If you examine the impact of ransomware over the past few years, it’s not a pretty picture.
One large network taken down in 45 seconds.
An entire global enterprise knocked offline in 7 minutes.
174 (or more) municipalities hit in a single year.
Days or weeks undetected while the adversary moves laterally and conducts recon.
The question you have to ask is, ‘Why is ransomware so successful to begin with?’
We have long known that the weakest link is often an employee that falls prey to phishing emails with malicious attachments or malicious URLs. We know ransomware begins with an initial infection on a single system, be it a user at home or an employee within the workplace.
Initially, single computers were targeted.
But in 2016, ransomware took advantage of unrestricted connectivity to give the world an unexpected surprise leveraging lateral movement for self-propagation.
Attackers can easily lock out entire enterprise networks and hold them hostage. The risk/reward ratio for a bad actor is high. The more systems the attacker locks up, the larger the ransom payment.
Now we see why ransomware has become so devastating. With that in mind, it’s no surprise that the figures shared at the top of this post make headlines daily.
The world snapped to attention when WannaCry leveraged EternalBlue, which was developed by the United States National Security Agency (NSA). Eternal Blue used a Server Message Block (SMB) vulnerability to propagate.
NotPetya also used EternalBlue and credential harvesting to spread. In his book, "Cyber Warfare – Truth, Tactics, and Strategies: Strategic concepts and truths to help you and your organization survive on the battleground of cyber warfare,” Chase Cunningham illustrates the pattern of hackers leveraging nation-state tools. WannaCry and NotPetya follow that pattern of bad actors using nation-state hacks to terrorize organizations.
Once hackers understood that unfettered lateral movement could make them money, new hacks emerged. TrickBot called on lateral movement to spread and drop Ryuk. Maze ransomware used RDP to propagate.
These attacks all use unchecked lateral movement to turn a single infected machine into a headline-driving attack impacting hundreds or thousands of enterprise endpoints.
As an industry, we have continued to invest in endpoint security tools that are more effective than ever at stopping threats from successfully executing on endpoints.Next-generation antivirus (NGAV) or endpoint detection and response (EDR) indeed stop the vast majority of known and unknown threats.
Despite these investments in endpoint security, we still face considerable risk from ransomware and malware spreading– let’s remember, well-funded nation state actors are very motivated to find the next EternalBlue. In a recent survey we conducted, 59 percent of respondents from organizations with more than 5,000 employees feel that their endpoint security will miss between 1 and 10 percent of malware.
Endpoint security is very good at stopping threats, but nothing is perfect. Enterprises need additional protection to prevent widespread malware infections – after all, it only takes one to take out an enterprise.
Introducing Illumio Edge
Today, we are launching Illumio Edge, the first product to make every endpoint a Zero Trust endpoint to stop ransomware propagation. Illumio Edge assumes that every host has already been breached and only permits lateral connections for valid peer-to-peer traffic.
It puts an end to attackers being able to move laterally within an environment.
The spread of malware and ransomware stops at the first machine, even before detection, or identification in the case of zero-day threats.
It perfectly complements endpoint security and EDR tools as they detect and respond to threats.
We have designed Illumio Edge with a streamlined workflow to simplify endpoint security controls, and provide a fast first step to Zero Trust, without the typical headaches of default-deny.
Time to value is immediate, since allowlisting the right business-critical peer-to-peer policies is done in minutes. With Illumio’s workflows and policy testing, Illumio Edge won’t trigger IT tickets due to breaking applications.Gone is cumbersome Windows Group Policy and manual host firewall rule writing.
Employees remain secure, protected and productive wherever they are with protection that follows them on and off the network. Just as importantly, Illumio Edge is lightweight, so it never harms system performance. In fact, employees won’t even know it is running.
Finally, we priced Illumio Edge at a very low price. When Andrew Rubin, Illumio’s CEO, announced the product, he said it would cost about the same as a cup of coffee a month. My wife assumed that it would be a venti, quad, sugar-free vanilla almond milk latte, with whipped cream and sprinkles on it.
It is nowhere close to that. We are talking plain coffee from a cup.
New customers can enable Illumio Edge via a lightweight Illumio agent. CrowdStrike customers will be able to activate Edge via their CrowdStrike Falcon agent without deploying anything. Illumio will program the CrowdStrike SaaS, which will in turn program their Falcon agent. This was made possible thanks to our partnership with CrowdStrike.CrowdStrike customers can find out more about the Illumio Edge for CrowdStrike module in the CrowdStrike Store.
It is time to take the next step to protect your organization from the risk of massive malware and ransomware attacks. Illumio has made it that simple—and for the cost of a cup of coffee, per user per month.
- Learn more about Illumio Edge
- Watch our overview video
- Download our report, on "Endpoint Security Effectiveness"
- Read our datasheet
- Watch a product demo
Stay tuned for a second blog discussing a bit more how Illumio Edge works.