Locking out ransomware: A new way to look at security strategy
Ransomware attacks are accelerating at a record pace, becoming dramatically more frequent and more sophisticated. In fact, nearly 60% of companies experienced ransomware events in the last year, forcing desperate businesses to cough up a staggering $1 billion in ransom payments. That’s up from the $220 million that was paid to bad actors in 2019.
Change Healthcare is just one recent example. The company was hit with one of the largest ransomware attacks within healthcare, effectively taking the company offline and forcing an unsuccessful payout attempt of $22 million before being struck with a second ransomware attack just weeks later.
While the healthcare industry is particularly vulnerable, other industries aren’t immune. Technology, manufacturing, supply chain, retail, local, state and federal government agencies and more are all highly susceptible.
But why are organizations still so underprepared after successful and catastrophic ransomware attacks like Colonial Pipeline, MGM, Kronos, Maersk and others? The answer is that data isn’t being protected in the right way.
The world is embracing the current data revolution, with the amount and types of data continuing to soar and the desire to apply AI to all that data fueling a multitude of new use cases. However, organizations are still protecting data using only a network protection strategy that doesn’t address how companies collect, move and use data today.
It’s time for companies to shift to a true data protection strategy.
The evolution of network security technology
To date, security technology has focused on protecting the network perimeter to prevent intruders from entering the network and limit their movement around the network should they gain access.
The first network firewalls, created when organizations began connecting internal networks to the internet, used packet filtering to inspect network packets and allow or block them based on predefined rules. Stateful inspection firewalls quickly emerged to make decisions based on the state of active connections and the context of the traffic, acting as intermediaries between internal and external networks, inspecting and filtering traffic.
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) were introduced to complement firewalls by providing real-time monitoring, detection and response to suspicious or malicious network activities. IDS and IPS capabilities were soon integrated with firewalls as a single solution.
Today, cloud security services (some of which are built using proxy-centric architectures) rely on more powerful processing in the cloud to deliver smarter security solutions for cloud-based infrastructures.
While these powerful solutions remain essential, they still focus on protecting networks and applications. When they fail at stopping a threat, attackers gain access to data, creating the opportunity for ransomware attacks.
What data protection means
Think about how people are protected from bomb attacks. The logical first strategy is to prevent the attack in the first place. That’s network security. However, people can’t prevent all attacks, so they create bunkers, barriers and Kevlar suits to prevent as much damage as possible should a bomb go off. That’s data protection: strategies that protect data files and databases even if someone gains access to the network.
Creating a data bunker, whether to stop ransomware or just to prevent the wrong person from seeing the wrong information, requires a real-time understanding of the content and context of data. That means that there needs to be the ability to detect whether any data set at any time contains sensitive information (e.g., a PDF file that contains PII), and whether unusual data access is occurring (e.g., activity atypical of authorized users).
This understanding would enable a more effective approach to stopping ransomware. For example, a system could be designed to recognize which data stores contain sensitive and mission-critical data based on the content of the data and a set of configurable rules. The system could also recognize that someone is reading gigabytes of this sensitive data instead of accessing it in small chunks. Based on these insights, the system could automatically prevent any attempt to overwrite the sensitive data with encrypted data, thus thwarting a ransomware attack.
To be sure, this approach would not prevent other nefarious uses of the accessed data. Still, as one part of a comprehensive data protection strategy, it would stop a ransomware attack in its tracks and limit the options of the attackers ransoming the entire data store.
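The mechanism sketched above (label stores by content, notice bulk reads of sensitive data, refuse to overwrite sensitive data with ciphertext-like bytes) can be shown in a small simulation. The following Python is an added example, not code from the original article or from any vendor it alludes to. The sensitive-content patterns, the entropy threshold, the per-session bulk-read threshold and the sample data are all constructed for the demonstration; a production classifier would be far richer than two regular expressions.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed stand-ins for a content classifier: a US-style SSN and a
# 16-digit card-like number. A real system would use a much richer detector.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b\d{4}(?:[ -]?\d{4}){3}\b"),
}
# Hypothetical threshold: ciphertext approaches 8 bits/byte; text sits around 4-5.
ENCRYPTED_ENTROPY = 7.0


def classify(content: bytes) -> set[str]:
    """Return the kinds of sensitive data found in the content."""
    return {name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(content)}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Session:
    user: str
    bytes_read: int = 0


@dataclass
class DataStore:
    """In-memory stand-in for a file share or database."""
    objects: dict[str, bytes]
    sensitive: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Label stores by content at ingest; labels are refreshed on every write.
        self.sensitive = {k for k, v in self.objects.items() if classify(v)}


class Guard:
    """Mediates every read and write so content and session context can be checked."""

    def __init__(self, store: DataStore, bulk_bytes: int) -> None:
        self.store = store
        self.bulk_bytes = bulk_bytes  # per-session read volume treated as "bulk"
        self.sessions: dict[str, Session] = {}
        self.events: list[str] = []

    def _session(self, user: str) -> Session:
        return self.sessions.setdefault(user, Session(user))

    def read(self, user: str, key: str) -> bytes:
        s = self._session(user)
        data = self.store.objects[key]
        s.bytes_read += len(data)
        if key in self.store.sensitive and s.bytes_read > self.bulk_bytes:
            self.events.append(f"bulk-read user={user} bytes={s.bytes_read}")
        return data

    def write(self, user: str, key: str, payload: bytes) -> bool:
        """Apply the write unless it would replace sensitive data with ciphertext-like bytes."""
        s = self._session(user)
        if key in self.store.sensitive and shannon_entropy(payload) >= ENCRYPTED_ENTROPY:
            self.events.append(f"blocked-encrypt user={user} key={key} read={s.bytes_read}")
            return False
        self.store.objects[key] = payload
        if classify(payload):
            self.store.sensitive.add(key)
        else:
            self.store.sensitive.discard(key)
        return True


# Constructed sample data: a payroll export with SSNs, a harmless note, and a
# ciphertext-like payload (every byte value equally often, so entropy is 8.0).
PAYROLL = b"name,ssn\n" + b"bob,123-45-6789\n" * 100
README = b"quarterly notes: nothing sensitive here\n"
CIPHERTEXT_LIKE = bytes(range(256)) * 16


def demo() -> list[str]:
    store = DataStore({"hr/payroll.csv": PAYROLL, "docs/readme.txt": README})
    guard = Guard(store, bulk_bytes=1024)
    guard.read("svc-backup", "hr/payroll.csv")                    # 1609 bytes: flagged as bulk
    guard.write("svc-backup", "hr/payroll.csv", CIPHERTEXT_LIKE)  # denied, store untouched
    guard.write("alice", "docs/readme.txt", b"updated notes\n")   # allowed
    return guard.events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The design choice worth noting is that the block decision is made on the target's content label and the payload's shape, so a legitimate tool that writes genuinely encrypted files to a non-sensitive location is not disturbed, while the bulk-read event is kept as a separate signal for a detection pipeline rather than folded into the block rule.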
Key requirements of a data protection strategy to stop ransomware
The elements of a data protection strategy are familiar, but some have a new spin.
- Zero trust as the default. Zero trust for data protection follows the same rule as zero trust for networks: grant access only to users who are authenticated and authorized in real time through an identity management system. However, to truly protect data, zero trust must be based on the actual content of the data at the time of the attempted access. A system must be able to determine in real time if the information is mission-critical or sensitive based on a company’s industry or products or the regulatory requirements governing it. This real-time insight is now possible thanks to new AI capabilities.
- Session awareness. Data session-awareness means that every request through the platform can be examined for its content and context. This would enable a system to automatically change from session to session which data sets can be accessed and which data elements can be viewed based on the most up-to-date zero trust requirements and the user’s evolving needs or situation. For example, perhaps the user’s role has changed, or the user is making the request from a different geographic region, etc. Session awareness also enables the system to detect behavior that could indicate a ransomware attack. New AI capabilities will also play a role here.
- Zero copies of data. To satisfy the needs of users throughout an organization, most companies are still making a copy of the data at a point in time, moving the copy to another system, and changing the data to meet the needs of the use case. This practice must stop. Proliferating copies in multiple locations significantly increases the risk to data and makes it hard to ensure only the right people have access to the right data. Accessing and using data only from its source systems would also reduce complexity, ensure the timeliness of the data, and reduce the time and costs associated with creating, storing and maintaining the copies. It would also enable companies to stop putting data in the public cloud where it eventually ends up out of their control and more vulnerable to ransomware attacks. Instead, they can keep data on-premises or in a virtual private cloud (VPC).
- All data types. To ensure it meets the needs of the business, a data protection strategy must account for all types of databases and file shares containing any type of data that may potentially include sensitive information: tables, text, audio, video, email, social media, etc. It must speak the native language of the data sources and understand every human language that may populate the data.
- Real-time, dynamic transformations. Data protection must be real time. There can be no gap between an attack threat and its detection or between its detection and the response. As a result, the system must be powerful enough to perform the data analysis, create the needed combinations and transformations, and respond to attacks at a performance level sufficient to meet both the zero trust requirements and the demands of business users.
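The first two requirements, content-based zero trust and session awareness, can be combined in one access decision: the identity system confirms the role, the row is labelled by its content at the moment of access, and the session's region decides whether the sensitive element is shown or masked. The Python below is an added example illustrating those two items; it is not code from the article or from any product. The policy table, the identity directory, the dataset and the SSN pattern are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed policy: which roles may see which sensitivity class, and from where.
POLICY = {"pii": {"roles": {"hr", "payroll"}, "regions": {"us"}}}


@dataclass(frozen=True)
class Request:
    """One request as seen by the data platform; role and region come from the session."""
    user: str
    role: str
    region: str
    dataset: str


@dataclass
class Decision:
    allowed: bool
    rows: list = field(default_factory=list)
    reason: str = ""


def classify_row(row: dict) -> set[str]:
    """Label a row by its content at access time rather than by a static tag."""
    return {"pii"} if any(isinstance(v, str) and SSN.search(v) for v in row.values()) else set()


def mask_row(row: dict) -> dict:
    """Keep the row but redact the sensitive element (last four digits remain)."""
    return {k: SSN.sub(lambda m: "***-**-" + m.group(0)[-4:], v) if isinstance(v, str) else v
            for k, v in row.items()}


def evaluate(req: Request, identity: dict, data: dict) -> Decision:
    # Zero trust: the identity system decides the role, not whatever the request claims.
    ident = identity.get(req.user)
    if ident is None or ident["role"] != req.role:
        return Decision(False, [], "role not confirmed by identity system")
    out = []
    for row in data.get(req.dataset, []):
        if "pii" in classify_row(row):
            rule = POLICY["pii"]
            full = req.role in rule["roles"] and req.region in rule["regions"]
            out.append(row if full else mask_row(row))
        else:
            out.append(row)
    return Decision(True, out, "ok")


# Constructed sample identity directory and dataset.
IDENTITY = {"alice": {"role": "hr"}, "bob": {"role": "analyst"}}
EMPLOYEES = {"employees": [
    {"name": "Carol", "ssn": "123-45-6789", "dept": "eng"},
    {"name": "Dave", "ssn": "", "dept": "ops"},
]}


def demo() -> dict:
    results = {}
    # Session 1: HR user from an approved region sees the full record.
    results["hr_us"] = evaluate(Request("alice", "hr", "us", "employees"), IDENTITY, EMPLOYEES)
    # Session 2: same user and role, but this session comes from another region.
    results["hr_eu"] = evaluate(Request("alice", "hr", "eu", "employees"), IDENTITY, EMPLOYEES)
    # Session 3: analyst without a PII entitlement.
    results["analyst"] = evaluate(Request("bob", "analyst", "us", "employees"), IDENTITY, EMPLOYEES)
    # Session 4: alice's role changed in the identity system since her last session,
    # so a request still presenting the old role is refused outright.
    changed = {**IDENTITY, "alice": {"role": "analyst"}}
    results["stale_role"] = evaluate(Request("alice", "hr", "us", "employees"), changed, EMPLOYEES)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision.allowed, decision.reason, decision.rows)
```

Because the label is computed from the row's content on every request, the same dataset can be fully visible in one session and partially masked in the next without anyone re-tagging the data, which is the property the session-awareness requirement asks for.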
It’s time for true data protection
The combination of increased computing performance and AI-powered neural networks that can be tuned to specific data now enables a real-time understanding of the content and context of data. This makes developing a true data protection strategy technically possible today.
Still, there are questions that must be answered. If a vendor has created such a “content and context aware” system, are customers at risk from the vendor? How are the insights from the data delivered to end users around the world at speed and scale without using the public cloud? Does the data protection strategy as outlined above account for the “human problem”? Are there ways that humans could intentionally or unintentionally compromise the protection?
As the industry shifts its thinking from network protection to data protection, these questions will be quickly answered, and security professionals will usher in a new age of cybersecurity.