If the recent Colonial Pipeline ransomware attack proves anything, it’s that ransomware is the scourge of the modern computing environment. It is the 21st-century version of piracy on the open seas. Often state-sponsored, or at least with a blind-eye turned, opportunists look to create situations favorable to exploit the misfortune of others for profit. That said, unlike the seas of old, the Internet can connect these pirates to every business, entity and government in the world. But some of these organizations have a layer of protection that goes beyond detection and prevention technologies to stop ransomware from spreading into a disaster if it is ever introduced to your IT environment.
First, we need to consider that the point of greatest value is not the typical entry point. The cloud and data center hold the most valuable assets to any organization. Critical systems that support customers, business, inventory, health care outcomes, financial information, etc., are the prize that digital pirates seek. Keeping ransomware out of these environments is a priority.
Digital ransomware pirates typically aim to compromise end users as their entrance to an organization. They then navigate quickly to high-value assets, encrypting everything in their path. While vulnerabilities in the perimeter always exist, it remains the hardest way in. End users are much easier to target since they can be enticed with spear-phishing attempts, and even physical acts of deception. Most organizations don’t fail from the outside in, but from the inside out. Data center servers don’t click on suspicious links, but people do. So, we see that organizations face highest risk at a different location and in a different compute environment from the ultimate economic target. Laptops and data centers have different profiles and needs, and require different strategies.
Illumio built its Core and Edge products to contain ransomware and stop it from spreading. When user education fails and people are deceived, Illumio’s Zero Trust Segmentation is the best way to limit spread, enhance detection, and protect critical assets.
All ransomware works by establishing a presence on one machine and then traversing open ports from one machine to another. Block those ports and the ransomware can’t spread. This doesn’t require detection, analysis, or “being right.” If there’s no transport, the malicious payload can’t be delivered. Illumio does this for users and data center assets.
In the world of laptops and mission computers operated by users, Illumio Edge applies Zero Trust Segmentation to limit the spread of any infection, with containment by default on the first compromised machine. Illumio Edge closes down all management and peer-to-peer traffic ports (the ones used to propagate ransomware) so that they are not open between user machines. Illumio Edge works across VPNs as well – a remote user should not have a wide-open network connection to the cloud and data center, and we make sure that Zero Trust policies limit that connection to only the exact services minimally required. Illumio works across your existing VPN, it works across company WAN links, it works for VDI, and laptops. Remember, every roadblock to the spread of malicious code buys time. That time gives your SIEM, EDR, and security analytics products a chance to work. When ransomware spreads in 30-60 seconds, lengthening that time into minutes, hours, days, or forever is the difference between detection and elimination versus becoming the next headline breach. Even EDR is a reactive control that relies on time-to-detection before it responds – and seconds may be all it takes when you’re dealing with zero-day threats or modified strains not already recognized.
Within the data center, or even in a public cloud, we can no longer afford to believe that basic firewall zoning accomplishes any meaningful isolation against ransomware. The internal boundaries put up to keep human accidents from happening between Dev and Prod are of little use against aggressively harmful code. The simplest Illumio Zero Trust Segmentation policy of application ringfencing removes 90% of the possible paths for malware to spread. Choose to tighten controls down to the tier or port and process level and the ability to move across the data center is essentially eliminated. Malware depends on vulnerable ports being open between machines. Illumio Core closes those ports, hardening every application, server, VM, and application service against spurious external connection. Better yet, every single server becomes a policy-aware sensor. Any communication that violates the policy immediately triggers alarms and events to expose even the attempt. Illumio Core moves the security perimeter from the edge of the data center to the compute instance itself. Illumio Core works on servers, VMs, containers, cloud instances and even mainframes!
Detection and prevention technologies have failed. Seeing a pirate coming across the open ocean didn’t mean that you’d be safe in the past, and having scanners that find previously known attacks is no better in the present. Organizations need to eliminate ransomware risk, not manage it. Illumio Core and Illumio Edge work together to eliminate the paths that malicious software uses to spread its greedy tentacles across and organization. Illumio Edge closes all the unnecessary and unused ports from the user side, reducing the risk at the point of infection. It works wherever the user is – inside a company office, across a VPN or even plugged into a switch port in the data center. Illumio Core protects digital assets by moving the perimeter so that lateral movement becomes almost impossible without detection.
Throughout history, better defensive strategies cause offensive strategies to fail and pass into the dustbin. In the days of wooden ships and cannons, steel hulls changed the game fundamentally. In our modern age, Zero Trust Segmentation is the steel plating that our user laptops and data center compute instances need. Getting a better telescope or even long-range radar may be useful. But at the point of conflict, hardened, seamless steel is the protection that keeps intruders and their weapons at bay. Illumio’s products eliminate the paths that ransomware uses to spread, containing breaches, and providing time for detection and remediation to occur.
To learn more: