Prevent Ransomware with SASE
Ransomware Series Part 2


Written by: George Grzyb, Nexum Principal Engineer
Connect with George on LinkedIn

In Part 1 of this series, Ransomware Disruption Overview, I discussed ransomware campaigns, breach considerations, and prevention options. Now let’s go a bit deeper into three technologies that can help prevent ransomware: Cloud access security broker (CASB), secure web gateway (SWG), and data loss prevention (DLP). These components have converged into a single solution for what has now been coined the secure access service edge (SASE) architecture.

Previously, a minefield of security solutions was supported by Gartner’s recognition of multiple Magic Quadrants. However, to adequately protect the network and users, the same manufacturers generally bundled a combination of products, now part of numerous Magic Quadrant discussions. SASE is the accepted security architecture framework encompassing cloud-based network and security solutions in a single conversation. The components of this framework strive to protect business resources wherever they may be located. As business applications and networks have been extended into both cloud and personal computing environments, these solutions must be robust enough to grow across multiple avenues of business data access. SASE manufacturers are differentiated based upon the maturity of their components and the current needs of the business.

Every business faces the same challenges in terms of SASE. They need to enable remote workers and support cloud-based solutions. Both are far removed from the legacy data center where network constraints and security controls traditionally reside. At the same time, they need to protect their sensitive data while maintaining control and visibility. There is certainly a balancing act required here. One way to start is by reviewing the SASE components and asking a few typical questions to foster discussion and distillation of a defense plan.

 

Cloud Access Security Broker

If your enterprise is well into its cloud journey, there is no doubt that visibility has become a concern. The disturbing fact is that many of your employees have already been using the cloud for a long time with applications such as Box, Dropbox, Google Workspace, Slack, and others.

When building your SASE strategy, some questions you may ask regarding CASB use cases are:

Do you have a list of sanctioned cloud applications mapped to business required services? Do you know what unsanctioned cloud applications your users are currently utilizing?

Each business should use its dedicated instance of any software as a service (SaaS) solution. Otherwise, Shadow IT becomes a genuine concern as your users will find ways to facilitate their needs. For example, they could use their personal Dropbox to share a sensitive file with a business partner. A CASB instance integrated with a business-sanctioned Dropbox tenant would provide the visibility and controls to prevent such an occurrence. Additionally, access to non-sanctioned SaaS solutions should be blocked for most users, bypassing business controls. The CASB agent would steer user traffic for inspection and either block or provide a coaching page when non-sanctioned applications are accessed. However, certain users should be supported in bypassing restrictions based on business needs, such as Human Resources, IT, or Managing Directors.

Some solutions also provide visibility into cloud applications currently being used so that you can quickly identify operational business requirements. Such CASB solutions provide the risk and security assessment information required to determine potential adoption by the business. If many business users are leveraging file-sharing services, then perhaps your email solution does not allow for sharing of files above a specific size. If this were a fundamental business requirement, there should be a sanctioned solution for file exchange with third parties. Instead of setting up FTP/SFTP servers internally, you can adopt a business tenant within a cloud solution and train your business users on appropriate usage. We will touch upon DLP later, as this is another concern with cloud storage.

Are your developers leveraging infrastructure as a service (IaaS) or platform as a service (PaaS) solutions from such vendors as Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure?

While some businesses focus on a single platform, others take a multi-cloud approach supporting at least two different providers for resiliency and selective traffic steering to the lowest-cost compute resources. It would help if you also had visibility tools in place to ensure adherence to any sanctioned provider. If your business has multiple development teams, they should all align to use the approved platform. If your business is focused on AWS and has the proper security controls to restrict read/write access and file uploads, it would not be very prudent to allow your users to place files in an unsanctioned instance of GCP. There have been several instances where businesses have been compromised due to a user uploading sensitive files to unsecured storage on the Internet for all to download. This is where a CASB solution can both restrict access to unsanctioned IaaS and PaaS solutions and provide the required security controls for your sanctioned solution via API tenant connectivity.

