Ransomware Survey Review with a CISO Lens

By Alain Sanchez and Joe Robertson | October 08, 2021

Ransomware has become a growing concern for organizations and risk preparedness is top of mind for CISOs. In the 2021 Ransomware Survey Report, Fortinet surveyed 455 business leaders and cybersecurity professionals worldwide to gauge their state of readiness to defend against the growing challenge of ransomware. The survey explores the concerns of organizations around the threat of ransomware attacks and how prepared they are to mitigate or defend against such attacks. Fortinet Field CISOs Alain Sanchez and Joe Robertson joined us to discuss standouts from the survey and what CISOs should prioritize when protecting against ransomware. 

Key Findings From the Ransomware Survey Review 

What is the most interesting takeaway for CISOs from this report?

Joe - While 62% of organizations named ransomware as their top concern, the survey uncovered a gap between the strategies and tools these organizations saw as necessary to protect against the threat of ransomware. When asked about their protection investment plans, many organizations included Secure Web Gateways (SWGs) and IoT security and named them as essential for securing themselves against ransomware. However, some foundational cyber tools are low on the list of priorities for organizations. Items such as sandboxing and segmentation were at the bottom of the list even though ransomware attacks generally include malware variants that sandboxes are equipped to detect. Segmentation is a great way to block the lateral movement attackers rely on once a remote endpoint device is compromised. Additionally, Secure Email Gateway was at the bottom of the list, though organizations indicated that employee phishing via e-mail is the most common vector for ransomware access. 

Can you explain the disconnect between the security concerns of organizations compared to the security solutions they have identified in the report as their top priorities? 

Joe - Many people, even security professionals, think ransomware is a different kind of attack when in reality, it is just another form of malware. Part of this varied interpretation is due to the dramatic nature of ransomware, and the prominent coverage it has received in the general media. It pops up on a screen somewhere and announces that your files have been encrypted. Many think of it as a point problem that can spread, but ransomware is just like any other kind of malware. An attack follows the full cyber kill chain, the steps an attacker takes to infiltrate a network. The ransomware is just the delivery of the final weapon. 

When protecting yourself against ransomware, you need to move past the weapon and try to protect yourself against every aspect of  the attack process. Being prepared on multiple points across the attack chain allows you to catch the attack before the ransomware is delivered. 

There is a statistic that says that 98% of all breaches come through social engineering, system intrusion, or basic web application attacks. These are things that we have tools to block, prevent, or mitigate against. Ransomware isn’t different from any other form of malware - it is just a very visible and shocking example of it. 

Alain - Ransomware is a mode of extortion, but the attack can be a lot more complex than that. It can masquerade and deploy in various places of the value chain and go under the radar. You may continue operations after you’ve “gotten rid of” the ransomware, thinking you’re off the hook, but that relief is in fact a smokescreen for what’s to come. More sophisticated attacks can deploy even after the initial attack has been resolved. This is what we refer to as the upstream, parallel stream, and downstream in the attack structure. The origin of ransomware is one part of the upstream and often involves an individual accepting the ransomware invitation in some form. Many do not understand the attack structure of ransomware and view it as its own unique entity when it’s really just malware. The education of employees, security professionals, executives, and so on regarding phishing and its advanced forms would be the ideal solution to combating this disconnect. 

Are SD-WAN, segmentation, zero trust essential to combat ransomware?  

Joe - Segmentation is not just something for the data center. It is a very strong tool to prevent ransomware attacks from spreading and is an important method which can go a long way towards mitigating an attack on a single end-user device and stopping it from spreading to other environments, devices, or the data center where it can really wreak havoc. Lateral movement is a big goal of cybercriminals and segmentation is key to preventing this technique and therefore helpful in stopping the spread of cyberattacks.

Alain - Zero trust is a framework that does real-time authentication and fits in a strong architectural cybersecurity strategy alongside segmentation and SD-WAN. It's also something that evolves over time. When you have more and more devices asking for network resources, zero trust provides a context-sensitive way of authorizing access to these resources. It also enables a new wave of innovation because you can leverage the low latency of the advanced access networks, to create an all new ecosystem of applications. You can make these decisions without necessarily needing to go back to the core of the infrastructure to seek data or take action. So in some ways, zero trust is empowering in cybersecurity because of the overarching management with the centers of decision being closer to the centers of operation for better response time and incentive applications. In addition, while ZTNA, which was noted in the survey, is an emerging technology, it should be considered a replacement for traditional VPN technology. 

How CISOs Can Take Action Against Ransomware

What should CISOs prioritize when protecting against ransomware?

Alain - Before anything else, it is important to create a road map of prioritization and learn what to do with your existing legacy infrastructure. The first step of this process is to have a healthy conversation with the stakeholders of your company. The production, marketing, and other C-level executives should be involved in the beginning process prioritization. By doing this you can get a sense of where to start and what to start protecting based on what matters most in the value chain. All value chains are not equal, as some may prioritize protecting the web applications, firewalls, database, or internet traffic. To navigate and remove excess, conversations with the most important stakeholders in your company are the best place to start. This also places security as part of the value production and enables you to prioritize, budget, staff, and transport in the right order. You don't want to start at the end of the pile that has no impact on your value chain and may not even be your priority. After this step, you need to build a scenario of transformation that includes network transformation as much as it does security transformation. All of these scenarios need to be signed off by the entire board, not just the security team. This technique allows you to limit the pushback that is often received in these transformations because people are not involved in the decision-making process or creation of the priority list. Actions are decided together and limit the line of risk to any related investments as the team decides to conduct together and the CISO and CIO are tasked to execute against the scenario. 

Joe - One of the biggest mistakes CISOs can make is to have a strong opinion about the way the team should go about securing the network without having explained and communicated enough before diving into the deployment of that transformation. When these transformations fail it is because of pushback or delay due to unexpected impacts they have on the entire ecosystem of business transformations. 

One great takeaway from this report, security leaders are concerned and working to address ransomware, sometimes awareness is half the challenge.