By Phil Quade, CISO, Fortinet
Over the past week, the WannaCry ransomware and its variants have affected hundreds of organizations across the world. This cyberattack spread primarily by exploiting a vulnerability for which the affected software's vendor had issued a critical security update over two months earlier.
While there are certainly reasons why it may take an organization some time to patch vulnerable systems, including the risk of updating live systems, two months should be plenty of time for any organization to take appropriate steps to secure its environment.
So, with the recent malware fresh in our memories, this is a good time for CISOs and cybersecurity teams to review their strategies and operational posture.
Here is a list of five critical security strategies that every organization should have in place.
What to do now
Ask yourself the fundamental question: “What would I do differently if I knew I was going to be compromised?”
With that frame of mind, the first two things you should do are:
Establish an incident response team
- Far too often, internal confusion about how to respond to an active threat delays an adequate response.
- That’s why it is essential that an incident response team is designated, with clearly defined roles and responsibilities assigned to team members.
- Lines of communication also need to be established, along with a chain of command and a decision-making tree.
- To be effective, this team needs to be intimately familiar with business and communications processes and priorities, which systems can be safely shut down, and how to determine if a live threat will affect critical components of your organization’s infrastructure.
- A variety of threat scenarios need to be considered, and where possible, drills need to be run to identify gaps in procedures and tools that are needed to ensure that a response is immediate and effective.
- The incident response team also needs to have a means of communicating that does not rely on the availability or integrity of the organization’s IT.
- Finally, you need to address a common problem experienced even by organizations that have an incident response team in place: this team needs to have the authority to make decisions and changes.
- Bottlenecking the decision-making process can delay response times and compound the effect of an active threat.
Limit bad consequences by using consequence-based engineering
- An effective security strategy requires more than deploying security technology into your infrastructure.
- Security planning needs to start with an analysis of your architecture with an eye toward engineering out the bad consequences that can happen should an attack or a breach occur.
- For example, a counter-ransomware strategy would include ensuring that your key information assets are backed up and stored offline.
- Other examples may include things like hardening data or control planes, disabling unnecessary ports or features, proactively segmenting the network, or building redundant processes.
- Then, deliberately deploy security tools that can be woven into the extended network infrastructure, that can see and share threat intelligence across network environments, and that can correlate and automate a coordinated response to detected threats.
More generally, consequence-based engineering involves understanding your key assets, determining what sorts of threats your organization is most vulnerable to (such as remote access denial, corrupted applications or data, or rendering key IT or operational assets unavailable), and engineering as much of that risk out by design, to eliminate or minimize the potential of such consequences if a threat is realized.
The next three steps are more operationally oriented. Alone, each is insufficient. Together, they represent “defense in depth.”
Prevent compromise by practicing good hygiene
- Identify and prioritize critical applications, systems, devices and services, understanding what resources they have access to, and applying appropriate monitoring and maintenance.
- Then, establish and maintain a formal patching and updating protocol.
- Ideally, this would be automated and measured.
In addition, a process needs to be implemented to identify and either replace or take offline those systems that can’t be patched.
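The "automated and measured" patching protocol described above can be reduced to a small, repeatable check. The following Python is an added example, not code from the original article or from Fortinet: it takes a constructed inventory of hosts (hypothetical names, tiers, and update IDs) together with the release dates of the required updates, computes a compliance rate, flags hosts whose exposure exceeds an assumed per-tier SLA, and separately lists the hosts that cannot be patched at all, which is the set that must be replaced or taken offline.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Update:
    """A required security update and the date its vendor released it."""
    id: str
    released: date


@dataclass
class Host:
    """One inventory entry. 'patchable' is False for systems that cannot take the update."""
    name: str
    tier: str                 # "critical" or "standard" (priority from the asset inventory)
    patchable: bool
    installed: set = field(default_factory=set)   # update IDs already applied


# Assumed SLA: maximum days a host in each tier may stay exposed to a released update.
SLA_DAYS = {"critical": 14, "standard": 30}

# Constructed data: update IDs, dates and host names are placeholders, not real identifiers.
REQUIRED = [
    Update("UPD-2017-001", date(2017, 3, 14)),
    Update("UPD-2017-002", date(2017, 4, 11)),
]

HOSTS = [
    Host("file-srv-01", "critical", True, {"UPD-2017-001", "UPD-2017-002"}),
    Host("hr-web-02", "standard", True, {"UPD-2017-002"}),
    Host("mri-console-03", "critical", False, set()),
    Host("lab-pc-07", "standard", True, set()),
]


def assess(hosts, required, today):
    """Measure patch compliance and separate 'overdue' from 'cannot be patched'."""
    overdue, unpatchable, compliant = [], [], 0
    for h in hosts:
        missing = [u for u in required if u.id not in h.installed]
        if not missing:
            compliant += 1
            continue
        # Exposure is measured from the oldest missing update, not from the newest.
        oldest_days = max((today - u.released).days for u in missing)
        if not h.patchable:
            # Candidate for replacement or isolation; patching is not an option here.
            unpatchable.append((h.name, [u.id for u in missing]))
        elif oldest_days > SLA_DAYS[h.tier]:
            overdue.append((h.name, h.tier, oldest_days))
    return {
        "compliance_rate": compliant / len(hosts),
        "overdue": overdue,
        "unpatchable": unpatchable,
    }


if __name__ == "__main__":
    report = assess(HOSTS, REQUIRED, date(2017, 5, 15))
    print(f"compliance: {report['compliance_rate']:.0%}")
    for name, tier, days in report["overdue"]:
        print(f"OVERDUE    {name} ({tier}) exposed {days} days")
    for name, missing in report["unpatchable"]:
        print(f"UNPATCHABLE {name} missing {', '.join(missing)}")
```

Run weekly against a real inventory export, the two lists are the work queue: the overdue list goes to the patching team with the SLA breach already quantified, and the unpatchable list goes to whoever owns the replace-or-isolate decision.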
For the past fifteen years, our FortiGuard threat research and response team has been monitoring, documenting, and responding to threats on a global scale, and in our experience, the vast majority of compromises could have been prevented if organizations had simply taken the time to update or replace vulnerable systems.
In addition, regularly make a good copy of your key assets, scan that backup for malware, and then physically store it offline in case ransomware or a similar disabling cyberattack does indeed hit you.
Protect your network by creating and using signatures
- While new attacks are a real risk, most breaches are actually caused by attacks that have been around for weeks, months or sometimes even years.
- Signature-based detection tools allow you to quickly look for, identify and block the execution of an attempted infiltration.
Detect and respond to yet-to-be-seen threats by using behavior-based analysis
- Not all threats have a recognizable signature.
- Behavior-based security tools can look for covert command and control systems, identify inappropriate or unexpected traffic or device behavior, recognize sophisticated and modular threats, disable things like zero-day variants via detonation chambers/sandboxing, and correlate data to identify and respond to advanced threats.
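To make the distinction between the two preceding sections concrete, here is an added Python example (not code from the original article or from Fortinet) that runs both kinds of detection over a handful of constructed connection-log lines. The signature pass matches a known pattern against the request path; the behavior pass looks for the regular, low-jitter call-home timing typical of covert command-and-control beaconing, which catches a host that no signature names. All addresses, paths, timestamps and the signature ID are constructed placeholders.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: "<epoch seconds> <src ip> <dst ip> <request path>", plus one malformed line.
LOG = """
1494806400 10.0.0.5 203.0.113.9 /update
1494806410 10.0.0.7 192.0.2.10 /index.html
1494806460 10.0.0.5 203.0.113.9 /update
1494806500 10.0.0.7 192.0.2.10 /news
1494806521 10.0.0.5 203.0.113.9 /update
1494806530 10.0.0.8 198.51.100.4 /known-bad-sample
1494806580 10.0.0.5 203.0.113.9 /update
1494806640 10.0.0.5 203.0.113.9 /update
1494807700 10.0.0.7 192.0.2.10 /about
this line is garbage and must be skipped
1494808000 10.0.0.7 192.0.2.10 /index.html
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

# Signature set: a placeholder pattern standing in for a vendor-supplied rule.
SIGNATURES = {"SIG-0001": re.compile(r"/known-bad-sample\b")}


def parse(log):
    """Turn raw lines into (timestamp, src, dst, path) tuples, dropping malformed lines."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, path = m.groups()
            events.append((int(ts), src, dst, path))
    return events


def signature_hits(events):
    """Signature-based detection: exact pattern matches against each request path."""
    hits = []
    for _, src, dst, path in events:
        for sig_id, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((sig_id, src, dst))
    return hits


def beacon_candidates(events, min_conns=4, max_cv=0.1):
    """Behavior-based detection: flag src->dst pairs whose connection intervals are
    nearly constant (coefficient of variation <= max_cv), a beaconing indicator."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((src, dst, round(avg)))
    return flagged


if __name__ == "__main__":
    ev = parse(LOG)
    for sig_id, src, dst in signature_hits(ev):
        print(f"SIGNATURE {sig_id}: {src} -> {dst}")
    for src, dst, period in beacon_candidates(ev):
        print(f"BEACON-LIKE: {src} -> {dst} every ~{period}s")
```

The two detectors are independent on purpose: the signature catches 10.0.0.8 from a single request, while 10.0.0.5 is never matched by any signature and is flagged only because of its timing. Tune `min_conns` and `max_cv` against your own baseline, since legitimate software updaters also poll on fixed schedules and will need allow-listing.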
What’s next?
Just on the horizon is the need to use modeling and automation to predict risks, shorten the time between detection and response, and implement and integrate new approaches suited to your organization’s unique profile.
For example, “auto-resiliency” against a combined worm / ransomware attack like the one we just witnessed could include such things as automated measures to detect the threat in cyber-relevant time, automatically isolating key assets, the automatic creation of new, pristine network capacity or infrastructure either locally or in the cloud, and the automatic redeployment of critical tools and assets from secure storage to get your organization back online as fast as possible.
The challenge is that many traditional security devices and platforms were never designed to protect today’s distributed and elastic networks.
They tend to be isolated, unable to share threat intelligence with other devices, and can’t see across different network ecosystems.
Organizations may have dozens of separate security tools and management consoles in place, which requires tediously poring through log files and trying to hand-correlate data to detect threats.
This is why so many threats manage to breach our defenses and, worse, persist inside our networks for weeks or months.
Consequence-based engineering concepts need to be applied to your security technology as well.
Deployed security systems need to be built around advanced threat intelligence sharing and an open architecture so you tie your security and networking components into a single, automated, and proactive defense and response system.
An integrated and adaptive security framework enables you to seamlessly adopt and integrate new technologies and services as they are developed, because your network can quickly apply the latest security strategies and solutions.
A properly engineered security framework needs to be elastic and adaptable, and provide visibility and control across your distributed, and often temporary, network ecosystem.
It provides you with the ability to seamlessly add advanced techniques, technologies and infrastructures as they emerge, without having to forklift out deployed security tools or throw out your existing enterprise.
The disruption that ransomware can cause is not insignificant – WannaCry has, indeed, been a painful experience for many organizations. Though no solution is foolproof, the strategic steps outlined above can go a long way towards minimizing future tears.
About the author:
Phil Quade serves as Fortinet’s Chief Information Security Officer and brings more than three decades of cybersecurity and networking experience working across foreign, government and commercial industry sectors at the National Security Agency (NSA) and U.S. Senate.
Phil has responsibility for Fortinet’s information security, leads strategy and expansion of Fortinet’s Federal and Critical Infrastructure business, and serves as a strategic consultant to Fortinet’s C-Level enterprise customers.
Prior to Fortinet, Phil was the NSA Director’s Special Assistant for Cyber and Chief of the NSA Cyber Task Force, with responsibility for the White House relationship in Cyber.
Previously, Phil also served as the Chief Operating Officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, and relationships in cybersecurity.