This Insights article explains what's needed to protect against Ransomware, and how SSProtect addresses these needs.
Introduction
Ransomware has become one of the greatest threats computing has seen. Over the past several years, attackers have extracted hundreds of millions of dollars in ransom payments from content owners by penetrating host computers and encrypting content.
Today things are worse. Not only have the technologies leaped past traditional detection systems, but attackers are now threatening to disclose materials publicly. It’s hard enough to keep reliable backup and restore systems in place, but now sensitive content has to remain confidential as well.
What's Needed
Today's typical recommendations are to keep your anti-malware software up to date, keep pace with patches, and avoid questionable email attachments and links. It seems that’s been the story for over a decade, and there has to be a better answer.
Fortunately, there is. The remainder of this article explains what's necessary, and provides insight into new protections that you can apply to address this problem.
Requirements for Host Data Protection
In order to combat the rising threat and make sure you are not a victim, protections must be:
- Secure: Data protections must be highly effective. Though obvious, many disregard or overlook key threat vectors. For success, protections must inhibit attackers with stolen credentials and succeed despite the presence of unwanted, malicious applications on the host.
- Available: Data must remain highly available. Sabotage must not completely destroy information. As such, backups must be current, and restoration needs to be simple, efficient, and reliable.
- Visible: Every protective system provides audit records that show access attempts and results over time. Proper reports should include who, what, when, where, and how information is accessed. This is critical for Incident Response and exposure risk analysis.
- Accessible: Sensitive content must flow freely to and from authorized users, but remain protected. Also, end-users should not bear the burden of access control rights assignments for collaboration peers.
- Independent: Protections cannot be restricted to or limited by source applications or specific systems, else teams lose their ability to choose the best tool for the job. A proper solution will be completely application independent.
- Simple: The perfect solution would look and feel the same as the one that isn’t protected. The closer to native application use a protective system can get, the better. There are some recent innovations in this arena which show promise.
SSProtect: An Alternative
Until recently, there haven’t been many choices that address these needs. Though you may find one or two options for any single requirement, many fall short even in specific categories. Building integrated solutions with multiple products can be time-consuming and expensive, and doesn’t always work well. This is all about to change with the upcoming announcement for SSProtect General Availability. SSProtect is the culmination of work aimed at providing highly effective application data protection with minimal impact to administrators and end-users.
When we formed DefiniSec 18 months ago, our challenge was to develop a solution corporations could use to stop the bleeding from nation-state sponsored espionage, providing basic protection for highly sensitive materials while the company devised plans to build internal expertise necessary for increasing its security posture. This requires many of the same things necessary to combat Ransomware. Results are based on the KODiAC Architecture, our unique, patent-pending approach to securing data that leverages cloud service isolation to offer strong protections, user flexibility, and constant visibility that is required to protect against, manage during, and respond to adverse threat dynamics.
In-Place Encryption w/ 2-Factor Authentication
When you access protected content, SSProtect intercepts the request and executes a series of steps to authenticate your credentials before authorizing the transaction. This is done through careful coordination of a 2nd-factor authentication token (like a USB key that you touch), cloud services that insulate encryption and decryption operations from harmful applications that may have found their way to a host computer, and the application itself. Once authorized, decrypted content is tightly managed yet offered to your application in native format. External resources are blocked, so information is available for use just as before, yet exposure is limited from unwanted programs looking to steal data. The end result is a highly effective set of protections that don’t make you change the way you work.
Two-Party Consent Trust Model
SSProtect encrypts materials with a procedure that isolates keys both on the host and in the cloud. This split model retains isolation until you authorize plaintext access. This means attackers have to breach your host environment and also cloud services, else remain limited to attempts at breaking protective measures employed as individual items are accessed. This reduces threat exposure considerably, and the extra layers of protection greatly inhibit even the most capable attackers since cloud services are specially designed and remain under constant watch.
Inline Backup and Restore
SSProtect data access results in execution of additional tasks behind the scenes. When desired, the software acquires a secure, encrypted copy of the information you are using and stores an independent version in the cloud for later access. As an application service provider, we have no way of accessing this information, but it is available to you at any time. SSProtect offers copies of stored content in many ways – by individual file version, as a collection of most recent materials protected for a given user, or for the Organization as a whole for secure offline access by Administrators. This provides great flexibility in managing Disaster Recovery, at many different levels.
Secure Audit Records
Because the cloud operates as a control point for data access, audit records are not only stored separate from the data, but also independently generated. This makes it much more difficult, if not nearly impossible, for an attacker to cover his/her tracks – and this level of reliability and accuracy provides insight that is crucial when responding to security incidents, which can save tens if not hundreds of thousands of dollars and several weeks in investigation costs.
Seamless Secure Sharing
KODiAC also empowers data sharing within an Organization and with external SSProtect users. All users provisioned in a single Organization have automatic sharing rights with one another. This removes the need for choosing who gets access when you protect content. If you wish to add third-party access, Administrators can grant virtual Organization membership to external users, extending sharing while retaining real-time control over visibility and access. And because SSProtect maintains application independence, it can serve as a way for IT to retain control over the scope of data sharing yet permit teams to deploy their own individual data management and tracking solutions. This empowers efficient and flexible team interactions.
Honeypots for Advanced Warning
Early detection can yield significant cost savings, and SSProtect allows you to turn each managed host into a sensor with Honeypot file capabilities. This sets traps for attackers and malicious applications so that unwanted access triggers alarms that can warn Administration of problems before they become widespread. This acts as a final inhibitor when all else fails.
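The honeypot idea above can be illustrated with a small detection pass over audit records. This is an added example, not SSProtect code: the record layout (when, who, where, how, what, result), the host names, file paths and decoy list are all constructed for illustration.

```python
import csv

# Hypothetical audit record layout, following the who/what/when/where/how
# fields the requirements list above calls for (plus the access result).
FIELDS = ["when", "who", "where", "how", "what", "result"]

# Constructed sample records; not output from any real product.
SAMPLE_AUDIT = r"""
2016-02-01T09:14:02Z,alice,WS-014,WINWORD.EXE,C:\Finance\q4-forecast.docx,allowed
2016-02-01T09:30:58Z,alice,WS-014,svch0st.exe,C:\Finance\budget.xlsx,allowed
2016-02-01T09:31:10Z,alice,WS-014,svch0st.exe,C:\Finance\~passwords-archive.xlsx,denied
2016-02-01T09:31:11Z,alice,WS-014,svch0st.exe,C:\HR\~payroll-master.docx,denied
2016-02-01T09:45:00Z,carol,WS-031,WINWORD.EXE,C:\HR\handbook.docx,allowed
""".strip()

# Decoy files planted on managed hosts (constructed paths, stored lowercase
# because Windows paths compare case-insensitively).
HONEYPOTS = {r"c:\finance\~passwords-archive.xlsx", r"c:\hr\~payroll-master.docx"}

def parse_audit(text):
    """Turn CSV audit lines into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(text.splitlines()) if row]

def honeypot_hits(records, decoys=HONEYPOTS):
    """Any touch of a decoy is an alert, allowed or denied:
    no legitimate user or application has a reason to open one."""
    return [r for r in records if r["what"].lower() in decoys]

def exposure_scope(records, hits):
    """Everything else the tripping (host, process) pairs accessed,
    which is the starting point for exposure analysis."""
    sources = {(h["where"], h["how"]) for h in hits}
    return [r for r in records
            if (r["where"], r["how"]) in sources and r not in hits]

if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    hits = honeypot_hits(records)
    for h in hits:
        print("ALERT", h["when"], h["where"], h["who"], h["how"], h["what"])
    for r in exposure_scope(records, hits):
        print("REVIEW", r["when"], r["what"], r["result"])
```

In the sample data, the two decoy touches identify one process on one host, and the scope query surfaces the real file that process opened twelve seconds before tripping the first decoy.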
Summary
SSProtect provides a way to protect, manage, and prepare IT security teams for today’s and tomorrow’s threats without imposing a significant learning curve on end-users or requiring constant maintenance. Content is secure yet easy to use, accessible but aggressively protected, and highly available through the use of ongoing data archiving and retrieval capabilities. This is a new approach to managing application content, and the strength that comes in combining these capabilities into a single solution can be realized in minutes rather than days or hours. For an evaluation, send an email to support@definisec.com and share with us your greatest challenges. It may be that we have the perfect solution you’ve been looking for.
This article was published February 10th, 2016