Moving beyond zero trust – a practical approach to proliferating ransomware


Gregg Petersen, Regional Director – MEA at Cohesity elaborates on how Zero Trust is now no longer sufficient, but rather organisations need to unite data security with data governance.

When in full-speed pursuit of economic recovery, the last thing any government, business or individual wants is to hit a roadblock. But sadly, not everyone in our digital economy is pulling in the same direction. Cybercriminals sense the region’s vulnerability, and ransomware is the perfect payload for them to exact a financial toll on already struggling organizations.

Many payouts by UAE firms are now reportedly more than US$1 million. This has led, at least in part, to the UAE government calling for a united global response to what its cybersecurity chief termed a “cyber pandemic”. Meanwhile, reports out of Saudi Arabia suggest a cumulative figure of as much as US$20 billion for ransomware payments in the Kingdom in 2020.

Ransomware is evolving. Attacks on private individuals are on the rise, and delivery techniques are also getting craftier. Cybercriminals now often launch attacks on data backups at the same time as the principal target is hit, to ensure that even victims who prepare for the worst have no route to recovery except to pay up. And moving beyond encryption, some ransomware campaigns have opted to exfiltrate data and either publish it or sell it to the highest bidder.

Action stations
Perimeter defence alone has been an insufficient posture for some time now. And in the face of the deluge of ransomware we are seeing around the world, regional CISOs must re-evaluate their strategies. The large-scale data exfiltration attacks that are becoming more common use different tactics from those of traditional ransomware. Attackers have become smart enough to be selective in the data they copy. A few gigabytes of intellectual property or cryptographic keys can be a lot more damaging than terabytes of personal data if made public or shared with a rival.

Cobbling together point solutions, visualisation dashboards and management tools that do not unify disparate cybersecurity systems is not ideal. The volume of attacks and the sophistication of their methods, combined with the ballooning complexity of modern multi-cloud, hybrid-working IT environments, lead to blind spots. And blind spots lead to attacks. And attacks lead to damage – not only to operations, but to market reputation.

The term “zero trust” has been making the rounds in the industry for some time now and has become a de facto standard for guarding against ransomware infiltration. When all network traffic is treated with suspicion and consistently subjected to calls for verification, the theory is that no process will roam unchallenged. But in 2022, we must venture beyond zero trust and unite data security with data governance.

Get smart
To do so, we need to leverage the power of machine learning to identify sensitive data across all production and recovery assets and harden environments by applying access policies that match roles and responsibilities with the data in question. The right platform will automate and simplify this data classification, aligning policies with standards such as GDPR and any local regulatory frameworks.

Modern threats require security teams to be able to detect suspect behaviour – such as mass data access – in real time. Timely detection will lead to timely response and trigger predetermined workflows that remediate the infiltration by coordinating with security orchestration, automation, and response (SOAR) platforms.

Asset discovery is a time-honoured first step in applying cybersecurity best practices. When fragmented, data can be difficult to inventory and classify. Fragmented data can also mean the presence of ‘dark data’, which occurs when organisations don’t know what data they have, the types of data they have, where the data is located, whether it’s secure and compliant, or whether it’s backed up and recoverable. This in turn introduces risk and can turn data from a valuable asset into a liability. Dark data is a critical concern for organisations’ data management and compliance objectives because if you don’t know your data footprint, you can’t govern or manage your data, let alone secure it.

Real-time discovery of a process trying to access sensitive data is only possible if the data has been previously tagged as sensitive. This means data must be homogenised and centralised. AI tools are by far the best way to ensure that nothing is missed. Threat actors have become adept at discovering high-value data using such methods, so it is time for security teams to put them to work for protective purposes. By doing this, organisations move towards greater cyber resilience, whereby they are able to deliver their intended outcomes despite adverse cyber events. If this becomes the objective, the focus can shift to conducting business securely, which changes for the better how a security posture addresses problems.

Governance at last
Once data is appropriately inventoried and classified, organizations can apply policies to it, such as which roles have access to it and how it can be recovered in the event of a loss. Once data is centralized and homogenized, policies can also govern situations in which data is stored in the wrong place, such as when a user keeps information on their desktop that may reveal the location of sensitive data. Under a 2022 approach to zero trust, such data would be blocked from access or isolated for further assessment.

What AI and ML are good at is learning a policy-determined definition of “normal” or “optimal” and recognising, in a split second, any deviation from these benchmarks. These systems can also respond in predetermined ways to real-time events, meaning that discovery of an anomaly and execution of a remediating workflow can happen instantaneously without any real-time input from a human agent. To make this work, cybersecurity platforms must work together.
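As an added illustration of the two ideas above (real-time detection of mass access to data already tagged as sensitive, and a predetermined response keyed to the sensitivity of what was touched), here is a small detector in Python. It is not Cohesity's or the article's code; the classification inventory, the access-log format, the threshold and the playbook names are all constructed for the example.

```python
# Added example, not Cohesity's or the article's code. Inventory, log lines,
# threshold and playbook names are constructed; the log format is assumed.
from collections import defaultdict

# Constructed classification inventory (path -> sensitivity tag).
INVENTORY = {
    "/share/hr/payroll.xlsx": "personal",
    "/share/legal/contracts.docx": "confidential",
    "/share/eng/design.pdf": "ip",
    "/share/pki/signing.key": "secret",
    "/share/marketing/brochure.pdf": "public",
}
SEVERITY = ["personal", "confidential", "ip", "secret"]  # low -> high
# Predetermined workflow per tier, named like a SOAR playbook (constructed).
RESPONSE = {"personal": "revoke-session", "confidential": "revoke-session",
            "ip": "isolate-host", "secret": "isolate-host"}

# Constructed access log: "<epoch-seconds> <user> <action> <path>".
LOG = [
    "100 alice read /share/hr/payroll.xlsx",
    "105 alice read /share/legal/contracts.docx",
    "110 alice read /share/eng/design.pdf",
    "115 alice read /share/pki/signing.key",
    "120 alice read /share/marketing/brochure.pdf",
    "130 bob read /share/hr/payroll.xlsx",
    "400 bob read /share/legal/contracts.docx",
    "410 carol read /share/finance/untracked.csv",
]

def detect_mass_access(lines, window=60, threshold=3):
    """Return ({user: {"count", "action"}}, [untagged paths]). A user is flagged
    when more than `threshold` reads of non-public tagged files fall in `window`
    seconds; untagged paths are reported as dark data (an inventory gap)."""
    reads, dark = defaultdict(list), set()
    for line in lines:
        ts, user, action, path = line.split(maxsplit=3)
        tag = INVENTORY.get(path)
        if tag is None:
            dark.add(path)
        elif action == "read" and tag != "public":
            reads[user].append((int(ts), tag))
    findings = {}
    for user, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [t for ts, t in events[i:] if ts - start <= window]
            if len(burst) > threshold:
                worst = max(burst, key=SEVERITY.index)  # highest tier touched
                findings[user] = {"count": len(burst), "action": RESPONSE[worst]}
                break
    return findings, sorted(dark)
```

The public brochure read is ignored, bob's two reads are too far apart to count as a burst, and carol's untagged file surfaces as dark data rather than being silently skipped.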

There is clear evidence that cybercriminals have upped their game. This evidence can be found in the headlines. To match their evolution, we must counter bad actors’ data exfiltration techniques with tight mitigation measures that support cyber resilience, and in turn business continuity, protect data everywhere it can be found, and fight AI with AI. The region’s economy has withstood cyber incidents in the past. But each incident has a cost, and those costs are now public. To not have a strategy in place is to risk losses that may prove fatal in a recovering market. Why would you take that risk?
