How to Protect Against Ransomware: 4 Core Principles
Protecting against ransomware is more challenging than ever.
Over the last few years, your infrastructure has evolved, your traditional security perimeter has dissolved, and your people work in a hybrid environment.
At the same time, ransomware has evolved to take advantage of these changes and learned to rapidly compromise a large volume of assets in a small window of time.
No wonder, then, ransomware has become today’s biggest threat:
- 4,000+ ransomware attacks happen every day
- The average ransom size increased 40x in just two years
- The largest ransom ever — $40 million — was paid in 2021
- The largest total damage from one attack was $300 million
Clearly, traditional security is failing to protect against ransomware. Organizations need a new approach. And this blog post outlines that approach.
We'll detail four core principles that will help you protect your organization against ransomware.
- Make sure you can see your internal communication flows
- Focus on blocking ransomware’s favorite pathways first
- Protect your high-value assets no matter what
- Use the right security tools
Let’s look at each in greater depth.
Principle 1: Make sure you can see your internal communication flows
Most ransomware hides and goes undetected for months, and is only detected after it's locked down systems, threatened a data dump, and demanded a ransom.
Before that moment, most ransomware attacks spend as much time as possible compromising as many systems as possible. To do so, attacks often compromise systems the organization does not know they have, traveling pathways between systems the organization does not know are open, and leaving a trail of data that is hard to detect, correlate, and “add up” to realize an attack’s going down.
In short: Many ransomware attacks are successful because organizations can’t even see they are happening or what they are doing until it’s too late.
To protect against ransomware, organizations must develop visibility into the communication flows between the systems within their network. Doing so will increase the chance of detecting attacks when they first breach the environment, or early enough to stop them before they spread far enough to cause real harm.
Specifically, organizations must be able to:
- See how their systems communicate with each other (in real-time).
- Identify which pathways between systems are open and which can be closed.
- Centralize multiple sources of risk data to identify complex, subtle attacks.
Principle 2: Focus on blocking ransomware’s favorite pathways first
Most ransomware attacks target the same common pathways and vulnerabilities, with over 80 percent of attacks succeeding by using a small set of simple, well-known exploits.
Specifically, most ransomware attacks target a small set of high-risk pathways like Remote Desktop Protocol (RDP) and Server Message Block (SMB). These services are used on many systems within the network, they are often left open when they don’t need to be, and they give attackers an easy route into and across the network.
To exploit these pathways, attackers are usually opportunistic. They often scan the internet for exploitable systems with open ports that communicate outside their network. When an attacker finds one, they will breach it and use other common open ports within the network to spread from system to system, compromising them all.
In short: Many ransomware attacks are successful because organizations leave many commonly exploited pathways open in their network, usually without realizing it.
To protect against ransomware, organizations must first focus on blocking these commonly exploited pathways. Doing so will limit a bad actor’s ability to both breach their network and spread between systems after a successful breach.
Specifically, organizations must be able to:
- Identify which high-risk pathways must stay open and which can be closed.
- Close as many high-risk pathways as possible and monitor the rest.
- Lock down the environment to stop attacks in-progress.
Principle 3: Protect your high-value assets no matter what
Most ransomware starts small — it first infects lower-value assets that are less protected and then gradually works its way across the network to high-value assets.
Typically, ransomware attacks must complete many stages to move from an organization’s low-value assets to their high-value assets. They must move slowly through the network and avoid detection. They must connect to the internet to pull down tools to advance their attack (and upload sensitive data to build leverage). And they must be patient and wait until they find vulnerable high-value assets before they strike, encrypt systems, and demand a ransom payment.
In short: Many ransomware attacks are only successful once they have compromised high-value assets. Depending on the internal security of their target, this can take a ransomware actor years, months, weeks, days, hours, or even just minutes.
To protect against ransomware, organizations must limit an attacker’s ability to rapidly spread from one system to the next within their network. By doing so, organizations will slow down attackers, increase the chances of detecting the attack before it is successful, and prevent their high-value assets from being compromised — and prevent the attacker from developing enough leverage to make a credible demand.
Typically, organizations can protect their high-value assets by segmenting their environment, by surrounding these assets with rings and fences to isolate them, and by overall separating the environment so attackers have no clear path to move from unprotected low-value assets to well-defended high-value assets.
Principle 4: Use the right security tools
Traditionally, most organizations have tried to protect against ransomware using manual firewalls and similar network segmentation tools. But these tools were created decades ago for a different network architecture and security paradigm. As a result, they typically fail to protect organizations against ransomware, and they cannot be used to bring these new principles to life.
Specifically, traditional security tools like firewalls and network devices:
- Fail to visualize communication flows: They don’t collect usable data on internal east-west communications or north-south communications. They only collect limited telemetry that fails to identify risk, and which is often scattered and siloed between a stack of single-purpose point solutions.
- Fail to block ransomware’s favorite pathways: They do not create a centralized view of which common pathways and exploits are open in the organization’s network, they struggle to keep these pathways closed in modern environments, and they are too slow to respond to in-progress attacks.
- Fail to protect high-value assets: They typically manage configurations and segmentation policy through manual workflows that cannot scale to modern environments with millions of connection points between systems. The segmentation they do enforce is dropped the second the network changes.
In short: Organizations cannot use traditional security tools to protect against ransomware. They need new tools designed to protect modern environments from modern ransomware threats.
Meet Illumio: A Modern Approach to Protect Against Ransomware
Illumio gives you streamlined, scalable policy management, making it easy to build a new security architecture to protect against ransomware — no matter the size and scale of your environment.
Illumio makes it easy to bring these principles to life.
Gain comprehensive visibility into communication flows
Within the first hour of installation, Illumio creates a real-time map of all the communications between all systems in your environment. Illumio helps you see which of these communications are necessary and which you can shut down, and creates a single source of truth for many teams and tools like SIEMs.
Quickly block the pathways ransomware likes to exploit
Illumio shows you the common ransomware pathways open in your environment and makes it easy to close these pathways by automating every key step in security policy management. Finally, Illumio lets you create a “containment switch” to lock down your network and systems in seconds during an incident.
Perform scalable Zero Trust Segmentation to protect high-value assets
Illumio gives you a comprehensive segmentation solution that enforces policy in large-scale modern environments and makes it easy to limit lateral spread and isolate high-value assets. Illumio enforces these policies dynamically and maintains them at all times, even as your network evolves.
In short: Illumio solves many of the problems with traditional security tools and architectures, and lets you deploy a new approach to protect against ransomware.
Protect Against Ransomware Today: Bring Illumio to Your Defense
Illumio is used by many of the world’s largest and most innovative organizations to protect against ransomware. With Illumio, they gain visibility of their communication flows and a clear understanding of their riskiest pathways, with full segmentation control down to the application level.
Illumio currently protects assets for:
- More than 10% of the Fortune 100
- 6 of the 10 largest global banks
- 5 of the leading insurance companies
- 3 of the 5 largest enterprise SaaS companies
Our customers also use Illumio to build fundamentally stronger security postures that defend against a wide range of attacks.
It’s time to bring Illumio to your defense. Take the right next step.
- Go deeper: How to Stop Ransomware Attacks eBook
- Try it yourself: The Illumio Experience hands-on labs
- Schedule a chat: Free consultation and demo