Written by Jason Garbis on May 16, 2017
How to Prevent Wildfires: WannaCry, Cyberattacks and the Software-Defined Perimeter
As has been widely reported, the WannaCry ransomware worm has exploded across the Internet in the past few days.
Infecting more than 200,000 systems in 150 countries, this attack has caused a great deal of economic harm, ruined weekends for harried IT and InfoSec staff and quite literally put lives at risk with the virtual shutting-down of Britain’s National Health Service.
WannaCry and its variants spread primarily through a vulnerability in unpatched Windows systems with exposed file-sharing ports. Most infected systems appear to be on internal corporate networks, which tend to be wide open targets for malware. Some vulnerable systems are directly exposed to the Internet, which can serve as an easy entry point to a corporate network. Because of this, in many ways this ransomware has spread like a pandemic of a highly contagious disease – with infections not only spreading within a local community–the corporate network–, but also actively expanding to neighboring systems by scanning for and actively infecting vulnerable exposed hosts across the internet.
While we’re never going to be able to prevent malware from obtaining a foothold in our organizations, we absolutely can limit its “blast radius”. WannaCry is a horrific example of why network access needs to be treated as a privilege – the damage we’re seeing is the direct result of leaving network access controls too open and too unmanaged.
Organizations need to act now, and to aggressively put in place active policies around “who can access what, and under which conditions,” and have this enforced through automated policies at the network level. Automation is key – enterprise environments are simply too complex, heterogeneous, and dynamic for this to be attempted manually.
Specifically, security teams need to look at new, dynamic approaches such as the software-defined perimeter. This security architecture not only treats network access a granted on a zero-trust or “need-to-know” basis, it automatically adjusts user access based on policies and context. For example, it can quarantine or block user workstations that don’t have the latest OS patch installed, don’t the correct anti-virus signatures running, or on which the malware is detected. It also can support fine-grained network segmentation to contain the blast radius of an attack, restricting the ability of the worm to move laterally. Said differently, each user will only have access – via a segment of one – to explicitly assigned network resources. This will prevent infected remote or third-party systems from infecting a network, unlike a traditional VPN.
A software-defined perimeter can even be configured to adapt in response to the overall security ecosystem – for example, having a policy that automatically quarantines all unpatched workstations if the system is in “Red Alert” mode, like today. (In yellow or green states, the policy might only warn the user that a patch is encouraged, for example). This is a good example of a security policy that balances risk with user productivity – and avoids interfering with users unless the situation warrants it.
Unfortunately, as we all know, this won’t be the last such aggressive cyber-attack. Now is the time for organizations to not only ensure they have the basics in place, but to use this crisis as a catalyst for changing the way they’re approaching network security. Learn more about how the Software-Defined Perimeter security architecture works and how it can help your organization be better prepared for the next such attack.
Jason Garbis is Vice President, Products for Appgate. He is leading the development of the SDP specification version 2 for the Cloud Security Alliance’s Software-defined Perimeter working group.