instrumented virtual machine and the verdict is based on what it actually does, which takes the stress out of deciding whether a macro is malicious or benign. Sandboxing has grown in popularity over recent years, but the bad guys are increasingly finding ways to evade it, for example macros that check for virtualization artefacts, sleep past the analysis window, or only fire on user interaction such as closing the document. These technologies keep evolving to counter such evasion, but it only takes one malicious macro slipping through to ruin the whole party for everyone.
So, I will give this one a Justin Bieber. While very successful and popular, you know it is not the whole package.
Strip It Out
The latest technique, which is quickly gaining momentum, is to structurally sanitize documents: the file is taken apart into its component parts and the macro (the embedded VBA project) is removed before the document is delivered to the end user. This gives the best of both worlds. The user receives a document that opens and reads exactly as before but contains no executable content to run on their device, and the original stays under the administrator's control, quarantined and available for review if the user needs the macro for legitimate reasons.
The administrator can use various tools to check the legitimacy of the macro, for example olevba from the oletools suite, which extracts the VBA source and flags auto-executing procedures and suspicious keywords. Whatever the tool, the release decision always remains with the administrator, which is a good thing.
So, I will give this one an Aretha Franklin. Sometimes overlooked but when you think about it you say R.E.S.P.E.C.T.
So, I hear you ask, "How do you strip out the macros before they get to the user?" Glad you asked.
Today, active content embedded in email attachments is one of the most common ways targeted attacks, including Advanced Persistent Threats (APTs), gain their initial foothold in an organization. Because the lure and the payload are tailored to specific individuals or organizations, they are frequently not picked up by traditional signature-based security solutions. Detecting APTs is a challenge for most organizations, whereas removing all active content from inbound documents (macros, embedded OLE objects and the like) requires no detection at all: the payload never reaches the user, whether or not anyone has seen that particular attack before.
Of course, if content is removed in error (a false positive), the IT team can review the quarantined original and release it quickly.
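As an added worked example (written for this page; it is not Clearswift's code and does not describe how ARgon implements the feature), the Python below performs structural sanitization on an Office Open XML package using only the standard library. It first inventories the active content, which is the check an administrator would run on a quarantined original, and then removes the VBA project part, every relationship that points at it and its content-type registration, downgrading the main part from the macroEnabled content type to the macro-free one so Office opens the result as an ordinary .docx or .xlsx. Excel 4.0 macro sheets are flagged for review rather than deleted, since they are wired into workbook.xml. The sample .docm is constructed inline with a stub VBA part; the names audit, strip_vba and build_sample_docm are this example's own.

```python
"""Structural sanitization of an OOXML package (added example, not Clearswift's code):
audit() inventories active content; strip_vba() removes the VBA project, its
relationships and content-type entries and downgrades the main part to macro-free."""
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_CT_PREFIX = "application/vnd.ms-office.vbaProject"  # also matches vbaProjectSignature
XLM_CT = "application/vnd.ms-excel.macrosheet+xml"      # Excel 4.0 macro sheets
MACRO_FREE = {  # macro-enabled main part -> macro-free equivalent (Word, Excel)
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}

def _content_types(zin):
    """Parse [Content_Types].xml -> (root, lookup) with lookup(part_name) -> content type."""
    root = ET.fromstring(zin.read("[Content_Types].xml"))
    defaults = {e.get("Extension").lower(): e.get("ContentType") for e in root.findall(f"{{{CT_NS}}}Default")}
    overrides = {e.get("PartName"): e.get("ContentType") for e in root.findall(f"{{{CT_NS}}}Override")}
    return root, lambda n: overrides.get("/" + n) or defaults.get(n.rsplit(".", 1)[-1].lower(), "")

def _is_vba_rel(rel):
    return rel.get("Type", "").rsplit("/", 1)[-1].startswith("vbaProject")

def _rels_of(part):  # relationship file belonging to a part, e.g. word/_rels/vbaProject.bin.rels
    folder, _, name = part.rpartition("/")
    return f"{folder}/_rels/{name}.rels" if folder else f"_rels/{name}.rels"

def _serialize(root, ns):
    ET.register_namespace("", ns)  # emit the package's default namespace, not ns0: prefixes
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def audit(pkg_bytes):
    """Detection step: what active content does the package carry?"""
    zin = zipfile.ZipFile(io.BytesIO(pkg_bytes))
    _, ctype = _content_types(zin)
    names = zin.namelist()
    return {
        "vba_parts": [n for n in names if ctype(n).startswith(VBA_CT_PREFIX)],
        "vba_rels": [(n, r.get("Target")) for n in names if n.endswith(".rels")
                     for r in ET.fromstring(zin.read(n)) if _is_vba_rel(r)],
        "xlm_parts": [n for n in names if ctype(n) == XLM_CT],
        "macro_enabled_types": sorted({ctype(n) for n in names if "macroEnabled" in ctype(n)}),
    }

def strip_vba(pkg_bytes):
    """Sanitization step: returns (clean_bytes, report)."""
    zin = zipfile.ZipFile(io.BytesIO(pkg_bytes))
    ct_root, ctype = _content_types(zin)
    removed = [n for n in zin.namelist() if ctype(n).startswith(VBA_CT_PREFIX)]
    removed += [p for p in map(_rels_of, removed) if p in zin.namelist()]
    for e in list(ct_root):  # drop VBA registrations, downgrade the main part
        ct = e.get("ContentType", "")
        if ct.startswith(VBA_CT_PREFIX):
            ct_root.remove(e)
        elif ct in MACRO_FREE:
            e.set("ContentType", MACRO_FREE[ct])
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for name in zin.namelist():
            if name in removed:
                continue
            if name == "[Content_Types].xml":
                data = _serialize(ct_root, CT_NS)
            elif name.endswith(".rels"):  # unlink the VBA project from every relationship file
                rels = ET.fromstring(zin.read(name))
                for r in [r for r in rels if _is_vba_rel(r)]:
                    rels.remove(r)
                data = _serialize(rels, REL_NS)
            else:
                data = zin.read(name)
            zout.writestr(name, data)
    # XLM macro sheets are wired into workbook.xml, so they are flagged for manual review
    # rather than deleted blindly; a release decision still needs a human.
    return out.getvalue(), {"removed": removed, "needs_review": [n for n in zin.namelist() if ctype(n) == XLM_CT]}

def build_sample_docm():
    """Constructed minimal .docm (not a captured sample): one paragraph plus a stub VBA project."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" '
            'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override '
            'PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.'
            'openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Q3 invoice attached.</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://'
            'schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2 magic + padding
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    clean, report = strip_vba(build_sample_docm())
    print(audit(build_sample_docm()), report, audit(clean), sep="\n")
```

Run as a script, the before and after audits show the VBA part and its relationship gone and no macro-enabled content type left, while the document body is untouched. A production sanitizer would also have to handle the legacy binary .doc/.xls formats (a different container entirely) and other kinds of active content such as OLE objects, DDE fields and ActiveX controls; this block covers only the VBA project inside an OOXML package.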
The diagram below highlights the document Structural Sanitization process at a high level using Clearswift’s ARgon for Email solution.
ARgon for Email is a complementary solution for organizations that don't want to swap out their current email security solution just yet but still want this protection in place. As the diagram above shows, ARgon for Email sits inline within your existing mail flow and inspects email traffic in both directions, so that all active content is structurally sanitized.
For existing Clearswift customers who already utilise the Secure Email Gateway and/or the Secure Web Gateway, the Structural Sanitization feature is easily and quickly switched on by purchasing an additional license.
Structural Sanitization is just one of the features that users can take advantage of. As with all Clearswift products, simplicity is the key. We have a strong focus on automating best practice data protection processes and security procedures to both prevent threats and protect critical data.
Clearswift's Next-Generation Email Security
Clearswift's award-winning Secure Email Gateway offers an unprecedented level of cyber-attack protection and outbound data loss prevention for secure email collaboration. See how Clearswift can work for your organization.