In early December, the Department of Homeland Security (DHS), the National Cybersecurity and Communications Integration Center (NCCIC), and the Federal Bureau of Investigation (FBI) issued an alert regarding SamSam ransomware. Threat actors exploit Windows servers to gain persistent access to a victim’s network, utilizing SamSam to infect all reachable hosts.
The DHS and FBI made several strong recommendations to help strengthen your security posture against attacks and reduce your attack surface. This kind of internal security is critical in minimizing the impact a breach such as SamSam can inflict on an organization. Networks that have strong boundary protection but limited internal controls give attackers free rein to traverse the network once they have gained access. Enterprises need an efficient way to grant, limit or block network access depending on the identity and suitability of the user and device.
We break this down into three significant areas to address:
- Network segmentation
- Access control and policy management
- Visibility
Let’s dive into each of these areas:
Network segmentation: by limiting the scope of breaches such as SamSam, segmentation is arguably one of the best defenses against a successful attack spreading quickly. Segmentation segregates and protects key company data and limits attackers' lateral movement across the corporate network. Taking it further, micro-segmentation is a security technique that enables fine-grained security policies to be assigned to data center applications, down to the workload level.
Access control and policy management: it is paramount to be able to centrally manage and unify your network access policies across a highly distributed enterprise, so that end users receive consistent, highly secure access whether they connect to your network over a wired, wireless, or VPN connection. Whether a contractor, student, corporate guest, staff member or BYOD device connects to your network, policy enforcement should ensure the right people gain access to the correct networks with authorized devices. The ability to perform posture assessments automatically can ensure compliance before a device is permitted to connect.
Visibility: along with detection, visibility is the minimal starting point for network security. In order to receive telemetry from all network traffic on which to perform analysis, blind spots need to be eliminated. This can be achieved by architecting a security delivery platform that delivers network traffic visibility across the enterprise. In turn, traffic analysis helps detect any signs of nefarious activity and any unauthorized devices or users connecting, or attempting to connect, to valuable assets, allowing appropriate action to be taken to isolate or contain the threats before they cause major disruption.