The most important question related to the recent WannaCry attacks isn’t who the attackers were, or how big the attack was. The question is, “How did this happen in the first place?”
The vulnerability exploited by this attack had been patched by Microsoft months before. That patch was part of a widely publicized update that was issued in response to the massive set of NSA cyberespionage tools leaked by the secretive group known as Shadow Brokers. Everyone knew about it. Yet, apparently, few did anything about it.
Failure to patch vulnerable devices isn’t really news. The cybersecurity community has been warning organizations and users to patch their systems for decades. If there is anything unique about this recent attack, it’s how many different locations and industries were affected. In this new hyper-connected world, failure to properly immunize your systems can be a catalyst for a global epidemic.
Part of the problem is that either basic security methods, the blocking and tackling of any cybersecurity practice, have slacked off or a lot more holes have been allowed into networks. It’s probably a bit of both. Auditing has (obviously) allowed too many exceptions. There are several reasons why this has happened. They include the rapid and sometimes careless adoption of new technologies, the number of organizations adopting a digital business model, the growing cybersecurity skills gap and the number of devices online that simply cannot be patched. Many IoT devices, as well as aging technologies that are no longer supported by their manufacturers or simply have old operating systems, cannot be protected through normal methods.
Regardless of the underlying cause, however, it is clearly time to do something different.
New security options include automation of response mechanisms boosted by machine learning. This enables a smaller staff to apply security in repeatable ways at very fast speeds and, as much as possible, remove human error from the security equation.
Machine learning has significant cybersecurity potential. The easiest analogy is that it is like Batman’s suit, but for human intelligence. Machine learning with automated response allows administrators to have super-human abilities. The administrator can now see across the entire network, correlate incidental intelligence elements and detect and stop advanced and sophisticated threats.
It is not, however, a replacement for humans, nor is it the answer for good administration and auditing.
While machine learning helps identify and stop such things as targeted attacks and APTs, it’s not as effective against worms. Worms are a different type of attack. Instead of the insidious leaks that undermine the foundations of your network (such as an APT), worms create a flood of threats that are hard to keep out, especially if you have a leaking dam.
Automation can be used to patch and audit many of your deployed devices, but it provides little protection for vulnerable devices that cannot be patched or that don’t have any patches available.
Not many are aware of another option: virtual patching. This isn’t a new idea. Organizations have been doing it for years for things like robotics and ATM systems. The idea is to engineer your network in such a way as to protect those devices that can’t be patched or that are difficult to patch. An effective virtual patching strategy requires more than deploying security technology into your infrastructure, however. Security planning needs to start with an analysis of your architecture, with an eye toward engineering out the bad consequences if an attack or breach occurs that could affect vulnerable systems.
Virtual patching involves identifying essential devices, systems, applications and operating systems that can’t be patched or upgraded, determining what sorts of threats they are most vulnerable to and engineering as much of that risk as possible out of the network they are connected to by design. This would include moving embedded operating systems off of a regular computer network; segmenting the network from outside users, applications and even other devices to protect vulnerable devices; and designing such things as intrusion prevention, anti-DDoS and secure back-up and recovery systems directly into the infrastructure. In addition, a process needs to be implemented to replace, take offline or isolate those systems that can’t be patched.
This virtual patching approach requires automation.
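The two paragraphs above describe virtual patching as a process: inventory what cannot be patched, put it in its own segment, allow only the flows it needs, and keep a list of what to replace or isolate. The following is an added example, not code from the original article or from any vendor it mentions, of how that process can be automated as a check that runs against a policy expressed as data. Every zone name, device, operating system and rule in it is constructed for illustration; the only outside fact it relies on is that WannaCry-class worms spread over SMB (TCP 139/445), which is why those ports are the ones it audits.

```python
"""Audit a segmentation policy the way a virtual-patching process would:
unpatchable devices belong in an isolated zone, and that zone must not be
reachable on worm-prone ports from untrusted zones.  Inventory, zones and
rules below are constructed examples, not a real network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name, or "*" for any zone
    dst_zone: str   # zone name, or "*" for any zone
    dst_port: int   # TCP port, or 0 for any port
    action: str     # "allow" or "deny"


# Constructed inventory: which devices can and cannot take vendor patches.
INVENTORY = {
    "atm-01":       {"zone": "legacy",  "os": "Windows XP Embedded", "patchable": False},
    "robot-ctrl-3": {"zone": "legacy",  "os": "VxWorks 5",           "patchable": False},
    "hmi-5":        {"zone": "users",   "os": "Windows CE 6",        "patchable": False},
    "fileserver-2": {"zone": "servers", "os": "Windows Server 2016", "patchable": True},
    "laptop-17":    {"zone": "users",   "os": "Windows 10",          "patchable": True},
}

UNTRUSTED_ZONES = ("internet", "users")
WORM_PORTS = (139, 445)   # SMB: the service WannaCry-class worms spread over

# A flat network: a single rule that permits everything.
FLAT_POLICY = [Rule("*", "*", 0, "allow")]

# Segmented policy: first match wins, anything unmatched is denied.
SEGMENTED_POLICY = [
    Rule("users",  "servers", 445,  "allow"),  # file shares for staff
    Rule("mgmt",   "legacy",  3389, "allow"),  # maintenance via a jump host only
    Rule("legacy", "servers", 443,  "allow"),  # legacy devices reach one API
]


def evaluate(policy, src_zone, dst_zone, dst_port):
    """First-match firewall semantics with an implicit default deny."""
    for r in policy:
        if (r.src_zone in ("*", src_zone) and r.dst_zone in ("*", dst_zone)
                and r.dst_port in (0, dst_port)):
            return r.action
    return "deny"


def audit_exposure(policy, inventory):
    """Return one finding per way an unpatchable device is exposed: either it
    sits directly in an untrusted zone, or its zone is reachable from an
    untrusted zone on a worm-prone port.  An empty list means the virtual
    patch holds for every device in the inventory."""
    findings = []
    for name, dev in sorted(inventory.items()):
        if dev["patchable"]:
            continue                       # normal patching covers this one
        if dev["zone"] in UNTRUSTED_ZONES:
            findings.append(f"{name} ({dev['os']}) sits in untrusted zone {dev['zone']}")
            continue                       # no rule can protect it where it is
        for src in UNTRUSTED_ZONES:
            for port in WORM_PORTS:
                if evaluate(policy, src, dev["zone"], port) == "allow":
                    findings.append(f"{name} ({dev['os']}) reachable from {src} on tcp/{port}")
    return findings


def disposition(dev):
    """The replace / isolate / take-offline step as a per-device decision."""
    if dev["patchable"]:
        return "patch"
    if dev["zone"] != "legacy":
        return "move to legacy segment"
    return "isolated; schedule replacement"


if __name__ == "__main__":
    for name, dev in INVENTORY.items():
        print(f"{name:14} {disposition(dev)}")
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        findings = audit_exposure(policy, INVENTORY)
        print(f"\n{label} policy: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script it lists each device's disposition, then shows the flat policy producing nine findings and the segmented one producing a single finding: the HMI that was inventoried as unpatchable but left in the user segment. That last case is the point of running the audit against the inventory rather than the rule set alone; a firewall policy cannot protect a device that was never moved behind it.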
The next step is to intentionally deploy security tools that can be woven into the extended network infrastructure. Solutions need to be tied together so they can see and share threat intelligence – even across different ecosystems. An open security framework uses open APIs and single-pane-of-glass management to centralize and correlate threat intelligence, automate and orchestrate security policies, and identify and respond to threats. Such an approach takes the guesswork out of securing your dynamically evolving infrastructure; secures critical devices, applications, and technologies; and adapts to the changing threat landscape.
This strategy works even when the unexpected—or in the case of WannaCry, even the expected—happens. Prevent the IT face-palm with the two-pronged approach of automated virtual patching and integrated network infrastructure.
About the Author: Born in The Secret City (Oak Ridge, TN), James Cabe spent the early years of his career in Cambridge, MA working for BBN Planet (Autonomous System 1 on the internet). In 2000, he set course for New York and private network consulting for data security for legal firms, commodities trading networks and large global retail. After 2003, oil and gas operations in deep water and international locations made up the better part of the next decade. In 2010, James began working for Fortinet as a subject matter expert and evangelist for mega-corporation security architecture, encryption and next-generation security. James is currently a speaker at security conferences such as Black Hat, a security architect for global-scale networks and an evangelist for security and threat intelligence.