Since the onset of the pandemic, we’ve been dealing with risk – and not only when it comes to our health. Corporate security is under attack, as ransomware continues to infiltrate networks at an alarming rate, wreaking havoc on data, applications, and IT infrastructures everywhere.
The hybrid work environment has introduced myriad vulnerabilities into the workplace, as employees sign on from home with unprotected devices – and hackers are having a field day. There were 304 million ransomware attacks worldwide in 2020 alone – a 62% increase from 2019 – and the impact can be devastating to a business. According to the IBM/Ponemon Report, the average cost of a ransomware breach is $4.62 million, not to mention the reputational damage that ensues.
While traditional prevention controls such as patching, firewalls, intrusion detection systems (IDSs), and others aim at preventing an attack, ransomware inevitably slips through the cracks. Here's are four reasons why:
- Inadequate detection: Traditional antivirus and malware detection solutions are difficult to manage and often poorly configured. Even when they detect a virus, they can’t necessarily stop it or recover damaged files. What’s more, almost a third of malware is unknown. By design, antivirus systems can only detect known patterns, and it takes time to analyze new patterns and incorporate them into the definition files.
- Evolving techniques: Ransomware can enter an organization through phishing emails that encourage employees to download malicious files or apps or visit infected websites. According to the HP-Bromium Threat Insights Report, about 88% of the malware researchers observed was delivered to users’ email inboxes after bypassing gateway filters. Mobile attacks are also on the rise and designed to spread from one device to another – an especially threatening proposition given the rise in unprotected mobile devices connecting to corporate networks today. What’s more, Malware writers use packing and obfuscation techniques to conceal original code and bypass security controls.
- The cloud and RaaS: With access to a global cloud infrastructure, fraudsters benefit from scale and standardization, which make it easier to launch an attack from anywhere. The cloud has also given rise to the Ransomware-as-a-Service (RaaS) trend, where larger, more established criminal organizations such as Netwalker/Mailto, REvil, DarkSide, and others sell ready-made ransomware programs to eager buyers who can then rapidly and cost-effectively launch attacks.
- Bigger, faster payoffs: An increasing reliance on digital infrastructure means that businesses are more willing to pay ransom for their data and digital resources. Plus, the advent of cryptocurrency makes it easier to collect a payment undetected.
With the frequency of ransomware attacks today – and their ability to circumvent traditional prevention solutions – enterprises should assume a breach is already underway and implement strategies and technologies that do not ensure rapid detection but help minimize the severity and lateral spread of a successful attack.
Why ZTA works
Identity-based zero-trust access (ZTA) systems leverage a cybersecurity mesh implemented at Layer 3 with distributed identity-based policy, providing numerous advantages. For starters, each user, machine, and application has its own perimeter security; access permissions are controlled based on identity, role, and policy, with individuals having "just-enough" and "just-in-time" access. This control extends across users, machines, applications, and data – on-premises, in the cloud, or in remote locations – securing all file and data transfer across connected devices and network resources.
Unlike VPNs which enable remote and unprotected user devices to connect to the network, with ZTA, remote users never make it inside the network. RDP, VNC, Modbus, and other unsecured protocols – which can be vulnerable to attack – are not exposed outside an organization but instead proxied over TLS sessions. The system lies on top of existing OT and IT architectures and doesn’t require any network or system changes to work.
Since all network entities have their own perimeter security, the attacker has no network visibility. Because the attack is contained, it's much easier to detect and identify anomalous behavior, particularly when AI-driven fraud prevention tactics are employed. And since zero-trust systems rely on macro, micro, and nano segmentation, when a device or network resource is penetrated, the attack doesn't spread.
According to the IBM/Ponemon Report, it takes an average of 287 days to identify and contain a data breach. With ZTA in place, organizations end up paying about $1.76 million less for a breach, which explains why the number of organizations implementing zero-trust cybersecurity systems has more than tripled, increasing from 16% to 60% in just three years.
If they can’t make it spread, it’s not worth their time
If a burglar enters your home and finds all the rooms are locked with dead bolts, he can only steal what’s in the entryway – and he’ll probably leave and try another house. Similarly, reducing the impact of a ransomware attack by minimizing the blast radius can make the crime less enticing for criminals looking to cash in.
While there’s no silver bullet to stopping a ransomware attack from occurring, implementing a zero-trust network architecture enables enterprise SOCs to box in an attack, limiting the extent to which a fraudster can commandeer data and resources – and the impact of refusing to pay the ransom. Realizing the futility of their efforts, the criminals will likely give up and go knock on someone else’s door.
Sundher Narayan is the CTO and Co-Founder of Elisity.