Ransomware & Advanced Attacks: Servers are Different

Ransomware and other advanced attacks are the scourge of the modern IT security team. If allowed to gain access to your IT environment, these attacks could shut down the organization, denying access to mission critical applications & data for potentially days, or even indefinitely. The result? The disruption of service delivery, lost productivity and a hefty hit to reputation and profits.

While traditionally thought of as an endpoint issue – 93 percent of phishing emails are now ransomware – the reality is that ransomware and other advanced attacks are also focused on your servers. The combination of instantly available infrastructure via the public cloud and the increasing velocity of application delivery to create competitive advantage, has made servers an important target for cybercriminals.

Servers are different than a traditional endpoint: the applications and operating systems that run enterprise workloads in the data center, in the cloud, and in containers can be extremely dynamic, making the approach to security different.

A recent Gartner report states that “Server workloads in modern hybrid data centers use private and public cloud computing and require a protection strategy different from end-user- facing devices. Security and risk management leaders should use risk- based models to prioritize evaluation criteria for cloud workload protection platforms.” <Source: Gartner, “Market Guide for Cloud Workload Protection Platforms”, March 2017 G00302941 >

The fundamentals still matter – get patched

Servers are workhorses of the enterprise, driving your business forward and supporting your most valuable data; it’s only natural that the bad guys are heading straight for this part of the IT infrastructure, whether it’s in the data center or in the cloud. Ransomware & advanced attacks are being created to take advantage of vulnerabilities found on servers, including the recent WannaCry ransomware, which leveraged a Microsoft Windows SMB vulnerability to inject itself onto servers and endpoints. Not to be left out, Linux servers – the dominant server for public cloud workloads—are also being targeted, with the recent Erebus attack that had a serious impact on a large web hosting firm (and their 3,400 customers!) in South Korea.

Patching is never easy, but no IT security professional can deny the importance of patching. Modern IT environments are complex systems which require IT departments to manage multiple disparate patching processes, including new approaches like blue-green deployments. For mission critical systems, patches are sometimes delayed because organizations simply can’t afford the downtime needed to test and roll-out fixes. It’s estimated that it takes enterprise firms approximately 250 days for IT and 205 days for retail businesses to fix the software flaws in their enterprise applications. It only takes one exploit to get through for your organization to hit the headlines as the next major ransomware victim. In addition, for either operational or financial reasons, close to two years after end of life many organizations are still running Windows 2003, which means no patches are available and mitigation strategies – often expensive – have to be in place or the risk of exposure goes up exponentially.

Hybrid cloud is complicated

The hybrid cloud includes physical, virtual, cloud and container workloads, with new technologies like serverless functions and processes like DevOps introducing new complexity in the way that your organization operates. While embracing new technologies to gain benefits like increased agility and rapid application delivery make good business sense, the reality is that existing architectures also need to be maintained and secured at the same time. If this means that you have accumulated multiple tools along the way to the hybrid cloud, you are probably feeling significant pain just keeping everything running!

Unfortunately, this complexity can also leave gaps – who isn’t too busy to get everything done, right?—which cybercriminals are only too ready and willing to exploit. You might have put in place perimeter security, for example, but what if a compromised endpoint accesses a vulnerable file server? Then you have an attack which started inside the network, bypassing traditional security controls. And of course, there is no perimeter in the cloud…so what then? 

Layered security is the right answer

The answer lies in advanced server security solutions like Trend Micro Deep Security. It’s been designed to protect workloads across physical, virtual, cloud and container environments with host-based security to shield servers from a wide range of threats including ransomware. Having one product with multiple controls is a great way to both increase security and reduce operational overhead. Powered by XGen™ Security, Deep Security includes a range of cross-generational security techniques that can help stop ransomware from hitting your enterprise servers, enabling you to easily:

  • Stop network attacks and shield vulnerable applications & servers, leveraging Intrusion Prevention (IDS/IPS) and firewall techniques;
  • Lock down systems and detect suspicious activity on servers, using techniques like application control and integrity monitoring that have been optimized for the hybrid cloud; and
  • Prevent malware and targeted attacks from successfully infiltrating your servers, leveraging proven anti-malware and advance techniques like behavioral analysis & sandboxing

With 752 percent growth in the number of ransomware families in 2016, the black hats have found a way to generate enough revenue – $1B in 2016 – to invest significant resources in rapidly evolving their attack strategies. With servers at the center of the enterprise, it’s clear that you need a strategy that both secures workloads wherever they might be – physical, virtual, cloud, containers – and aligns with the need for business agility that modern technology enables.

Find out more about how Trend Micro can help at www.trendmicro.com/hybridcloud.

Leave a Reply