Author: Kevin L. Jackson, CISSP®,CCSP®
CEO, GC GlobalNet / Consultant / Educator / 2X USA Today and WSJ Best-Selling Author / Inventor
{If you missed episode 4 of the The Multi-Cloud Expedition on “Resilience Against Ransomware Attacks”, please visit that blog page for details and links to the recordings.}
The primordial fear of every flight student is the down. During flight training, a down is a failing rating of your functional performance on a flight, whether in a simulator or real aircraft. A flight instructor awards the down if your performance doesn’t meet the appropriate level as designated in the flight training syllabus. In my experience, however, a student often earns the down by either:
- Failing to maintain situational awareness; or
- Failing to apply appropriate headwork.
Situational awareness (SA) is knowing where you are and what is happening around you. SA helps individuals and organizations be more alert and informed, leading to better decisions. This performance-related task includes awareness about personnel location, assigned duties, the environment, and potential risks. Headwork is a mental activity or thought process that should appropriately match the current flight situation when piloting an aircraft. An easy example would be an inflight emergency like an engine failure. The pilot must not only recognize that an engine has stopped working but must also be aware of the following:
- The aircraft’s current location;
- The optimal choice for landing the aircraft;
- The weather between the aircraft’s current location and possible landing spots;
- How much fuel is available to get to a selected location;
- Effects of the engine failure on other aircraft systems;
- Necessary communications to others inside the aircraft;
- Essential communication with others outside of the aircraft;
- Et cetera.
All that comes under situational awareness, but every item can impact the mental activity or thought processes needed to land the aircraft quickly and safely. Appropriate emergency checklists guide those thought processes. Each list is a series of steps or actions the student pilot must memorize and execute flawlessly. Checklists maximize the pilot’s chances of recovering from any unwanted situation. In essence, it’s the governance that a pilot must follow.
Operating a multi-cloud environment is very similar. To avoid a “Down,” you must establish and maintain situational awareness, use appropriate headwork, and follow the proper checklist for recovering from any unwanted situation.
Key Point #1: Gain Situational Awareness by Turning on the lights
The first step toward establishing situational awareness across your multi-cloud environment is like turning on the lights when you walk into a dark room. Network security requires visibility across your infrastructure. In network security, this means seeing all the ingress, egress, and east-west traffic across your environment. Visibility is vital, accomplished through the hypervisor’s virtual network interface card (VNIC). The VNIC can be used to see all the detail across your multi-cloud, including every packet, flow, user, and application. Once you gain visibility, you can maintain situational awareness across the network.
Key Point #2: Use Proper Headwork by Limiting the blast radius
The next step is to ensure all the network flows are proper and necessary. In this step, the network security team uses headwork to understand and interpret traffic flows across the environment. The magnitude of this task can be overwhelming, so modern ransomware defenses use machine learning to ensure an accurate, efficient, and timely process. Often referred to as limiting the blast radius, proper headwork during this step gives the security team data on what should communicate with what and when. These network traffic rules lead to accurate network micro-segmentation, preventing lateral movement of a threat actor across the organization.
Since threat actors survive in your environment by living within normal network noise, visibility and segmentation aren’t enough. It would be best to have VNIC-enabled observability to inspect every packet across the server cluster. This capability protects against sophisticated attacks that use network noise to cross between micro-segmented networks. Inspection is critical because every anomaly isn’t security relevant.
Key Point #3: Implement Operational Hygiene and Automate Your Emergency Checklist
Early during flight training, every student learns the importance of memorizing emergency checklists. This memorization represents preventative measures to recover from an emergency when it occurs. Student pilots practice using these checklists in flight simulators.
Preventative measures for protecting a multi-cloud environment include operational hygiene and understanding the new attack signatures of modern ransomware. Operational hygiene represents table stakes. Necessary, but not sufficient to protect against an attack. This initial step protects against file-based attacks and includes having acceptable snapshots of your cloud environment and immutable backups. Modern attacks, however, are not file based. These “fileless” attacks target power shell scripts, computer memory, window registry, and Java libraries. To protect against these threats, your security team needs to run the workload within an isolated recovery environment to see how it behaves. The recovery solution should also include behavioral analysis tools that use artificial intelligence and machine learning. Automated execution of this multi-cloud ransomware emergency checklist is necessary.
Call To Action
Protecting your organization against ransomware requires establishing and maintaining situational awareness across your multi-cloud environment. Coupling this awareness with good headwork, operational hygiene, and flawless execution of emergency recovery procedures if needed is how to avoid the “Ransomware Down.” Learn how VMware NSX Advance Threat Prevention can help your organization gain situational awareness across the multi-cloud. This solution provides the following:
- The ability to detect known and new, evolving threats;
- Visibility into both north-south and east-west traffic, including a comprehensive overview of abnormal behavior across the network; and
- The capability to properly visualize multiple related alerts, across many different assets and network segments hops, into a single intrusion enabling quick analysis of threat scope and prioritization
You should also consider VMware Ransomware Recovery, which includes purpose-built, fully managed ransomware recovery-as-a-service using real-time behavioral analysis in a cloud-based Isolated Recovery Environment (IRE). Should this threat be realized, VMware solutions can help you safely continue on your Multi-Cloud Expedition.
