Implementing Zero Trust - Eliteparadigm

Implementing Zero Trust

The recent Kaseya ransomware attack is yet another reminder of the ferocity of the war cybercriminals are waging on the business world. In 2020, scan-and-exploit became the top initial attack vector for surveyed organizations, surpassing phishing, according to the 2021 IBM X-Force Threat Intelligence Index. The report noted manufacturing as the second-most attacked industry in 2020 for respondents, up from eighth place the year prior and second only to financial services.

What’s behind these attacks?

Companies have invested a great deal in building castle-and-moat protections against external threats, focusing on protecting the DMZ or perimeter zone. In a world of known threats and less sophisticated techniques, this protection model worked reasonably well. But times have changed. 

Cybercriminals can be well resourced and tenacious, and even backed by nation-states. They can leverage ever more sophisticated tools, such as Ransomware-as-a-Service, and they are incentivized by cryptocurrencies with their strong liquidity and poor traceability. As a result, they are well positioned in the arms race against traditional perimeter defenses. Clearly, it is time to consider a zero trust approach to help protect your most valuable resource: your data.

The rise of zero trust 

The problem with the castle-and-moat model is the primary focus on external defenses. Once inside, cybercriminals can generally move freely around without much impediment and wreak havoc. This has led to a broadening of the security perspective to encompass internal security, with what is termed the zero trust model. 

The Biden administration in the United States recently issued an Executive Order calling for advancement towards a zero trust model within the federal government and among federal contractors. Subsequently, in response to multiple high-profile ransomware attacks, the White House also issued a memo to business executives urging them to protect against the threat of ransomware. Such a model is an “evolving set” of concepts that move beyond “defenses from static, network-based perimeters,” according to the National Institute of Standards and Technology (NIST).

What happens when a cybercriminal or organization has breached a perimeter and has access to your secure environment? Typically, they will start a stealth scan to build a map of your network. They enumerate the server they are on for all of its credentials and then try those credentials on your other servers to travel laterally. Most breaches move from computer to computer over standard protocols such as SSH, FTP, SFTP, HTTP, and HTTPS. This means you need a strategy for restricting spread and movement within your organization.

Zero Trust Protects File Transfers 

At IBM, our Sterling Secure File Transfer (SFT) solution is designed to align with a zero trust approach and harden servers to help reduce the possibility of ransomware or malware travelling laterally. The aim is to protect the inside of the castle, that is, inside the DMZ, and ultimately to safeguard internal intellectual property and assets. A zero trust approach requires securing and regulating movement between internal computers and servers, and we begin by removing untrusted protocols.

Our SFT solution is designed to include IBM Sterling Connect:Direct, which uses a security-hardened protocol. When malware reaches out internally, it will not know how to ‘talk’ to the protocol. The receiving server can also check the IP address of the server that has requested access. If that IP address is not on the internal list of trusted servers, which can be updated continuously, the receiving server automatically drops the session.

Connect:Direct can have additional checkpoints to further help prevent the spread of malware to another server. The malware also needs the correct credentials, and the credential requirements can be raised for additional protection of high-value servers. In addition, only files with a specified name may be transferred.

Each server that uses Connect:Direct becomes a checkpoint, and a choke point, for malware. This zero trust approach in Connect:Direct hardens infrastructure. It includes capabilities for zero trust communications practices that can help mitigate the risks of traditional protocols such as FTP, SFTP and SSH. SFT can also encrypt data at rest. In transit, it provides multifactor authentication, helping implement a zero trust strategy for your file transfers.
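The three checkpoints the text describes for a hardened internal transfer endpoint (a per-server allowlist of trusted peer addresses, a credential requirement that can be raised for high-value servers, and a restriction on which file names may be transferred) can be modelled as a small policy-decision function. The following is an added example and is not IBM's or Connect:Direct's code; the policy fields, the credential store, the user `batchsvc` and all addresses and file names are constructed for illustration. It shows the order of the checks and produces an audit line for every decision so that rejected sessions are visible to monitoring.

```python
"""Illustrative zero-trust admission policy for an internal file-transfer endpoint.

Added example, not IBM or Connect:Direct code. All names, addresses and
credentials below are constructed for the demonstration.
"""
import fnmatch
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class TransferPolicy:
    trusted_peers: Set[str]            # allowlisted internal server addresses
    allowed_names: List[str]           # glob patterns for permitted file names
    require_second_factor: bool = False  # raised for high-value servers


@dataclass
class TransferRequest:
    source_ip: str
    user: str
    password: str
    second_factor: Optional[str]
    filename: str


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed credential store: user -> (password hash, enrolled second factor).
CREDENTIALS = {
    "batchsvc": (_sha256("correct horse battery"), "123456"),
}


def evaluate(req: TransferRequest, policy: TransferPolicy) -> Tuple[str, str]:
    """Return ("ACCEPT"|"DROP", reason). Checks run in the order the text
    describes: peer address first, then credentials, then the file name."""
    try:
        peer = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return "DROP", "unparseable source address"
    if str(peer) not in policy.trusted_peers:
        return "DROP", f"peer {peer} not on trusted-server list"
    entry = CREDENTIALS.get(req.user)
    # Constant-time comparison so the check does not leak via timing.
    if entry is None or not hmac.compare_digest(entry[0], _sha256(req.password)):
        return "DROP", f"bad credentials for user {req.user}"
    if policy.require_second_factor:
        if not req.second_factor or not hmac.compare_digest(entry[1], req.second_factor):
            return "DROP", f"second factor missing or wrong for user {req.user}"
    if not any(fnmatch.fnmatch(req.filename, pat) for pat in policy.allowed_names):
        return "DROP", f"file name {req.filename!r} not permitted"
    return "ACCEPT", "all checks passed"


def audit_line(req: TransferRequest, decision: str, reason: str) -> str:
    """One log line per session decision; rejections are what monitoring watches."""
    return (f"transfer src={req.source_ip} user={req.user} "
            f"file={req.filename} decision={decision} reason=\"{reason}\"")


# Constructed policy for a high-value payroll server.
PAYROLL_POLICY = TransferPolicy(
    trusted_peers={"10.20.0.11", "10.20.0.12"},
    allowed_names=["payroll_*.csv"],
    require_second_factor=True,
)

# Constructed sessions: one legitimate batch job and three that should be dropped.
REQUESTS = [
    TransferRequest("10.20.0.11", "batchsvc", "correct horse battery", "123456", "payroll_2021-12.csv"),
    TransferRequest("10.50.3.7", "batchsvc", "correct horse battery", "123456", "payroll_2021-12.csv"),
    TransferRequest("10.20.0.12", "batchsvc", "correct horse battery", None, "payroll_2021-12.csv"),
    TransferRequest("10.20.0.12", "batchsvc", "correct horse battery", "123456", "tools.exe"),
]


def run_demo() -> List[str]:
    """Evaluate every constructed request and return the decisions in order."""
    decisions = []
    for req in REQUESTS:
        decision, reason = evaluate(req, PAYROLL_POLICY)
        print(audit_line(req, decision, reason))
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_demo()
```

The second request comes from an address that is not on the trusted list and is dropped before any credential is examined, which is the behaviour the text attributes to the receiving server; the third shows a harvested password alone failing against a server that requires a second factor, and the fourth shows the file-name restriction stopping a transfer even with valid credentials from a trusted peer.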

Do you have a traditional castle-and-moat security model? I urge you to consider implementing or expanding your zero trust strategy. It will help protect what is most valuable inside of your organization. You can start small and add more protections over time. The key is to begin now because the war will continue to escalate.  


Why Zero Trust?

As a security architect within IBM Security Services, I often get asked the question, “What exactly is a Zero Trust architecture?” Well, there is no single or unique answer to that question for two reasons.

First, Zero Trust is not an architectural model but rather a set of guiding principles that should be applied to existing and new designs. With that said, these principles present a number of architectural patterns or use cases that can serve as a starting point for implementation.

Second, the implementation of Zero Trust principles results in very different technical solutions and approaches for different use cases. For example, applying the same Zero Trust principles to an employee remote access use case would be addressed in a very different way than handling micro-services connectivity in a service mesh running on containers.

So, where does one even start and how would Zero Trust change the way security solutions are designed? To answer these questions, I propose starting at the right architectural entry point: enterprise security architecture (ESA). In this article, I’ll briefly describe how the principles of Zero Trust could be introduced at your organization through the different architectural governance levels and against ESA.

Looking at Zero Trust Architecture Through an ESA Lens

To establish an IT security governance model, most organizations define an ESA as part of a wider enterprise architecture program. In an ESA, all aspects of IT security are defined through the different stages of design. You’ll typically find the following stages: the contextual or business layer, the conceptual layer, the logical layer and the physical layer. Below I provide a summarized overview of the concepts.

Figure: Zero Trust architecture seen through an ESA lens (source: IBM Security)

In addition, an ESA should address the governance of how the solutions and artifacts are maintained at the different layers, as shown above. Security operations will need to manage the day-to-day operational risks, while architecture review cycles ensure that the solution’s building blocks are identified and up to date. I’ll come back to this last topic later.

Also, the security controls of an ESA should be designed, implemented and managed at the enterprise level. A security control is typically a solution that combines your people, processes and technology. From a high-level perspective, both the actions required to mitigate identified IT risks and the actions required to ensure regulatory compliance are translated into a set of security policies that are then enforced and implemented through an extended collection of security controls. An ESA helps to define the approach of how to achieve that goal in line with business requirements.

Combining Security Architecture With a Zero Trust Governance Model

If we start applying the Zero Trust principles to security architecture, it is clear that the contextual level does not change. The regulations, risks and business drivers are not changing, but the way an organization would address these requirements might change. Therefore, implementing Zero Trust principles will start at the conceptual layer of your architecture. IBM Security’s four-tenet Zero Trust governance model could be leveraged to structure the approach (see figure below).

Figure: IBM Security Zero Trust governance model (source: IBM Security)

1. Define Context

Defining context is key for Zero Trust across all security domains. Here, the foundation for your Zero Trust implementation road map has to be defined. New security policies will have to be defined and existing policies might require adaptation. The use cases within the organization should be identified as soon as possible, including what kind of integrations should be established between the controls at the different layers. Integrations will be one of the major changes coming with Zero Trust implementations in the next couple of years.

The vanishing perimeter paradigm will have to result in more integration between the security controls installed at the different layers of defense. The result is consolidated insights that can be used to make the access decisions for your data dynamically (under the principle of “Always Verify”) and access is no longer solely based on static access-control lists (ACLs).

From the ESA point of view, this “Define Context” tenet is where the security policies are set. Moreover, security services are needed to support the organization’s requirements. The capabilities needed to provide the services should be compiled and the high-level solution patterns built on these capabilities will need to address the Zero Trust use cases. The new and adapted capabilities have to be defined at the technical level and then deployed. The ESA should also define how to move from architectural version N to version N+1 through a transformation road map. In the picture below, I map the IBM Zero Trust governance model to the ESA example.

Figure: Zero Trust implementation mapped to the ESA example (source: IBM Security)

2. Verify and Enforce

The “Verify and Enforce” tenet in the IBM governance model is where most security vendors position their Zero Trust solutions. In an ESA context, this is where the logical architectures define the required security building blocks (SBBs).

Next, the logical architecture is worked out into technical designs based on the selected technologies. For example, the implementation of micro-segmentation for infrastructure in the data center will require a detailed technical design at the network layer. The role of ESA is to ensure the overall principles are followed during design and that the design goals like integration are achieved.

3. Resolve Incidents

Next comes everything related to security operations. This third tenet is called “Resolve Incidents” in IBM Security’s Zero Trust governance model. It is here where security operations are defined. This is also where security teams learn how to cope with security incidents impacting trusted connections and speed up both the detection and response for these incidents.

From my perspective, the operational architecture within ESA is the most important concept here. You could have the best security technologies available, but if they’re not properly managed by the security operations team, they won’t meet expectations and can result in failed outcomes. We all know that security maturity can’t be achieved in every layer at the same moment. Adequate security monitoring solutions and automated response measures are the best tools to bridge those gaps in maturity.

4. Analyze and Improve

The tenet of “Analyze & Improve” is a key element of the Zero Trust governance model and it should also be a standard component of every ESA. In a rapidly evolving technology landscape, where there are accelerated product releases thanks to Agile approaches combined with automated CI/CD delivery models, an ESA should focus on the continuous improvement loop.

Implementing Zero Trust principles won’t be achieved overnight. The changes should be tested on a single use case that’s relevant to your business, and the effectiveness of that implementation should be consistently measured, with improvements applied in an Agile way. Once your initial use case is deemed ready, the same approach can be scaled out to other enterprise-wide use cases, meaning that all activities related to “Analyze & Improve” will have to occur at an accelerated pace.

Interested in learning how you can begin your Zero Trust adoption? Learn about the steps you can take with an integrated, multi-disciplinary governance model that advances progress toward maturity.


Understanding the Cybersecurity Threat & its Impact

Data security is on everyone’s mind these days, and for good reason. The number of successful data breaches is growing thanks to the increased attack surfaces created by more complex IT environments, widespread adoption of cloud services and the increasingly sophisticated nature of cybercriminals.

One part of this story that has remained consistent over the years is that most security breaches are preventable. Although every organization’s security challenges and goals are different, there are certain mistakes that many companies make as they begin to tackle data security. What’s worse, these mistakes are often accepted as the norm, hiding in plain sight under the guise of common practice.

Read the white paper: Five Common Data Security Pitfalls to Avoid

Five Common Data Security Pitfalls

Below are five common data security failures that, if left unchecked, could lead to unforced errors and contribute to the next major data breach.

1. Failure to Move Beyond Compliance

It is often said that compliance does not equal security, and most security professionals would agree with that statement. However, organizations often focus their limited security resources on achieving compliance and, once they receive their certifications, become complacent. As a result, many of the largest data breaches in recent years have happened in organizations that may have been fully compliant on paper.

2. Failure to Recognize the Need for Centralized Data Security

Compliance can help raise awareness of the need for data security, but without broader mandates that cover data privacy and security, organizations often fail to move past compliance toward a focus on consistent, enterprise-wide data security. A typical organization today has a hybrid multicloud environment, which is constantly changing and growing. New types of data stores can appear weekly, if not daily, and greatly disperse sensitive data.

3. Failure to Assign Responsibility for the Data

Even when aware of the need for data security, many companies have no one specifically responsible for protecting sensitive data. This situation often becomes apparent during a data security or audit incident when the organization is under pressure to find out who is actually responsible.

4. Failure to Address Known Vulnerabilities

High-profile breaches in enterprises have often resulted from known vulnerabilities that went unpatched even after the release of patches. Failure to quickly patch known vulnerabilities puts your organization’s data at risk because cybercriminals actively seek these easy points of entry.

According to a recent IDC research report, organizations are struggling to manage data security across multi-cloud and hybrid environments. In fact, in a recent survey more than 37% of respondents identified the growing complexity of security solutions as a significant challenge, one which often impedes data governance and policy enforcement.

5. Failure to Prioritize and Leverage Data Activity Monitoring

Monitoring data access and use is an essential part of any data security strategy. Organizations need to know who is accessing data, how and when. This monitoring should encompass whether these people should have access, whether that access level is correct and whether it represents an elevated risk for the enterprise.

Taking Steps to Close Data Security Pitfalls

There is nothing easy about securing sensitive data to combat today’s threat landscape, but companies can take steps to ensure that they are devoting the right resources to their data protection strategy.

When starting on a data security journey, you need to size and scope your monitoring efforts to properly address the requirements and risks. This activity often involves adopting a phased approach that enables developing and scaling best practices across your enterprise. Moreover, it’s critical to have conversations with key business and IT stakeholders early in the process to understand short-term and long-term business objectives.

To learn more about common data security missteps, read the white paper, “Five Common Data Security Pitfalls to Avoid.”


Grounding Cyber-Resilience in the IBM Cloud

01

Managing and securing data

The most valuable enterprise asset is data

Data—the most valuable business asset for enterprises and their customers—must be protected from unauthorized access. Always available and secure data coupled with insightful data analytics drives business innovation, increases client satisfaction and loyalty and, more importantly, gives you a competitive edge in the marketplace.

Managing data throughout its lifecycle in compliance with business, privacy and security regulatory requirements must be the top priority in cloud environments. That is why a trusted business partner with deep expertise in security, privacy and cloud deployments is critical. IBM has successfully helped customers migrate to the cloud by using extensive industry-specific products and services backed by more than 2,500 cloud technology patents granted to IBM.

The nature of global cloud computing means that the physical location of data is very relevant and is becoming more significant every day. Business transactions occur across international borders every second. Big data created in one region gets stored, processed and accessed from other regions across international borders. End users, clients and business partners using your data may be accessing it from all over the globe.


The performance of cloud workloads is proportionate to the user’s distance from the data center where your data is housed. This is also true for cloud providers, who are expected to ensure your data moves efficiently with minimal latency around the globe. Knowing this, IBM has invested heavily in building, maintaining and growing an agile global cloud network backbone that transports public and private traffic around the globe to help ensure an exceptional customer experience.

02

Data location matters

The location of data is often given little attention, but it matters

Organizations often migrate business workloads to the cloud so that data is always available and delivered quickly and reliably to customers around the world. The actual location of data is often given little attention due to lack of clarity about concepts such as universal accessibility, guaranteed uptime service level agreements (SLAs) and high-speed network connectivity. Overlooking your data’s physical location can lead to slow uploads and downloads, unsatisfactory delays in service, a reduction in productivity and loss of customers and business. More importantly, where data resides plays an instrumental role in protecting privacy and meeting the regulatory requirements for data protection.

While the cloud delivers infrastructure as a service (IaaS), data stored on the cloud resides on physical storage devices and data in transit traverses physical networks too. Even data used by your cloud applications—data in use—needs to be secured. IBM Cloud® provides built-in security solutions designed to protect data throughout its lifecycle.

When looking at the potential performance of global networks, it is customary to use the speed of light in fiber to estimate optimal potential response times as measured in return trip time (RTT).

Cloud workloads require an infrastructure that is agile, secure, responsive and has a local presence on a global scale. IBM understands these business cloud needs and in response has invested in a global network that offers more than 60 data centers and six multizone regions across six continents. IBM’s cloud network keeps application workloads and data secure in data centers that are compliant with regulatory requirements. IBM’s data security addresses data at rest, in transit and in use. IBM Cloud offers IBM Key Protect, with benefits such as bring your own keys (BYOK), and IBM Cloud Hyper Protect Crypto Services, enabling you to keep your own keys (KYOK) for cloud data encryption.

IBM Key Protect (BYOK)

IBM Key Protect is a multi-tenant key management service (KMS) with key vaulting provided by IBM-controlled FIPS 140-2 Level 3 Hardware Security Modules. With Key Protect, customers bring their own keys (BYOK) to the cloud and manage the keys themselves. IBM values the security and privacy of our customers’ data, so we also provide operational assurance that IBM will not access the keys.

IBM Cloud Hyper Protect Crypto Services (KYOK)

IBM Cloud Hyper Protect Crypto Services offers a two-in-one solution: a KMS with a built-in Hardware Security Module (HSM). The offering is a single-tenant Key Management Service with key vaulting provided by customer-controlled FIPS 140-2 Level 4 HSMs, the highest available certification. With Hyper Protect Crypto Services, customers keep their own keys (KYOK), protected by HSMs they control and manage. The implementation provides technical assurance that IBM cannot access the keys.

Customer scenario

The ideal situation for enterprises is to deploy cloud workloads in proximity to their customers for optimal response time. Today’s global digital economy means that most enterprises conduct business around the globe and need to ensure that customers, regardless of their location, have pleasant business experiences. For the best experience, the global presence of IBM Cloud affords the opportunity for organizations to deploy their workloads in several locations that are close to their worldwide customer base.

Let’s look at a global business that is based in San Jose, CA with customers in Paris, France and Singapore. The ideal situation for this business is to have workloads deployed as close to these locations—if not directly in these cities—as possible. Alternatively, the business could choose a less optimal solution by deploying workloads in San Jose only; thus giving customers in Paris similar, delayed response times as those in Singapore. With its expansive network, multizone region capabilities and high-speed infrastructure, IBM Cloud is designed to enable businesses to serve global customers in a secure, fast and timely manner.
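The estimate the text relies on (the speed of light in fiber as the floor on round-trip time, RTT) can be carried through for the San Jose, Paris and Singapore scenario. The following is an added example and not IBM's code or IBM Cloud data: the city coordinates are constructed approximations, the fiber refractive index of 1.47 is an assumed typical value, and the optional `path_stretch` factor (cable routes are longer than the great-circle distance) is an assumption of this example. It computes great-circle distance with the haversine formula and compares the single-site deployment against one with a site near each customer base.

```python
"""Speed-of-light-in-fiber RTT floor for the San Jose / Paris / Singapore scenario.

Added example, not IBM code. Coordinates and the refractive index are assumed
values for illustration.
"""
import math
from typing import Dict, Tuple

SPEED_OF_LIGHT_KM_S = 299_792.458
FIBER_REFRACTIVE_INDEX = 1.47                      # assumed typical value for silica fiber
SPEED_IN_FIBER_KM_S = SPEED_OF_LIGHT_KM_S / FIBER_REFRACTIVE_INDEX   # roughly 204,000 km/s
EARTH_RADIUS_KM = 6371.0

# Constructed approximate coordinates (latitude, longitude in degrees).
CITIES: Dict[str, Tuple[float, float]] = {
    "San Jose": (37.3382, -121.8863),
    "Paris": (48.8566, 2.3522),
    "Singapore": (1.3521, 103.8198),
}


def great_circle_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Haversine great-circle distance between two (lat, lon) points in km."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(distance_km: float, path_stretch: float = 1.0) -> float:
    """Lower bound on RTT: light travels there and back through fiber.
    path_stretch > 1.0 (assumed) accounts for cable routes longer than the great circle."""
    return 2.0 * distance_km * path_stretch / SPEED_IN_FIBER_KM_S * 1000.0


def best_site_rtt(user_city: str, sites: Tuple[str, ...], path_stretch: float = 1.0) -> Tuple[str, float]:
    """Pick the deployment site that minimises the RTT floor for a user in user_city."""
    best = None
    for site in sites:
        rtt = min_rtt_ms(great_circle_km(CITIES[user_city], CITIES[site]), path_stretch)
        if best is None or rtt < best[1]:
            best = (site, rtt)
    return best


def compare_deployments(path_stretch: float = 1.0) -> Dict[str, Dict[str, float]]:
    """RTT floor per customer city for a San Jose-only deployment versus one with
    a site in each customer city (the scenario in the text)."""
    single = ("San Jose",)
    multi = ("San Jose", "Paris", "Singapore")
    result = {}
    for city in ("Paris", "Singapore"):
        result[city] = {
            "san_jose_only_ms": best_site_rtt(city, single, path_stretch)[1],
            "nearest_site_ms": best_site_rtt(city, multi, path_stretch)[1],
        }
    return result


if __name__ == "__main__":
    for city, rtts in compare_deployments().items():
        print(f"{city:10s} San Jose only: {rtts['san_jose_only_ms']:6.1f} ms   "
              f"nearest site: {rtts['nearest_site_ms']:6.1f} ms")
```

With the assumed values, Paris is roughly 9,000 km from San Jose and Singapore roughly 13,600 km, so the physics-only RTT floors are in the neighbourhood of 90 ms and 135 ms respectively before any routing detour, queueing or processing is added. That is the gap the text describes between serving both regions from San Jose and deploying near each customer base.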

03

IBM Cloud global data centers

Protect and deliver services to customers worldwide

IBM Cloud data centers and network points of presence (PoPs) are connected to a global network backbone, which carries public, private and management traffic to and from servers. This global network boasts more than 2,600 Gbps of connectivity between data centers and network PoPs with up to 20 TB of no-cost outbound bandwidth (egress traffic). Additionally, the network PoPs have more than 2,500 Gbps of transit and peering connectivity to the Internet. When accessing an IBM Cloud server, the network is designed to bring you onto the IBM global backbone quickly at one of the network PoPs. Clients and end users may experience fewer hops and a more direct route that IBM Cloud controls. When a user requests data from an IBM Cloud server, that data travels to the nearest network PoP where it is handed off to another provider to carry the data the remaining distance.

Figure: IBM Cloud global data center locations

04

Move data securely and quickly

Move files and data sets of any type and size reliably and at maximum speed

Ensuring your data is secure and protected during a migration and throughout its lifecycle is a critical priority. IBM Cloud uses the same software technology and expertise from on-premises infrastructure making the move to cloud more streamlined and secure. Two examples of this technology are IBM Aspera® on Cloud and IBM Cloud VPC.

IBM Aspera on Cloud

When utilizing IBM Aspera on Cloud, enterprises can move files and data sets of any type and size reliably at maximum speed regardless of network conditions. Aspera on Cloud uses the patented network-optimized proprietary protocol Fast and Secure Protocol (FASP) to securely move data at speeds that often exceed one hundred times the speed delivered by Transmission Control Protocol (TCP). Data transfers using FASP are encrypted for securing your data at rest and in transit. This solution is designed for quick, reliable and secure movement of large files and data sets between clouds and on-premises resources.

IBM Cloud Virtual Private Cloud

Build cloud native 3-tier applications on IBM Cloud Virtual Private Cloud (VPC), which offers a protected space in IBM Cloud with the advanced security of a private cloud and the agility and ease of public cloud. This allows you to control virtual networks in logically isolated segments to quickly deploy and manage compute, storage and networking cloud resources. IBM Cloud VPC adds to the security capabilities of the IBM Cloud and creates more secure environments for application workloads and data through the use of security groups and access control lists.

To ensure enterprise workloads and cloud-native applications are continuously available, IBM Cloud has multi-zone regions (MZRs) composed of three availability zones per MZR, with added fault tolerance that can be leveraged by building workloads using multiple subnets within a single VPC. In addition, IBM Cloud Virtual Server for VPC offers an excellent solution for network-intensive applications, simulations or in-memory caching, with general purpose profiles that provide up to 80 Gbps of network performance.

Multi-zone regions and availability zones

IBM Cloud offers a constantly expanding global footprint to help ensure you’re meeting your customers where they are. Our IBM Cloud multizone regions (MZRs) have three or more data centers within six miles of each other. These data centers are located in close proximity to ensure high availability and resiliency. They offer a full and consistent set of services to support your enterprise-class workload needs. MZRs include the full IBM Watson® and cloud stack (IaaS, CaaS, PaaS, cognitive and data) and are connected to two PoPs to help provide maximum PoP resiliency. High-speed metro-area interconnects allow applications to have less than 2 milliseconds of latency in cross-zone communications. IBM Cloud services such as cloud object storage, containers and APIs, which can de-identify data under applicable permissions, are regionally aware and take advantage of this design to ease the burden on the application provider.

Deploy workloads in over 46 data centers across 9 regions and 27 availability zones globally.

Figure: IBM Cloud multi-zone region (MZR), showing connected availability zones and points of presence

05

Our responsibility to you

Cloud providers must be committed to the security and privacy of their clients’ data

Data is the most valuable business asset of our time. It’s the world’s new natural resource, growing exponentially not only in quantity but more importantly, form and value. Every action and interaction, every decision and relationship, every event occurring in any of the world’s complex systems, is now expressed as data. This profound shift is compelling enterprises to adopt new technologies and business architectures based on cloud; and new business processes, skills and forms of engagement. In the rush to harness potential business value from data, cloud providers mustn’t lose sight of basic expectations that individuals, enterprises and communities rightly have regarding security, trust, privacy, jobs, skills–and, increasingly–the data they own or that is collected from them.

Data ownership and privacy

IBM believes that the unique insights derived from our clients’ data are their competitive advantage, and we do not share them without clients’ explicit agreement. We employ security practices to help safeguard data, including the use of encryption, access control methodologies and proprietary consent management modules, which allow us to restrict access to authorized users.

We advocate for strong and innovative means to enhance privacy and data protection, and we will continue to invest in privacy-enhancing technologies. We were an early adopter of the European Union (EU) Data Protection Code of Conduct for Cloud Service Providers for several IBM Cloud services and offerings, securing certification under the US-EU Privacy Offerings and the APEC Cross-Border Privacy Rules. IBM was the first cloud provider to deliver hyper data protection and commit to compliance with the EU’s General Data Protection Regulation (GDPR). IBM Cloud is GDPR compliant.

Data flows and access

Protecting the privacy of your data, which is fundamental in our data-driven society, is something that IBM appreciates and is fully committed to. We’ve made significant investments in our cloud data centers around the globe to give clients the flexibility to decide where to store and process their data. We believe these decisions generally should be driven by client choice rather than government mandate.

Data security and trust

IBM Cloud employs security practices and technologies to help safeguard workloads and data. On the IBM Cloud, data is protected while at rest, in transit and in use. We’re poised at the forefront of applying artificial intelligence capabilities to stay steps ahead of emerging digital threats. We do not put “backdoors” in our products for any government agency, nor do we provide source code or encryption keys to any government agency. You are the only party that would own your encryption keys, and not even IBM would have access to those keys. IBM Cloud security builds on IBM’s heritage of providing proven, field-tested security solutions used by thousands of enterprises worldwide.


Reinforcing Data Resilience

Last year, many organizations stopped talking about when the workforce would be back full-time in the office. Instead, they focused on how to build a hybrid work model for the future. 2021 was active and interesting, for lack of a better word. There’s a lot to say in terms of cyber crime in general and ransomware specifically.

As we progress further into 2022, we wanted to pause to reflect on 2021. What’s in store going forward? We spoke with Camille Singleton, a threat intelligence expert within IBM Security X-Force, to get her thoughts. See how we can prepare for what’s ahead.

Question: What Did 2021 Bring?

Singleton: We’ve seen a number of new trends in 2021, including an uptick in triple extortion. We began seeing double extortion in 2019 and 2020, during which gangs either leak or threaten to leak stolen data, which puts more pressure on victims to pay the ransom than if their data was only encrypted. Now we are seeing some groups threaten triple extortion, adding distributed denial-of-service attacks when a victim doesn’t pay after the group encrypts, steals and then leaks the data. This technique is still in its infancy, but it may become more prevalent if ransomware gangs figure out how to use it to their advantage.

On a positive note, 2021 was also the year of a crackdown on ransomware. We’ve seen a flurry of arrests worldwide, including that of Clop ransomware actors and members of the REvil/Sodinokibi ransomware group. We also saw many groups, such as REvil/Sodinokibi, DarkSide, Black Matter and Avaddon, shut down, although I expect some will come back next year. But at least for now, the tempo of attacks may be a little slower.

Question: What Are Your 2022 Predictions for Ransomware?

Singleton: First, I don’t think ransomware is going away – even with the shutdowns and government crackdowns. Ransomware actors are earning a ton of money, billions of dollars every year from ransomware attacks, which continues to attract cyber criminals to the ransomware space.

Second, I think a lot of the big groups that were shut down will rebuild and come back. I don’t know what their new names or focus will be, but they will learn from their experience to develop new ransomware and continue their operations. While I can’t predict the number of new groups, I think it may be somewhat comparable to the number shut down in 2021.

Finally, I am hopeful we will see more arrests of ransomware actors in 2022 than we did in 2021. Ideally, these arrests will eventually have a lasting effect on the ransomware landscape. For example, in 2016, hacktivism was huge, and the group Anonymous was extremely active with a high level of hacktivist attacks. But the strong law enforcement crackdown from 2016 to 2018 dramatically changed the hacktivist threat landscape, decreasing the level of hacktivist activity. There may be some hope that we will see a similar threat landscape change with ransomware over time.

Question: What Can Organizations Do to Prevent Ransomware Attacks in 2022?

Singleton: After reviewing numerous ransomware attacks spanning most geographies and industries, X-Force has found that many ransomware attackers are using similar tactics, tools and techniques. Cyber criminals are figuring out what works and communicating that to one another. In particular, X-Force has identified five stages of a ransomware attack that threat actors are using again and again. Recently, we’ve seen some changes in the details of these attacks, such as the frequent exploitation of Active Directory to steal credentials and to move laterally within the network. If organizations pay more attention to Active Directory, monitor it closely and know what suspicious activity to look for, they might be able to catch ransomware actors before they execute their objectives. We’ve also noticed that 88% of ransomware attacks used the tool Adfind, which wasn’t the case even three years ago.

Organizations should also focus on domain controllers. Almost every single ransomware attack today involves the attackers trying to get access to domain controllers and domain administrator accounts and deploy the ransomware from there. Previously, many ransomware strains “wormed around,” such as with WannaCry, self-propagating from computer to computer through the network. Now, attackers are using domain controllers to deploy ransomware on all or as many devices as possible within an enterprise network simultaneously.

In terms of how ransomware attackers are initially getting in, phishing and vulnerability exploitation are the two infection vectors we are commonly observing. Ransomware attackers are cooperating with QakBot, Emotet and Trickbot operators who gain initial access through phishing emails and drop malicious attachments. They then deploy their malware, and the ransomware affiliates continue the attack from there. Organizations should continue to protect against phishing through user awareness training, behavior-based anti-malware detection and phishing email software solutions. Organizations should also use a robust vulnerability management program to address relevant vulnerabilities quickly.

While there is no way to 100% prevent ransomware, understanding the techniques threat actors are using today can help organizations know where to focus to prevent attackers from getting into the network and then finding them once they breach the network.
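As an added illustration of the kind of Active Directory monitoring the answer above recommends (example code written for this page, not X-Force's or IBM's tooling, and not a description of how Cyber Vault or QRadar work), the following Python script evaluates a handful of constructed process-creation and group-change events. The event shape, host names, user names and the renamed-binary case (`af.exe`) are assumptions; the rules flag the AdFind binary by name, LDAP filter syntax passed on the command line by any other binary (which catches a renamed copy), and additions to privileged AD groups, which is the "domain administrator accounts" warning sign from the interview.

```python
"""Flag AdFind-style AD reconnaissance and privileged-group changes.

Added example for this page. The event records below are constructed to
resemble Sysmon process-creation and Windows Security group-change fields;
they are not real telemetry, and the rules are generic, not IBM's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events (assumed hosts, users and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2022-01-10T09:12:03Z", "host": "WS042", "event": "ProcessCreate",
     "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"time": "2022-01-10T09:40:51Z", "host": "WS042", "event": "ProcessCreate",
     "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    # Same enumeration, but the binary has been renamed: name-based rules miss it.
    {"time": "2022-01-10T10:05:17Z", "host": "WS017", "event": "ProcessCreate",
     "user": "CORP\\svc_backup", "image": "C:\\ProgramData\\af.exe",
     "cmdline": "af.exe -f (objectcategory=person)"},
    {"time": "2022-01-10T10:31:02Z", "host": "DC01", "event": "GroupMemberAdded",
     "user": "CORP\\svc_backup", "group": "Domain Admins", "member": "CORP\\svc_backup"},
    {"time": "2022-01-10T11:00:00Z", "host": "DC01", "event": "GroupMemberAdded",
     "user": "CORP\\it_admin", "group": "Helpdesk", "member": "CORP\\newhire"},
]

# Binary names associated with AD enumeration (the page names AdFind).
KNOWN_RECON_BINARIES = {"adfind.exe"}

# LDAP filter fragments that enumeration tools pass on the command line.
# Matching on these catches a renamed copy of the same tool.
LDAP_FILTER_RE = re.compile(r"objectcategory=|objectclass=|samaccountname=", re.IGNORECASE)

# Built-in AD groups whose membership changes deserve an alert.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}


def basename(win_path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return win_path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons: List[str] = []
    if event["event"] == "ProcessCreate":
        name = basename(event["image"])
        if name in KNOWN_RECON_BINARIES:
            reasons.append("known AD recon binary: " + name)
        elif LDAP_FILTER_RE.search(event.get("cmdline", "")):
            reasons.append("LDAP filter on command line from unlisted binary: " + name)
    elif event["event"] == "GroupMemberAdded":
        if event["group"].lower() in PRIVILEGED_GROUPS:
            reasons.append("member added to privileged group: " + event["group"])
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; one (time, host, reason) row per hit."""
    return [(e["time"], e["host"], reason) for e in events for reason in evaluate(e)]


if __name__ == "__main__":
    for time, host, reason in scan(SAMPLE_EVENTS):
        print(f"{time} {host}: {reason}")
```

In a real deployment the three rules would be separate detections with different severities: the privileged-group change is a high-confidence signal on its own, while the command-line rule is a low-cost way to avoid depending on a file name the attacker controls.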

Question: What Should Organizations Do to Prepare for an Attack?

Singleton: On a certain level, organizations should expect that a ransomware attack will happen. They should prepare for an attack beforehand by planning their response, considering how to diminish the impact on their network and putting backup plans and redundancy in place so they can get up and running quickly. Organizations should also consider how to handle the public relations aspect of a massive ransomware attack. Everyone from the CEO to the lowest level security operations center analyst needs to know what they are going to do next in a response scenario. The goal is to prevent attacks as much as possible but be ready in case one happens, whether that’s in 2022 or beyond.

Speeding Threat Detection


Today, we’re announcing new data resilience capabilities for the IBM FlashSystem family of all-flash arrays to help you better detect and recover quickly from ransomware and other cyberattacks. We’re also announcing new members of the FlashSystem family with higher levels of performance to help accommodate these new cyber resilience capabilities alongside production workloads.

Cybercrime continues to be a major concern for business. Almost every day we see reports of new attacks. The average cost is $4.24 million, and recovery can take days or weeks. [1] Cyberattacks have an immediate impact on business and can also have a lasting reputational impact if the business is unavailable for a long time. [1]

How Cyber Vault Can Help Businesses Recover Rapidly

Even with the best cyberattack defense strategy, it’s possible that an attack could bypass those defenses. That’s why it’s essential for businesses to have both defense and recovery strategies in place. Storage plays a central role in recovering from an attack.

IBM Safeguarded Copy, announced last year, automatically creates point-in-time snapshots according to an administrator-defined schedule. These snapshots are designed to be immutable (snapshots cannot be changed) and protected (snapshots cannot be deleted except by specially defined users). These characteristics help protect the snapshots from malware or ransomware and from disgruntled employees. The snapshots can be used to quickly recover production data following an attack.

Recovery from an attack involves three major phases: detection that an attack has occurred, preparing a response to the attack, and recovery from the attack. Each of these phases can take hours or longer, contributing to the overall business impact of an attack.

An offering implemented by IBM Lab Services, IBM FlashSystem Cyber Vault is designed to help speed all phases of this process. Cyber Vault runs continuously and monitors snapshots as they are created by Safeguarded Copy. Using standard database tools and other software, Cyber Vault checks Safeguarded Copy snapshots for corruption. If Cyber Vault finds corruption in a snapshot, that is an immediate sign an attack may be occurring. IBM FlashSystem Cyber Vault is based on a proven solution already used by more than 100 customers worldwide with IBM DS8000 storage.

When preparing a response, knowing the last snapshots with no evidence of an attack speeds determining which snapshot to use. And since Safeguarded Copy snapshots are on the same FlashSystem storage as operational data, recovery is fast using the same snapshot technology. Cyber Vault automation helps speed the process of recovery further. With these advantages, FlashSystem Cyber Vault is designed to help reduce cyberattack recovery time from days to just hours.
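To make the "last snapshots with no evidence of an attack" step concrete, here is an added example written for this page; it is not Cyber Vault's or Safeguarded Copy's code, and the page does not document which checks IBM's tooling actually runs. It audits a chronological series of constructed in-memory snapshots with two generic corruption heuristics a practitioner can apply to any snapshot set: a file-header (magic) mismatch for known types such as PDF and SQLite, and unusually high byte entropy in file types that should be compressible, which is what encrypted files look like. It then walks from newest to oldest and returns the newest snapshot that passes every check, which is the recovery point the paragraph above describes. Snapshot ids, file names, contents and the entropy threshold are all assumptions.

```python
"""Pick the newest snapshot that shows no evidence of encryption or corruption.

Added example for this page; not IBM Cyber Vault / Safeguarded Copy code.
Snapshots are modelled as {path: bytes} mappings keyed by a timestamp id.
"""
from __future__ import annotations

import math
import os
from collections import Counter
from typing import Dict, List, Tuple

# Known file headers ("magic") for types we expect in the data set.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".db": b"SQLite format 3\x00",
}

# Types that are normally compressible; near-8 bits/byte entropy there is a
# strong sign the content has been encrypted or otherwise replaced.
ENTROPY_CHECKED = {".txt", ".csv", ".sql", ".db"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_snapshot(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that fails a check."""
    findings: List[Tuple[str, str]] = []
    for path, data in sorted(files.items()):
        ext = os.path.splitext(path)[1].lower()
        magic = MAGIC.get(ext)
        if magic is not None and not data.startswith(magic):
            findings.append((path, f"header mismatch for {ext}"))
            continue
        if ext in ENTROPY_CHECKED:
            h = shannon_entropy(data)
            if h > ENTROPY_THRESHOLD:
                findings.append((path, f"entropy {h:.2f} bits/byte"))
    return findings


def last_clean_snapshot(
    snapshots: List[Tuple[str, Dict[str, bytes]]]
) -> Tuple[str | None, Dict[str, List[Tuple[str, str]]]]:
    """Audit every snapshot newest-first; return (newest clean id, per-snapshot findings)."""
    audits: Dict[str, List[Tuple[str, str]]] = {}
    newest_clean = None
    for snap_id, files in sorted(snapshots, key=lambda s: s[0], reverse=True):
        audits[snap_id] = audit_snapshot(files)
        if newest_clean is None and not audits[snap_id]:
            newest_clean = snap_id
    return newest_clean, audits


# Constructed contents. CLEAN_* are plausible healthy files; ENCRYPTED_STANDIN is a
# deterministic stand-in for ciphertext: every byte value occurs equally often,
# so its entropy is exactly 8 bits/byte and its first byte matches no header.
CLEAN_PDF = b"%PDF-1.7\n" + b"1 0 obj <</Type /Catalog>> endobj\n" * 8
CLEAN_DB = b"SQLite format 3\x00" + b"\x00" * 64 + b"customer,contact,region\n" * 16
CLEAN_TXT = b"Quarterly notes: backups verified; patch window Friday.\n" * 8
ENCRYPTED_STANDIN = bytes((i * 37 + 11) % 256 for i in range(1024))

# Constructed snapshot series (ids are assumed Safeguarded-Copy-style timestamps).
SNAPSHOTS: List[Tuple[str, Dict[str, bytes]]] = [
    ("2022-01-10T08:00Z", {"invoices.pdf": CLEAN_PDF, "customers.db": CLEAN_DB, "notes.txt": CLEAN_TXT}),
    ("2022-01-10T12:00Z", {"invoices.pdf": CLEAN_PDF, "customers.db": CLEAN_DB,
                           "notes.txt": CLEAN_TXT + b"Added vendor review.\n"}),
    # Attack in progress: two files replaced, one not yet touched.
    ("2022-01-10T16:00Z", {"invoices.pdf": ENCRYPTED_STANDIN, "customers.db": ENCRYPTED_STANDIN,
                           "notes.txt": CLEAN_TXT}),
    ("2022-01-10T20:00Z", {"invoices.pdf": ENCRYPTED_STANDIN, "customers.db": ENCRYPTED_STANDIN,
                           "notes.txt": ENCRYPTED_STANDIN}),
]

if __name__ == "__main__":
    newest, report = last_clean_snapshot(SNAPSHOTS)
    for snap_id in sorted(report):
        print(snap_id, report[snap_id] or "clean")
    print("recover from:", newest)
```

Against real snapshots the per-file loop would sample rather than read everything, and the header table would be extended with the application's own formats; the control flow (audit newest first, stop at the first fully clean snapshot) is what shortens the "which snapshot do we restore" decision.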

IBM FlashSystem Cyber Vault is part of IBM’s comprehensive approach to data resilience: high availability and remote replication for disaster recovery in IBM FlashSystem; backup, recovery and copy management using IBM Spectrum Protect Suite; ultra-low-cost long-term storage with physical air gap protection using IBM tape storage; early attack detection through IBM QRadar and IBM Guardium; and proactive attack protection using IBM Safeguarded Copy.

High Performance Hybrid Cloud Storage Systems

To ensure cyber security does not have to come at the expense of production workload efficiency, IBM is introducing new storage systems with greater performance than previous systems.

Built for growing enterprises needing the highest capability and resilience, IBM FlashSystem 9500 offers twice the performance, connectivity, and capacity of FlashSystem 9200 and up to 50% more cache (3TB). The system supports twice as many (48) high-performance NVMe drives. Likewise, FlashSystem 9500 supports up to forty-eight 32Gbps Fibre Channel ports with planned support for 64Gbps Fibre Channel ports. [2] There’s also an extensive range of Ethernet options, including 100GbE RoCEv2.


Supported drives include new IBM FlashCore Modules (FCM 3) with improved hardware compression capability, Storage Class Memory drives for ultra-low latency workloads, or industry standard NVMe flash drives. FCMs allow 2.3PB effective capacity with DRAID6 per control enclosure and 4.5PB effective capacity with forty-eight 38TB FCMs in a planned future update. These new FCM 3 drives help reduce operational cost with a maximum of 116TB per drive and an impressive 18PB of effective capacity in only 16U of rack space with FlashSystem 9500. [3] FCM 3 drives are self-encrypting and are designed to support FIPS 140-3 Level 2 certification, demonstrating that they meet rigorous security standards as defined by the US government.

FlashSystem 9500 also provides rock solid data resilience with numerous safeguards, including multi-factor authentication designed to validate users and secure boot to help ensure only IBM authorized software runs on the system. Additionally, the IBM FlashSystem family offers two- and three-site replication plus configuration options that can include an optional 100% data availability guarantee to help ensure business continuity. [4]

“In our beta testing, FlashSystem 9500 with FlashCore Module compression enabled showed the lowest latency we have seen together with the efficiency benefit of compression. FlashSystem 9500 delivers the most IOPS and throughput of any dual controller system we have tested and even beat some four-controller systems.”

— Technical Storage Leader at a major European Bank.

New IBM FlashSystem 7300 offers about 25% better performance than FlashSystem 7200, supports FCM 3 with improved compression, and supports 100GbE RoCEv2. With 24 NVMe drives, it supports up to 2.2PB effective capacity per control enclosure.


For customers seeking a storage virtualization system, new IBM SAN Volume Controller engines are based on the same technology as IBM FlashSystem 9500 and so deliver about double the performance and connectivity of the previous SVC engine. SAN Volume Controller is designed for storage virtualization and so does not include storage capacity but is capable of virtualizing over 500 different storage systems from IBM and other vendors.


Like all members of the IBM FlashSystem family, these new systems are designed to be simple to use in environments with mixed deployments that may require multiple different systems at the core, cloud, or at the edge. They deliver a common set of comprehensive storage data services using a single software platform provided by IBM Spectrum Virtualize. Hybrid cloud capability consistent with on-prem systems is available for IBM Cloud, AWS, and Microsoft Azure with IBM Spectrum Virtualize for Public Cloud. These systems also form the foundation of IBM Storage as a Service.

For more information about these new offerings, watch our webcast or explore IBM FlashSystem.

[1] Source: IBM Institute for Business Value 2021 Cost of a Data Breach report, https://www.ibm.com/security/data-breach
[2] Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision.
[3] Effective capacity is based on compressibility of data, which will vary among data types. Some data (already compressed or encrypted) will not compress at all. Refer to IBM compression estimator tools.
[4] Available only for HyperSwap configurations deployed by IBM Lab Services.