Adaptive Segmentationmicro-segmentation May 6, 2022

Q&A: Expert Guidance on Protecting Your Organization From Ransomware

Team Illumio, Reporting in from around the world

With ransomware and cyberattacks at an all-time high, the upcoming RSA Conference has taken on even greater importance.

Happening this June 6-9, the world's leading cybersecurity professionals will gather at the Moscone Center in San Francisco to share the latest thinking on how organizations can redouble their cyber resilience.

Illumio's principal technical marketing engineer Christer Swartz kicks off our countdown to RSAC with a Q&A on what he will address at the conference: ransomware — how it works and the most effective ways to stop it from spreading after a breach.

Illumio: These days, ransomware is often in the news. So what do people need to know about ransomware, especially those who so far have been lucky enough not to be victims of it?

Christer SwartzRansomware is often perceived as a complicated problem. So there are a lot of complicated solutions to address it. Intelligent firewalls, cloud compliance tools, etc. But despite its potentially devastating impact, ransomware propagates in a very simple, predictable way.

If it hops onto your laptop and it wants to go to my laptop, it's going to use an open port, but not just any random port. It has to be a port that’s always left open and there are only a small number of those. One is remote desktop protocol or RDP.

Your laptop can connect via RDP to my laptop, and the port will probably reply, "Okay." So that's a type of connection a bad actor can use to launch a ransomware attack. Another commonly used port for ransomware is server message block (SMB) for file sharing.

Illumio: Is it necessary to have an advanced understanding of ransomware in order to prevent it from harming your organization?

Christer Swartz: No. You can have ransomware developed by the Russian mafia or you can have it developed by a teenager in a suburban basement, but they're going to operate the same way and try to open the same ports.

That’s why the first step in protecting against ransomware is about being able to see your communication pathways.

You want to be able to see that these ports commonly used by ransomware are open. And from there you can ask the question, “Do we all need RDP access to each other?” That answer is almost always "no." You want to close those RDP ports unless they need to be open for some important business purpose.

Then it doesn’t matter how sophisticated or simple the ransomware is. Once ports are closed, ransomware is isolated. If it infects your laptop, that’s where it stays.

Illumio: It sounds like there's a simple solution to the ransomware problem.

Christer Swartz: Yes, in most all cases, it is a fairly straightforward task to lock down key pathways for ransomware by using Illumio's Zero Trust Segmentation platform. You have open doors. Simply close them with Illumio.

Illumio: How does the simple versus complex solution approach compare in terms of scalability for small and midsized businesses to the world's largest, most complex organization?

Christer Swartz: Simple solutions scale better, which means any sized company can just as easily use Illumio to fight ransomware.

The really super complex solutions work, but they don’t scale easily. The bigger the deployment, the harder and more time-consuming it is to make them work.

Our whole focus is on keeping it simple so any kind of company, regardless of security resources or budgets, can easily see their open, high-risk pathways and then close them quickly and safely.

Illumio: What are some of the challenges for an organization to see its security exposure and gain that visibility you talk about?

Christer Swartz: Traditionally, if you want to see all these open doors, you have to go to the network level or the cloud infrastructure level. The cloud and corporate networks have firewalls, intrusion detection systems, and compliance tools, but they're specific to a particular environment. Also, you have to do a lot of foundational work and know what environment you’re in.

We make it a lot easier. In just two or three clicks, Illumio can show you what all your workloads are doing, and it doesn’t matter where they are. This visibility is agnostic to what’s going on underneath. Our platform is infrastructure-agnostic. You can easily see what’s talking to what and, most importantly, whether certain applications or systems should be talking to each other at all.

Illumio: Why do you think people tend to overcomplicate ransomware security?

Christer Swartz: Everybody has a specialized set of knowledge. The critical security controls (CIS) admins know what's going on within Linux. The network people know exactly what's going on with the network, and so on. There are a lot of expertise silos, and if you're a C-level person trying to figure out what to do, you have multiple audiences telling you different things.

