As many security departments are painfully learning, there is no longer a perimeter that can be secured. Perhaps no industry felt this quite as painfully as the healthcare industry during the first year of the pandemic. According to a US Department of Health and Human Services (HHS) report and research by IBM, the healthcare industry has seen a 50% increase in cyberattacks since the onset of the pandemic, with ransomware topping the list.
By the fall of 2020, increasing ransomware aggression prompted a rare cybersecurity advisory for healthcare organizations — jointly authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and HHS — that specifically warned about imminent ransomware attacks.
Of course, the healthcare industry is not alone. Now, one year later, you'd be hard-pressed to find a sector that has not been hit by ransomware. In fact, ransomware attacks are so out of control, they have become a global priority. In October 2021, the Biden administration convened a virtual summit, inviting representatives from more than 30 countries to collaborate on efforts to stem the barrage of ransomware attacks happening around the world.
For security leaders and their teams living through the onslaught, the atmosphere can feel heavy, even overwhelming. We need to do better. Yesterday. As the potential threat surface rapidly expands, people in our industry have a (sometimes uncomfortable) front-row seat. From this vantage point, we must understand exactly where deepening technological complexity — which so enriches life online — is also creating new vulnerabilities to ransomware and other attacks.
Fight Ransomware With Zero Trust Everywhere
The path that leads most directly out of the current ransomware crisis is for security leaders to set a clear aim: full inspection and protection of all traffic flows to and from every application and device. In other words, zero trust, and then some. By doing this, we can significantly limit opportunities for malicious actors while getting ahead of the further technological complexity that awaits us.
What does inspection and protection of all traffic flows look like? First, let's recognize that there are several techniques that attackers can use to gain an initial foothold in the target enterprise. These techniques include the following:
- Using stolen credentials
- Exploiting an exposed server
- Getting into the software supply chain
- Gaining physical access
Multiple methods and technologies are needed to block these initial attack techniques. For example, we've all probably been through anti-phishing training and are getting better at spotting lures. Also, many of us are now using an automated phishing defense that detects and quarantines suspicious emails. But people make mistakes, and lures can come via channels other than email, such as SMS. So in addition to these defenses, we need solutions that block access to phishing and squatting sites once a user has clicked on a malicious link or tried to access a malicious website. DNS firewalls and secure Web gateways (SWGs) fit the bill here.
Denying access to attackers using stolen credentials happens largely through identity and access management (IAM) technologies, such as multifactor authentication (MFA) and its subset, 2FA. And ideally, neither factor is a password. Blocking the exploitation of exposed servers can be done through a combination of zero trust access technology and Web application firewalls. Quite simply, servers should never be directly exposed to any user who is not authorized to access that server. No user — no matter their role within the organization — gets access without two layers of authentication followed by authorization. Every server, every user, every access, everywhere.
But zero trust doesn't apply only to north-south traffic flows — that is, traffic flows between user devices and servers. We also need to apply zero trust to east-west traffic flows — that is, server-to-server traffic flows. After all, even with the best protections in place, as described above, nothing is perfect, and ransomware might still get in. So we must also block lateral movement, server to server. This is best done with agent-based microsegmentation, which logically divides the enterprise into segments that each have their own well-defined security controls. Those controls ensure each process communicates only with the other processes that are necessary to carry out its function.
Zero Trust North-South and East-West
Zero trust across all traffic flows is best achieved by the following:
- Blocking access to phishing and squatting sites with DNS firewall and SWG
- Ensuring that all authentication is done with MFA
- Protecting all servers with zero trust access so that servers are visible only to users who are authorized
- Controlling east-west communication through agent-based microsegmentation
This last point is a major one. Microsegmentation is especially effective for stopping the spread of ransomware because as the ransomware speeds its way through your organization to that high-value data, at least one hop will be east-west. And in the case of supply chain or physical attacks, east-west might be the only hop needed.
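As an added illustration of the process-level, default-deny control described above (example code written for this article's point, not Akamai's product or any real policy format), the following Python evaluates constructed east-west flow records against an allow-list and contrasts that with a coarser host-level rule; every process, host and port name in it is hypothetical.

```python
from dataclasses import dataclass

# Hypothetical process-level allow-list: (source process, destination process, destination port).
# Anything not listed is denied, which is the default-deny posture microsegmentation enforces.
ALLOWED_FLOWS = {
    ("web-frontend", "order-api", 8443),
    ("order-api", "orders-db", 5432),
    ("order-api", "payments-api", 8443),
}

# Coarser host-level allow-list (source host, destination host), shown for contrast only.
HOST_LEVEL_ALLOW = {("web-01", "app-01"), ("app-01", "db-01"), ("app-01", "pay-01")}

@dataclass(frozen=True)
class Flow:
    src_host: str
    src_proc: str
    dst_host: str
    dst_proc: str
    dst_port: int

def process_level_allowed(flow: Flow) -> bool:
    """Allow only if the exact process pair and port are on the allow-list."""
    return (flow.src_proc, flow.dst_proc, flow.dst_port) in ALLOWED_FLOWS

def host_level_allowed(flow: Flow) -> bool:
    """Allow if the host pair is permitted, regardless of process or port."""
    return (flow.src_host, flow.dst_host) in HOST_LEVEL_ALLOW

def denied_flows(flows, policy=process_level_allowed):
    """Return the flows the given policy blocks; each is a lateral-movement attempt to alert on."""
    return [f for f in flows if not policy(f)]

# Constructed sample: three legitimate flows and two that look like lateral movement.
SAMPLE_FLOWS = [
    Flow("web-01", "web-frontend", "app-01", "order-api", 8443),
    Flow("app-01", "order-api", "db-01", "orders-db", 5432),
    Flow("app-01", "order-api", "pay-01", "payments-api", 8443),
    Flow("web-01", "web-frontend", "db-01", "orders-db", 5432),  # web tier reaching the DB directly
    Flow("app-01", "ssh-client", "db-01", "sshd", 22),           # allowed hosts, wrong process and port
]

if __name__ == "__main__":
    for f in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {f.src_host}/{f.src_proc} -> {f.dst_host}/{f.dst_proc}:{f.dst_port}")
    missed = len(denied_flows(SAMPLE_FLOWS)) - len(denied_flows(SAMPLE_FLOWS, host_level_allowed))
    print(f"host-level rules would miss {missed} of these")
```

The fifth flow is the one the argument turns on: a host- or subnet-level rule permits it because those two hosts may talk, while a process-level policy denies it.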
Taken together, it only takes a handful of systems and technologies to ensure that every traffic flow — whether north-south or east-west — is effectively controlled and protected. This goal is the path forward and delivers enormous value to an entire enterprise, including the top priority of greatly reducing ransomware's ability to get in, spread, and do its intended harm.
About the Author
Akamai Executive Vice President and Chief Technology Officer Dr. Robert Blumofe guides technology strategy and catalyzes innovation within the company. Previously, he led Akamai's Platform organization and Enterprise division, overseeing the development and operation of the distributed system underlying all Akamai products and services, and the creation of new solutions that secure and improve performance for major enterprises.