Getting Real About Ransomware

By John Spiegel

[By John Spiegel, Director of Strategy & Field CTO, Axis Security]

In 2022, 66% of businesses worldwide were impacted by ransomware in some form. This may be a direct breach, a 3rd party they depend on being hacked, or sensitive data being leaked by another impacted entity. And according to the most recent Verizon breach report, no sector was spared: manufacturing, finance, retail, government and hospitals were all impacted by this plague of cybersecurity. Worse, the time to compromise (dwell time) is now less than a day! The motivations are clear: grab sensitive data and then hold it hostage until payment arrives. If payment is not provided, expose the data on the Internet, where it is either incriminating or will significantly impact a revenue stream the business is counting on.

Why is this happening? Outside of the motivations of the attackers (which are covered in lurid detail elsewhere), the problem is a mismatch between the intent of the business and the legacy thinking of security. The business has decided it cannot live within the four walls of its operations. Rather, it has embraced Cloud, SaaS, PaaS and now remote work in the name of productivity and profits. The result: data and employees are everywhere. Security, on the other hand, still lives in the pre-Cloud era. Even though new frameworks to secure the enterprise are available, security still relies on old methodologies, even in an era of Cloud and AI.

In fact, security often rebuilds solutions of the past to protect our future. Case in point: the enterprise firewall. Born in the pre-Cloud timeframe (2005), it is, in the majority of cases, still the security tool the company relies on. Much like the famed Maginot Line built to protect France from Germany after WWI, the firewall provides a clear demarcation between civilization and the barbarians. In firewall parlance, you are either behind the firewall (trusted) or outside the firewall (untrusted). While the enterprise firewall can get granular about the policies that allow or disallow traffic, the ugly truth is that at a certain point the firewall rule base becomes overly complex and therefore risky to change. The result? While it is the focal point for security, this tool breeds complexity, which creates gaps in the lines of protection, and businesses are exploited the way the Germans went around the French line in 1940.

How do we move beyond?

To make a meaningful impact on the scourge of ransomware, we need to realize we are in a new era. The period of static defense is over. Applications, data and employees are now distributed. Additionally, businesses now rely on 3rd parties for critical business functions. Thus business and security need to align by embracing two frameworks. The first framework we need to move to is zero trust.

Framework One – Zero Trust

Coined by John Kindervag and Chase Cunningham, zero trust starts by assuming breach. The concept is to build a resilient security strategy based on protecting the assets which matter most to the company. It calls for segmenting virtual and physical systems into a series of “air tight” compartments based on business function (called protect surfaces). For instance, the key financial systems are segmented off, with access available only to those who need it. Doing so reduces the blast radius of a compromise. If an attacker breaches the website, the impact does not extend to the warehouse system, the customer relationship application or the credit card payment mechanism. The ability to move laterally within a company and explore the network for treasure becomes highly challenging. Zero trust also calls for constant monitoring of the protect surfaces. It’s not enough to create a series of barriers and call it good. Rather, you need to insert a feedback loop to understand whether the mechanism is working or needs to be improved. While Zero Trust has gained a lot of attention lately, adoption has been slow. A recent report stated 61% of companies are still defining their Zero Trust initiative and only 35% say they will implement one “soon”.

Framework Two – SSE

The second framework to consider is the Security Service Edge (SSE). SSE is a solution coined by the analyst firm Gartner in 2019 as part of the larger umbrella, Secure Access Service Edge (SASE). What SSE looks to do is extend security services to where they matter: services that meet the employee, the data or the application where they live. It starts by creating a security fabric using what are called Points of Presence (PoPs), where services such as secure web filtering, SaaS and data controls, along with risk-based authentication measures, are leveraged. In the past, many of these services resided in the private data center as point products, separate and not integrated. With SSE, these same services are improved and transition to a Cloud-delivered security service which operates as a cohesive, unified platform extended across the globe, as opposed to living in a central corporate data center. With SSE, traffic is routed to a global network where it can be both optimized and secured to provide both speed and security. SSE can also leverage the concepts of zero trust to provide employees and 3rd parties access to only the applications and data they require to conduct their role in the business. OK, it all sounds amazing and great, right? But how do Zero Trust and SSE help defend the business from ransomware?

Bringing together – Aligning Security for the Modern Era

First, they work together to eliminate the “attack surface”. Only authorized users who pass a series of “risk-based authentication” controls (going beyond password and MFA) are allowed to access the specific applications assigned to them. This greatly reduces the number of systems discoverable by an attacker and “cloaks” the rest of the systems from lateral movement for reconnaissance and compromise. Second, with SSE, traffic can be inspected for indicators of compromise. As SSE leverages the power of the Cloud, encrypted packets can be decrypted at scale. You are not limited to the size of a firewall ASIC, where you need to decide what traffic to inspect vs pass through the system. Additionally, you can apply treatments such as data loss prevention technologies to check whether sensitive files containing social security numbers are being downloaded from O365 and sent to Dropbox. Lastly, you can control the IT landscape of applications with an SSE-based Cloud Access Security Broker. This allows for granular controls over SaaS-based applications as well as providing visibility into unsanctioned cloud applications and software (a vector of compromise).
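To make the three controls above concrete, here is an added example (not code from the article or from Axis Security) of a minimal SSE-style policy check: need-to-access application assignment per role, a CASB sanctioned-app list, and a DLP scan for US Social Security numbers in a file leaving a sanctioned app for an unsanctioned one. The roles, app names and file text are constructed samples.

```python
"""Added example: SSE-style policy check (need-to-access, CASB sanctioned
apps, DLP for SSNs). Not the article's or any vendor's code; all names
and sample data are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed: which applications each role may reach (the "protect surface"
# assignment), and which SaaS destinations the CASB sanctions.
ROLE_APPS = {
    "finance": {"o365", "erp"},
    "warehouse": {"o365", "wms"},
}
SANCTIONED_APPS = {"o365", "erp", "wms"}

# SSN format plus the structural rules the SSA publishes: area not
# 000/666/900-999, group not 00, serial not 0000. This keeps obvious
# dummy numbers from triggering a block.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Transfer:
    user: str        # identity that passed risk-based authentication
    role: str        # business function used for need-to-access
    source_app: str  # where the file is being downloaded from
    dest_app: str    # where the file is being sent
    content: str     # decrypted file text available for inspection


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN found in the text."""
    return SSN_RE.findall(text)


def evaluate(t: Transfer) -> tuple[str, str]:
    """Return (verdict, reason) for one outbound transfer."""
    # 1. Need-to-access: the role must be assigned the source application.
    if t.source_app not in ROLE_APPS.get(t.role, set()):
        return "deny", f"{t.role} is not assigned {t.source_app}"
    # 2. CASB: unsanctioned destination is shadow IT; 3. DLP decides severity.
    if t.dest_app not in SANCTIONED_APPS:
        hits = find_ssns(t.content)
        if hits:
            return "block", f"{len(hits)} SSN(s) bound for unsanctioned {t.dest_app}"
        return "alert", f"unsanctioned destination {t.dest_app} (shadow IT)"
    return "allow", "sanctioned destination"
```

The "alert" verdict is the visibility feedback loop the article asks for: unsanctioned destinations are logged even when no sensitive data is present.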

It’s time to retire the static defenses of the past and align the business with security. While the enterprise firewall will remain a tool in the security toolbox, making the move to zero trust and SSE will provide the active defense required in today’s threat landscape (one defined by ransomware). The business requires Cloud and remote work. Distributed IT is here to stay. It’s now security’s time to step up its game! Start making the move to Zero Trust and SSE today.
