How SASE Helps Protect Against Ransomware

Forbes Technology Council

Etay Maor is Senior Director, Security Strategy for Cato Networks, a developer of advanced cloud-native cybersecurity technologies.

Experts project global ransomware damage costs to reach $265 billion by 2031. It’s safe to assume the ransomware epidemic won't abate any time soon. For attackers, it’s easy money with little repercussions. For organizations, it’s a lot more than simply losing the ransom money. Ransomware can easily make businesses unviable.

What’s Really At Stake With Ransomware?

For starters, without data and applications, most operations come to a halt once ransomware hits. Even with a robust ransomware plan, full-scale restoration could take weeks. Second, attackers are now exfiltrating data before encrypting it. These so-called double-extortion ransomware attacks start a vicious cycle of blackmailing and repeated ransom demands.

Having sensitive data exposed publicly is worse than simply losing access to it. A flood of lawsuits and legal fines may follow, along with irreparable reputational damage. Many businesses can’t ever recover from these unquantifiable costs.

How Can SASE Help?

There's no panacea for ransomware. Prevention and containment are the only strategies when there's no cure. Even that requires ubiquitous security with global visibility and constant monitoring—cloud-native attributes of SASE (secure access service edge) that can help organizations build a multilayered defense for combating ransomware in three ways:

1. Prevention: Honing Threat Intelligence Feeds

Threat intelligence feeds from various open-source, shared communities and commercial providers can help identify prevalent ransomware and attack patterns. However, even high-quality feeds generate staggering numbers of false-positive alerts. Frequent false positives exhaust security teams and may delay response to legitimate ransomware alerts.

The intrusion prevention system (IPS) native to SASE nearly eliminates false positives with its ubiquitous visibility across networking and security events. In a SASE architecture, the IPS can use machine learning and artificial intelligence (AI) to correlate networking data, such as the target domain or IP's history with legitimate traffic, with indicators of compromise (IoCs) from threat intelligence feeds to identify false-positive alerts.
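The correlation described above can be illustrated with a small triage routine. This is an added example written for this page, not Cato Networks code: the IoC feed, the flow history, the scoring weights and the block/review/suppress thresholds are all constructed assumptions. The idea it demonstrates is that an IoC hit against a destination the whole fleet has contacted steadily for weeks is far more likely a false positive than one no host has ever talked to, and that suppressed hits stay in the output so they remain auditable.

```python
"""Triage threat-intelligence IoC hits against the destination's traffic history.

Added example for this article; it is not Cato Networks code. The feed,
flow records, thresholds and the scoring rule below are constructed
assumptions: a destination that many hosts have contacted steadily for weeks
before it appeared in a feed is far more likely a false positive than one
nobody on the network has ever talked to.
"""
from datetime import date, timedelta

# Constructed IoC feed: indicator -> (source, confidence 0..100)
IOC_FEED = {
    "updates.example-vendor.test": ("open-source feed", 70),
    "203.0.113.9": ("shared community", 60),
    "ransom-c2.example.invalid": ("commercial feed", 90),
}

# Constructed flow history: (day, source host, destination). Every workstation
# has fetched updates from the vendor host daily for a month; one host touched
# 203.0.113.9 once; the C2 domain has never been seen on this network.
FLOW_HISTORY = [
    (date(2024, 3, 1) + timedelta(days=d), f"ws-{h:02d}", "updates.example-vendor.test")
    for d in range(29)
    for h in range(1, 6)
] + [(date(2024, 3, 29), "ws-03", "203.0.113.9")]

# Constructed alerts raised today by matching traffic against IOC_FEED
TODAY = date(2024, 3, 30)
TODAY_HITS = [
    ("ws-01", "updates.example-vendor.test"),
    ("ws-03", "203.0.113.9"),
    ("ws-07", "ransom-c2.example.invalid"),
]


def destination_history(flows, destination, before):
    """Return (distinct days seen, distinct hosts seen) for a destination
    strictly before the given date."""
    days, hosts = set(), set()
    for day, host, dst in flows:
        if dst == destination and day < before:
            days.add(day)
            hosts.add(host)
    return len(days), len(hosts)


def score_hit(confidence, days_seen, hosts_seen):
    """Discount feed confidence by how established the destination is.
    The weights are assumptions chosen for illustration."""
    return confidence - 2 * min(days_seen, 30) - 2 * min(hosts_seen, 10)


def triage(hits, flows, feed, today):
    """Classify each IoC hit as 'block', 'review' or 'suppress'.
    Suppressed hits are still returned so they remain auditable."""
    results = []
    for host, dst in hits:
        source, confidence = feed[dst]
        days, hosts = destination_history(flows, dst, today)
        score = score_hit(confidence, days, hosts)
        if score >= 80:
            verdict = "block"
        elif score >= 40:
            verdict = "review"
        else:
            verdict = "suppress"
        results.append({"host": host, "indicator": dst, "source": source,
                        "days_seen": days, "hosts_seen": hosts,
                        "score": score, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(TODAY_HITS, FLOW_HISTORY, IOC_FEED, TODAY):
        print(f"{r['verdict']:8} score={r['score']:3} {r['indicator']} "
              f"(seen {r['days_seen']} days by {r['hosts_seen']} hosts) from {r['host']}")
```

Run as a script, the vendor update host is suppressed (score 2), the once-seen IP is queued for review (score 56) and the never-seen C2 domain is blocked (score 90). A real deployment would feed the history from flow telemetry rather than a list, and the discount would be tempered by feed confidence so that a newly compromised but long-trusted vendor host is not silently suppressed.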

Although traditional anti-malware prevents known ransomware strains based on global threat intelligence databases, SASE’s anti-malware component takes it a step further. It enjoys the same ubiquitous view of all user and location data to establish baselines and acceptable behavior patterns. And it correlates this data using machine learning and AI to recognize and block zero-day attacks and polymorphic malware.

2. Detection: Identifying And Blocking Suspicious Activities

The IPS can block perpetrators from remotely delivering ransomware to machines. But a machine may still be compromised via other attack vectors, like an infected USB device. Once the payload is delivered, the ransomware will try to establish a connection with the command-and-control server to communicate with the attackers to receive further instructions, exchange encryption keys and/or exfiltrate data. Typically, ransomware encrypts data only after this exchange occurs.

SASE's IPS has a complete view of network events and knowledge of target IPs' reputations. It can identify and subsequently block such attempts to communicate with command-and-control servers. For variants that encrypt local storage the moment they hit, the IPS detects the ransomware's attempts to further encrypt network-attached storage via the server message block (SMB) protocol. SASE's IPS prevents the ransomware's attempts to change file extensions and leave a ransom note. It also has unique access to data and capabilities to detect ransomware based on its characteristic network activities.
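The two SMB behaviours named above, a burst of extension-changing renames and the writing of a ransom note, can be turned into concrete detection logic. The following is an added example written for this page, not Cato Networks code: the audit-log format, the sample lines, the extension allowlist, the note-name pattern and the five-renames-in-sixty-seconds threshold are all constructed assumptions.

```python
"""Flag ransomware-style behaviour on SMB shares from file-server audit logs.

Added example for this article, not Cato Networks code. The log format,
sample lines, thresholds and note-name pattern are constructed assumptions.
It looks for the two behaviours the article names: a burst of renames that
change file extensions and the writing of a ransom note.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) share=(?P<share>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+)(?: new_path=(?P<new_path>\S+))?$"
)
# Extensions a rename may legitimately introduce (constructed allowlist)
COMMON_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".csv", ".bak", ".tmp", ".zip"}
# File names that look like a ransom note (constructed pattern)
NOTE_RE = re.compile(r"(readme|restore|recover|decrypt|how_to)[^/]*\.(txt|html|hta)$", re.I)

# Constructed audit log: ws-02 edits a spreadsheet normally; ws-07 renames
# six documents to a new extension within half a minute and drops a note.
SAMPLE_LOG = """\
2024-03-30T10:00:01 host=ws-02 share=fs01/finance op=WRITE path=budget.xlsx
2024-03-30T10:00:07 host=ws-02 share=fs01/finance op=RENAME path=budget.xlsx new_path=budget_v2.xlsx
2024-03-30T10:05:00 host=ws-07 share=fs01/finance op=RENAME path=q1.docx new_path=q1.docx.lock9
2024-03-30T10:05:03 host=ws-07 share=fs01/finance op=RENAME path=q2.docx new_path=q2.docx.lock9
2024-03-30T10:05:06 host=ws-07 share=fs01/finance op=RENAME path=plan.pdf new_path=plan.pdf.lock9
2024-03-30T10:05:10 host=ws-07 share=fs01/finance op=RENAME path=payroll.xlsx new_path=payroll.xlsx.lock9
2024-03-30T10:05:14 host=ws-07 share=fs01/finance op=RENAME path=vendors.csv new_path=vendors.csv.lock9
2024-03-30T10:05:20 host=ws-07 share=fs01/finance op=WRITE path=RESTORE_FILES.txt
2024-03-30T10:05:25 host=ws-07 share=fs01/finance op=RENAME path=notes.txt new_path=notes.txt.lock9
"""


def parse(log_text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def changes_extension(old, new):
    """True when a rename introduces an extension outside the allowlist."""
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    return new_ext != old_ext and new_ext not in COMMON_EXTENSIONS


def detect(log_text, window=timedelta(seconds=60), rename_threshold=5):
    """Return {host: [findings]} for hosts showing ransomware-like SMB activity."""
    findings = defaultdict(list)
    rename_times = defaultdict(list)   # host -> timestamps of suspicious renames
    burst_reported = set()             # report each host's burst only once
    for e in parse(log_text):
        host = e["host"]
        if e["op"] == "RENAME" and e["new_path"] and changes_extension(e["path"], e["new_path"]):
            times = rename_times[host]
            times.append(e["ts"])
            while times and e["ts"] - times[0] > window:   # slide the window
                times.pop(0)
            if len(times) >= rename_threshold and host not in burst_reported:
                burst_reported.add(host)
                ext = os.path.splitext(e["new_path"])[1]
                findings[host].append(
                    f"{len(times)} extension-changing renames to '{ext}' on {e['share']} "
                    f"within {int(window.total_seconds())}s")
        elif e["op"] in ("WRITE", "CREATE") and NOTE_RE.search(os.path.basename(e["path"])):
            findings[host].append(f"possible ransom note {e['path']} on {e['share']}")
    return dict(findings)


if __name__ == "__main__":
    for host, items in detect(SAMPLE_LOG).items():
        for item in items:
            print(f"{host}: {item}")
```

On the sample log only ws-07 is flagged, first for the rename burst and then for the note; the benign rename on ws-02 keeps its extension and is never counted. The allowlist keeps ordinary workflows (saving a .bak, zipping a folder) out of the rename count, which is the same false-positive concern the article raises for threat-intel feeds.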

3. Containment: Preventing Lateral Movement

Another characteristic of ransomware is that it’s designed to move laterally across the network to compromise as many connected devices and data as possible. Once inside, ransomware can move freely without further authentication with a traditional perimeter security approach.

SASE's zero-trust approach to application and resource access ensures that users and hosts can access only the resources they are explicitly authorized for, and authentication occurs for each access request. All network traffic is also constantly monitored for anomalies and malicious behaviors, such as attempts to access unauthorized resources. This limits the attack surface and confines the ransomware to its initial target if it somehow gets inside. This way, ransomware can't encrypt any significant amount of data.
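The per-request, default-deny evaluation described above, together with the monitoring of denied attempts, can be sketched as a small policy engine. This is an added example written for this page, not Cato Networks code: the identity store, device posture, role policy, request stream and the "denied on three or more distinct resources" alert threshold are constructed assumptions.

```python
"""Per-request zero-trust authorization with lateral-movement signalling.

Added example for this article, not Cato Networks code. The identities,
device posture, policy and the denial threshold are constructed assumptions.
Every request is evaluated on its own: nothing is allowed by virtue of being
'inside' the network, and the default answer is deny.
"""
from collections import defaultdict

# Constructed least-privilege policy: role -> resources it may reach
POLICY = {
    "finance": {"erp", "fs01/finance"},
    "engineering": {"git", "ci", "fs01/builds"},
}
# Constructed identity store; mfa marks whether the session was MFA-verified
USERS = {
    "alice": {"role": "finance", "mfa": True},
    "bob": {"role": "engineering", "mfa": True},
    "svc-backup": {"role": "engineering", "mfa": False},
}
# Constructed device posture as reported by the endpoint agent
DEVICES = {
    "ws-01": {"managed": True, "edr_healthy": True},
    "ws-07": {"managed": True, "edr_healthy": False},
    "byod-9": {"managed": False, "edr_healthy": False},
}


def authorize(user, device, resource):
    """Return (allowed, reason). Default deny: every check must pass."""
    ident = USERS.get(user)
    posture = DEVICES.get(device)
    if ident is None or posture is None:
        return False, "unknown user or device"
    if not ident["mfa"]:
        return False, "session not MFA-verified"
    if not (posture["managed"] and posture["edr_healthy"]):
        return False, "device posture failed"
    if resource not in POLICY.get(ident["role"], set()):
        return False, f"role '{ident['role']}' not authorized for {resource}"
    return True, "allowed"


def evaluate(requests, denial_threshold=3):
    """Authorize each request independently and flag any (user, device) pair
    denied on at least denial_threshold distinct resources: a compromised host
    probing shares it has no business with looks exactly like this."""
    decisions = []
    denied = defaultdict(set)
    for user, device, resource in requests:
        ok, why = authorize(user, device, resource)
        decisions.append((user, device, resource, ok, why))
        if not ok:
            denied[(user, device)].add(resource)
    alerts = [f"{u}@{d} denied on {len(r)} resources: {sorted(r)}"
              for (u, d), r in denied.items() if len(r) >= denial_threshold]
    return decisions, alerts


# Constructed request stream: normal work from ws-01, then a process on the
# unhealthy ws-07 fanning out across every share and service it can name.
REQUESTS = [
    ("alice", "ws-01", "erp"),
    ("alice", "ws-01", "fs01/finance"),
    ("alice", "ws-01", "git"),
    ("bob", "ws-07", "git"),
    ("bob", "ws-07", "fs01/finance"),
    ("bob", "ws-07", "erp"),
    ("bob", "ws-07", "fs01/builds"),
    ("svc-backup", "byod-9", "ci"),
]

if __name__ == "__main__":
    decisions, alerts = evaluate(REQUESTS)
    for user, device, resource, ok, why in decisions:
        print(f"{'ALLOW' if ok else 'DENY ':5} {user}@{device} -> {resource}: {why}")
    for a in alerts:
        print("ALERT", a)
```

Alice reaches her two finance resources and is refused git; bob's otherwise valid identity is refused everywhere because ws-07 has lost its EDR agent, and the four denials from that one host raise the lateral-movement alert. The point is that authorization is re-decided on every request from identity, device and resource together, so a foothold on one machine does not carry over to the next share.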

Final Thoughts: Security Everywhere

Because of ransomware’s horrific implications, organizations may feel compelled to focus entirely on preventing the threat. Yet, believing that the risk of ransomware can be completely averted is unrealistic. But it makes sense to erect multilevel security defenses to ensure everything doesn't come crashing down with a single breached layer.

A holistic view of traffic and resources across all edges and locations is imperative. Separating security from networking information creates a fragmented view, providing visibility loopholes for attackers to leverage. Access to global data combined with deep analytics capabilities can virtually render ransomware harmless and fairly easy to recover from.

Finally, employees also play a vital role in preventing ransomware. Even SASE’s comprehensive security doesn't eliminate the need for employee cybersecurity awareness training to identify and thwart phishing attempts. Organizations simply don’t stand a chance against stealthy and vicious ransomware threats until they fill all the gaps and implement a defense-in-depth strategy.