The entire industry is confusing, and ransomware is scary. That’s why we try to keep our approach simple and focused. We're talking about the workload. We don’t care where it is. We’re not trying to replace anything. We’re just saying you need to know who’s talking to who. And that’s not a network play or a firewall play.

Illumio: Talk to us about the “assume a breach” mentality. How is that paramount to building better defenses for modern security threats like ransomware?

Christer Swartz: You're never going to have 100 percent protection. That’s the whole premise of the cyber insurance industry, right? Somebody's going to get infected. That is inevitable. Sure, do everything you can to reduce breaches, but as has been clearly proven over the past couple of years, it is naive to think you won't get breached in some way.

But how do you stop the spread of an attack once a breach happens? That's where Illumio shines. Our CEO Andrew Rubin says, "With Illumio, the first host that's hijacked is the last host that's hijacked."

Illumio: So, we’ve talked about the importance of visibility. What’s the next step in stopping a ransomware attack?

Christer Swartz: Blocking open ports. Linux and Windows listen to a small number of these ports. And you want to be able to control that at scale, if necessary, from 10 or 20 machines up to 10 or 20 thousand machines. Plus, mainframes and containers.

With Illumio, you can write a policy that says, “Nobody in Amazon should be speaking RDP to anybody in Azure." So with one click using Illumio, you just blocked 10,000 workloads — closed 10,000 doors. That’s a ransomware containment switch.

If you have to do that at the network switch level in the data center and a different way on Amazon or Azure or containers, it becomes complicated. We allow our customers to quickly segment and block through central controls, at any scale.

Illumio: There's a third step to ransomware defense: long-term protection. How should organizations approach that?

Christer Swartz: So to protect, you must be able to enforce. This is where we start using the term Zero Trust security. You want to be able to enforce Zero Trust at scale and to protect workloads as they're born.

You want to have a Zero Trust policy that works in real time. As workloads are created, microsegmentation protection is born with them. You don't want to turn it on today, and then tomorrow have a hundred new workloads you didn't know about going live without any access controls.

And you want to protect everything: legacy systems, mainframes, OT devices, IoT devices. You can protect assets that can accept an agent and those that can’t. For systems you can't put an agent on, you can protect the perimeter around those systems. Regardless of what the operating system is, regardless of whether it's physical, virtual or containers, Illumio can protect it with Zero Trust Segmentation.

Illumio: You’ve talked about ransomware protection at scale. That’s the enterprise level. But how does Illumio make ransomware protection easy for midsize and smaller companies that are especially overwhelmed by today's new security demands?

Christer Swartz: We focus on visibility. Do you really know who's talking to who? Getting workload-to-workload visibility is hard for them. We can solve problems that their intrusion detection systems and firewalls don’t.

And from there, they can begin to control what’s going on. Our labeling approach is a big part of that. It allows our customers to write policy like an English sentence. They can implement a solution that doesn’t require a lot of networking or firewall talk. We deliberately make this very easy, so you don't need a lot of support or technical expertise.

Illumio: You'll be speaking about ransomware at the RSA Conference in June. What key insights do you want people to walk away with?

Christer Swartz: From a high level, I would say a lot of people don’t understand how ransomware operates or how to control it. But we do.

We want people to realize Illumio can be a key partner in helping you make major improvements in how you build the cyber resilience of your organization. And you can depend on our platform because we provide a simple way to give you full visibility into what's going on in your network. And that, by itself, solves a huge problem.

Then Illumio allows you to block everything without touching the cloud or the network. You just tell the workload, "You are or are not allowed to do this." That’s blocking. We can block things without having to deal with change control or talking to services or asset silos.

Finally, we can protect everywhere. So, we're not just cloud, we're not just data center. We protect all your data, wherever it lives. We let you see what's going on. We let you block it without having to use any other tools. And we protect everything, whether or not you can use an agent.

Visit Us at RSA Conference 2022

Looking to build better defenses against ransomware and other cyber threats?

Visit our booth (Moscone North, N-5555) and speak with our experts about how Zero Trust Segmentation can stop breaches from spreading across your hybrid infrastructure.

Adaptive Segmentationmicro-segmentation
Share this post: