By now, you will all have heard about the rampant spread of ransomware through countless press pieces, blog articles and, far too often, the outrageous claims of some security vendors.
But let’s stop and think for a minute or two. How did these attacks happen? Are companies focusing on valid threats, fixing the right problems, or developing the right processes? Have so-called disruptive technologies disrupted our thinking? Let’s not go tactical. Instead, we need to ask, “What is our best strategy?”
Ever since the NGFW (Next Generation Firewall) circus came to town, it’s become cool to spend time at the sideshow tents while missing the main event. For example, looking at how a firewall can manipulate details about a user’s application habits has been quite trendy. I’ve seen a number of vendors over the years try to win customers by demonstrating the gory details of how an enterprise firewall can block a certain game in Facebook, while at the same time allowing other games to pass through. As a result, firewall capabilities began to be measured and judged based on the number of application signatures their firewall contains, the conclusion being that more application signatures makes for a better enterprise firewall.
While this and similar trends have been dominating the enterprise firewall conversation, the recent epidemics of Wannacry and Petya should make both enterprise firewall vendors and their customers think twice. The question they should be asking is whether they are really focusing on the problem that needs to be solved. Or are they still standing at one of the sideshow tents knocking down milk bottles and collecting teddy bears?
Because, after looking at this problem carefully, I am led to one conclusion: both NGFW vendors and their customers are focusing on the wrong problem. The key business risk (and as a security research team we have seen and proven this over and over again) continues to be email-based ransomware and malware.
Let’s take a look at a typical ransomware attack and how an enterprise gets hit.
We start with our old friend and constant companion, email. People are used to spam messages today. Even the dumbest ones are still circulating: the million-dollar lottery win, or the person descended from that foreign monarch who can’t wait to share his wealth with you. The cleverer attempts masquerade as a message from your bank letting you know of some non-existent problem with your account, the government trying to collect or return tax money, or information about an important package waiting for you. And of course, there are the scarier attempts, like an urgent message from your boss demanding, at short notice, some information, or better yet, some payment for the latest super secret project he’s working on for the company.
We call these last, targeted attempts spear phishing (this is an industry that has no problem coming up with new terms). Spear phishing emails contain all the right names and all the correct details to make them seem convincing. IT professionals like to think they can easily spot the mistakes in these emails, such as spelling errors, clumsy grammar, or last year’s logo, and laugh the attempt away. But an enterprise isn’t made up exclusively of IT professionals. In fact, even a professional IT company requires additional help to make its business viable. And for the rest of the companies out there, if you employ hundreds, thousands, or tens of thousands of employees, there is always that one person, be they a contractor, an intern, an overworked friend at the desk next to yours, an executive that you’d never expect to fall for this type of thing, or sometimes even you, who will click that infected link or attachment.
Once that link is clicked, it cannot be unclicked. And then the nightmare begins.
The malware it launches immediately begins searching for the valuable and the vulnerable. It also delves into the murky depths of your file system looking for peer computers on the same network that it can infect. Soon, the encryption of data and drives starts, and then the blackmail begins. To get your data back, your company finance department will have to go and purchase bitcoins (after first looking up what a bitcoin is and how to buy them) to see if that will release the data being held hostage. But that’s rarely the end. Other twists and turns will arise that will tie your company in knots for days, weeks, or months to come. Then the newspaper headline appears, and everyone knows what happens next because we read about it every day.
This process, or one very much like it, has been happening every single day for years, in spite of billions of dollars being spent on NGFW devices. Why?
Well, one reason might be that insiders are responsible for 60% of all attacks. Of these, three-quarters are intentionally malicious, while the rest are inadvertent. But the point is, all of them happen on the wrong side of the firewall. Which is why effective defense systems need a fabric-based approach that contains the following elements:
Security requires much more than a firewall that can turn off Facebook games. It needs to provide a holistic, integrated approach to security that spans your entire network. Don’t get me wrong. An NGFW appliance plays an important role in your security strategy. But it’s not enough. Which is why we provide much more than NGFW appliances and platforms. And because we provide full-service, enterprise-class security, we know a circus when we see one.