In the past month we’ve seen a tremendous increase in companies coming to us having been ransomware victims. This is in addition to the impact of the SolarWinds incident and conversations about nation-state activity. These aren’t new problems we’re seeing. It’s the same general vulnerability we’ve been talking about for years, just increased in velocity. In every ransomware case we see, the company had security teams, antivirus, tooling, and funding. They didn’t, however, take the actions necessary to significantly mitigate ransomware via actions taken toward Zero Trust. In some cases I’ve had conversations with customers who say, “we can’t do that here”, “we don’t have the budget”, “we have these blockers”. What I can say is that once a company has been a ransomware victim, all those excuses feel hollow. I’ve frequently talked with members of the Concurrency team after a ransomware conversation and said, “if only”. I’m frankly sick of having the “if only” conversation and much more interested in having the proactive conversation to make a difference. I’d rather help now than help later. Consider these true costs of ransomware.
Your insurance is not going to save you. Your business is not going to “just get by” during a ransomware incident. Don’t be THAT leader who is in this position.
The most likely bad things
As I noted above, the two most likely bad things to happen to you are ransomware and a targeted attack. Ransomware is what we’re seeing in companies on a frequent basis. It’s easy to execute and effective at extracting money from you. Don’t forget that the organizations running ransomware scams are essentially businesses, albeit illegitimate, somewhat like the mob. They have a very organized, very effective scheme to extract money from you and cause enough pain that you’ll pay it. In the cases where the attack moves into the “targeted” territory, it’s likely you won’t even know they are there. They might sit dormant for months gathering information. AFTER they have got what they want, they might then ransomware you as well. These are the problems that are causing 99% of the pain.
If these are the two most likely bad things, why are we continuing to ignore them? Why are we not making substantial change to transform how we deliver on IT?
Why our current actions aren’t enough
I’ve spoken about this before, but it bears repeating. The current actions are like assuming that as long as I lock the doors I’ll never get robbed. We’ve built an assumption that we are not hacked, vs. having an assumption that we are. The network design we’ve used for the last 20 years has assumed a contiguous network, a problem we’ve made even worse by extending the network via VPN. We assume that because it’s “on the network” it is safe, vs. everything else being “not safe”. Once a device in your network is compromised, it’s all over, because it is ridiculously easy to move around corporate networks and very hard to reliably remove an attacker once they are in.
Moving to Zero Trust
The significant shift we are proposing is a move to Zero Trust. The core idea behind Zero Trust is that we always assume we are breached. We assume that the attacker has already compromised one of our identities and devices, and we need to protect the environment despite this. Most environments are NOT positioned to mitigate this situation, simply because the architecture of the environment makes it too difficult to control. Zero Trust principles include (1) “Verify Explicitly”, meaning always authenticate, (2) “Least Privilege”, meaning only what people need, when they need it, and (3) “Assume Breach”, meaning always expect you are compromised.
These are easy to talk about in theory. What can I do about it now?
Zero Trust North Star Actions for 2021
Let’s simplify what you should do. If you take these actions, you are at substantially reduced risk for compromise from ransomware. You aren’t immune, but it’s just simply harder. These are achievable, actionable, and meaningful impacts to security. (1) Conditional Access, (2) Modern Desktop, (3) Micro-Network Segmentation. I’m going to talk about each, and their importance.
I’ll admit that these are bold, but they are necessary. The organizations that have taken this action have mitigated compromise to the devices, identities, and datacenters in the modern environment. Those that haven’t continue to bear the impact of compromise more frequently. Note that this isn’t the END of the security story, it’s the beginning and will need to keep evolving. It does however put us in a better position to defend our environments.
The controls provided by conditional access really hit on the Verify Explicitly and Least Privilege ideas of Zero Trust. Conditional access is about understanding that your identity layer is the primary control that modern applications and environments use to govern who has access and who does not. Think about conditional access this way… every application or service a user accesses should require (1) identity validation, (2) device compliance, (3) device health. These qualities are refined by qualifiers like risk status, awareness, location, or application type.
Using these inputs, we govern which services may be accessed and which may not. This is especially important with modern services, such as SaaS applications, WVD, App Proxy, or Modern Desktop. After a company has deployed conditional access, they realize just how open the organization was before.
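To make the three core qualities and their qualifiers concrete, here is an added example of a conditional access decision written as a small Python policy evaluator. It is a constructed model for illustration, not Microsoft’s Conditional Access engine or any Concurrency tooling; the request fields, the three-level risk scale, and the rule that App Proxy and untrusted locations always require a strong factor are assumptions chosen to mirror the paragraph above.

```python
"""Constructed model of a conditional access decision (added example, not
Microsoft's engine). Every request must pass identity validation, device
compliance and device health; risk, location and application type then
tighten the result. Field names and thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    BLOCK = "block"
    REQUIRE_MFA = "require_mfa"
    GRANT = "grant"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str                   # e.g. "saas-crm", "wvd", "app-proxy-legacy"
    identity_validated: bool   # primary credential accepted by the identity provider
    mfa_satisfied: bool        # a strong second factor was already presented
    device_compliant: bool     # enrolled and meets the compliance policy
    device_healthy: bool       # device health attestation passed
    sign_in_risk: str          # "low", "medium" or "high" (constructed scale)
    from_trusted_location: bool


def evaluate(req: AccessRequest) -> Decision:
    """Verify Explicitly: nothing is trusted by default. The three core
    qualities must all hold before any qualifier is even considered."""
    # Core quality 1: identity validation. Unvalidated identities never reach
    # the device checks, so a stolen password alone learns nothing about them.
    if not req.identity_validated:
        return Decision.BLOCK
    # Core qualities 2 and 3: a non-compliant or unhealthy device is blocked
    # regardless of who the user is or how good their credentials are.
    if not (req.device_compliant and req.device_healthy):
        return Decision.BLOCK
    # Qualifier: high sign-in risk is blocked even from a good device.
    if req.sign_in_risk == "high":
        return Decision.BLOCK
    # Qualifiers: legacy apps published through App Proxy, access from an
    # untrusted location, or medium risk all demand a strong factor
    # (Least Privilege: the extra proof is required only when it matters).
    needs_mfa = (
        req.app.startswith("app-proxy")
        or not req.from_trusted_location
        or req.sign_in_risk == "medium"
    )
    if needs_mfa and not req.mfa_satisfied:
        return Decision.REQUIRE_MFA
    return Decision.GRANT


# Constructed sample requests: a healthy baseline and one failing signal each.
BASELINE = AccessRequest("alice", "saas-crm", True, False, True, True, "low", True)
SAMPLES = {
    "baseline": BASELINE,
    "no_identity": AccessRequest("alice", "saas-crm", False, False, True, True, "low", True),
    "noncompliant_device": AccessRequest("alice", "saas-crm", True, True, False, True, "low", True),
    "high_risk": AccessRequest("alice", "saas-crm", True, True, True, True, "high", True),
    "legacy_app_no_mfa": AccessRequest("alice", "app-proxy-legacy", True, False, True, True, "low", True),
    "legacy_app_with_mfa": AccessRequest("alice", "app-proxy-legacy", True, True, True, True, "low", True),
    "untrusted_location": AccessRequest("alice", "wvd", True, False, True, True, "low", False),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> decision string."""
    return {name: evaluate(req).value for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} -> {decision}")
```

The ordering is the point: the device checks run before any qualifier, so an attacker holding a valid password and a passing MFA prompt is still blocked when the request comes from an unmanaged device, which is exactly the “how open we were before” gap the paragraph describes.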
Let’s talk about Modern Desktop
The Modern Desktop story is about changing the architectural model. The goal is to take the end user computing device off the network. This single action has a tremendous impact, as it significantly mitigates the ability for ransomware to spread. With the device on the network ransomware can easily move from device to device. With the device off the network, we mitigate that ease of movement and require more complicated ways to get where the hacker wants to go. In a Modern Desktop story we place the device on a guest network, assume it is basically attached to the internet, and don’t let it communicate with other devices. Access to legacy applications is provided via WVD and App Proxy. Distribution is treated as a commodity, with users getting the device shipped directly to them and unboxing the device, ready to work.
This is where I’m asking you to be BOLD. Don’t put another device on your network. Make 2021 the year where you build a modern model for all new devices. I’ve had several customer scenarios where they said, “we can’t do it here” and we found it was very achievable. Here is how we are clearing blockers:
The last mile… Application Segmentation
The final part of the story is implementing micro-network segmentation. In most datacenters once you are on one server you might as well be on all of them. The servers are essentially built to talk to each other and movement is simple because server login is often shared across the datacenter. We know that application 1 has no business talking with application 2, but we haven’t built the barriers in the environment because doing so is difficult and would likely cause end user impact as we do it. This is however one of the most important ways to mitigate lateral movement, especially if we assume breach. The most compelling reason to move to the cloud is to move to a micro-network segmented datacenter environment. The image below represents the movement to the vertical micro-network segmentation.
The resource groups represented show each application in its own unique application subnet, with a Network Security Group (NSG) protecting what moves in and out of the environment. I’ve seen many more complicated services being deployed on-premises, but none is as effective, or as elegant, as understanding your applications, what they talk to, and enforcing that knowledge with clear rules at the NSG layer. The challenge is knowing what to configure. The benefit of moving to the cloud is that not only are you addressing the exiting of the datacenter and the modernization of the datacenter approach, but you are also mitigating the security risks we’ve been discussing.
Of course, simply moving to the cloud is not going to create the segmentation we’ve been talking about. I’ve unfortunately seen many organizations that have deployed legacy approaches to datacenter services in a modern cloud environment, rather than taking the opportunity to improve their situation. An organization needs to consider whether they have built an operationalized modern cloud environment to onboard their applications. This means it includes governance, security, policy, control, cost management, and infrastructure-as-code. Don’t run away from the legacy problem only to run headlong into another just because the time wasn’t taken to position the appropriate operational strategy.
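The two paragraphs above make a point that is easy to get wrong in practice: an NSG on every application subnet does nothing by itself, because Azure’s built-in AllowVnetInBound rule (priority 65000) permits all traffic from within the virtual network unless you add an explicit deny ahead of it. The following added example is a constructed Python model of NSG rule evaluation, not Azure code, that checks a flat rule set against a segmented one for the same application subnet. The addresses, rule names and priorities are assumptions; the VirtualNetwork service tag is simplified to the VNet’s CIDR, and the AzureLoadBalancer default rule is omitted because it cannot be expressed as a CIDR.

```python
"""Constructed model of Azure NSG inbound rule evaluation (added example,
not Azure code): rules are checked in ascending priority order and the
first match decides. The built-in defaults sit at priority 65000+, so a
segmentation deny must be numbered below 65000 to take effect."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, or "*" for any source
    dest_port: str   # single TCP port, or "*" for any port


VNET = "10.0.0.0/16"            # constructed virtual network range
GATEWAY_SUBNET = "10.0.0.0/24"  # constructed hub/gateway subnet
APP1_HOST = "10.0.1.10"         # constructed server in application 1's subnet
GATEWAY_HOST = "10.0.0.5"       # constructed front door in the gateway subnet

# Azure's default inbound rules, present on every NSG (VirtualNetwork tag
# simplified to the VNet CIDR; AzureLoadBalancer rule at 65001 omitted).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Flat datacenter: nobody added rules, so the defaults decide everything.
FLAT_APP2_RULES: List[Rule] = []

# Segmented: application 2 accepts HTTPS from the gateway subnet only, and an
# explicit deny at 4000 shadows AllowVnetInBound for every other VNet peer.
SEGMENTED_APP2_RULES: List[Rule] = [
    Rule("AllowHttpsFromGateway", 100, "Allow", GATEWAY_SUBNET, "443"),
    Rule("DenyVnetInBound", 4000, "Deny", VNET, "*"),
]


def _source_matches(rule: Rule, src: str) -> bool:
    return rule.source == "*" or ip_address(src) in ip_network(rule.source)


def _port_matches(rule: Rule, port: int) -> bool:
    return rule.dest_port == "*" or int(rule.dest_port) == port


def evaluate(custom_rules: List[Rule], src: str, port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for an inbound packet to this NSG's subnet.
    Custom and default rules are merged and walked in priority order."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule, src) and _port_matches(rule, port):
            return rule.access, rule.name
    return "Deny", "implicit"  # unreachable: DenyAllInBound matches everything


def lateral_smb_allowed(custom_rules: List[Rule]) -> bool:
    """Can a server in application 1's subnet reach application 2 over SMB?
    This is the path ransomware uses to hop between servers."""
    return evaluate(custom_rules, APP1_HOST, 445)[0] == "Allow"


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_APP2_RULES), ("segmented", SEGMENTED_APP2_RULES)):
        print(f"{label:10s} app1 -> app2 :445 ->", evaluate(rules, APP1_HOST, 445))
        print(f"{label:10s} gateway -> app2 :443 ->", evaluate(rules, GATEWAY_HOST, 443))
```

A useful operational check follows from the model: for every application NSG, confirm that some Deny rule with source VirtualNetwork exists at a priority below 65000, otherwise the subnet boundary in the diagram is cosmetic and the “legacy approach in a modern cloud” problem has simply been redrawn.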
You can do it… but it takes bold action.
Don’t let 2021 be the year you didn’t take action on Zero Trust. It will take bold action, but it will not be action you regret. The movement to Zero Trust is not only more secure, it is a better user experience, a better operational model, and typically costs less in the long run (not even counting the cost of ransomware itself). Now is the time to take action. I’m challenging you to make 2021 the year you do it.