The last five days have been eventful in the cybersecurity space, with the ransomware WannaCry spreading like a ‘pandemic’ to infect 200,000 computers in over 150 countries. While reports first surfaced of Britain’s National Health Service organizations being infected, the attack spread across industries and geographies and hit large enterprises such as FedEx, Hitachi, and Telefonica. The ransomware exploited a Windows vulnerability to spread and encrypted data in infected systems. For each computer infected, the attackers asked for around $300 in bitcoin.
The ransomware affected Windows PCs by exploiting a critical SMB network protocol vulnerability. Earlier this year, Microsoft released a patch for this vulnerability, but that did not cover Windows XP, for which Microsoft discontinued support in 2014. Many XP as well as Windows 7 systems that were not updated, ended up vulnerable to a threat like WannaCry. While the primary vector was email, once the system was infected, WannaCry was able to spread via file sharing structures like shared drives without permission from users. The creators of WannaCry acquired this capability from EternalBlue, the cyber spying tool created by the National Security Agency, which was stolen and leaked.
Enterprises are concerned about their exposure to malware attacks for multiple reasons. While educating end users is critically important, changes in behavior tend to be gradual and not likely to improve security in the near-term. At the same time, cyber attackers are becoming increasingly sophisticated in creating malware that exploits all possible vulnerabilities to impact as many corporate systems as possible. And furthermore, by the time IT teams react to a vulnerability by pushing a patch or blocking a malicious service, it may be too late and company systems or data may already be compromised.
Predictive Governance by CASB
Cloud Access Security Brokers (CASBs) act as control points between the user and the cloud and provide IT teams with the visibility into cloud usage and allow them to enforce governance controls on services accessed by employees. They provide visibility and risk information by maintaining a comprehensive cloud registry of thousands of cloud services and detailed information on security attributes for each service. CASBs allow IT teams to enforce predictive governance controls by creating service groups where cloud services are grouped by security attributes. When new cloud services are added, they are automatically included into the service groups per the defined criteria and existing controls and remediation apply to these services. This allows IT to build controls against new risky cloud services and malicious websites. The following steps are used by enterprise customers to protect themselves from risky cloud services and malware such as WannaCry.
1) Gain visibility into risky cloud services and threats
A CASB solution provides customers with visibility into users that are infected by a particular threat or vulnerability. They can narrow this down by team/location/service and then use this information to quarantine the infected systems and contain further damage. The below screen shows that 2 users within a company have exchanged data with the WannaCry command and control URL.
2) Create a service group for high risk services
IT admins can create service groups to categorize cloud services and domains into groups for governance purposes. Service groups can be created on a number of parameters such as category of cloud services, risk type, risk score, service name, etc. When new cloud services are added to the registry, the CASB solution adds them to the service group, and applies the pre-defined remediation.
3) Sync governance policies to egress devices
All service groups and governance policies created with the CASB solution can be pushed to an egress device such as a proxy or a firewall, so they can be enforced. Most CASB solutions integrate with a range of security appliances so that companies can incorporate governance controls into their existing security workflows.
Security researchers are predicting that the worst of this ransomware attack is yet to come. Cyphort Labs and Check Point have already detected variants of WannaCry which are harder to kill. This implies that enterprises always have to be prepared for the next attack, which could be a new malware or a ransomware or compromised credentials leading to exfiltration of company data. Protection against malware and ransomware requires companies to enforce multiple processes and controls, such as keeping operating systems and anti-virus software patched with the latest updates. Enterprises using CASB solutions have implemented advanced measures to secure their corporate data from malware/ransomware attacks.
- Look for signals to malicious sites. The CASB solution analyzes egress traffic and helps in identifying traffic patterns that indicate communication to command and control (C&C) sites. It is possible that a website has not been identified by the firewall or proxy as malicious, but consistent traffic from company systems to these sites is a strong indication of a malware infection. Skyhigh has identified multiple potential infestations within large enterprises with this defense in depth approach.
- Scan data-at-rest in cloud services for malware. Using their CASB solution, companies can perform on-demand scans on data residing within cloud services such as Box and OneDrive for malware infections. These scans include scanning for DLP violations and malware, ensure that new vectors of risk associated with malware propagating via file sharing services are addressed immediately.
- Ensure your CASB provider is engaged with the security community. Leading CASBs are actively engaging with the security community at large to detect new malware or variants, including those that may bypass traditional email-based controls, such as infected files being dropped into cloud file sharing services. This ensures that the CASB solution is used to secure the company from a broad range of threat vectors related to cloud usage.