David Mahdi, CSO at Sectigo, discusses the need to rethink access to data, in the wake of the recent ransomware attack on KP Snacks
In cyber security, there is an outdated belief that the ransomware problem is about malware. As ransomware continues its meteoric rise, enterprises keep funnelling resources into email security and antivirus tools. While these are good best practices, and investments must continue, we’re simply riding the merry-go-round. The unfortunate, latest attack against KP Snacks shows how the ‘cookie crumbles’ with this flawed approach. Security leaders and their organisations need to re-frame the problem. Bad actors want access to your data, so they can steal and encrypt it. As such, ransomware, is fundamentally a data security and access problem.
When we look to the rapid adoption of cloud services, in a world where firewalls are no longer barricades to our data, identity, access, and data security is paramount. As fluid data flows across borderless, globalised networks, identity is the new perimeter. As a result, security needs to be focused on establishing and maintaining trust in all the identities, including humans, machines (such as software, autonomous software bots, and devices), and the data they’re accessing.
How AI-powered fraud and aggressive ransomware could dominate 2022
Data is the new oil
Fundamentally, bad actors want access to valuable data. However, this tenet seems to have been forgotten in the heat of ransomware’s recent spike. Organisations are commonly targeting the wrong thing by trying to tackle the malware aspect of the problem.
For instance, as phishing is a common vector, many companies invest in email security. This is a best practice that will thwart many attacks, yet ransomware still makes its way in. It’s not the fault of the vendors offering email security, but simply that it is an extremely difficult task to keep up with the high variance, velocity, and volume of phishing emails. When it comes to anti-malware, what happens when there are new malware variants that leverage different vulnerabilities and penetration techniques? While anti-malware tools and techniques have evolved, they still aren’t, and likely never will be fool proof. Time and again, these advanced attacks aim to render traditional defences useless. Essentially, with the current state of affairs, security leaders, and businesses are chasing shadows. It’s not entirely the fault of security leaders who likely have invested in the people, process and technology to help thwart ransomware and other attacks. The focus has primarily been on legacy methods that have had some enhancements over the years, but they clearly haven’t been enough to keep up. So what should we focus on?
At its core, ransomware leverages a user’s (or machine’s) rights within an organisation to access, encrypt and steal sensitive data. Essentially, bad actors hijack the entitlements of the compromised user or machine. Specifically, the access and entitlements given to a user or machine defines the attack surface the bad actor could leverage. If it is a privileged user, such as an administrator, it likely has access to sensitive applications and data. To mitigate ransomware, you just can’t lock down access and data. You need a clear method of verifying all entitlements and access requests. Therefore, a zero trust, identity-first approach is critical.
Maintaining trust in your digital identities
The concept of identity as the new perimeter is evolving rapidly from the old world of moats and castles (i.e. traditional network security as the first line of defence). The mass migration and use of cloud services has put a big spotlight on the fact that traditional perimeter security isn’t effective in a cloud world. In fact, Gartner recently categorised identity-first security as one of the Top Security and Risk Management Trends for 2021.
Identity-first security places increased emphasis on establishing and maintaining trust in users, machines and entities rather than relying on perimeter or network security. The network is no-longer a position of power for security leaders.
As the world continues to digitally transform, digital identities are proliferating, ballooning with the advent of the digital-first era. A combination of identity-first security combined with proven secure public key infrastructure (PKI) certificates is the best method to enable immutable proof that ‘this person (or entity) is who they say they are.’
Upholding digital ethics with identity and access management
PKI, a technology based on a mathematical discovery made by British Intelligence services over 60 years ago, has quickly become the globally recognised method of verifying all kinds of identities for a range of different use cases. PKI is a catch-all term for everything used to establish and manage public key encryption, one of the most common forms of internet encryption and security. Baked into web browsers, it secures traffic across the public internet, and organisations can also deploy it to secure internal communications, secure access to connected devices, and bring identity-first security to an increasing number of use cases, such as DevOps and RPA. The cryptographic keys at the heart of PKI encryption communicate and authenticate the identity of humans and devices far more reliably than passwords or other legacy forms of verification.
Building an identity-first setup
Imagine identity-first security like building a house. It starts from a concrete foundation, and everything else grows from there. The first layer is verifying, establishing, and securing all business-critical digital identities. These digital identities span humans, machines, software, bots, devices, and cloud services. Once this is achieved, enterprises can start forming a solid structure for identity-first security, which all other security layers are based on.
Establish access security – but focus on right size, rather than all-you-can-eat
Establishing right-sized access to systems and resources is crucial. That is, establishing what these entities (humans and machines), have access to (i.e. access to applications, data, and other resources that are required for their role or group). While there are many identity management tools on the market that help define and establish access, they tend to only focus on application access, and as a result do not deal with access to data housed by applications.
More importantly, while there may be pockets of applications that support fine-grained access control (i.e. controlling access to backend data), many do not. Therefore, access control and security is inconsistent and difficult to orchestrate.
Further complicating matters is the usage of hybrid-multi-cloud applications and data repositories. Security leaders now have to understand and manage access to these cloud resources, as well. Typically, this requires them to acquire more solutions to solve a common problem; that of identity and access.
Furthermore, security leaders fear any access limits, and believe least-privilege will get in the way of productivity. Or conversely, they may end up giving employees and entities too much access to applications and data. From an attacker point of view, they like this, since most organisations tend to lean on the side of giving as much as possible, to not get in the way. In case of a breach, this can lead to disastrous consequences. The focus must be on right-sized access. Reviewing this access should be done periodically to account for identity lifecycles, such as joiners, movers, and leavers.
Business Customer Identity – the next stage in identity management
Classification and criticality
The final layer is focused on data security: understanding the content and sensitivity of the data. One approach is by leveraging data classification or “labelling” the data. Data, when properly classified, can help align the goal of “right-sized” access. This is a critical component of data security as it allows security leaders to understand the sensitivity and helps determine the level of access given to different employees and entities.
No more chasing shadows
Ultimately, ransomware aims to compromise the core layer of identity. Compromising identities allows bad actors to leverage access entitlements, which in turn gives them full access to data. If bad actors compromise an identity with a lot of access, they can deal maximum amounts of damage, taking control of as much valuable data as possible.
Right-sized access can help reduce the attack surface. But, “right-sized access” can still suffer from ransomware and other data-centric attacks. For example, an administrator who has right-sized access still has access to sensitive information, as it is likely needed for their role. As such, leveraging approaches that monitor the behaviour of identities such as their data access behaviour can help an organisation catch ransomware and other data-centric attacks. This is in stark contrast to legacy approaches, primarily relying on anti-malware that targets the malware strain. Note that regardless of whether the attack uses malware, leveraging an identity-first and data-centric security approach can mitigate many more threats.
By combining identity-first principles with data access security, ransomware attacks can be stopped in their tracks, and in some cases prevented entirely. Ransomware attacks are mitigated, the goal being that security leaders and organisations aren’t left endlessly chasing shadows or putting out fires.