Distributed Firewall (DFW) has been a key concept in datacenter security for about a decade. The ability to run an L3-L7 firewall at line speed with very low resource consumption is one of the critical aspects of vDefend (DFW). IDPS adds another layer of visibility but comes at a higher cost in compute resources.
To help plan IDPS visibility and protection for sensitive/crown-jewel applications, I have created a vRealize Operations (vROps) dashboard to assist with planning.
In the first half of the dashboard, you choose the VMs for which you want IDPS visibility/protection. As of NSX 4.2.1, you want to keep the Packets Per Second (PPS) under 150K; anything over 150K PPS will cause packets not to be inspected. IDPS fails open so as not to interrupt the data plane (data flow).
The second half of the planner shows the host’s PPS history and other VMs on that host. One thing to note about the history of PPS is backup windows and other activity that might cause large spikes regularly.
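As an added planning helper (not part of the original post, nor of vROps or vDefend), the script below sums the PPS of the VMs you intend to put under IDPS per host and compares the sustained load (90th percentile) and the peak against the 150K PPS limit quoted above, so a backup-window spike is reported separately from a host that is simply too busy. The VM inventory and PPS samples are constructed.

```python
"""Added IDPS planning helper; not part of the original post, of vROps or of vDefend.

Given per-VM packets-per-second samples and the host each VM runs on, it sums
the PPS of the VMs you intend to place under IDPS per host and compares the
sustained load (90th percentile) and the peak against the 150K PPS limit the
post cites for NSX 4.2.1. All sample data below is constructed.
"""
from collections import defaultdict

IDPS_PPS_LIMIT = 150_000  # NSX 4.2.1 figure from the post; above it IDPS fails open

def series(base, spikes=()):
    """Constructed 10-interval PPS series: flat baseline plus optional spike values at the end."""
    return [base] * (10 - len(spikes)) + list(spikes)

# Constructed inventory: vm -> (host, PPS samples). vm-db-01 has a nightly backup burst.
VM_SAMPLES = {
    "vm-web-01": ("esx-01", series(22_000)),
    "vm-app-01": ("esx-01", series(43_000)),
    "vm-db-01":  ("esx-01", series(31_000, spikes=(110_000,))),
    "vm-crm-01": ("esx-02", series(63_000)),
    "vm-dns-01": ("esx-02", series(95_000)),
}

def percentile(values, pct):
    """Nearest-rank percentile, so no numpy dependency is needed."""
    ordered = sorted(values)
    rank = max(1, round(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def host_pps_profile(selected_vms, samples=VM_SAMPLES):
    """Sum the selected VMs' PPS per host, interval by interval.

    Returns {host: {"peak": int, "p90": int, "vms": [...]}} so the planner can
    judge sustained load and spikes separately.
    """
    per_host_series = {}
    per_host_vms = defaultdict(list)
    for vm in selected_vms:
        host, vm_series = samples[vm]
        per_host_vms[host].append(vm)
        if host in per_host_series:
            per_host_series[host] = [a + b for a, b in zip(per_host_series[host], vm_series)]
        else:
            per_host_series[host] = list(vm_series)
    return {
        host: {"peak": max(s), "p90": percentile(s, 90), "vms": per_host_vms[host]}
        for host, s in per_host_series.items()
    }

def idps_plan(selected_vms, limit=IDPS_PPS_LIMIT, samples=VM_SAMPLES):
    """Verdict per host: 'ok', 'spikes' (only bursts exceed the limit) or 'over'."""
    verdicts = {}
    for host, prof in host_pps_profile(selected_vms, samples).items():
        if prof["p90"] > limit:
            verdicts[host] = "over"      # sustained load already exceeds the limit
        elif prof["peak"] > limit:
            verdicts[host] = "spikes"    # check backup windows before enabling IDPS
        else:
            verdicts[host] = "ok"
    return verdicts

if __name__ == "__main__":
    for vm_set in (["vm-web-01", "vm-app-01"], list(VM_SAMPLES)):
        print(vm_set, idps_plan(vm_set))
```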
How to create an IDPS Planner:
In vROps:
1) Go to Configure -> Policy -> Policy Definition.
2) Edit the Default Policy (click Edit Policy).
3) Click on Metrics and Properties.
4) Select Object Type and choose vCenter: Host System and Virtual Machine.
5) Under Metrics -> Network -> Packets Per Second, change the state to Activate.
6) After you Activate both, go to Visualization, choose Dashboard, then Manage.
7) Click on the three dots (...) and import the dashboard zip.
8) Click on Views, then Manage.
9) Click on the three dots (...) and import each view zip file.
The zip file will have two zip archives, one for views and one for the dashboard. Make sure to unzip each archive.
In today’s digital landscape, where cyber threats are more sophisticated than ever, enterprises need powerful solutions to safeguard their systems. VMware vDefend Malware Prevention is a robust malware prevention tool designed to protect cloud environments by integrating security directly into VMware platforms.
How It Works
Monitors for malware through VMTools guest introspection capabilities.
A multi-step approach returns a verdict on the file quickly and with as few resources as possible.
Full emulation in the cloud if a verdict cannot be given through the on-premises process.
Future-Ready Protection
VMware vDefend Malware Prevention works at the virtualization level, making it a proactive and adaptive choice for modern cybersecurity challenges. By embedding protection into your IT infrastructure, it ensures resilience against evolving threats.
In today’s digital landscape, cybersecurity threats are constantly evolving, and organizations must adopt advanced solutions to stay ahead of malicious actors. VMware’s vDefend Network Detection and Response (NDR) emerges as a robust solution designed to safeguard enterprises against sophisticated cyber threats. This blog explores the features, benefits, and real-world applications of VMware vDefend NDR.
What is VMware vDefend NDR?
VMware vDefend NDR is an integrated cybersecurity platform that provides advanced threat detection and response capabilities for network environments. It leverages machine learning, behavioral analysis, and real-time threat intelligence to identify, block, and remediate cyber threats across the data center landscape.
Designed to enhance an organization’s network security posture, vDefend NDR seamlessly integrates with VMware’s existing virtualization platform.
Key Features of VMware vDefend NDR
Real-Time Network Threat Detection:
vDefend NDR utilizes advanced machine learning algorithms and behavioral analytics to detect anomalies and malicious activities across network traffic in real time.
Threat intelligence feeds from global sources enhance its ability to identify emerging network threats.
Automated Incident Response:
Integration with VMware’s NSX platform allows for precise micro-segmentation and enhanced network security.
Benefits of VMware vDefend NDR
Enhanced Network Visibility:
Gain unparalleled visibility into network traffic and behavior.
Centralized dashboards provide actionable insights and facilitate proactive threat management.
Reduced Response Time:
Automation and orchestration reduce mean time to detect (MTTD) and mean time to respond (MTTR) to network incidents.
Conclusion
In an era where cyber threats are more sophisticated than ever, VMware vDefend NDR provides a powerful, integrated approach to securing modern networks. By combining advanced detection, automated response, and multi-layered protection, it empowers organizations to defend against evolving threats and maintain resilience in the face of cyber challenges.
Invest in VMware vDefend NDR to protect your network assets, ensure regulatory compliance, and secure your path to digital transformation.
Domain Generation Algorithms (DGAs) are methods used by malware to generate numerous domain names for communication with command-and-control (C&C) servers. This approach allows attackers to bypass detection mechanisms that block specific domain names or IP addresses.
The DGA process includes:
Algorithm Implementation: The malware incorporates a DGA algorithm.
Seed Value: The algorithm uses a seed value, such as the current date, to start domain generation.
Domain Generation: It applies mathematical operations to the seed value, producing a random domain name.
Domain Resolution: The infected device tries to resolve the generated domain name.
C&C Communication: If resolved to a legitimate C&C server, communication is established.
Key Characteristics include:
Large Domain Space: DGAs can generate numerous domain names, complicating blocking efforts.
Dynamic Generation: New domains emerge periodically, challenging existing security measures.
Evading Detection: By frequently changing domain names, DGAs evade traditional detection.
Resilience: Blocking some domains does not hinder communication through others.
Volume of Domains: The large number of generated domains makes complete blocking impractical.
Legitimate-Looking Domains: Some domains closely resemble legitimate names, complicating detection.
vDefend mitigation strategies involve:
Dynamic DNS Blocking: Quickly blocking newly registered malicious domains.
NTA Behavioral Analysis: Detecting malicious activity based on behavior, regardless of domain.
Threat Intelligence Sharing: Sharing knowledge of known DGA families to enhance detection.
Sandboxing and Virtualization: Analyzing suspicious files in a controlled environment.
Machine Learning: Identifying patterns in DGA-generated domains and anomalies.
A comprehensive understanding of DGA principles and a multi-layered defense strategy enable organizations to mitigate threats from these advanced malware techniques.
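As an added detection example (not code from the original post or from vDefend), the script below applies two of the signals listed above to DNS resolver log lines: lexical traits of the queried name that DGA output tends to show (length, entropy, consonant runs, digit ratio) and the per-client NXDOMAIN burst that results from resolving many unregistered generated names. The log line format, the client addresses and every domain are constructed; the public-suffix handling is a deliberate shortcut, not a full PSL lookup.

```python
"""Added DGA detection example; not part of the original post or of vDefend.

Constructed resolver log format: "<epoch> <client_ip> <qname> <rcode>".
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")

def registrable_label(qname):
    """Label left of the public suffix. Shortcut: only two common two-label
    suffixes are known here (constructed, not a Public Suffix List lookup)."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in {"co.uk", "com.au"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def longest_consonant_run(s):
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def lexical_score(qname):
    """0..4: number of DGA-like traits present in the registrable label."""
    label = registrable_label(qname)
    traits = [
        len(label) >= 12,
        shannon_entropy(label) >= 3.5,
        longest_consonant_run(label) >= 4,
        sum(ch.isdigit() for ch in label) / max(len(label), 1) >= 0.3,
    ]
    return sum(traits)

def suspicious_clients(log_lines, nx_threshold=5, score_threshold=2.0):
    """{client: (nxdomain_count, mean_lexical_score)} for clients whose
    NXDOMAIN count and mean lexical score both reach the thresholds."""
    nx = defaultdict(int)
    scores = defaultdict(list)
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        scores[client].append(lexical_score(qname))
        if rcode == "NXDOMAIN":
            nx[client] += 1
    flagged = {}
    for client, s in scores.items():
        mean = sum(s) / len(s)
        if nx[client] >= nx_threshold and mean >= score_threshold:
            flagged[client] = (nx[client], round(mean, 2))
    return flagged

# Constructed sample: one client doing ordinary lookups, one resolving generated names.
SAMPLE_LOG = """\
1700000000 10.1.1.20 www.example.com NOERROR
1700000001 10.1.1.20 mail.example.org NOERROR
1700000002 10.1.1.20 docs.example.net NOERROR
1700000003 10.1.1.20 portal.corp-intranet.example NOERROR
1700000004 10.1.1.20 nosuchhost.example.org NXDOMAIN
1700000010 10.1.1.77 xkqzvwprtlmb.example NXDOMAIN
1700000011 10.1.1.77 qwjhzplvtrsx.example NXDOMAIN
1700000012 10.1.1.77 mzptrvxlqbdkw.example NXDOMAIN
1700000013 10.1.1.77 hgtrpxzvqlmk.example NXDOMAIN
1700000014 10.1.1.77 zxvbptrmqlkh.example NXDOMAIN
1700000015 10.1.1.77 q8z3vk1mx7tp.example NOERROR
""".splitlines()

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Requiring both signals keeps a single odd-looking but legitimate name (CDN hostnames, for instance) from raising an alert on its own.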
When diving into the intricacies of the MITRE ATT&CK Framework alongside the powerful vDefend NTA (Network Traffic Analysis), detecting a multi-stage attack can be both a thrilling challenge and a vital mission. Here’s how you can embark on this critical journey:
Embrace the MITRE ATT&CK Framework: Immerse yourself in the world of tactics, techniques, and procedures (TTPs) wielded by attackers. This knowledge is your weapon, empowering you to pinpoint potential indicators of compromise (IOCs) that are crucial in recognizing the complexities of multi-stage attacks.
Create Your Baseline: Harness the capabilities of vDefend NTA to scrutinize your network traffic and establish a detailed baseline of normal activity. This foundational understanding will serve as a key to unlock the detection of anomalies that could signal malicious undertakings.
Vigilantly Monitor Traffic Behavior: Keep a watchful eye on your network for any unusual patterns. Seek out the unexpected connections to foreign IP addresses, strange protocols in play, or sudden spikes in data transfer. With vDefend NTA, you can visualize these telltale signs, turning data into actionable insights.
Correlate Events with Precision: Leverage threat intelligence to interconnect the events observed by vDefend NTA with the well-documented TTPs of the MITRE ATT&CK Framework. Delve into the stages of the attack—be it initial access, execution, or persistence—by analyzing the activities as they unfold.
Detect and Respond with Urgency: Implement robust detection rules that are finely tuned to the identified tactics and techniques. For instance, should a credential dumping technique rear its head, launch an immediate investigation into potential lateral movements or privilege escalations.
Commit to Continuous Improvement: Following an incident, engage in a rigorous post-mortem analysis to unravel the events leading to the attack. Use these insights to refine and enhance your detection capabilities, ensuring you remain at the forefront against evolving TTPs. By weaving together the MITRE ATT&CK Framework with vDefend NTA, you can dramatically elevate your prowess in detecting and responding to the formidable nature of multi-stage attacks—an endeavor essential for safeguarding your digital landscape.
Example of Traffic Behavior Lateral Movement with Remote Services:
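As an added example (not the post's own material, nor vDefend NTA output), the script below implements the baseline-then-anomaly step described above for MITRE ATT&CK Lateral Movement via Remote Services (T1021): it learns, per source host, how many distinct internal hosts that source normally reaches per hour over remote-service ports, then flags a source whose hourly fan-out in a later window breaks that baseline. The flow records, address ranges and thresholds are constructed assumptions.

```python
"""Added lateral-movement detection example; not from the post or from vDefend NTA.

Flow record shape (constructed): (epoch_seconds, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports used by the remote services T1021 covers; constructed subset.
REMOTE_SERVICE_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed internal ranges

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def fanout_per_hour(flows):
    """{src: {hour: set(dst)}}, counting only internal destinations reached on
    remote-service ports."""
    table = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, port in flows:
        if port in REMOTE_SERVICE_PORTS and is_internal(dst) and src != dst:
            table[src][ts // 3600].add(dst)
    return table

def baseline(flows):
    """Per source: the largest hourly fan-out observed during the baseline period."""
    return {src: max(len(d) for d in hours.values())
            for src, hours in fanout_per_hour(flows).items()}

def detect_lateral_movement(base, window_flows, min_hosts=5, factor=3):
    """Alert on sources whose hourly fan-out in the window is at least
    min_hosts and more than factor times their baseline (unseen sources: 0)."""
    alerts = []
    for src, hours in fanout_per_hour(window_flows).items():
        normal = base.get(src, 0)
        for hour, dsts in hours.items():
            if len(dsts) >= min_hosts and len(dsts) > factor * normal:
                alerts.append({"src": src, "hour": hour, "fanout": len(dsts),
                               "baseline": normal, "technique": "T1021 Remote Services"})
    return alerts

# Constructed baseline: a jump host that RDPs to two servers an hour, and a
# workstation that talks SMB to one file server.
BASE_FLOWS = [
    (1700000000, "10.0.0.5", "10.0.2.10", 3389), (1700000100, "10.0.0.5", "10.0.2.11", 3389),
    (1700003700, "10.0.0.5", "10.0.2.12", 3389), (1700003800, "10.0.0.5", "10.0.2.13", 3389),
    (1700000200, "10.0.1.42", "10.0.2.50", 445), (1700003900, "10.0.1.42", "10.0.2.50", 445),
]
# Constructed window: the workstation suddenly opens SMB to six internal hosts.
WINDOW_FLOWS = [
    (1700100000, "10.0.1.42", "10.0.2.50", 445), (1700100010, "10.0.1.42", "10.0.2.51", 445),
    (1700100020, "10.0.1.42", "10.0.2.52", 445), (1700100030, "10.0.1.42", "10.0.2.53", 445),
    (1700100040, "10.0.1.42", "10.0.2.54", 445), (1700100050, "10.0.1.42", "10.0.2.55", 445),
    (1700100060, "10.0.1.42", "203.0.113.9", 445),  # external destination: not counted
    (1700100070, "10.0.0.5", "10.0.2.10", 3389), (1700100080, "10.0.0.5", "10.0.2.11", 3389),
    (1700100090, "10.0.0.5", "10.0.2.14", 3389),   # within the jump host's normal range
]

if __name__ == "__main__":
    for alert in detect_lateral_movement(baseline(BASE_FLOWS), WINDOW_FLOWS):
        print(alert)
```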
I keep asking myself, is fatigue of hearing about ransomware setting in?
It is understandable if fatigue is setting in, but it can not be stressed enough how important this topic is.
Why is it important? Is it the 4000+ attacks a day? That there is a successful attack every 11 seconds, or the $20B+ in damage in 2021?
Nope, the why is “Your data has value, and your data can cause harm to your business, employees, and customers.” I tell customers, “A ransomware attack is as devastating as, or more devastating than, a disaster.”
That brings us to my 1st lesson learned. I can recall a customer over ten years ago that lost its infrastructure to what would now be considered a simple malware attack that formatted C:\. This month, I worked with a customer hit with a more sophisticated attack that corrupted all VMFS volumes and destroyed the Active Directory infrastructure. The common thread was the sheer panic: how do I recover? Have we not advanced in this space over the last decade?
There is an endless array of recovery technology that backs up and recovers applications, from VMware Cloud Disaster Recovery to Veeam. The technology is there, but in many cases the process is not.
Have Immutable Backups Ready
Practice, Practice, Practice Recovery!
Not sure saying practice three times is enough; the ability to recover promptly is the number one thing you can do to protect your business from data loss and from paying a hefty ransom.
Now let’s talk about where ransomware is today.
Ransomware is no longer just a single attacker; it is a full-fledged business built to make profits, including distributing the technology to anyone willing to pay them a percentage of the ransom.
Double exfiltration is now common in all attacks. Let’s put that in context: the attacker will extract your data and then either encrypt or destroy your infrastructure and data. Attackers want to have the only copy of your data, which increases the chance that you pay for it.
Security Is A Team Sport
Let’s talk about protecting your data; this is a vast topic covering multiple technologies, governance, and compliance entities.
My last couple of blogs cover layered network defense and NIST compliance. I will sum it up by saying: layer your network defense from the perimeter to the data source with micro-segmentation.
Identity management is a critical protection for your data; 76% of attacks gain privileged access to carry out the attack and avoid detection. Limiting privileged access is a massive step in the right direction.
Endpoint protection with NGAV and EDR has become the 1st thing people think of when it comes to ransomware protection, and for good reason: this is where attacks start. The ability to see unusual behavior across correlated endpoints is as powerful as seeing unusual behavior in IPS/IDS software on the network. To be clear, one is not better than the other; they complement each other in a holistic approach.
As we advance in reading telemetry data from both Endpoint Detection and Response (EDR) and Network Advanced Threat Protection (ATP) with different ML/AI techniques, we can detect and prevent a large number of attacks. The cynical side of me worries that, now that ransomware is a well-funded business, our attackers will also gain the advantage of ML/AI.
Will you allow your assets to escape?
Let’s not forget the basics of IT hygiene: updates, patching, and following the security guidelines from each vendor. Remember to trust but verify; make sure you check that these guidelines are followed and kept up to date. Earlier we talked about privileged account access making up 76% of attacks; IT hygiene will help stop the other 24%.
In summary, assess your security gaps, and layer in processes and technologies for endpoint and network protection. Protect and recover your data! Practice, practice, practice recovery!
To close out, I want to share one last word of wisdom “Security is a team sport.” It takes every employee in a business to ward off today’s attackers.
For many years we have used the build-a-castle analogy for securing your environments. Is it time for a change?
In today’s world, where malicious actors attack your datacenters every minute of the day with various attacks, from malware to ransomware, to name a few, we need to protect against and detect these acts before they cause harm.
NSX-T 3.2 needs to be a vital part of protecting and responding to attacks from malicious actors.
Let’s start with the outer hull of your cargo ship: your perimeter security. The hull has physical security, of course, and communication, a.k.a. network security, which uses a next-generation firewall (NGFW) to secure data transmission.
Special Note: Drawings are simplified
There are many techniques used to build this hull that we can cover later. Let’s stay with the analogy, keep it super simple (KISS), and add some floors to this ship. My thought process is to use hardware-based NGFWs to control communication/traffic flows between the floors. Wait, I thought this was a blog on protection with NSX-T 3.2; rest assured, we are getting there. KISS, right? You will not change or rebuild the floors of your ship very often, if ever, so let’s create zones (a.k.a. floors) where security is enforced at the hardware-based NGFW.
Special Note: When it comes to mixing HW and SW with various protection techniques, you want to KISS and gain the advantage of looking at traffic in multiple ways, which gives you flexibility in protecting your most valuable assets.
Now let’s introduce NSX-T 3.2, which brings the control points closer to the applications (a.k.a. cargo), where you can configure or reconfigure cargo holds. Let’s think about that for a minute: the ability, through automation and manual software changes, to change behavior and control points. I am now thinking about Network as a Service (NaaS) or Security as a Service (SecaaS). We can create a new cargo configuration in test and development before applying it to production.
With the distributed model expanding beyond Distributed Firewalls (DFW) or Internal Segmentation Firewalls (ISFW), we now have Distributed Next-Generation Firewalls (DNGFW). With the integrations from the Lastline acquisition, NSX-T 3.2 can provide distributed Advanced Threat Prevention (ATP) with malware prevention for known and zero-day malware, and distributed behavioral IDS looking for pattern matches and other anomalous traffic.
OK, let that sink in for a minute; then let’s talk about more distributed goodness! Network Traffic Analysis to see lateral movement anomalies. Network Detection and Response (NDR) to help provide relief from alert overload with a MITRE ATT&CK visualized campaign view.
You end up with a cargo ship with distributed security to protect against and detect malicious attackers. Look at all those reconfigurable doors and control points I now have to get through as a malicious attacker.
DNGFW protection is closest to the source.
We have covered one way to protect with NSX-T; we touched on detect. We will dive deeper into detecting using telemetry and management tools soon. We will also cover using Carbon Black to respond and different recovery strategies. Stay tuned to hear more about VMware Security or reach out and ask how VMware can help secure your business.
With recent cyberattacks across the world, it is essential to have a solid design for security. VMware has recently bought multiple security solutions to help create an intrinsic security portfolio. I will always contend that security solutions should come from multiple vendors, so let’s use Cisco for switching and routing with ACI in network-aware mode, and Palo Alto firewalls with Panorama.
In today’s modern data centers, the number of physical devices is shrinking to under 3% of total servers. We still need to account for them in our design from both network and security perspectives; of course, the virtual environment will need hosts and storage to run on. Let’s start with the Cisco fast switching transport underlay.
Using typical spine and leaf architecture for the switching underlay, let’s set up ACI zones with VRFs following the Purdue model.
Internet-facing DMZ – Zone 5+
User Networks – Zone 5
DataCenter – Zone 4
IDMZ – Sub-zone of 4; some will call it 3.5
OT – Zone 3 and below; not part of this design.
All traffic within a single zone will be East/West traffic and will have further segmentation and security controls via NSX. All traffic between zones will travel North/South and will pass through the Palo Alto firewall. These zones are overlay constructs that will provide the underlay for NSX.
The ACI zone will host all physical devices, including server hardware for ESXi, NFS storage, EUC devices, and other legacy items like LPARs. ACI is a switching fabric, and the only way to secure devices there is through ACLs. The good thing is that the change rate for physical devices is tiny; it is an exception to the rule that requires either manual configuration or custom-built automation. If the change rate is low, 2-3 changes a year, I recommend a well-documented manual process.
Now let’s add in NSX; we will start with an edge cluster and T0s for management, the data center, and the IDMZ. The T0s will route traffic to the corresponding ACI zone. The edge devices can provide stateful firewall services to help further segment the workloads. If attackers were to gain access to the ACI zone, they would not have access to the corresponding NSX networks.
Now we can do some exciting things: we can create multiple T1s to build more separate and secure networks, with stateful firewalls and transport zones to control who can talk to whom. In this case, we will use HR, FIN, and Call Center for the use case, but you could replace the ACI zones or create DMZs all within NSX. We will generate transport zones so that HR can talk to FIN but not to Call Center, and FIN can talk to Call Center. We have now created smaller attack surfaces, making it difficult for attackers to move around your network.
So I have an ACI zone that layers above my physical switches and can’t see the NSX network without passing through a stateful firewall. If the attacker gained access inside the T0, the T1s would provide another control point, and beyond that, transport zones can restrict access further.
Let’s add the last layer, micro-segmentation, by using DFW: a firewall as close to the source VM as possible, at the hypervisor! A distributed firewall that travels with the VM to secure the application. Let’s count the doors the attacker has to get through now:
Perimeter Firewalls
ACI Zone
NSX T0
NSX T1
DFW (Microsegmentation)
That’s a lot of doors to open and a lot of firewall rules to manage. Let’s walk through how we can manage this potential operational nightmare.
Let’s simplify things. To start, the rule sets for doors one through four should not change often; these rule sets only change when making changes at the physical or infrastructure level. Changes to doors three and four (T0/T1) can be day-two actions in vRealize Automation (vRA).
DFW is applied through security tags that can be set both on VM creation in vRA and as part of an onboarding process. Tags are added in the cloud template and have portable YAML code for new VMs. A workflow will need to be created to add security tags to an onboarded VM.
OK, so I can manage additions and changes through policy and tags for my VMs, but how do I get a handle on all the rules I need to make? Two ways: you can use vRNI to generate a report on ports and protocols for each of your applications, or use NSX Intelligence, which will make rule suggestions inside NSX that you can apply. Yes, that is right, rules are given to you to apply within NSX!
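As an added example (not the post's code, nor VMware's), the script below expresses the HR / FIN / Call Center intent described earlier as NSX-T Policy API style JSON: one Group per zone keyed on a VM security tag, and one SecurityPolicy whose ordered rules allow the permitted pairs and drop every other zone pair. It then evaluates test VMs against the rules so the intent can be checked before anything is pushed. Field names follow the NSX-T Policy API as the author of this example understands it (an assumption to verify against your version's API guide); the tag scope "app" and the "scope|tag" value form are assumptions as well.

```python
"""Added zone-segmentation example; not from the post or from VMware.

Builds Group and SecurityPolicy objects in NSX-T Policy API style (assumed
field names) for the post's HR / FIN / Call Center intent and evaluates
source/destination VM tags against the resulting ordered rules.
"""
import json

DOMAIN = "/infra/domains/default"
ZONES = ["HR", "FIN", "CallCenter"]
ALLOWED = {("HR", "FIN"), ("FIN", "CallCenter")}  # post: HR<->FIN, FIN<->Call Center

def tag_group(zone):
    """Group whose members are the VMs carrying the security tag app|<zone>."""
    return {"resource_type": "Group", "id": zone, "display_name": zone,
            "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                            "key": "Tag", "operator": "EQUALS", "value": f"app|{zone}"}]}

def rule(seq, name, src, dst, action):
    return {"resource_type": "Rule", "id": name, "display_name": name, "sequence_number": seq,
            "source_groups": [f"{DOMAIN}/groups/{src}"],
            "destination_groups": [f"{DOMAIN}/groups/{dst}"],
            "services": ["ANY"], "scope": ["ANY"], "action": action}

def build_policy(zones=ZONES, allowed=ALLOWED):
    """ALLOW rules in both directions for each permitted pair, followed by a
    DROP for every zone pair, so an unlisted pair (HR->CallCenter) is denied."""
    pairs = []
    for a, b in sorted(allowed):
        pairs += [(f"allow-{a}-{b}", a, b, "ALLOW"), (f"allow-{b}-{a}", b, a, "ALLOW")]
    pairs += [(f"drop-{a}-{b}", a, b, "DROP") for a in zones for b in zones if a != b]
    rules = [rule((i + 1) * 10, *p) for i, p in enumerate(pairs)]
    return {"resource_type": "SecurityPolicy", "id": "zone-isolation",
            "display_name": "zone-isolation", "category": "Application", "rules": rules}

def member_zones(vm_tags, groups):
    """Zones a VM belongs to, by matching its tags against each group's condition."""
    return {g["id"] for g in groups for c in g["expression"] if c["value"] in vm_tags}

def evaluate(policy, groups, src_tags, dst_tags):
    """First-match evaluation of the ordered rules; None means no rule matched
    (in a real DFW the default layer rule would then decide)."""
    src_z, dst_z = member_zones(src_tags, groups), member_zones(dst_tags, groups)
    for r in sorted(policy["rules"], key=lambda r: r["sequence_number"]):
        s = r["source_groups"][0].rsplit("/", 1)[1]
        d = r["destination_groups"][0].rsplit("/", 1)[1]
        if s in src_z and d in dst_z:
            return r["action"]
    return None

if __name__ == "__main__":
    groups = [tag_group(z) for z in ZONES]
    print(json.dumps({"groups": groups, "policy": build_policy()}, indent=2))
    print("HR -> CallCenter:", evaluate(build_policy(), groups, ["app|HR"], ["app|CallCenter"]))
```

Untagged VMs match no zone rule at all, which is the gap the onboarding workflow mentioned above has to close.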
OK, this sounds great, but how do I make sure network and security policies are in a known good state? How can I visually see my entire network? I need to be able to do this across virtual, physical, and even my SD-WAN.
No problem! Let me introduce you to vRNI with the SD-WAN and visibility/assurance add-ons. With these two add-ons, you get a visual of the entire network: virtual, physical, and even SD-WAN, giving you a complete view of your network. Assurance will allow you to see changes in the whole network at 30-minute intervals. Did an attacker or a Jr. network admin change an ACL in ACI? Get an alert so you can react, or trigger an automation to change your configuration back to a gold standard.
vRNI has grown up; other ways it can be useful are for vRNI to tell vROps about application groups, or to use the HCX fling to create application move groups for migration with HCX.
You can see a deep security posture and have the ability to monitor and assure that you are in a known good state. Now let’s talk about advanced security with IPS/IDS and Carbon Black.
To honestly say we have covered 6 of 12 MITRE ATT&CK tactics, we have to add AVI and WAF for credential access to our applications. We are now adding NSX IPS/IDS for real-time deep packet inspection and automatic signature updates, giving you the latest defense to alert on and drop or reject traffic.
Wow! 5 doors to unlock and security to catch attackers in the act; I feel safer now. But what if someone does get through to an endpoint?
Carbon Black can help with next-generation anti-virus and anomaly detection that can stop malware, ransomware, and next-gen attacks in their tracks. EDR provides seamless detection through threat hunting and containment. Carbon Black Cloud will inspect devices and track and report on drift. Say an attacker broke through all the security above; you have a way to see what was touched and respond appropriately.
Well, there you have intrinsic, intent-based security from VMware. The best news is that this is just the start; with the recent acquisitions, Lastline and SaltStack, the intrinsic and intent-based security story from VMware is only getting started.
NIST 800-82 R2 builds an overlay on the NIST 800-53 R4 standard. A fundamental approach is to enable communication between an Industrial Control System (ICS) and a corporate network only through an intermediate DMZ. The ICS and corporate networks should never communicate directly with each other. A typical architecture for this is the Purdue model using network zones.
General security best practice holds that a single product, technology, or solution cannot adequately protect ICS. Using a multi-layer strategy with a minimum of two security tools is advised. Even with tools, we still need adequate security policies, incident response, and physical security. The greatest threat is still hacking the human element; security training is as critical as, if not more critical than, any toolset.
As the technology landscape changes, so do prevalent standards to protect ICS. This year, NIST 800-207 was finalized, paving the way for Zero Trust Architecture (ZTA) to protect ICS.
Goal:
To build security architecture with a multi-layer strategy based on NIST 800-82 R2 with an extra overlay of protection based on NIST 800-207 (ZTA)
Toolset:
One of VMware’s key building pillars is intrinsic security and a rich toolset consisting of NSX-T, NSX Advanced Security, AVI, and Carbon Black, supported by VCF (SDDC Manager) and the vRealize Suite (vRA, vLI, vIDM, vROps). You might be asking yourself where vRealize Network Insight (vRNI) is. This tool is great but currently does not come with VCF or the vRealize Suite; it is considered an add-on.
As complete a vision as VMware has with intrinsic security, it does not cover all use cases. Natural partners are Cisco and Palo Alto. Cisco’s rich toolset includes Cisco ACI, Cisco Stealthwatch, Cisco ISE, and Cisco DNA, with Palo Alto’s Panorama rounding out the typical solution set.
Layered Intrinsic Security:
This toolset has overlapping, and some might say competing, technology. I see it more as a layered defense approach with best-of-breed technology at both the physical and virtual layers.
The diagram below will capture the use case of using the toolset to achieve this blog’s stated goal.
Disclaimer: I did not depict the internet DMZ; this architecture is based on the Purdue model but is not certified by any regulatory governance body.
Conclusion:
By preventing direct communication between IT and OT systems and having a broker service in the IDMZ relay the communications, an extra layer of separation and inspection is added to the overall architecture. Systems in the lower layers are not directly exposed to attack or compromise. If a system at some point in the IDMZ were compromised, the IDMZ could be shut down, the compromise contained, and production could continue.
This blog focused on the toolset and some of the primary controls; to finish the complete design, including operational playbooks, I encourage you to read:
VMware vSphere 7 was released April 20th, 2020, and is approaching its 1st milestone of 6 months since GA. My experience tells me you can count on two things:
1) Update 1 follows the GA release of VMware vSphere by about 6 months.
2) Customers tend to wait for Update 1 before they install a new version of vSphere in production.
We are approaching the timeframe where more VMware customers will deploy vSphere 7 and might want to take advantage of using Kubernetes.
A requirement for VMware Cloud Foundation 4.x (VCF 4.x)
Customer Question:
This always prompts the question: why do we need VCF 4.x?
Answer:
K8s deployments require NSX-T. VCF 4.x is the 1st version of VCF that uses NSX-T in both the management and workload domains; by making VCF 4.x a requirement, VMware has validation that a customer has NSX-T deployed in a configuration that will support Kubernetes.
Customer Question:
OK, I have VCF 4.x deployed and I am excited to deploy Kubernetes for my development team, but I have to ask: is there anything else we need to do before we start?
Answer:
Yes, one more thing: you need to license your clusters to use Kubernetes. From Licensing for vSphere with Kubernetes, the critical piece of information here is:
Assign a VMware vSphere 7 Enterprise Plus with Add-on for Kubernetes license to all ESXi hosts that you want to use as part of a Supervisor Cluster.
Yes, you need to purchase the add-on license to run Kubernetes in production.
Customer Question:
I bought an Add-on license. Can we now deploy Kubernetes?
Answer:
We should have an architectural session before we deploy, where we can make decisions on:
What Workload Domain (WLD) should we use for the supervisor cluster?
We can talk about how vCenter inventory has changed now that you enabled your first WLD.
I will cover these topics during my series of blogs on VCF; stay tuned!