WannaCry appeared to be the catastrophic global cybersecurity breach we've long been expecting, but despite the damage caused, the full possible magnitude of the threat was never realized.
True, the ransomware worm infected 200,000 computers in over 150 countries — causing issues for organizations as diverse as FedEx, the UK's National Health Service, and Russia's interior ministry — but it could have been so much worse without the almost accidental triggering of the kill switch.
The most disturbing aspect of WannaCry was the speed with which it spread, and the failure that allowed this to happen was human and organizational in addition to technological. Despite Europol director Rob Wainwright's advice for enterprises to "patch before Monday," the rapid proliferation of the ransomware illustrates why patching — and any solution that focuses on defending network perimeters — isn't enough to combat the threat from cybercriminals.
Why are patching and perimeter defenses no longer enough, and how should enterprises refocus their approach to prevent future attacks from spreading so quickly?
Patching: Mission Impossible
In the wake of WannaCry, many wondered why so many organizations failed to update systems with the MS17-010 patch, which Microsoft released two months before the attack to resolve the vulnerabilities the attackers exploited. While maintaining patch cycles is a well-acknowledged element of basic network hygiene, any CISO responsible for a vast and highly complex environment knows that keeping up with a seemingly endless stream of patches is easier said than done.
Attempts have long been made to streamline patching, with CISOs instituting auto-patching as standard operating practice on their workstations and Microsoft introducing "Patch Tuesday" to provide regularity. In reality, however, updates are frequently released outside of the standard cycle. With enterprise environments encompassing an ever-growing ecosystem of vendors, installing updates in a timely manner is problematic, especially when patches are delayed, as with Microsoft's February updates.
Patches can also cause glitches. MS16-072, released last year, created problems with user group policies and had the unfortunate effect of hiding application shortcuts and network printers. The "Recall Thursday" phenomenon, where Microsoft fell into a pattern of withdrawing patches soon after releasing them, encourages CISOs to wait until issues are ironed out before updating, or to install only the patches they view as essential. With the rise of all-or-nothing updates, CISOs often choose not to patch at all in order to minimize business disruption.
No matter how rigorous enterprises are about software updates, machines can always slip through the net, perhaps because they sit low in the stack or aren't seen as business critical. In many organizations, outdated but functional systems operate behind the scenes. A recent study indicates 6% of companies have more than half of their computers running on out-of-date operating systems, while 24% have over half running out-of-date browsers. It was precisely these types of systems the WannaCry ransomware was designed to target.
Edgeless Networks: Mission Creep
In addition to software updates, CISOs have another, even more challenging ticket to deal with. As IT departments spread their remit from desks and traditional office equipment to bring-your-own-device, mobile, and Internet of Things technologies, CISOs have been subject to an element of mission creep.
We now operate in a world of edgeless networks, where as many employees work outside of the firewall — on laptops, tablets, and smartphones — as within it. Even though over 60% use two or more mobile devices for work, less than 30% of these have security functionality installed, providing countless points where cybercriminals can ride traffic into the network.
Focus Shift from Prevention to Detection
The rise in edgeless networks has made fully protecting network perimeters virtually impossible, and segmenting networks can only limit the spread of attacks rather than stopping them altogether. Enterprises must take a multilayered, defense-in-depth approach to cybersecurity. This includes shifting the focus away from prevention-based models, such as the Kill Chain, that were designed to keep attackers out of a network but are limited in the post-compromise phase of a breach.
With 90% of US businesses hacked in the last year, and 97% of UK businesses suffering data breaches in the last five years, the question is no longer whether enterprises are vulnerable, but where they may have fallen victim already. Rather than focusing all of their attention on trying to keep attackers out of ever-more-vulnerable networks, enterprises should combine preventative measures with threat detection tactics. One can recognize the individual components that make up a cyber attack by understanding the adversary and identifying indicators of compromise.
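As an added illustration of the post-compromise detection argued for above (not code from the original article), the following flags a host that fans out to many distinct internal destinations within a short window, the signature of a worm propagating regardless of which exploit it uses. The log format, the sample traffic, the threshold and the window are all constructed assumptions.

```python
"""Worm-style fan-out detector over constructed connection logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed log lines "timestamp src dst dport"; not real traffic."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Benign workstation: three destinations spread over several minutes.
    for i in range(3):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.1.20 10.0.2.{i + 1} 445")
    # Worm-like host: twelve distinct destinations in under 30 seconds.
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.1.5 10.0.2.{100 + i} 445")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_fanout(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src: (iso_timestamp, distinct_dst_count)} for every source that
    reaches `threshold` distinct destinations inside a sliding `window`.
    The alert records the moment the threshold is first crossed."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst), oldest first
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _ = parse(line)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop connections outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts.isoformat(), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in find_fanout(constructed_sample()).items():
        print(f"ALERT {src}: {count} distinct destinations by {when}")
```

Tuning matters: a wide window with a low threshold will also flag the benign workstation, so thresholds should be set against the fan-out a given network segment normally shows.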
WannaCry shows it's not just machines that need updating, but, rather, the entire approach to enterprise security requires a rethink. In a world where increasing complexity and edgeless networks invalidate perimeter-based protection and make updating individual devices unrealistic, enterprises must shift their focus toward a detection-first approach, combining threat detection with prevention in a multilayered strategy.