Mitigating Malware Attacks with an NSX-enabled Zero Trust Network
Open up any newspaper or watch any news broadcast and you are bound to be inundated with titles like “Hospital Held for Ransom” or some other expose citing the failure of some organization to withstand their critical corporate data being encrypted by cyber criminals. Ransomware is becoming a highly lucrative criminal enterprise and estimates suggest that individuals in the US alone paid out over $325 million in ransoms in 2015. The total of ransoms paid out in 2016 is expected to be significantly higher as ransomware outbreaks are described as reaching epidemic proportions and multiple news outlets are reporting on 2016 being the year of ransomware. In fact, some estimates put the 2016 ransoms paid at a figure of $1 billion.
The 2015 Verizon data breach report, for example, shows that 23 percent of users will open phishing emails and 11 percent will click on attachments. The report points out that this means in a phishing campaign of just 10 emails there is a more than 90 percent chance that at least one person in your organization will fall victim to it. This becomes particularly alarming when one considers that the report specifies that between 70 and 90 percent of the malware seen by an organization is unique to that organization, and as such traditional signature-based defenses may not be effective in detecting and stopping it.
OWASP Anti-Ransomware Guide
These factors as well as many others leave many organizations wondering how they can ensure a reasonable level of security against malware and determine the areas of security in which they may be lacking controls or may not have robust enough controls. To help provide organizations guidance on the controls that can be implemented to protect against malware (with an emphasis on ransomware), the OWASP Anti-Ransomware Guide project was established and presently consists of 45 security controls in 9 categories:
Perimeter Defenses – controls such as web and spam filtering to prevent malware from ever entering the organization.
Network Defenses – defenses that prevent malware from propagating within networks such as network segmentation or aid in the detection of malicious traffic within networks such as network based intrusion detection systems.
Endpoint Protections – controls designed for preventing malicious content from gaining a foothold on endpoints as well as controls designed to detect infected endpoints.
NAS Server Protections – in addition to the endpoint controls, this section also specifies controls designed to limit the number of files that can be affected by a malware attack, as well as some methods that can aid in a speedy restore of infected or encrypted files.
SIEM and Log Management – tools that can help in the detection of an outbreak or help in performing a later root cause analysis of how the outbreak happened.
Backup – controls to ensure that when disaster does strike your organization’s environment can be recovered in a timely fashion.
Awareness Training – ensures that users have the requisite skills to recognize phishing attempts and other cyber threats and are aware of the appropriate way to respond and report the issue.
IoT Security – controls designed to protect IoT devices from malware and help to recover such devices from a successful compromise by malware.
Incident Response – controls to ensure that in the event malware slips through other defenses the organization can appropriately detect, respond, recover and restore operations.
Application to Virtual Environments
Virtual environments provide several key advantages from an anti-malware perspective, including the ability to roll back to a previous point in time using snapshots, the ability to automatically return virtual desktops to a predefined state after logoff (the refresh operation in Horizon View), and the ability to sandbox applications using application virtualization technologies such as ThinApp. Yet, despite the many significant security advantages a virtualized environment can provide, it is important to note that a virtualization implementation can also introduce weaknesses into a traditional network security approach. While the ability of virtualization to run multiple logical systems on a single physical host greatly saves on both capital and operational expenses, it can have the unintended consequence of making some traditional network security controls less robust. Network segmentation has always been a highly effective way of mitigating the spread of a threat through an environment by restricting which network segments or devices are allowed to communicate with other segments and devices. Such controls were typically implemented through VLANs, ACLs and other security features of an environment’s physical network infrastructure, such as physical switches or internal firewalls. In a virtualized environment, however, network communication between two virtual machines on the same host occurs across the backplane of the server itself and never traverses the organization’s physical network infrastructure. This means that many traditional hardware-based controls may fail to properly protect communications to and from virtualized resources.
In recent years, however, this security challenge posed by virtual environments has become addressable with the maturing concept of software-defined networking and, in particular, micro-segmentation. In fact, such deployments may now achieve higher levels of security than traditional physical infrastructures in many cases, since micro-segmentation allows for the implementation of a zero-trust network model. In a zero-trust model, the network communications for every virtual machine in an environment can be restricted in a very fine-grained manner, whereby every traffic flow inside your environment is restricted by a firewall to ensure that only legitimate, pre-approved traffic flows are allowed. The zero-trust model enforces the creation of a perimeter around every network-enabled device within the organization, which is exactly what a properly configured NSX Distributed Firewall does for the virtual machines present within an organization’s IT environment. With the addition of NSX, the implementation of a network that approaches the zero-trust ideal becomes much easier and allows for the creation of zero-trust environments at costs that are likely far less than if each network-enabled device had to be physically firewalled off to achieve the same goal.
Zero-trust environments and the high level of network segmentation they require are an ideal way to help mitigate the spread of malware and other security threats, because communication between systems on the same network will likely not even be possible unless there is already a legitimate use case defined in the firewall policies that control the communication between those systems. While the occasional malware infection is likely always going to be a reality, despite AV software, application blacklisting, web filtering and the many other controls that can be implemented, a heavily segmented network ensures that such infections remain isolated to their own network segment and cannot spread to systems in other network segments, since that communication will not be permitted. With a zero-trust network model and NSX, these network segments can in some cases be as small as a single virtual machine.
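The two paragraphs above describe the mechanism (a default-deny firewall around every VM, with only pre-approved flows allowed) and its payoff (an infection stays confined to its segment). The following is an added illustration written for this page, not VMware or NSX code: a toy policy evaluator in which each VM belongs to security groups, allow rules are expressed group-to-group per service, and any flow without a matching rule is denied. The VM names, group names, ports and rules are constructed for the example; real NSX policy is configured through the Distributed Firewall, not this script. A small breadth-first search then computes the "blast radius" of a compromised VM under the zero-trust rules and under a flat network for comparison.

```python
# Added example, not VMware/NSX code: a toy model of the distributed-firewall,
# default-deny policy the article describes. VM names, security groups and
# rules below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ANY = frozenset({"*"})  # wildcard group, used only to model a flat network


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_groups: FrozenSet[str]  # source VM must be in one of these groups
    dst_groups: FrozenSet[str]  # destination VM must be in one of these groups
    proto: str
    dport: int


# Constructed inventory: which security group(s) each VM belongs to.
VM_GROUPS: Dict[str, FrozenSet[str]] = {
    "desktop-42": frozenset({"vdi"}),
    "web-01": frozenset({"web"}),
    "web-02": frozenset({"web"}),
    "app-01": frozenset({"app"}),
    "db-01": frozenset({"db"}),
}

# Zero-trust allow list: only the pre-approved tier-to-tier flows exist.
# There is deliberately no rule for web-to-web or anything-to-desktop traffic.
ZERO_TRUST_RULES: List[Rule] = [
    Rule("vdi-to-web-https", frozenset({"vdi"}), frozenset({"web"}), "tcp", 443),
    Rule("web-to-app-api", frozenset({"web"}), frozenset({"app"}), "tcp", 8443),
    Rule("app-to-db-postgres", frozenset({"app"}), frozenset({"db"}), "tcp", 5432),
]

# Flat-network baseline for comparison: one broad rule, no segmentation.
FLAT_RULES: List[Rule] = [Rule("any-to-any-smb", ANY, ANY, "tcp", 445)]


def _member(vm_groups: FrozenSet[str], rule_groups: FrozenSet[str]) -> bool:
    return "*" in rule_groups or bool(vm_groups & rule_groups)


def matching_rule(flow: Flow, rules: List[Rule]) -> Optional[Rule]:
    """First rule permitting the flow, or None (the default deny then applies)."""
    src = VM_GROUPS.get(flow.src_vm, frozenset())  # unknown VM: no groups, never matches
    dst = VM_GROUPS.get(flow.dst_vm, frozenset())
    for rule in rules:
        if (rule.proto == flow.proto and rule.dport == flow.dport
                and _member(src, rule.src_groups) and _member(dst, rule.dst_groups)):
            return rule
    return None


def evaluate(flow: Flow, rules: List[Rule]) -> str:
    """Verdict for a single flow: 'allow' only with an explicit rule, else 'deny'."""
    return "allow" if matching_rule(flow, rules) else "deny"


def reachable_from(start_vm: str, rules: List[Rule]) -> Set[str]:
    """Blast radius: every VM a compromised start_vm could connect to, directly or
    by hopping through other VMs over permitted flows (breadth-first search)."""
    seen = {start_vm}
    frontier = [start_vm]
    while frontier:
        vm = frontier.pop(0)
        for other in VM_GROUPS:
            if other in seen:
                continue
            if any(evaluate(Flow(vm, other, r.proto, r.dport), rules) == "allow" for r in rules):
                seen.add(other)
                frontier.append(other)
    seen.discard(start_vm)
    return seen


if __name__ == "__main__":
    probes = [
        Flow("web-01", "web-02", "tcp", 445),    # same tier, possibly same host: still denied
        Flow("web-01", "app-01", "tcp", 8443),   # approved tier-to-tier flow
        Flow("web-01", "db-01", "tcp", 5432),    # skipping a tier: denied
        Flow("desktop-42", "web-01", "tcp", 443),
    ]
    for f in probes:
        print(f"{f.src_vm:>10} -> {f.dst_vm:<10} {f.proto}/{f.dport}: {evaluate(f, ZERO_TRUST_RULES)}")
    for vm in ("desktop-42", "web-01", "db-01"):
        print(f"blast radius of {vm}: zero-trust={sorted(reachable_from(vm, ZERO_TRUST_RULES))}"
              f" flat={sorted(reachable_from(vm, FLAT_RULES))}")
```

The point the evaluator makes is the one in the text: under the zero-trust rules a compromised `web-01` cannot even reach `web-02`, its neighbour in the same tier, because no rule for that flow exists, whereas a single broad rule in the flat baseline lets it reach every VM in the inventory. The `reachable_from` check is also a useful review step for a real policy set, since chained allow rules (desktop to web, web to app, app to database) can still let a compromise walk across tiers one approved hop at a time.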
No security measure can ever make your environment 100 percent secure, but the implementation of a zero trust network model is a valuable addition to any defense in depth security strategy.