Layered Protection: The Only Cure for the Ransomware Epidemic

by Raimund Genes

What’s the number one challenge facing CISOs today? It’s not compliance, budgetary concerns, securing cloud computing or even data breaches – as important as all of these issues are. It’s ransomware. Every day there seems to be a new outbreak. The latest is a double-edged attack campaign apparently combining ransomware and DDoS. But while many cybercriminals are keen to exploit your organisation’s weakest point – its users – via web and email channels, some are looking to attack other parts of the IT infrastructure such as the network and servers.

That’s why CISOs need to ensure their organisation implements layered protection covering all possible weak points. It’s the only way to ensure you stand the maximum chance of avoiding ransomware infection.

A global threat
It’s difficult to effectively gauge the global scale of the ransomware problem facing us today. But Trend Micro alone blocked 99 million such threats between October 2015 and April this year. And that’s likely to be just the tip of the iceberg. Be in no doubt, this is now a major enterprise threat which can lead to business disruption, loss of productivity, damage to brand reputation and potentially even legal repercussions.

Ransomware used to be a mainly consumer and end user problem. But that’s changing, as the black hats go after targets they think will generate a bigger RoI, and find ways of bypassing traditional tools. So while many organisations think it’s enough to put security in at the email and web gateway, they may be leaving themselves exposed to other avenues of attack. No security is 100% effective, so what if an infected end user accesses a file server that hasn’t been patched, for example? Failing to put in place adequate server security might have just locked all your users out of their data.

The answer is layered security covering the gateway, endpoint, network and server. Let’s take a look at each layer in turn.

Web and email gateway
The most popular vectors for ransomware are still malicious email attachments and URLs. So put security in here and you can stop the vast majority of ransomware threats from ever reaching your employees. Even if you’re using a cloud platform with its own security protections, you might want to enhance this with a third party vendor. Some important capabilities to look out for include:

  • Malware scanning and file risk assessment
  • Sandbox malware analysis
  • Document exploit detection
  • Web reputation

When it comes to the web gateway, it’s all about real-time web reputation, sandbox analysis and scanning for zero-day and browser exploits.

Endpoint
Whatever your email/web filters don’t stop can be picked up at the next level – the endpoint – further protecting staff from ransomware. Look out for vulnerability shielding for unpatched flaws, and security solutions which offer behavioural monitoring and application whitelisting capabilities.

Network
It’s not all about the email and web channels. Other network protocols are at risk too. Network visibility is therefore essential if you’re to root out ransomware at this layer. With the intelligence this generates you can scope and remediate the issue and take steps to lock down avenues of future attack.

You need a solution which can detect possible ransomware across all network traffic, ports and protocols; features advanced sandbox analysis; and can integrate with email, web, endpoint and server security to share intelligence.

Server
Servers are where your most valuable data resides, so it’s only natural that ransomware attackers are increasingly focusing their efforts here. Efforts to secure them are complicated by today’s IT environments, which often see a mix of physical, virtual and cloud systems – creating gaps that the black hats are more than capable of exploiting.

Lock down risk by choosing security which features virtual patching capabilities. This will shield servers from exploits of software flaws that could be used to inject ransomware, and will also keep end-of-support systems like Windows 2003 safe. Security should also be capable of raising the alarm if ransomware is attempting to infiltrate the datacentre, and of blocking any lateral movement to additional servers. You can find more on Trend Micro’s approach to securing the data centre here.

In the end, it’s all about taking preventative measures to minimise the risk of a ransomware infection. That means layered defence. But it should also include best practice steps including network segregation, user education, automated back-ups and tightening user access controls.

Head over to stand D25 at Infosec to discuss this and other topics further with us: 7th-9th June 2016!