Is your business subject to GDPR, HIPAA, PCI-DSS, or other regulations? Are you protecting this information within the cloud?

Governments have imposed various regulations to protect data, privacy, medical records, and payment card information. Traditionally lax security controls have resulted in well-publicized compromises of sensitive information. While compliance can be quite costly, CASB solutions are game-changers. Accessing your IaaS or SaaS configuration via API interoperability, these solutions can examine your configuration and provide metrics on compliance. Additionally, misconfigured security controls are flagged with suggestions to improve data security and integrity. For example, as we have seen in the news, exposing files via AWS S3 buckets is trivial. Without security controls or monitoring, threat actors can easily access damaging information (database dumps, personal information, access to production passwords, source code for applications or games). CASB solutions provide reporting on unprotected AWS S3 buckets, in addition to using DLP to classify sensitive data and compliance automatically.

CASB helps prevent ransomware in a few ways. By controlling access to cloud services, a business restricts the free movement of files that can be exploited for malware spread. A publicly shared folder is ripe for bad actors dropping malicious files and simply waiting for unsuspected user access. Regular hygiene of cloud infrastructure via API hooks prevents the type of misconfigurations that can be targeted by bad actors to gain a foothold into your environment. If a bad actor can find a manner to ‘live off the land’ and leverage your own infrastructure to spread malware, move sensitive files, or simply wreak havoc with ransomware, they sure will. A CASB will allow a business to control access to only business-sanctioned applications and specific instances of a SaaS tool, as well as regularly scan configurations for potential ticking time bombs.

 

Secure Web Gateway

Proxies have been around for quite a while, and are generally configured to provide Web/URL filtering and perhaps antivirus scanning of files. This solution has been typically deployed on-premises to control user access to the Internet. As the next-generation firewall (NGFW) feature sets evolved, this functionality has been reincorporated as SWG or a proxy without caching for outbound Internet access filtering. When deployed on the existing application delivery controller and NGFW components, control usually focuses on IP address and user session enforcement. With the increased focus on user access by a mobile workforce, CASB solutions adopted tightly integrated SWG features. This cloud-native solution now provides a single methodology to control client access to all Internet-based traffic, including SaaS applications and websites.

When building your SASE strategy, some questions you may ask regarding SWG use cases are:

How does your business control remote user access to the Internet?

Business users on their home networks will generally have unrestricted Internet access unless forcing all traffic across a VPN solution. However, with the adoption of cloud applications, it no longer makes sense to route all traffic through the private business network for inspection. Instead, it’s common to move this inspection to the user’s endpoint in conjunction with a cloud-based SWG component. This solution allows for granular user access through category filtering and directory membership while performing malware and advanced threat inspection. Unlike traditional solutions, which only provide client steering on-premises, the exact implementation using a client with a tiny footprint and taking minimal CPU resources can be utilized for CASB and filtering/inspecting regular web-based traffic. Instead of using a business data center for this function, a cloud-based tenant is being used for filtering and inspection.

Are you still relying on traditional antivirus protection on the user endpoint?

Traditional antivirus is based on definitions, which need to be regularly updated. There is also a limit to the number of definitions an antivirus engine can load into memory, causing much older definitions to be removed for performance purposes. Instead of just inspecting what is in memory or on disk, the same client used for SWG capabilities can be leveraged to decode and check evolving user traffic. Mobile applications, sync clients, TLS-encrypted websites, and unmanaged cloud services can all be inspected. These are new avenues for spreading malware, traditional viruses, new advanced threats, command and control traffic, data exfiltration, or ransomware. These more unique SWG solutions are driven by artificial intelligence and protect against zero-day and targeted attacks. Antivirus definitions no longer limit us!

What if users are attempting to access blocked content?

Generally, a business has specific sites they block with traditional on-premises proxies. However, such protections are not deployed at a user’s home. We no longer want to hairpin Internet connectivity through the data center. Another control must be instituted to block a business user from accessing restricted content when away from the business network and security controls. An SWG solution installed on the business laptop can provide users with a coaching page to indicate why content access is blocked and even offer a process for submitting a justification request to internal IT for temporary or permanent access. One example would be a stock trader researching a new Internet gambling site or a casino’s sister site. The business user can access this content using a policy tied to a username or directory functional group.

