The Three Pillars Of A Resilient Ransomware Strategy

Anurag Kahol, CTO at Bitglass, explains how organisations can embed ransomware resilience into the heart of their cyber strategies

On any given week, ransomware attacks generate familiar headlines, with victims experiencing various degrees of downtime, data loss, and reputational damage as they try to recover. Even before the arrival of COVID-19, the ransomware epidemic was a growing problem, but the shift to remote working has only exacerbated the risks as cybercriminals stepped up their efforts to target new gaps in organisations’ security postures.

Despite growing awareness of the dangers of ransomware and the shocking stories that see some organisations teetering on the brink of failure, far too many victims–both actual and potential–share a similar characteristic: they lack the needed resilience and find it extremely difficult to prevent attacks and restore systems to normality when they occur.

Yet, if we accept the premise that it’s not a question of if, but when organisations will be targeted with these threats, then ransomware resilience should sit at the heart of every cybersecurity strategy. But what does this resilience look like and what are the priorities which can help stave off an attack when it almost inevitably arrives?

Building a strategy around three strong pillars–secure web gateway, multi-mode CASB, and zero trust network access–can allow organisations to embed ransomware resilience in the heart of their cybersecurity strategies.

Secure Web Gateways

Cybercriminals often target cloud environments as a primary route to execute ransomware attacks, therefore building a defence against malicious web destinations (such as malware, phishing, and command-and-control sites) is absolutely critical. Secure web gateways (SWGs) help organisations establish a real-time defence against these destinations by preventing users from accessing them altogether.

Additionally, as even trustworthy web destinations can be used as vehicles for malware delivery, when users are also protected from the risk of downloading ransomware via infected file attachments, organisations are able to reduce their vulnerability significantly.

Specifically, IT and security teams should employ an on-device SWG that decrypts and inspects traffic locally on each endpoint. This approach helps avoid potential problems such as backhaul latency, privacy violations, and cost and scalability challenges often associated with SWG appliances.

Ideally, deployed SWGs should also serve as one part of an overarching secure access service edge (SASE) platform, together with technologies such as cloud access security brokers (CASBs) and zero trust network access (ZTNA), to help ensure reliable, wide-ranging protection against malware and other challenges to security.

Multi-Mode CASB

Cloud access security brokers (CASBs) are used by many organisations to secure the cloud and, as such, play a key role in the defence of enterprise software-as-a-service (SaaS) applications and infrastructure-as-a-service (IaaS) platforms. By integrating CASBs with cloud services’ application programming interfaces (APIs), IT teams can maximise the visibility and control over their data at rest therein and, in doing so, scan for infected files and sensitive data patterns.

In addition, with the use of forward proxy agents on managed devices, CASBs can scan uploads and downloads of files for threats and sensitive data in real-time and remediate them as needed. This same functionality can also be delivered without software on endpoints through an agentless reverse proxy, which is ideal for BYOD scenarios.

However, to defend completely against ransomware across all of these cloud use cases, organisations need to employ a multi-mode CASB, which provides protection across each of these three deployment modes simultaneously.

Zero Trust Network Access

Historically, organisations relying upon VPN to enable remote access to on-premises resources have granted excessive permissions and trust to their employees, enabling breaches and data leakage. This traditional approach to security lacked granularity and was overly focused on securing access to the network as a whole; once a user made it into the network, there was little in terms of protection.

This meant that insider threats as well as external threats that gained access to the network could easily move laterally across internal resources and expand the impact of the damage that they were seeking to cause. In terms of ransomware, it was fairly simple to upload infected files across resources.

Zero trust network access, on the other hand, is a solution for securing remote access to internal/on-premises resources, in which users are given zero trust. Excessive permissions are avoided and access to corporate resources (whether those are on-premises resources, files, or data patterns) is limited to an as-needed basis for only the properly authorized users.

Cloud-based zero trust network access (ZTNA) solutions preserve the user experience, provide needed scalability, and grant access to specific applications (rather than the entire network) while applying real-time threat protection policies designed to stop ransomware in real time at upload and at download.

Together, these technologies represent three key pillars of a ransomware resilience strategy, defending organisations against malware across the web, the cloud, and on-premises resources, respectively. To obtain all three in a unified offering, IT teams often opt to use a secure access service edge (SASE) platform that ensures consistent security in general as well as ransomware resilience, in particular, across all enterprise IT resources.

In this way, from a single dashboard, security teams can configure policies that secure SaaS apps and IaaS platforms, web destinations and shadow IT, and on-prem apps.

Building a resilient defense against ransomware is becoming a ‘must-have’ for any organisation that takes the risks seriously and wants to protect its IT ecosystem from the downtime, disruption, and cost that frequently come with ransomware infections. When such an attack arrives, resilient businesses are able to prevent them and return to normal without undue delay so that they can move forward with confidence that this major area of cybersecurity risk is being managed effectively.