Modern ransomware uses advanced attack techniques that make it difficult to detect and remediate, resulting in greater financial implications for many organisations. To have a chance of getting ahead of attackers, defences also need to evolve. Here, Trevor Dearing, Technical Director, EMEA, Illumio, highlights how Zero Trust segmentation can stop ransomware in its tracks, as well as how Illumio works with CISOs to implement robust ransomware prevention strategies.
How has modern ransomware evolved to a point where it’s now difficult to remediate an attack?
Even though ransomware still uses many traditional exploit methods, the middleware – the bit that controls the ransomware – has got more sophisticated.
Many reports highlight that it can take up to 160 days to detect ransomware as it will often sit and do nothing for a while. Trying to detect it with things like behavioural anomaly detection becomes quite difficult.
In addition, the bad guys are using more acceptable methods of delivery. For example, they’ll deliver a piece of ransomware in a spreadsheet or a Word document, where you don’t necessarily have to click on a website link to become infected.
Some of these things make ransomware difficult to remediate against and we’re seeing that reflected in the uptick of incidents, as well as the fact that attackers are targeting industries where organisations may be less sophisticated and resilient in their responses.
What are the financial implications of these types of attacks for organisations?
Each year, the Ponemon Institute releases its Cost of a Data Breach Report. It says that on average, the cost of a breach is around US$3.6 million. The reality is that the longer it takes to identify, mitigate and resolve an attack then the higher the cost.
The impact of the changing techniques is that, because they’re slower, the impact can be bigger as they infect more resources. Attackers are always looking for the highest value so if you’re a manufacturer, they’re looking to stop your manufacturing function and if you’re a customer-facing organisation, they’re looking to lock up your customer database. The impacts can be much bigger.
What are the shortcomings of existing security practices for ransomware prevention?
Historically, there’s been an overreliance on detection. For many years we’ve tried to be much more sophisticated in how we detect an attack and we’ve got better at that, having moved away from signatures and using more threat intelligence feeds.
But because of the way that ransomware moves and the way it works, it becomes quite difficult to detect. Once detected, remediation can be quite quick, dependent on what the impact is. The danger is that by the time ransomware is detected, it could have spread significantly and it then takes a long time to resolve. We need to mix the detection with an amount of prevention and protection in the front end.
How does an ‘assume breach’ posture prevent total infection?
By assuming that they’re going to get attacked, organisations can put preventative measures in place early, rather than waiting to deal with the aftermath of an attack.
To move around, ransomware uses ports like RDP or SSH, for example. If we can control that and stop the movement then it becomes much easier to control and remediate those attacks, ultimately lessening the impact and reducing the cost implications.
What are the key benefits of Zero Trust segmentation when it comes to ransomware prevention, particularly when used alongside additional controls?
If you can start to ring-fence applications and stop them from communicating with other applications or databases on ports that ransomware will typically use, you can do this.
We have examples of customers who have experienced an attack where perhaps 10 servers get infected out of a thousand but, by using Zero Trust segmentation alongside other controls, they’re able to remediate, clean up, roll back and do all the things required to stop ransomware on those servers.
It means that instead of a breach where you’re losing data and it’s costing money, you’re stopping it there and then in its tracks.
While there isn’t a single silver bullet to stop ransomware, you need to go through several stages.
First, build your protection and have the capability to hit an automated big red button if you do detect ransomware. That brings the shutters down and stops everything from moving. Then use the remediation controls that exist within your next-gen antivirus or your EDR to find where it is and remove it.
How can organisations ensure scalability of Zero Trust and how important is automation for this?
We always say, ‘don’t try and eat the whole elephant’. Do it a piece at a time. When looking at the origins of Zero Trust and the documents written around that at the start, it identified the need to identify the key assets that you want to protect: to stop thinking about an attack surface and start thinking about a protected surface.
Once you’ve identified those things you want to protect, you can then effectively ring-fence them and isolate them in stages, starting with the things that are most important and then working through the others.
People get very daunted by Zero Trust as it can seem like a huge project, but if you take it slice by slice, you can do it in any organisation at any scale.
How does Zero Trust segmentation also enable protection against other threats?
Everyone gets very focused on ransomware because it makes for some shocking headlines, but there are a lot of other attacks out there. Many use the same delivery mechanisms as ransomware so if we can stop those, we can stop any attack that uses that method.
Any attacker will want to get into an organisation, find high-value assets and attack, either stealing the data or blocking it or whatever it happens to be. So, by segmenting, you’re stopping that sort of activity from happening. It’s as valid for other attacks as it is for ransomware.
How does Illumio support CISOs to implement a robust Zero Trust strategy for ransomware prevention?
The key to what we offer is simplicity. We use the firewall within the workload to be able to control communication between any two workloads. By doing that, we can block and allow certain different types of traffic.
It’s done either from an automated perspective through an API or third party, or you have a map of your organisation where you can click on links and apply rules, or just apply a global rule that says, ‘stop RDP, stop SMB’, for example.
Zero Trust is different to traditional security, where in the past you were trying to identify what was bad and stop it. It’s now about identifying what is good and allowing it and that gives you a much easier population to approach.
Being able to do that with a couple of clicks of the mouse makes a difference.
With Illumio, once you’ve clicked, you’re away and the fact that you can test any rules that you put in place before you enforce them just makes that whole process much simpler.
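The allow-list model described in these answers (allow the known-good flows, block lateral-movement ports such as RDP and SMB everywhere else, test a rule set before enforcing it, and keep an automated “big red button” that shuts lateral movement down) can be sketched as a small policy evaluator. This is an added illustration, not Illumio’s code or its rule format; the workload labels, ports and flow records are constructed for the example.

```python
# Added example: a default-deny, allow-list segmentation policy with a test mode
# and an emergency lockdown switch. Not Illumio code; flows and labels are constructed.
from dataclasses import dataclass

RDP, SSH, SMB = 3389, 22, 445
LATERAL_PORTS = {RDP, SSH, SMB}      # ports commonly used to move between workloads

@dataclass(frozen=True)
class Flow:
    src: str    # source workload label, e.g. "web"
    dst: str    # destination workload label
    port: int   # destination port

class SegmentationPolicy:
    """Only explicitly allowed (src, dst, port) triples pass; everything else is denied."""
    def __init__(self, allowed, mode="test"):
        self.allowed = set(allowed)
        self.mode = mode          # "test" reports would-be blocks; "enforce" blocks them
        self.lockdown = False     # "big red button": block lateral ports even if allowed

    def evaluate(self, flow):
        """Return 'allow', 'block' or 'would_block' for one observed flow."""
        if self.lockdown and flow.port in LATERAL_PORTS:
            return "block"
        if (flow.src, flow.dst, flow.port) in self.allowed:
            return "allow"
        return "block" if self.mode == "enforce" else "would_block"

def review(policy, flows):
    """Group flows by verdict so a rule set can be checked before it is enforced."""
    verdicts = {}
    for f in flows:
        verdicts.setdefault(policy.evaluate(f), []).append(f)
    return verdicts

# Constructed sample flows, as if read from workload firewall logs.
SAMPLE_FLOWS = [
    Flow("web", "db", 5432),            # normal application traffic
    Flow("jump", "db", RDP),            # administrator access via a jump host
    Flow("web", "db", RDP),             # the web tier should never RDP to the database
    Flow("web", "hr-fileshare", SMB),   # nor reach a file share over SMB
]
ALLOWED = {("web", "db", 5432), ("jump", "db", RDP)}

def run_demo():
    policy = SegmentationPolicy(ALLOWED, mode="test")
    in_test = review(policy, SAMPLE_FLOWS)      # nothing blocked yet, only reported
    policy.mode = "enforce"
    enforced = review(policy, SAMPLE_FLOWS)     # unlisted flows now blocked
    policy.lockdown = True
    locked = review(policy, SAMPLE_FLOWS)       # RDP/SSH/SMB blocked everywhere
    return in_test, enforced, locked
```

Reviewing the `would_block` list in test mode is the step that catches a legitimate flow (here the jump-host RDP session) before enforcement breaks it.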