Rethinking Networking to Derail Ransomware

Despite the best efforts of many organizations, ransomware attacks are still on the rise, which perhaps indicates that those “best efforts” are just not good enough. Take, for example, the recent ransomware attack on the Colonial Pipeline, which prompted a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the east coast of the U.S.

The ransomware attack was initiated by a cybercriminal group known as DarkSide, which could have used multiple attack vectors to infect Colonial’s network. Although the full details of the attack may never be known, it is clear that the ransomware attack had serious consequences, and that Colonial was directly targeted by DarkSide.

It is reported that Colonial paid a USD$4.4 million ransom in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told The Wall Street Journal. The lesson here is that organizations must do a better job at protecting their networks from ransomware or suffer the consequences. Yet, that is something much easier said than done.

The market is filled with security products that promote the ability to address ransomware threats, and cybersecurity professionals struggle to determine what, if anything, actually will work for their organization. However, some experts are looking at the ransomware challenge from a different point of view, one that involves consolidating both the networking and security stacks into a single managed entity, referred to as secure access service edge, or SASE.

SASE is a technology that melds SD-WAN and cybersecurity together on a single plane, making it easier to deploy cybersecurity technologies across a network. SASE introduces zero-trust network access (ZTNA) and integrated network security into an environment in a way that could potentially derail a ransomware attack.

“One of the myths around cybersecurity and ransomware is that the attacker only has to be correct once, while defenders have to be right all the time,” said Etay Maor, senior director of security strategy at Cato Networks. “That is a myth; simply because a ransomware attack requires that an attacker be successful at many junctures to launch an attack.”

Maor’s words ring true: the typical ransomware attack starts with gaining access; attackers then perform reconnaissance or lateral movement, inject malicious code, execute that code and, finally, encrypt the targeted data. In other words, there are several opportunities to derail a ransomware attack, but only if one of those activities is detected.

“With SASE, the type of north-south traffic, exemplified by an infected system communicating with a remote command-and-control attacker, is exposed, giving cybersecurity professionals an opportunity to discover an attack,” explained Maor. “SASE gives full visibility into all network traffic, meaning that east-west traffic, such as communications within the edge of the network, can also be monitored, providing additional insights.”

Although visibility into north-south and east-west traffic is of major use when discovering a ransomware attack, most SASE implementations add many more capabilities that are effective in fighting one off.

Maor added that “a true SASE platform uses a single pass engine, where every packet is looked at by multiple cybersecurity technologies which can share the information. Packets are looked at by the firewall, DLP, SIM and so on, which are no longer siloed into their own layers.”

Maor noted that many organizations today use a layered approach to security, in which packets travel through several security products that are siloed from each other. Because those silos do not share context, anomalies seen by one product are never correlated with anomalies seen by another, and malware can slip through all of them.

Maor added that, “SASE converges security, networking, connectivity and management into a single entity, making it far easier to view exactly what is occurring on a network and take appropriate action.” It is that level of intelligence—and the ability to correlate what may seem like unrelated events—that brings enhanced abilities to cybersecurity teams. For example, an endpoint may be communicating with an unknown URL at the same moment an anomalous network event is occurring. Being able to correlate those two anomalies gives cybersecurity teams an advantage when threat hunting.
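As an added illustration of the correlation Maor describes (this is example code written for this page, not Cato Networks’ or any SASE product’s logic), the sketch below joins constructed events from two layers that are normally siloed, a web proxy and an internal firewall, and raises a host’s severity only when an unknown-destination proxy event is followed within a short window by internal connections from the same host. The event format, the five-minute window and the host names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each is (timestamp, layer, host, detail).
# "proxy" = outbound request to a destination never seen before by the proxy;
# "firewall" = new internal SMB connection seen by the internal firewall.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "proxy",    "ws-042", "unknown-domain.example"),
    ("2024-01-10T09:00:40", "firewall", "ws-042", "smb->fileserver-01"),
    ("2024-01-10T09:01:10", "firewall", "ws-042", "smb->fileserver-02"),
    ("2024-01-10T10:15:00", "proxy",    "ws-017", "unknown-domain.example"),
    ("2024-01-10T13:30:00", "firewall", "ws-017", "smb->fileserver-01"),
    ("2024-01-10T11:00:00", "firewall", "ws-099", "smb->fileserver-01"),
]


def correlate(events, window=timedelta(minutes=5)):
    """Return {host: [(proxy_detail, [firewall_details, ...]), ...]} for hosts
    where an unknown-destination proxy event is followed, within `window`, by
    one or more internal firewall events.  Either event alone is low severity;
    the pair is what a shared-context (single-pass) engine can surface."""
    by_host = {}
    # ISO-8601 timestamps sort chronologically as strings, so sorting the
    # tuples orders each host's events in time.
    for ts, layer, host, detail in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), layer, detail))

    alerts = {}
    for host, evs in by_host.items():
        for t0, layer, detail in evs:
            if layer != "proxy":
                continue
            followers = [d for t, lyr, d in evs
                         if lyr == "firewall" and t0 <= t <= t0 + window]
            if followers:
                alerts.setdefault(host, []).append((detail, followers))
    return alerts


def severity(alerts, host):
    """Hosts with a correlated pair are escalated; everything else stays low."""
    return "high" if host in alerts else "low"


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host in sorted({e[2] for e in SAMPLE_EVENTS}):
        print(host, severity(found, host), found.get(host, []))
```

In the sample, only ws-042 is escalated: ws-017 shows the same two anomalies, but hours apart, and ws-099 shows only one of them.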

Finally, there is the question of how zero-trust and SASE complement each other. According to Maor, “With zero-trust, there’s no inherited trust. Everything has to be verified; every user, device, interaction. Everything has to be verified. Zero-trust can be built into SASE, closing the gap where malware could have potentially snuck into a system.”

While the debate rages on about preventing ransomware, one thing seems certain—technologies such as SASE can help organizations detect and mitigate ransomware attacks before they impact operations.

Frank Ohlhorst

Frank is an award-winning technology journalist and IT industry analyst, with extensive experience as a business consultant, editor, author, and blogger. Frank works with both technology startups and established technology ventures, helping them to build channel programs, launch products, validate product quality, create marketing materials, author case studies, eBooks and white papers.