Do your remote users have a slow experience accessing cloud-based applications?

A fringe benefit of many CASB and SWG solutions has been speeding up user access to SaaS applications. The nature of the solutions (cloud-native tenants, API integration, reverse proxy) usually means deployment at the same co-location sites hosting SaaS applications that the solution is designed to protect. These points of presence (POP) allow for optimizing data traffic to sanctioned cloud solutions wherever your user is located. Instead of traditional access, the user endpoint is steered to a CASB/SWG solution tenant hosted at a POP and then routed within the same co-location site to the destined third party application.

SWG prevents business users from accessing malicious or questionable content hosted on Internet websites, both on-premises and working remotely. When this access is not controlled or monitored, a business user will eventually stumble upon a website hosting a zero-day exploit or some disguised malware executable. At this point, ransomware easily gains access to either your business asset or network. It is best to block user access to content and websites with no business justification.

 

Data Loss Prevention

DLP now pertains to all Internet-based communications, including access to traditional websites and the different sanctioned and unsanctioned cloud-based IaaS, PaaS, and SaaS solutions. Data loss can occur quickly with the prevalence of cloud-based communications and storage options. Many mature CASB and SWG solutions include DLP in their SASE architecture.

When building your SASE strategy, some questions you may ask regarding DLP use cases are:

What controls do you currently have in place to prevent a DLP incident?

There are a few options available for preventing data loss. These options include behavioral analytics, deep packet inspection, machine-learning, optical character recognition, watermarking, and many more. Current solutions allow for adherence to compliance regulations, restricted sharing of business and personal sensitive documents, and identification of nefarious user activity. The solutions available today are much more complex and comprehensive than traditional regular expression searches for patterns or the checking of document metadata.

Is your business subject to any compliance or regulatory restrictions?

One of the direct benefits of DLP solutions is restricting data shared outside of the business. Performing this inspection on-premises only is no longer relevant as the business user can now be working from a coffee shop or their home office. Additionally, data constantly changes, and there is a use case for leveraging cloud-based microservices, which are routinely updated for all users. The same is true for compliance and regulatory restrictions. DLP solutions can analyze data shared beyond the confines of office networks or the business user’s phone or laptop and prevent erroneous or malicious data exfiltration.

How many endpoint clients do you have deployed on user laptops and workstations?

The answer here is probably a few. One benefit of consolidating multiple solutions into the SASE architecture is that a single client can provide CASB, SWG, and DLP capabilities, controlling what users access, what users share, and who has access to the shared data.

DLP prevents the leakage of information. Some information can be utilized directly to generate revenue for a bad actor, or it can facilitate research. If a bad actor acquires enough sensitive information about your business, they can create targeted threat campaigns against certain individuals or attempt to exploit weaknesses in your application or network security. There is no need to make the life of a bad actor any easier!

 

Next Steps With Nexum

In summary, there are many interdependencies today between CASB, SWG, and DLP. There is a reason this umbrella of solutions has been rebranded as SASE and why any relevant security architecture should deploy all three solutions. The data center no longer constrains business and needs to adopt and protect evolving cloud access for all users regardless of wherever they work, be it office desk, home couch, or coffee shop.

The Nexum Solutions team has a wide breadth of experience with different product solutions and their business environment automation and integration. Perhaps you already own and use certain components of the SASE framework? If you are not using the full potential of these products, require assistance with their configuration and deployment, or are perhaps unsatisfied with the current toolsets, Nexum can help! Alternatively, if you are just starting on your journey, Nexum can assist with architecting and planning. We look forward to discussing your SASE architecture and general cloud adoption strategy.

Jump to –

 

Check Out More Resources

Nexum Resources

Enterprise Logging Best Practices

Each quarter, the managed security team at Nexum shares insights from our first*defense SNOCC. In this post, we decided to share some general logging best practices that are likely to benefit every organization.

Read More »