The networks that enable today’s hyper-distributed enterprises face persistent and emerging security challenges. One of those challenges is ransomware. While it’s not a new problem, “attacks are getting more and more sophisticated,” said Neil Anderson, vice president of cloud, infrastructure and AI with technology services provider World Wide Technology. “On any given week, some of our customers are being attacked or have been breached – it’s very frustrating that this issue hasn’t gone away.”
The key to fighting a ransomware attack is to be well prepared – “like the sports analogy, you need to build muscle to fight back effectively,” Anderson said. “You have to know how to recover before you recover. So, if you didn’t practice a response to a ransomware attack, you are not going to be prepared for one.”
Threat actors engaged in data theft in about 70% of ransomware cases as of late 2022, according to a Palo Alto Unit 42 report. By comparison, the firm saw data theft in only about 40% of cases in a mid-2021 analysis. Extortion tactics include threats to leak stolen data on dark web sites, as well as harassment of individuals in an organization, often in the C-suite, via threats and unwanted communications.
The idea of attackers using AI and deepfakes to trick facial recognition programs and infiltrate systems has also raised enterprise concerns. Multiple published reports, including one from CNN, told of a finance worker at a multinational company who was duped into transferring $25 million to fraudsters who used deepfake technology to pose as the company’s chief financial officer in a video conference call.
“So now, one of our hot topics is how to detect such fraud – our API security team is all over it right now,” Anderson said.
Customers have to begin with the idea that attackers are already in their networks, said Jeetu Patel, executive vice president and general manager of Cisco security and collaboration, at the recent Cisco Live customer event.
“When attackers are in the system – and many are already infiltrated – the name of the game is preventing and containing lateral movement,” Patel said.
“What do we need to do in order to contain lateral movement? We need to take security, melting [it] into the fabric of the network, so that we have distributed enforcement points. Every single place that could be exposed, we need to put a little bit of a mini security stack in there to stop the spread,” Patel said.
But that’s not a simple task for security practitioners.
“The first challenge is that segmentation is really hard. Because if you’re thinking about protecting lateral movement, you have to contain the lateral movement by segmenting the attacker from making too many hops,” Patel said. “It was pretty easy to do segmentation when you had a three-tiered architecture, and every tier of the architecture ran on a dedicated piece of hardware. But now when you have a completely distributed environment, with thousands of microservices running on hundreds of Kubernetes clusters of containers, and VMs, it gets to be extremely difficult to go out and do any kind of segmentation rules in any kind of efficient manner.”
Another issue is enterprises’ response time after a vulnerability is announced or an exploit happens.
There’s a window of time when an enterprise is exposed, before it deploys a patch for a vulnerability that has been announced, Patel said. “Now, it’s one thing to go out and patch infrastructure that you have within your organization. But what about things that you need to patch outside of that data center that might not even be designed to be patched?”
“We have to make sure that there are different ways that we can solve these problems much more quickly than the way that we’ve been trying to do this for the past 20 years,” Patel said.
The idea that security will be baked into core networking components, such as switches, routers or servers, is the goal of Cisco’s recently announced AI-based Hypershield architecture. Hypershield promises to let organizations autonomously segment their networks when threats are a problem, gain rapid exploit protection without having to patch or revamp firewalls, and automatically upgrade software without interrupting computing resources.