Visibility, monitoring, and collaboration are the keys to identifying and preventing ransomware from breaching your infrastructure.

In a world of rapid digital transformation, ransomware ranks among the top concerns for cyber security professionals, and with good reason. It is elusive and can pawn even the most secure of organizations. Once the malware enters your network, it can ferret around and hold assets in other parts of your organization hostage.

Currently, ransomware primarily targets vulnerabilities within on-premise network infrastructures. However, as the majority of companies transition to hybrid or purely cloud operations, the bad guys swiftly follow suit. Though we aren’t yet seeing it make headlines, ransomware attacks to the cloud have begun. Amazon Web Services (AWS), the most commonly used cloud platform, recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. The guidelines for protecting your cloud directly correlate to the general security best practices of Identify and Protect, Detect and Respond, and Recover. Similar to traditional on-premise network infrastructures, protecting against ransomware in the cloud requires a team effort, using multiple solutions working together for a layered approach.

The entire FireMon product suite (Cloud Security Operations, Cyber Asset Management, and Security Policy Management) provides comprehensive views into network security, data center assets, and cloud posture and assets, displaying how resources are connected to data, how they are configured, and how the network and resources are secured.

FireMon’s cloud security operations product, DisruptOps, is an AWS independent software vendor (ISV), and is designed to integrate with your AWS and/or Azure cloud infrastructure. DisruptOps breaks down barriers between development, security, and operations teams, enabling everyone to become an active defender of your cloud infrastructure. DisruptOps is a cloud security operations platform that aligns with the first two guidelines discussed in the AWS whitepaper: Identify and Protect (prevention) and Detect and Respond.

Identify and Protect

You cannot protect what you cannot see. Similar to the way FireMon’s Cyber Asset Management solution provides this for on-premise resources, DisruptOps can identify systems, users, data, applications, and entities within your cloud network. DisruptOps continuously assesses the posture of the cloud management plane and ensures firewalls are properly configured and managed. DisruptOps identifies, alerts, and remediates cloud misconfigurations (vulnerabilities).

DisruptOps Authorization Control takes prevention a step further by providing frictionless Just in Time authorizations and access using ChatOps. Stolen static credentials, like access keys, are the most common vector for cloud management plane attacks. Attackers will also target the workstations of employees with cloud access, so they can potentially steal usernames and passwords – even with federation. By providing full visibility into user access and requests, Authorization Control provides unparalleled visibility and management of user authorizations. Administrators and developers can request just the access they need, for given time windows, to only the required resources, using ChatOps for frictionless Just in Time authorizations.

This eliminates the possibility of an attacker using stolen user credentials to encrypt data since Authorization Control can require approvals for all use of encryption (or any) cloud management activity. Authorization Control can also restrict access based on tags or IP addresses. Plus, all authorization requests and approvals are fully monitored, logged, and can even be broadcast to teams to provide full visibility into who is doing what.

Detect and Respond

Time is money in regards to ransomware. The DisruptOps Cloud Detection and Response (CDR) capabilities speed up incident response times. DisruptOps includes cloud-native threat detectors for common attacks, and enhances provider alerts through advanced enrichment and routing to separate the signals from the noise. Paired with our built-in actions, responders can move much more quickly and efficiently to adverse cloud events. DisruptOps integrates with cloud monitoring feeds to provide comprehensive visibility into cloud events.

DisruptOps can immediately route alerts not only to security, but directly to the designated cloud account team for immediate investigation and response. Our CDR capabilities identify the needles in the haystack and route them to the account owners and security analysts for rapid identification of potential problems that might otherwise hide until a log review.

Contact us to find out more about FireMon’s Cloud Security Operations.