By David Mahdi, Chief Strategy Officer and CISO Advisor, Sectigo
While ransomware is malware, security leaders must go beyond legacy anti-malware approaches to mitigate risk. Ransomware is a data-centric threat; that is, ransomware preys on corporate data. Cunning and successful ransomware attacks hijack user access with an aim to encrypt sensitive files, stealing data. So, if ransomware is all about the data and the hijacking of user access to get to the data, then the more data a user can access, the more attractive target the user is for the attacker.
Ransomware is a multi-faceted cybersecurity issue, and best practice dictates using email security and antivirus, in addition to other tools to fend it off. Indeed, while these are good best practices, IT leaders need to undergo a crucial perspective change when it comes to ransomware and understand it isn’t solely a traditional malware problem. Bad actors want access to data, and they gain access by compromising user accounts, or in other words, by compromising the identity layer of an organization. Without considering the importance of identity and data access, organizations will remain vulnerable to attack.
Yet, organizations and security leaders can’t simply lock down identity and data access to prevent ransomware. Typically, IT departments tend to over privilege users to avoid interrupting business. While this approach generally helps day-to-day operations, it’s also precisely what allows bad actors who breach the perimeter to run amok throughout the environment. If a highly privileged user and their associated accounts have a lot of access, when compromised, the amount of damage could be catastrophic. Focusing on identity and data security in terms of right-sized access will significantly reduce the attack surface for many threats, including ransomware.
With that in mind, enterprises must focus on establishing and maintaining trust for every single identity in their environment, both human and machine (software, bots, devices, applications, etc.). Otherwise known as identity-first security, the aim is to mitigate the damage from identity and data-centric attacks, such as ransomware.
Right-Sized Access and The Least Privilege Principal
Once trust is established with a digital identity, security leaders must then think about right-sized access. That is what that identity (or user) needs access to in order to fulfill its role requirements. Simply put, the path forward would be to leverage a “least privileged” approach, as reflected on the website of the U.S. Cybersecurity and Infrastructure Security Agency.
Of course, ransomware attacks can still occur even with a least privilege or right-sized access approach. As such, behavior monitoring that focuses on identities and data is critical. By constantly gauging normal, anomalous, and malicious behavior, security leaders can achieve a better balance of security and business agility. The goal is to ensure that users and machines have the access they need, but that there is a safety net if a security issue occurs (I.e. insider attack, ransomware, or other threats).
Establishing Digital Trust for Digital Identities
Enterprises need a clear method of verifying and establishing digital trust for all (thousands or hundreds of thousands) types of identities, ensuring only valid and trusted users and machines can log into networks.
One proven way to establish digital trust in identities is by leveraging public key infrastructure (PKI) digital certificates. This technology has been around for decades and remains the most secure way to provide authentication and continuously prove identity, especially as the volume of both human and machine identities continues to rise. Certificates, issued by Certificate Authorities (CAs), provide validation that the user or machine is trusted and secure. PKI uses cryptographic keys to authenticate identities and is much more reliable than passwords or other traditional forms of authentication. When it comes to fending off ransomware, using PKI-based identities can and should act as the baseline for digital identities. Rooting digital identities in digital certificates, for humans and machines, ensures that identity-first security has a strong foundation.
Gartner, which first coined the concept of identity-first security in 2021, describes the approach as putting “identity at the center of security design.” This way of thinking is a major step forward in cybersecurity because it replaces the legacy and dated approach of the walled fortresses pre-pandemic that left organizations feeling secure behind firewalls.
Connecting Identity-First Security to Data Security
While there are several best practices to employ from an overall identity-first security perspective, let’s focus on data security. Data can take many forms, structured (databases), unstructured (I.e. files) or semi-structured. Regardless of the data type, knowledge about the data, its risk, sensitivity levels, and therefore classification should be established. Understanding the risk and classification levels of data should then be aligned to the overall identity-first security strategy. Ultimately, it will help security leaders understand what kind of data their users and machines have access to. Leveraging data access governance (DAG) tools are one approach to help close the data-access gap. However, DAG tools are only as good as the trust in identities that they leverage to control corporate data access. As such, security leaders must start with establishing trust in digital identities, as we discussed above.
Identity-first Security Is the Most Important Line of Defense for Ransomware Attacks
It’s impossible to stop all cyberattacks, regardless of how much time, money, or labor enterprises pour into security. However, establishing digital trust for every identity – both human and machine – in the company environment and ensuring right-sized access can limit the damage done by the attackers who break through.
Going forward when we think about ransomware, we need to recognize that at its core it is an identity and data access issue. Ransomware wants access to data, and it will typically compromise accounts/user identities to gain access to that data. So, rather than worrying about just malware detection, security and business leaders looking to improve their chances of coming out of a ransomware attack unscathed should establish strong identity-first and data security strategies. This includes knowing where all the sensitive data resides, and monitoring user and machine access to that data in order to mitigate ransomware and other cunning cybersecurity attacks.
About the Author
David Mahdi is the Chief Strategy Officer and CISO Advisor of Sectigo. In his role, David leads the company’s overall strategy, direction, and M&A efforts to expand its leadership in the digital trust space. With 20+ years of experience in IT security, most recently serving as Vice President and Analyst in Security and Privacy at Gartner, David has helped large organizations tackle digital transformation projects in the digital trust, identity, cryptography, and cybersecurity spaces.