Ransomware has become the sleeper agent of cybersecurity. A sleeper agent is a spy who worms their way into a country or organisation and behaves normally until they’re called upon to carry out their mission months or years down the road. In the case of ransomware, everyone assumes the often disastrous and harmful effects happen immediately. If I’m your colleague and email you a document, chances are you’d open it. Once activated, the malware could overwhelm and compromise your system in seconds, if that’s the intent. But not always.
More often, the malicious ransomware code incubates and stays hidden for months, only to be activated at a certain time, such as a specific day, even timed to the phase of the moon. And over the course of those months, the malware can slowly spread, encrypting things, not all at once but little by little, taking things that were once good and exploiting them to do bad things throughout the organisation or ecosystem. Like I said, sleeper agent.
So how are we supposed to build resilient systems and continue operating our businesses in light of the rising ransomware threat?
More detection is not the solution
Global enterprises and governments, both federal and local, have invested billions in trying to detect and thwart ransomware. Detection is an important part of a resilient infrastructure, but it can take six to nine months for a data breach to come to light. Obviously, more detection is not the solution. As an industry, we’ve failed at detection. We’ve tried to do it for decades. Every time we innovate, the bad guys find a way to circumvent it. In recent years, we leaned into machine learning and artificial intelligence (AI)-based malware detection tools. Innovations like AI are useful, but guess what, the bad guys are also using AI and deep fakes. The innovation arms race hasn’t eliminated or reduced threats like ransomware. Instead, ransomware attacks continue to escalate in scope and financial impact.
In response, our industry has embraced zero trust architectures and explicit-trust approaches, but most zero trust journeys have focused largely on identity and access. The recent evolution in hybrid workforces and digital transformation, and their concomitant usage of content and electronic information everywhere, are leading indicators of where zero trust must go next: data.
Shifting to 100 per cent prevention
It’s no exaggeration to say that data is the central nervous system of an organisation. Data is ubiquitous and practically standardised, from PDFs and email to web pages and databases. Companies must rethink their perimeter, because the perimeter is now wherever data is used. Put another way: if you focus on authentication and detection, you may be successful at knowing who a person is on the network and what they’re allowed to access. But you might not know what they’re actually accessing and why.
Analytics tools are incredibly useful for helping pinpoint moments of potential risk, but it’s still very much like looking for a needle in a haystack. If we follow zero trust, then let’s not trust any of the assets coming into the network in the first place. In a model of 100 per cent prevention, you decide that all content is bad and sanitise everything, regardless of source.
All or nothing, or simply nothing, is radical thinking, but existential threats like ransomware demand a fresh approach. Business and cybersecurity leaders must embrace zero trust content transformation technologies like content disarm and reconstruction (CDR) that have matured for the enterprise. CDR assumes all files coming into your network have malware. CDR intercepts a document at the network boundary, re-creates the content from scratch, and delivers it clean and safe to the intended recipient. It won’t matter if a cyber thief hijacked a supplier partner email account to manipulate me (fat chance) into clicking an infected attachment. The file will be clean before the email even lands in my inbox. Threat prevented.
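To make the CDR principle concrete, here is an added toy example, not Forcepoint’s product or code, that rebuilds an untrusted SVG from an explicit allowlist rather than scanning it for known-bad content; the allowlist and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Allowlist: the only structure the rebuilt file may contain. Anything
# not named here is dropped without ever being inspected for "badness".
ALLOWED_ELEMENTS = {"svg", "g", "rect", "circle", "path", "text"}
ALLOWED_ATTRS = {"viewBox", "width", "height", "x", "y", "r", "cx", "cy",
                 "d", "fill", "stroke", "stroke-width"}

def _local(qname):
    """Strip a Clark-notation namespace: '{uri}rect' -> 'rect'."""
    return qname.rsplit("}", 1)[-1]

def rebuild(node):
    """Return a freshly built copy of node holding only allowlisted content,
    or None if the element itself is not allowed (its whole subtree vanishes).
    Text is kept only inside <text>, where SVG expects it."""
    name = _local(node.tag)
    if name not in ALLOWED_ELEMENTS:
        return None
    clean = ET.Element(f"{{{SVG_NS}}}{name}")
    for attr, value in node.attrib.items():
        if _local(attr) in ALLOWED_ATTRS:  # drops onload=, href=, xlink:href=, ...
            clean.set(_local(attr), value)
    if name == "text":
        clean.text = node.text
    for child in node:
        rebuilt = rebuild(child)
        if rebuilt is not None:
            clean.append(rebuilt)
    return clean

def disarm_svg(data):
    """Parse untrusted SVG bytes and serialise a brand-new document.
    Assumption: this runs in an isolated worker. The stdlib parser does not
    fetch external entities, but it is not hardened against entity-expansion
    bombs, so a real gateway would wrap this call in resource limits."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    ET.register_namespace("", SVG_NS)
    return ET.tostring(rebuild(root), encoding="unicode")

# Constructed sample: an ordinary drawing carrying a script element, an
# event-handler attribute and an external image reference.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="/* placeholder handler */">
  <script>/* placeholder script */</script>
  <rect x="10" y="10" width="80" height="80" fill="#ccc"/>
  <image xlink:href="http://example.invalid/track.png"/>
  <text x="20" y="50">Invoice</text>
</svg>"""
```

Calling `disarm_svg(SAMPLE)` yields a document containing only the `<rect>` and `<text>` elements; the script, the handler and the external reference never existed in the output, regardless of how they were encoded.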
In these times, we need unconventional approaches to defend our economies, our critical infrastructure, and our way of life. When cybersecurity can enable business-as-usual, then we will see more opportunities for the industry. The hyperscaling of IT resources required to meet today’s hybrid workforce demands calls for an equal scaling of cybersecurity capabilities. Whereas customers were previously willing to implement racks of point products, more and more of them are now asking for integrated cloud deployment models. They want cybersecurity to be as simple as a service, like flipping a switch to deploy threat removal, data security, firewall, web security and other capabilities wherever they need them and whenever they want.
As enterprise and government agency leaders continue maturing their digital transformation efforts, they’re recognising the business enabler that is cybersecurity. The zero trust journey will continue as organisations look to proactively prevent compromise and stop trying to detect or react to threats. This makes me optimistic about the next year and the years after that.
Petko Stoyanov is the CTO at Forcepoint