Ransomware, and Why Organizations of All Sizes Should Evaluate Network Segmentation

You’ve probably read or discussed the news articles and public disclosures.

A major bank gets hacked, the personal data of 100 million customers falls into the wrong hands, and it costs the bank hundreds of millions of dollars to fix.

A major U.S. municipality is held ransom for database control, forcing it to rely on old-school data-keeping methods as it courageously defies the extortive criminal demands.

How can these kinds of attacks succeed in today’s cyber-vigilant day and age?

The aforementioned are just the high-profile cases. Below the radar of the headlines, smaller companies encounter spoofing ploys, ransomware and evolving malware, and every day too many of them are compromised or deceived into sending funds to a cybercriminal.

There will always be human error and cyber-villains seeking to capitalize on it, so what can we actually change? The answer lies in an evolving security architecture and in how we define next-generation network segmentation.

Traditional Security Architectures Pose Risks

Nearly every damaging corporate cyber-assault is a lesson in unsound traffic patterns, network blind spots, organizations not sufficiently insulating their crown jewels, not properly segmenting network traffic, and not adequately shoring up endpoint protection and access control against powerful automated takeover attacks.

It’s nobody’s fault, really. The private network has changed: it has become more complex, a WAN without boundaries. You have users connecting into the private network while they are also plugged into transaction points on the Internet and in the cloud that are outside your network security team’s control, some of them potentially vulnerable. Do you want to allow traffic and files from the Internet and multiple cloud access points to merge with important private network traffic and databases over common pathways? From a sound central security perspective, the twain should never meet.

What’s more, cybersecurity skills, especially in cloud network security, are in short supply, and network and IT departments have to wear many other hats in their jobs. It gets challenging to structure network patterns that keep roaming users connected and satisfied while also prohibiting sneaky lateral movement of suspicious or known threats. A zero trust network approach must not result in an unintended plethora of zero-access lines. Connection hurdles can hurt your business: employees still need to get data and communicate.

Network Segmentation, Microsegmentation, and Access Control

Your users are traversing myriad websites and Internet access points, downloading tools, plugging in at public charging stations and then connecting to private enterprise assets. Network segmentation is about restricting direct gateways into the heart of the business so that traffic flow patterns don’t inadvertently put the organization at high risk. But network segmentation has been difficult and expensive because of the resources and effort needed to reconfigure VLANs and distributed physical equipment such as routers and switches.

Microsegmentation (or software-defined segmentation), the next generation of network segmentation, is the partitioning of workloads from one another, including in the cloud, between multi-cloud access points, and between data centers and databases.

Gartner wrote: “Microsegmentation (also referred to as software-defined segmentation, zero trust network segmentation or logical segmentation) uses policy- and workload-identity-driven firewalling (typically software-based) or network cryptography to isolate workloads, applications and processes in data centers, public cloud IaaS and containers. This includes workloads that span on-premises and multiple public cloud IaaS providers.”

From a security perspective, this means that when some of your databases and servers are hosted elsewhere they drift out of your view and control, so keeping the workloads of these different transaction points separate is mandatory if you are to protect your most precious enterprise data and digital assets.

Workstation Microsegmentation

Securing this larger, more distributed attack surface without talking about endpoint agents (that is, software-defined networking on portable laptops and other user-operated mobile workstations, as well as on virtual machines) is unrealistic. These devices are all part of your network, whether you are in the cloud or not, and each is a potential initial point of compromise.

For many organizations it is a hybrid, multi-cloud network, not one big tidy cloud environment. More granular segmentation is needed both in cloud environments and in your endpoint-defined private network.

Microsegmentation as usually practiced is a granular approach focused on cloud and data-center workloads. But your segmentation should not be restricted to data centers and clouds when you also have to protect end users connecting to each other, to the cloud, and to on-premises network assets.

OPAQ offers both network segmentation and microsegmentation at the endpoints, that is, on the devices that connect to or traverse Internet, cloud and multi-cloud access points. Each protected endpoint, whether stationary or mobile, carries security and segmentation policy, ensuring that these devices don’t act as conduits for infection to each other or to networks, servers or databases.

Microsegmentation doesn’t have to be out of reach for small and midsize enterprises or new branch offices, all of which are in the crosshairs of powerful distributed attacks. Neither should the ability to rapidly roll out next-generation network security policy to endpoints, which is now crucial for small and midsize enterprises and large-enterprise branch offices alike. Your endpoints are your weakest links, a ‘way in’ for the sophisticated attack and bad actor. Segmenting cloud and database workloads is smart, but lateral spread can still afflict your workforce and cost you if you don’t bolster your endpoints with advanced security policy, including network segmentation by host and user groups.

Don’t underestimate the threat of malicious lateral movement through your security architecture.
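One way to express endpoint segmentation by host and user groups as a default-deny allow-list, added here as an illustration (this is not OPAQ’s product or code; the group names, rules, endpoints and flows are all constructed):

```python
"""Default-deny endpoint segmentation policy keyed on host and user groups (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    host_group: str  # e.g. "workstation", "app-server", "db-server"
    user_group: str  # group of the logged-in user, e.g. "finance", "dba"; "none" for servers


@dataclass(frozen=True)
class Rule:
    src_host: str  # source host group; "*" matches any
    src_user: str  # source user group; "*" matches any
    dst_host: str  # destination host group
    port: int      # destination port; 0 matches any


# Hypothetical allow-list. A flow that matches no rule is denied.
POLICY = [
    Rule("workstation", "*", "app-server", 443),    # users reach the app tier over HTTPS
    Rule("app-server", "*", "db-server", 5432),     # only the app tier talks to the database
    Rule("workstation", "dba", "db-server", 5432),  # except DBAs, selected by user group
]


def _match(pattern, value):
    return pattern == "*" or pattern == value


def is_allowed(src, dst, port):
    """True only if some rule permits src -> dst:port; default deny otherwise."""
    return any(
        _match(r.src_host, src.host_group)
        and _match(r.src_user, src.user_group)
        and _match(r.dst_host, dst.host_group)
        and r.port in (0, port)
        for r in POLICY
    )


def inbound_rules_for(host_group):
    """The subset of POLICY an endpoint of this host group would enforce locally."""
    return [r for r in POLICY if _match(r.dst_host, host_group)]


def evaluate(flows):
    """Label each (src, dst, port) flow ALLOW or DENY."""
    return [(s.name, d.name, p, "ALLOW" if is_allowed(s, d, p) else "DENY") for s, d, p in flows]


# Constructed endpoints and flows, including lateral-movement paths the policy should block.
ws_fin = Endpoint("ws-finance-01", "workstation", "finance")
ws_dba = Endpoint("ws-dba-01", "workstation", "dba")
ws_hr = Endpoint("ws-hr-02", "workstation", "hr")
app = Endpoint("app-01", "app-server", "none")
db = Endpoint("db-01", "db-server", "none")

SAMPLE_FLOWS = [
    (ws_fin, app, 443),    # normal business path
    (app, db, 5432),       # app tier to database
    (ws_dba, db, 5432),    # DBA direct to database
    (ws_fin, db, 5432),    # finance user straight to the database
    (ws_fin, ws_hr, 445),  # workstation-to-workstation SMB
    (ws_hr, app, 22),      # SSH to the app server
]

if __name__ == "__main__":
    for src, dst, port, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {src} -> {dst}:{port}")
```

Because workstations appear in no rule as a destination, `inbound_rules_for("workstation")` is empty, which is exactly the peer-to-peer isolation the article argues for.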



From Russia to WannaCry, Bad Actors are Hard to Nab

David Strom is editor of the email newsletter Inside Security. He also consults to vendors on emerging technologies, products, strategies, and trends. Strom, formerly the editor-in-chief of Network Computing, has authored two books on the topic.

OPAQ: What are hackers looking for lately when it comes to attacks on business and is there a focus on particular verticals?

DS: Yes, any vertical where there is money. It’s all about whaling attacks and CEO phishing attacks. Any business that is successful is a target, which is scary. Malware is getting a lot sneakier, too. There are all sorts of ways to hide the attacks by using registry exploits, PowerShell and other things that make use of the internals of Windows infrastructure to elude detection. But even when malware authors aren’t using these techniques, their attacks are still sitting on the corporate network for months. Too many people still have their head in the sand. You may be a $1 million or $2 million corporation and think that your business is too small to target. But everyone is a target now. You really need to have the best defenses possible.

OPAQ: We’ve all heard enough about Russia and the elections, yet not quite enough about why these attacks happened, and what government or political organizations can do to ensure they never happen again?

DS: Russia began with Estonia, and then they moved on to the country of Georgia, and later they hit German destinations and, of course, the United States. Estonia, even, is pretty sophisticated when it comes to digital policies and protections. The problem is that people are not doing a great job of examining what data is leaving their networks. It used to be that everyone was focused on what was coming into their networks, but the real issue is what is leaving. I can grab a database and move it offsite very quickly into a Dropbox account and no one’s the wiser. People aren’t scrutinizing the right side of the equation. You need some kind of intrusion detection system that works in both directions and looks at what is entering and leaving networks and can distinguish between ordinary and abnormal activity.

OPAQ: In recent news related to the WannaCry ransomware outbreak, Marcus Hutchins was arrested and charged with creating and distributing the Kronos banking malware. We rarely hear about the bad actors being discovered and arrested. Any thoughts on why so?

DS: First on Marcus, it’s not even clear that he is a bad guy. It’s not like an accident on the freeway where you get hit and someone sees the accident in plain sight. A lot of this stuff is not readily observable. We need tremendous cooperation between private and government researchers to track these people down. Organizations can put lures called honeypots on their network to bring in the bad actors. Yet, that might not even be legal in some cases. A private business may not have the right to prosecute because the digital fingerprint isn’t always clear. Or if the individual is from another country, they might not be able to do anything about it. Attribution is very difficult: it’s a hall of mirrors. I could try to break into GM and when they come after me, I could say no, they are hacking me! The legal system is way behind on these matters. Even with a lot of technical knowledge, I think it’s going to be really hard to prosecute Mr. Hutchins.

OPAQ: Which new advancements in enterprise security technology are interesting to you and why?

DS: New password and authentication technologies are very exciting. Passwords are still the biggest weakness in companies. We can make this much more automated with the latest single sign-on and password management products. We also need better defense mechanisms, especially on phones and tablets. A lot of people use their phones on enterprise networks. But let’s say my kid downloads an app on my phone that’s infected with malware. The next day I go to work and log in to the network from my phone. Very quickly that malware can sniff out passwords across the network. Google has done a terrible job in handling malicious apps in the Play Store but it just came out with Google Play Protect, which automatically screens devices in the background for malware. The third area is ransomware-as-a-service. This will get stronger because that’s where the money is. I can have no skill whatsoever and put together a ransomware campaign with a few mouse clicks and make a lot of money. Corporations have to do a better job of making regular data backups and inspecting their network traffic to combat ransomware attacks.

OPAQ: Any thoughts on the security-as-a-service market and how it will grow in the coming years?

DS: Putting security in the cloud is definitely the wave of the future. We will see many more MSPs doing consolidation in this area to broaden their offerings. Smaller companies want to avail themselves of these services because they can’t afford to have that expertise on staff, yet they’re still going to get attacked. We are seeing threat-sharing databases get more popular. Cloud vendors can still have a proprietary take on security, but don’t need to create their own databases. These two parties will have symbiotic relationships. Over time cloud security services will be more attractive to larger companies. They are moving more of their data into the cloud so it makes sense to put security there too.

David Monahan: The Perimeter is an Amoeba

David Monahan is Research Director at Enterprise Management Associates (EMA). He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. Prior to joining EMA, David spent almost 10 years at AT&T Solutions focusing on the network security discipline. Follow David on Twitter: @SecurityMonahan.

OPAQ: Do most mid to large organizations know how many devices they have on their network—and what issues and remedies does this present for security?

DM: From our research, there is a wide gap in visibility. We estimate that organizations are lacking visibility of at least 10% to as much as 25% of their systems. There are many causes: untracked development systems, BYOD devices, rogue systems being set up under “shadow IT,” random IoT devices and other physical and virtual machines going up all the time.

To gain control of this environment, we are always looking at new niche technologies available to help identify systems and devices. Organizations are evaluating solutions from providers like NAC, established vendors like ForeScout, Cisco, HPE, as well as newcomers like Pwnie Express, and Zingbox.

The good news is there are a lot of things you can do about this problem, but companies need to go about it programmatically rather than in a knee-jerk fashion. That way you don’t end up with a bunch of disparate technologies that don’t work together. We are in a challenging time because there is no hard and fast perimeter anymore. The new elastic perimeter is like an amoeba that changes based on what is happening in that moment.

OPAQ: What are other pressing needs in network security today and are there good solutions?

DM: Knowing your assets, whether in your own data center or in the cloud, is key. Identifying what and where they are, who has access to them and when they are being accessed is really table stakes. Active breach detection is extremely important because the bad guys are still getting in. Endpoint defense is a crucial area because that is where a lot of attacks are focused. A good example of that is ransomware. But ransomware can’t encrypt files that it doesn’t have access to, so companies need to do a better job of controlling access to their networks and systems as well as detecting these insider threats faster. Security analytics is another area that is really useful, delivering large value to customers. These forms of analytics are used to detect an entity (user, application, system) that begins acting differently than it has in the past or differently from how other similarly classified entities are acting, both historically and presently. These changes in behavior can come from insiders that have turned against the company or from external threat actors that have gained access. In this case I like to make a distinction between insider threats and threats on the inside. The former is when an employee is misusing their access to do bad things. The latter is when someone from the outside has acquired credentials and does bad things but we think we can still trust them because they are masquerading as the trusted insider. A lot of attacks today come from people leveraging credentials that they shouldn’t have.

OPAQ: What do mid-market executives say is a top barrier for delivering strong enterprise security today?

DM: The two main issues are skills and tools shortages. Budgets have not really been the main issue for the last few years. In every survey that I have done the results show that on average security budgets are increasing by 12 to 16% yearly. Aside from shortages, there are also issues with what I refer to as political, tools and data silos restricting organizations’ ability to gain full visibility and context for events. Tools silos arise from having different groups in the business buying tools, and they are not really working together. Data silos are created from gaps in data for some reason, which might be from misconfigured or poorly configured tools not gathering or retaining the data properly. Some examples would be only retaining server logs for 10 days, so I cannot research a newly discovered breach which actually began before that. Or perhaps my logging levels are set too low so the data I need wasn’t captured, or set too high, in which case I can’t find the crucial data through all of the data “noise”. Political silos are created by individuals who own data, tool, or human resources and do not openly share those resources to maintain control for some reason or another. There are so many issues that are troubling enterprises today. Often companies don’t fully understand the scope of what they are doing and its impact on security.

OPAQ: What is the biggest security technology game-changer today—or in development now?

DM: There are a number of tools which can make a big difference. The next-generation endpoint security vendors are fighting the battle of defending endpoints where antivirus technologies are not doing a good job. Another one is active breach detection systems which gather data off networks. These two technologies are ideally situated to augment each other. A really interesting new space is called deception technology. There are only a handful of companies focusing on this right now. The technology places trigger artifacts on endpoints and on the network that would not be encountered in the normal course of business, so when they are touched, security is alerted for response. (Other capabilities vary by vendor.) Then there is the space of security analytics. This is categorized into predictive analytics, anomaly detection and user entity behavior analytics (UEBA). These tools have evolved out of the need to provide real-time analytics for identifying incidents and events. Another growing area is micro-segmentation, which is the policy-based control of cloud resources. It is designed to control how virtual, cloud and hybrid IT systems interconnect to create secure workloads and workflows. As containers and cloud adoption advances, traditional firewalling does not work, so micro-segmentation across all of these deployment strategies will be an imperative.

Kerravala: Network Visibility Key to Security

Zeus Kerravala is Founder and Principal Analyst with ZK Research. Kerravala provides research and advice to end user IT and network managers, vendors of IT hardware, software and services, and the financial community looking to invest in the companies that he covers. Follow Zeus on Twitter: @zkerravala.

OPAQ: How will IT security budgets change over the next 12 months, and how will IT directors prioritize spending?

ZK: Security is a top driver for IT spend, and it’s the number-one driver for network spend. I think that we will see 8-10 percent growth this year over last year, which is three times the overall IT spend growth. This trend has been going on for the last five years or so, partly because with social media, any kind of perceived breach gets magnified so fast. It can cause public embarrassment, or as with Target, the company had to bribe customers to come back with incentives. Some companies have had to change their business models, while others like Sony had lots of employees leave the company after the breach. If you talk to a CEO or CFO, they usually don’t care about what servers and cloud platforms are in use, but they do care that there is a security strategy because it’s something that shareholders and customers are asking about.

I see a shift in security spending. Today about 90% of spend is still focused on the perimeter but only 27% of breaches occur there. We’ll see more focus on protecting users, apps, internal networks. It takes a lot of work to get through a state-of-the-art firewall. It’s much easier to launch malware by a user clicking on a link.

OPAQ: Which cyber security threats seem to be foiling enterprises today and the vendors who serve them?

ZK: The greatest challenge today is malware through encrypted traffic, because traditional security tools can’t see it. If I can embed malware in corporate email it bypasses security systems. Ransomware is another big problem, caused by users clicking on links that they shouldn’t. We are also seeing more corporate fraud where someone will mimic a CEO’s message. They do this by studying language from emails and LinkedIn profiles. This happened to a tech vendor in Silicon Valley where an email went from someone posing as the CEO to the finance division and the company cut a check for over $45 million to a fake supplier. The whole nature of threats has changed: they are very sophisticated and targeted.

OPAQ: Do you think security priorities would be different if there was no compliance pressure?

ZK: I don’t think it would be less important, but sometimes compliance can create a false sense of security. Let’s say that a company has a policy in which employees must change their passwords every quarter, but how many people can have 13 passwords that they memorize? I spoke with one employee at a company with a policy like this and he just made passwords with the seasons of the year which he changed periodically. Companies should do the work to understand whether requirements are making the company more secure or not. For instance, one well-scripted password might be better than having people change their passwords every month.

OPAQ: What are some basic principles of security that perhaps companies overlook when making their plans and strategies?

ZK: The first one is that more isn’t better. My research shows that companies have around 32 different security vendors. If you have a bunch of tools and they all are on their own island, that’s complex and overwhelming. If you make a change in one system, you don’t know what other changes you need to make elsewhere. Then you can’t be effective.

You’re only as secure as your weakest link. You could be spending a lot of money protecting the perimeter, but if you have an insecure wireless LAN, what good is that? I advise companies to think about security more architecturally. Take a step back and realize what systems you have in place instead of piling on more technology.

Organizations need to think about having strong network visibility. This is about anomaly detection, which is a means to identify breaches that might be hard to find otherwise. A company with a connected soda machine that is suddenly trying to access the accounting server is probably not a good thing. The network sees all traffic and devices, and can pick up patterns veering from normal which could indicate a breach.
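The anomaly Kerravala describes, a connected soda machine suddenly reaching for the accounting server, can be caught by comparing each device’s conversations against a learned baseline. The following is an added example, not code from the interview or from OPAQ; the flow records are constructed and the field layout (timestamp, source, destination, destination port, bytes) is an assumption:

```python
"""Baseline-deviation detection over constructed flow records."""
from collections import defaultdict

# Constructed flow logs: timestamp source destination dst_port bytes.
# The baseline window shows each device's normal conversations.
BASELINE_LOG = """\
2017-09-01T09:00:01 ws-fin-01 accounting-srv 445 20480
2017-09-01T09:00:05 ws-fin-02 accounting-srv 445 10240
2017-09-01T09:01:10 soda-machine-3f vending-cloud 443 512
2017-09-01T10:15:00 ws-fin-01 mail-srv 993 8192
2017-09-01T11:00:00 soda-machine-3f vending-cloud 443 480
"""

# The live window: normal traffic, the soda machine probing the accounting server,
# and a device never seen during the baseline window.
LIVE_LOG = """\
2017-09-02T09:00:03 ws-fin-01 accounting-srv 445 19000
2017-09-02T02:13:44 soda-machine-3f accounting-srv 445 1500
2017-09-02T02:14:01 soda-machine-3f accounting-srv 3389 900
2017-09-02T08:00:00 printer-9a accounting-srv 445 2000
2017-09-02T09:30:00 soda-machine-3f vending-cloud 443 500
"""


def parse(log):
    """Split each line into (timestamp, src, dst, port, bytes); malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def build_baseline(records):
    """Map every source device to the set of (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for _, src, dst, port, _ in records:
        baseline[src].add((dst, port))
    return baseline


def detect(baseline, records):
    """Alert on devices never seen before and on conversations outside a device's baseline."""
    alerts = []
    for ts, src, dst, port, _ in records:
        if src not in baseline:
            alerts.append((ts, src, dst, port, "unknown source device"))
        elif (dst, port) not in baseline[src]:
            alerts.append((ts, src, dst, port, "new destination/port for this source"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG)):
        print(alert)
```

A real deployment would age the baseline and weight alerts by asset criticality, but even this shape separates the soda machine’s two probes from the finance workstation’s routine file-share traffic.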

Patch, Segment, or Suffer: What Lessons Can We Learn From the WannaCry/WanaCrypt0r Outbreak?

Organizations are completely safe from WanaCrypt0r if they are following operational best practices that were matured a decade ago, when worm outbreaks like this were more frequent. So, why did WanaCrypt0r cause so much chaos, including disabling hospital networks and automobile production facilities?