Security is something that most IT folks have a love/ hate relationship with. OK, mostly hate… because data security is not easy and it’s not something you can just do and forget about, instead you must continuously adapt your network security to keep up with evolving threats and mitigate risk.
2017 is another year of escalating security threats from Malware and in particular, Ransomware.
Malware is basically any software that can be executed and that was crafted to be malicious. The types of malware can be a Virus, Trojan, Spyware, Worm, Adware, Botnets, Ransomware. These things propagate typically through email attachments and internet downloads, but some can be executed just by someone visiting a malicious website. As soon as you go there, if you are not well protected, you are now a victim.
Ransomware is a subnet of Malware, and the purpose of it is to hold hostage one of a corporation’s most valuable assets, it’s data. The ransomware encrypts a targets hard-drive and demands payment to unencrypt it. This payment is typically through a bitcoin exchange, so getting Law Enforcement Authority involved will be usually of no help.
In May, WannaCry, one of these Ransomware, was famously launched and attacked targets around the world causing major outages and resulting in data loss, there were reportedly more than 200,000 infected hosts spread over 150 countries before it could be stopped. And it only stopped spreading because a whitehat researcher found a kill switch in the code and implemented an easy global fix with a domain registration.
A few months after, Neytya, a similar attack was launched without the kill switch. Luckily, most of the previously vulnerable hosts had been patched in response to WannaCry… if Neyta had launched first, the impact would have been exponentially higher.
Full Data Loss, if it is on a critical system, can be catastrophic for a corporation. It could cause the shutdown of operations, loss of revenue, lawsuits and even closure.
Fortunately, there are tools that can help with mitigating the threat.
One of the main vectors of attack is Malware from and to endpoints. We’ve helped some of our customers with deploying endpoint protection, specifically Cisco AMP for Endpoints. Most people are familiar with antivirus and probably have some form of endpoint protection already. These are mostly anti-virus, and sometimes adware programs. They work by analyzing the signature of executable files against a current list of signature/virus definition and if it matches, then the file gets quarantined.
Cisco AMP goes a bit further than traditional anti-virus, by doing the following
- Prevent, detect and respond: AMP prevents breaches by blocking malware and through its visibility can detect and respond.
- Provides Deep visibility with context and control: AMP tracks file activity across all endpoints so it can stop threats fast and remediate as necessary.
- Threat intelligence and sandboxing: AMP leverages the Cisco TALOS Group to analyze and identify threats then deliver that intelligence back to AMP.
- Ability to block malware in real time: AMP leverages global analytics, fuzzy fingerprinting and built-in anti-virus.
- Continuous monitoring and recording: Once a file lands on an endpoint AMP conducts dynamic analysis of the file behavior.
With the proliferation of IoT, a lot of devices are purpose built and can’t install or run anti malware software. For those types of devices, there is Cisco Umbrella with Secure Internet Gateway (SIG). SIG lives in the cloud, and with combination of DNS can ensure all destinations are analyzed. DNS is the first line of defense and known vulnerable domains will not even resolve to the real IP address of the risky site. SIG will secure IP traffic that is resolved to ensure files and executables are safe.
Traditionally there is the edge firewall, which has been in place for decades providing IP and port filtering. But now with additional capabilities the traditional firewall has been transformed to the “Next Generation” Firewall. This means it continues to provide IP and port filtering, and also performs services such as IPS, anti-malware protection, URL filtering, and application recognition. In the past it used to take 3 or 4 appliances to perform these functions.
Today’s workforce is digitizing rapidly with more and more companies’ supporting trends like mobility and “bring your own device”. A good way to deal with that is with an authorization and access control solution such as Cisco Identity System Engine (ISE). In addition to identifying users that are coming onto your network, it can also validate the posture on devices attempting to gain network access. ISE can deny access or provide limited access such as a quarantined network zone that has access to remediation software resources.
Looking to the immediate future, automation is going to be big as IT budgets are shifting to software and analytics. One of the best tools enabling IT departments to maintain a high level of quality and customer satisfaction is automation. A common mistake we see in some of our customer’s network is that network security is inconsistently applied across sites, or sometimes even devices within the same site. Here is where Security Orchestration and Policy management will help, a single pane of glass that you can apply to multiple devices with consistent application of your policy, this will ensure a consistent policy is applied within your environment.
Another upcoming trend is the increasing use of end-to-end data encryption. While this is great for people doing things like going to their bank’s website, this also creates opportunities for threats to evade inspection and malicious activities can go unabated. The traditional approach to address this is to decrypt the traffic first, analyze/protect, then re-encrypt it before sending it on its way. As you can guess, this is a resource intensive task and causes delays that could be noticeable to the end user. Not to mention that you’ll need a pretty beefy firewall for larger Internet connections.
A new technique called Encrypted Threat Analysis or ETA uses machine learning to look for patterns in the TLS handshake metadata, HTTPS headers and DNS contextual flows. Without having to decrypt/re-encrypt, ETA can detect threats without tripping false positive alerts and avoid the performance penalties of actual decryption.
IT security continues to be an evolving challenge that requires care and attention for now and the foreseeable future. At LookingPoint we do our best to stay ahead of the evolving technology landscape, to ensure we are providing the best services and solutions to our customers.
Written By: John Li, LookingPoint Principal Network Architect - CCNP