December 7, 2021

Assessing Vulnerabilities to Stop Ransomware

Nathanael Iversen, Chief Evangelist

In a previous post, we took a look at risk-based visibility as the first step in containing ransomware and other malware.

This post will address how to map those vulnerabilities against connectivity patterns — that is, how applications and processes communicate with each other and across networks.

It’s the last step needed before actively blocking and preventing the spread of ransomware.

Augmenting visibility with rich data about communications

Inside a typical production environment, pretty much everything can talk to everything else — applications and machines within subnets, VLANs, zones, you name it. That lets business systems do their work as they share data and communicate with the outside world. But it also creates a problem. If malware infects any part of such an environment, it can spread very quickly.

To stop the spread of malware through production environments, you need to block the ports it exploits to move from one application or machine to another. But you also need to know what ports to keep open so your systems can keep doing what they need to do.

That’s why stopping the spread of ransomware and other malware depends on real-time visibility into communications between assets. After all, you can’t close needlessly open ports if you can’t identify them.

Moreover, you need to determine what ports carry the greatest potential risk. Only then, with this intelligence in hand, can you implement proactive and reactive controls that don’t grind your business to a halt. That way, you can limit your exposure to a breach to just the point of entry in your network without negatively impacting operations.

Such risk-based visibility also lets you prioritize patching before an incident occurs.

Prioritization is essential because IT departments in charge of large networks can’t keep every system patched all the time. Some patches necessarily get addressed before others. Obviously, you want to prioritize fixing the systems that carry the most potential risk. The question is, which ones are those?

Answering that question depends in large part on network connectivity.

Consider that vulnerabilities on a server operating in complete isolation represent far less of a threat than those on a machine in the middle of a data center accessible to thousands of others. Also consider that some open ports present a greater danger to network assets than others.

What’s needed is a way to quantify the risk posed by a given set of ports in the context of particular systems and how those systems connect to each other and the broader internet.

Identifying the riskiest ports

The fact is, some ports carry more risk than others. Riskier ports include highly connected ports used by Microsoft Active Directory and other core services. More risk also comes with systems polling and reporting on IT infrastructure.

Peer-to-peer ports represent a significant risk, including those used by such services as remote desktop management and file-sharing applications. Even many social media applications work this way. They’re designed specifically for the kind of any-to-any traffic pattern that keeps security practitioners up at night. Malware often targets these ports precisely because they’re ubiquitous, usually open, and "talk" in arbitrary ways.

Finally, older communications protocols such as FTP and Telnet tend to stay on by default, even if no one uses them per organizational policy, and represent well-known vulnerabilities. That makes them especially attractive targets.

But knowing that some ports carry greater risk than others is one thing. It’s something else to find and quantify them across sprawling enterprise networks. You’ll also need to know how all of these assets connect.

That’s where visualization provided by Illumio comes in.

Quantifying connectivity risk

Illumio overlays data from vulnerability scanners such as Rapid7 and Qualys on top of Illumio's maps of your applications and how they connect – forming vulnerability maps.

It works by taking in connection data from sources such as routers running NetFlow and JFlow, switches, cloud systems, operating system connection tables and more. It then combines this information with data from vulnerability scanners.

Next, it brings in user and machine identity information from such sources as Active Directory, configuration management databases, security information management systems, and IP address management systems.

The resulting maps give you real-time, risk-adjusted views of all your systems. They take in operating systems, user laptops, cloud applications and their containers, mainframes, load balancers, network devices, firewalls, you name it. The result is end-to-end visibility that gives you a clear-eyed understanding of risk.

For example, does a database server maintain open connections to 300 machines on a subnet when it only needs to connect to 10? Illumio’s maps will highlight it as a concern so you can take action.

In addition to how assets exchange data within networks and data centers, Illumio lets you know how much and how often they communicate to the outside world. This knowledge can help you decide what controls to put on what machines and what patches to prioritize.

How vulnerability exposure scores improve operational efficiency

Making it even easier to assess risk, Illumio combines vulnerability, connection, and segmentation policy information to summarize it all as a vulnerability exposure score. This single number gives you a quick understanding of relative risk exposure in the context of running applications.

[Figure: vulnerability map showing an exposure score]

Many Illumio customers find that this metric alone gives them what they need to segment systems as a way to compensate for their inability to keep all their patches up to date all the time. Segmentation means reducing the most vulnerable ports to the smallest possible radius — that is, communicating with as few other assets as possible.

Illumio’s vulnerability scores let you quickly home in on those problem areas: first isolate them through segmentation to the extent possible without interrupting operations, then patch according to schedules you can realistically maintain. In other words, vulnerability scores and segmentation enable effective prioritization for vulnerability remediation.
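To make the idea of a connectivity-weighted exposure score concrete, here is a small added example (not Illumio's code or its actual scoring formula). It assumes a hypothetical scoring rule, CVSS multiplied by the number of distinct peers that can still reach the vulnerable port once a segmentation policy is applied, and uses constructed flow, scanner and policy data to show how provisioning a policy for the over-connected database server from the earlier example lowers its score before any patch is applied.

```python
from collections import defaultdict

# Constructed sample data (hypothetical host names, ports and CVSS values).
# Observed flows from NetFlow / OS connection tables: (source, destination, dst port)
FLOWS = [
    ("web-01", "db-01", 3306), ("web-02", "db-01", 3306), ("app-01", "db-01", 3306),
    ("ws-101", "db-01", 3306), ("ws-102", "db-01", 3306), ("ws-103", "db-01", 3306),
    ("ws-101", "file-01", 445), ("ws-102", "file-01", 445),
    ("jump-01", "file-01", 3389), ("ws-103", "file-01", 21),
]
# Scanner findings: (host, port, CVSS base score)
VULNS = [("db-01", 3306, 7.5), ("file-01", 445, 9.8),
         ("file-01", 3389, 8.8), ("file-01", 21, 5.3)]
# Segmentation policy: sources allowed to reach (host, port).
# A (host, port) with no entry is unrestricted, i.e. every observed peer can reach it.
POLICY = {("db-01", 3306): {"web-01", "web-02", "app-01"}}


def exposure_scores(flows, vulns, policy):
    """Score each vulnerable port as CVSS x number of distinct peers that can
    still reach it once policy is applied (hypothetical rule, not Illumio's)."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[(dst, port)].add(src)
    scores = {}
    for host, port, cvss in vulns:
        observed = peers[(host, port)]
        allowed = policy.get((host, port))
        reachable = observed if allowed is None else observed & allowed
        scores[(host, port)] = {
            "cvss": cvss,
            "observed_peers": len(observed),
            "reachable_peers": len(reachable),
            "score": round(cvss * len(reachable), 1),
        }
    return scores


def ranked(scores):
    """Highest exposure first: the order in which to segment, then patch."""
    return sorted(scores, key=lambda k: scores[k]["score"], reverse=True)


if __name__ == "__main__":
    before = exposure_scores(FLOWS, VULNS, {})      # nothing segmented yet
    after = exposure_scores(FLOWS, VULNS, POLICY)   # database policy provisioned
    for host, port in ranked(before):
        key = (host, port)
        print(f"{host}:{port}  before={before[key]['score']}  after={after[key]['score']}")
```

Re-running the scoring after each policy change is the "rinse and repeat" loop: the ranking tells you which port to segment next, and the before/after delta is what you report.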

Illumio gives you a comprehensive, risk-based view of your entire environment. It lets you see active flows, overlays risk analysis based on open ports used by malware, and quantifies that risk. After making changes to your environment, you can rinse and repeat to see how risk scores change over time, giving IT and security teams a powerful tool for reporting on risk and triaging vulnerabilities.

Generating policies to block risky ports

Illumio can also actively mitigate risk by blocking ports between workloads before you get to patching them or in cases where you can’t access affected systems. Think of it as patching data flows until you’re able to patch workloads.

Moreover, Illumio can suggest policies for blocking ports as part of a built-in workflow called Policy Generator.

You can save a suggested policy and then have Illumio provision it across your applications. With this tool, you can protect your environment with just a few clicks in just a few seconds rather than white-knuckling it for the days or weeks required to deploy patches.

A powerful tool for assessing vulnerabilities

Altogether, Illumio gives IT and security professionals rich, risk-based visibility into all of their application communications and lets them block communications on a risk-adjusted basis to stop the spread of ransomware.

Along with implementing preventative controls, Illumio can enhance your incident response ability with active segmentation policies to stop ransomware in its tracks.
