Beyond the usual suspects – monitoring for attacks, patching vulnerabilities and regular backup checks – what else can we do to protect ourselves against ransomware? So many technologies have been heralded as the silver bullet to stop these threats in their tracks, but have hardly proved their mettle.
Artificial intelligence and machine learning has been discussed for years in the infosecurity world, and there are some applications of the technology that are helpful. But the technology is still, in my opinion, embryonic and when employed for threat detection beyond a limited scope, it can create a false sense of security and may lead to complacency.
It is hard to cut through the technology hype and marketing spin to uncover the technologies and methodologies that might deliver on their promises. Here are some of the ransomware protection tactics that I am keeping my eye on.
From the old to the new
The old way of thinking about cyber security was imagining it like a castle. You’ve got the vast perimeter – the castle walls – and inside was the keep, where employees and data would live.
But now organisations are operating in various locations. They’ve got their cloud estate in one or more providers, source code residing in another location, and vast amounts of work devices that are now no longer behind the castle walls, but at employees’ homes – the list could go on for ever.
These are all areas that could potentially be breached and used to gain intelligence on the business. The attack surface is growing, and the castle wall can no longer circle around all these places to protect them.
Attack surface management will play a big part in tackling this issue. It allows security and IT teams to almost visualise the external parts of the business and identify targets and assesses risks based on the opportunities they present to a malicious attacker. In the face of a constantly growing attack surface, this can enable businesses to establish a proactive security approach and adopt principles such as assume breach and cyber resilience.
Next is security mesh architectures. This takes a defence-in-depth strategy to the next level. Rather than every tool running in a silo, a cyber security mesh enables tools to interoperate and talk to each other, exchanging security information and telemetry. For instance, if something malicious happens in an identity store or new threat intelligence is made available, the different technologies deployed can change their posture depending on the relevant information.
It is an interesting challenge to figure out how we can get everything to work with each other, as well as changing dynamically. While I feel that we are a couple years away from this coming to maturity, the idea of policy, intelligence, identity, interoperability and all those parts of cyber security coming together in one concept to collaborate could be game-changing. We have seen the start of this with technologies such as SOAR, Open Policy Agent and Kyverno, but this is only the start.
But what about now?
These technologies are somewhat in a distant future. But something that security and IT teams can, and should, look into now is privileged access management. I am a big believer that everyone needs to have some form of controlled identity on the corporate network. However, not everyone has to be an administrator and if everyone is, then it’s much, much easier for ransomware to proliferate.
You need to ensure that you have separation between high-privilege and low-privilege environments and users. While this might seem like the basics, once you get this in place, you can start thinking about implementing something more complex, such as attack surface management or mesh architectures, further down the line.
Paul Lewis is chief information security officer at Nominet