Ransomware

Heimdal Security logoHow would your customers feel if they had a Norse warrior stopping malware from reaching their endpoints? Meet Denmark’s Heimdal Security.

In days of old, the sight of Vikings on the horizon was enough to turn decent peasants’ blood to ice.

But the marauding Danes are now playing poacher-turned-gamekeeper – at least in IT security terms.

Because instead of being the threat, they’re now stopping the threats before they make landfall. (Or, at least, before they reach your customers’ endpoints!)

This is what our newest vendor partner Heimdal Security sees as its killer battle cry when compared to traditional endpoint security. And here’s why malware needs to be very afraid of it.

From last-ditch to proactive: endpoint protection transformed

“Form square and stick out your spears” – that’s basically the traditional approach to endpoint protection. Once the problem has hit the machine, the security software rings the panic bell, musters the garrison, and mounts a defence.

We Brits tried that against the (real) Vikings. It didn’t work.

But if we could have spotted their boats as they cast off – or, even better, seen activity on the quayside that indicated an attack being prepared – we could have taken proactive action against them before they reached Blighty.

This is exactly what Heimdal does. Instead of looking at application code and signatures in files that have already entered the endpoint, to work out if there’s a threat, it looks at the undercurrents in the ‘sea’ of network and internet traffic entering and leaving your customers’ businesses, to detect danger before it surfaces.

Rather cleverly, though, this isn’t just about identifying when users are being taken to places they shouldn’t be sailing towards – e.g. malicious websites – and blocking the connection to them before it’s made (although this is certainly important, as we explore below).

It’s also about using advanced machine-learning, heuristics and network forensics to detect apparently harmless network file ‘plankton’ that is in fact fodder for a coming malware attack.

Traditional security protects an endpoint with a last-ditch defence. Heimdal protects it by turning the entire network into a shield wall.

Which one are you betting your krone on?

Multi Layered Security Graphic
Conventional endpoint security is typically missing the traffic-based anti-malware protection that Heimdal delivers.

“Probably the best malware protection in the world…”

The famous Danish beer ad is tongue in cheek. But there’s a serious point to be made here about the strains of malware that Heimdal can protect against that many other security solutions simply can’t.

Take ransomware, for example. Traditional endpoint security looks for malicious code within files, but a ransomware-triggering hyperlink, or instruction to connect to a website, is neither a file nor, in itself, an inherently malicious piece of code. So, the endpoint security software doesn’t spot it.

But Heimdal is looking at the network, not the endpoint. It detects and blocks the malicious connections (to malvertising, legitimate but compromised web banners, malicious iFrames and redirects, botnets etc.) that signal an intention to activate or propagate attack strains like APTs, ransomware, Trojans, polymorphic malware and others.

In short, Heimdal gets stuck into the melee long before the blunt old endpoint battle-axe can!

Automatic software updates: that’s 85% of web app attacks defeated!

Exploit kits and other threats that exploit programs’ existing security weaknesses are a huge worry for traditional endpoint security vendors, because these weaknesses often exist at a lower level than that at which the security solutions operate.

Consequently, exploits can slip underneath the endpoint radar (the bad guys must feel like they’ve died and gone to Valhalla!)

They’re a huge worry for your customers, too, given that some 85% of web app attacks (like the kind that typically trigger ransomware and steal personal financial data) take hold of endpoints through an existing unpatched security hole of this kind.

But here, Heimdal have put a real edge on their sword. They have coupled their network traffic analysis with an automatic software update tool, to ensure that your customers’ internet-facing and non-internet-facing apps  – from Acrobat to Audacity, Flash to Firefox, Java to Jitsi, and many others besides – are constantly and automatically updated with the latest security fixes and patches, thus denying exploit kits an entry point.

The most security-critical applications are often those that are not concerned with security at all – how’s that for a typically innovative Scandinavian way of looking at a problem?

Why Heimdal
“Proactive” is a word you’ll hear a lot from Heimdal – and the automatic patching capability that embodies it is a good third of the company’s overall value proposition. (Click to enlarge)

Heimdal: the new word in security

Bloodthirsty or not, the Vikings gave their name to some very beneficial concepts. The word ‘law’ comes into English from their language, for example – and from where we’re sitting it looks like they’ve done it again with ‘Heimdal’!

