‘You Need a Layered Security Approach to Counter Ransomware’

John Shier, Senior Security Expert at Sophos

The risks and security threats are different in a digital world. As organisations become more distributed, the risks of data leakage increase. With new threats like ransomware catching organisations by surprise, the risks increase manifold.

BW CIO met John Shier, Senior Security Expert at Sophos, to discuss the strategies and protection techniques that organisations must embrace to protect themselves from new threats in the digital age.

Shier is a highly sought-after presenter at security events, and is recognized for his extensive knowledge of the world of security threats. He is also well-known for the clarity of his advice, even on the most complex of security topics. Excerpts:

BW: This year, we have been hearing a lot about ransomware attacks. Many organisations were unprepared for these attacks and were caught by surprise. What’s the approach to stopping ransomware?

John Shier: Let me give you a very brief description of the stages that lead to a ransomware attack. Very often, what happens is somebody gets an email that includes an attachment or a link to a malicious website; clicking on either one of those essentially downloads additional code, which will then effectively turn into ransomware and encrypt the machine.

In order to protect yourself against ransomware, you really need a layered security approach, because, as I just described, there are a bunch of different stages and layers involved in the attack itself. The first layer being, maybe, the spam or phishing email that gets sent to you.

There are anti-spam solutions that look at the attachment and the documents, and see if they’re malicious. So, you could actually prevent the infection from even getting into your environment in the first place. Beyond that, you have your traditional, as well as next-generation SIS-grade technology that comes into play.

If it is an old variant of ransomware, it needs to be detectable by traditional SI model solutions, and then we can just block it and get rid of it right away. But if it’s some brand new code or a new technique, we can use our SIS-grade tools, or a machine learning tool, to detect and block it.

BW: What if all this fails and the ransomware does get onto your system and starts to encrypt your files?

John Shier: Then you need to consider next-generation products that have yet another layer of protection -- an anti-ransomware layer of protection that can be used to detect ransomware code running on the system. It can stop the process from encrypting files.

Especially when we start monitoring the processes in the first place, we actually start taking copies of the files that it’s touching, and we put them in a secure area of the disk that only we can control and access. And, if we determine that the process is touching all these files, we stop the process, and we also copy all these files back to their original locations, so that we don’t lose any data.

That’s the technological way of dealing with ransomware. So, there’s a bunch of different layers we can employ to break the different chains or stages in the chain of attack.

The other thing is just simply user education. Ensuring that your users are thinking twice before they open emails that come from the outside and that have an attachment -- or before clicking on links in email.

BW: As organisations go towards digital, what are the new risks and the security threats they face, and how should they prepare for these new risks?

John Shier: There are certain expected security practices that need to be adhered to when you put systems online. This includes making sure that software is fully patched and up-to-date. Making sure you have proactive security software. Making sure that there are backups for systems, both for redundancy’s sake, but also in the unlikely event that you get ransomware on your system.

It also needs to be recognised that, as you move into a more digital and connected infrastructure, it just provides more avenues for somebody who wants to do damage to your business. No longer do they need to break into your premises to steal papers; they can reach out from anywhere around the globe into your network, potentially, if you haven’t done the security basics right.

That to me is the one thing that should be top of mind: understanding that it’s not necessarily a targeted attack that’s going to cause trouble, because there are plenty of people out there who are opportunistically trying to break into or steal as much data as possible, in order to turn that into money for themselves.

It doesn’t matter how big or small you are. Your data is still worth money to a cyber-criminal.

BW: Organisations are increasingly getting more distributed. Their resources are now not all in one place. People and infrastructure are distributed. This poses a huge security challenge. How do security solutions adapt for this new, distributed infrastructure and distributed way of working?

John Shier: A few things come to mind. Obviously, the number one is encryption. As systems become distributed and data gets spread around more, you want to ensure that there is no chance of any sensitive data being left in the clear anywhere in your environment.

What we like to call “Encryption Everywhere” is a must, so that, even if somebody, for example, leaves their laptop on the bus or drops a USB stick with a customer list in the parking lot, all that is encrypted.

The other thing is providing people with secure access technologies. So, things like VPN. We can provide that with our XG Firewall VPN, that allows them to connect to the university, via the corporate network, securely, so that you can still do your work, but not have to carry around any additional sensitive information. You have to connect into that as well.

And, this is backed by policy.
