As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Chad Skipper, the Global Security Technologist at VMware, shares insights on preventing ransomware and lateral movement threats.
The proliferation of ransomware is sobering. In 2016, on average, a business fell victim to a ransomware attack every 40 seconds at the cost of $1 billion annually. By the end of 2019, it was every 14 seconds. According to Cybersecurity Ventures., the current frequency is every 11 seconds, with global damage estimated at around $20 billion.
Along with the ransomware numbers, cyber-attack severity is growing as threat groups innovate and infiltrate more organizations. It’s time for those in the security trenches to double-down on technologies that help our businesses gain complete visibility – as you can’t protect what you can’t see. Ultimately, this will help us defend against cyber-attacks, like ransomware, more effectively.
This is especially urgent as many ransomware attacks involve some type of double extortion. That’s when bad actors trade the stolen data and sell it to third parties as well as ransom the same data back to the business, effectively doubling their gain. This is becoming a favored tactic of well-funded syndicates specializing in ransomware as a service. Adversaries remain upwards of 287 days before businesses even detect they’ve been breached, according to IBM’s X-Force Threat Intelligence Index 2021. And that’s beyond unacceptable.
At the heart of a better approach is to improve visibility. Traditional, appliance or agent-based security solutions can’t see internal traffic. That leaves you blind to malicious activity for long periods of time. In other words, if you can’t see it, you can’t protect it. And perimeter firewalls designed for north-south traffic today are ineffective at delivering the control and performance needed to defend dynamic workloads. What’s needed is a distributed, granular enforcement model for securing east-west traffic that starts with visibility into every network packet.
I’m an advocate for 100 percent visibility, especially into east-west traffic, through observability which increases fidelity and efficacy while reducing operational cost and complexity. Today, VMware delivers three core technologies providing visibility into every single packet traversing multi-cloud environments:
Intrusion Prevention/Intrusion Detection
With VMware’s distributed firewall capabilities, teams can see nefarious actions quickly, including remote code execution or the beginning of an adversary’s command and control activity. If a bad actor gains control, VMware NSX Distributed IDS/IPS detects east-west movement between servers, for example, which can be due to open ports inside a data center that allow bad actors to continue exploiting vulnerabilities within the environment. A better defense is to apply micro-segmentation when an application or workload is deployed, effectively reducing the blast radius of a compromised host.
Organizations are in great need of insights, and getting them is best accomplished by inspecting all payloads shared within multi-cloud environments. A full system emulated network sandbox is integrated into the VMware hypervisor to enable inspection of payloads (even encrypted traffic) being shared across the infrastructure. This technology detects malicious artifacts and prevents them from being executed and proliferating. This hypervisor-enabled network sandbox is ideal for preventing the lateral spread of malware within your multi-clouds.
Network Traffic Analysis and Detection Response
Another best practice is to choose a technology that baselines all the traffic inside the multi-cloud environment, cataloging protocols to detect anomalous activity. Because not all anomalies are malicious—it could simply be an unusual time for someone to access a system—this technology also assesses whether the anomalous network is even security-relevant. We leverage the labeled behaviors and network traffic generated by analyzing millions of samples daily. And we use our deep security domain expertise to make sure that we pick the right features and suitable algorithms. Our technology uses individual threat actor events from initial access discovery to lateral movements to data collection to exfiltration and destruction to create a timeline of what that threat actor does to help pinpoint threats. The technology significantly reduces false positives by labeling behaviors and network traffic rather than analyzing millions of samples daily.
The end goal, of course, with all three actions is to prevent attackers or reduce dwell time in the organization—a goal only possible by ensuring visibility into every single packet inside of the network. When it comes to preventing disruptive ransomware attacks, I believe the more we security pros can help our organizations see, the better we will be at helping our businesses keep data safe.
- 3 Keys to Preventing Ransomware and Lateral Movement Threats - June 24, 2022