(Loosely translated, we think the name means: “Stop the thing that’s trying to attack the longboat before it reaches the longboat.” Genius.)

Time some of your customers learnt some Danish, perhaps?

BadRabbit

BadRabbit has munched through cyber-defences, sowing ransomware far and wide. So how does it work? And can you protect your customers against it?

“Run rabbit, run”, goes the song – and ransomware attack BadRabbit has certainly done some running over the past few days!

It has got its teeth into Russia, Ukraine and many other Eastern European countries besides, with some sources also reporting cases in Germany, Turkey, and the US. It seems only a matter of time before it spreads further afield.

So what is BadRabbit – and is there any defence that can protect your customers against it?

What’s up, Doc? What BadRabbit does and how

BadRabbit Screenshot
What users see when BadRabbit bounces into view

BadRabbit is cryptolocker ransomware – it encrypts Windows users’ files using a private key that is known only to the hackers’ own servers. The user must pay for access to this key, in order to decrypt and recover their files (a Bitcoin wallet appears on screen to enable this transaction to take place).

Technically, according to this specialist cyber-security website, BadRabbit is closely related to the recent NotPetya attack, using much of the same code.

However, it executes in a different way, using hacked websites to display a fake Adobe Flash update that, if clicked on, triggers the attack (it drives users to these sites using malicious links.)

Additionally, according to this threat alert website, BadRabbit can move laterally across a network and propagate or spread without user interaction!

Can security vendors stop the naughty bunny?

In short, it seems some of them can.

Bitdefender, for example, states on its website that if your customers are “running a Bitdefender antimalware product for either home or business, you don’t need to worry, as our solutions detect this threat…”

machine-learning
Bitdefender’s inbuilt machine-learning recognises the signs of ransomware and stops it before it can execute

Enabling machine-learning in Trend Micro’s solutions also appears to detect BadRabbit, according to the former’s website, whilst Malwarebytes states that “Users of Malwarebytes for Windows, Malwarebytes Endpoint Protection, and Malwarebytes Endpoint Security are protected from BadRabbit.”

An interesting take on keeping the cunning coney at bay, however, comes from Heimdal, who point out in this very comprehensive ransomware resource that some 85% of ransomware attacks target vulnerabilities in existing applications.

By this logic, updates to software (and not just security software) are, in themselves, a key anti-ransomware security layer.

Damage caused by Ransomware graphic
The consequences of ransomware. Source: Heimdal Security

What other steps can you take to protect customers against BadRabbit?

For systems admin and IT people, of course, quick technical fixes in the form of ‘kill switches’ or similar are indispensable, and it turns out that BadRabbit, like NotPetya and Goldeneye before it, can be tamed by changing the properties of certain files (scroll down to the bottom of this article to find them).

But fundamentally, ransomware works by holding your customers’ data hostage. If this data is backed up and easily accessible, as we discussed in this recent post, ransomware, by definition, loses pretty much all of its bite.

It’s important, therefore, that you advise your customers well on how to choose an appropriate data backup and recovery solution.

For a comprehensive list of all the other steps your customers need to take to protect themselves against ransomware, this recent article from the Carnegie-Mellon Software Engineering Institute offers some thorough advice.

BadRabbit is on the loose. So share what we’ve told you above with your customers and they’ll be all ears.

vaccineOrganisations in Europe and the US have been crippled by a ransomware attack known as ‘Petya’. There are claims of a ‘vaccine’ to stop it – but how credible are they?

Hot on the heels of WannaCry comes Petya – a nasty ransomware variant, based on the Goldeneye code.

It has already locked some of the world’s most prominent enterprises out of their data, including construction materials company Saint-Gobain, food giant Mondelez, legal firm DLA Piper, and advertising firm WPP.

But lo! There is a ‘vaccine’ that protects against it, apparently! Simply include the file C:\Windows\perfc.dat on the PC, and the ransomware is stopped in its tracks.

(Well, it’s stopped in its tracks on that machine – though it can still propagate to other machines on the network. So still not ideal.)

We took a look at what some security vendors are saying about Petya / Goldeneye – and whether the idea of a ‘vaccine’ is truly credible.

Bitdefender: ransomware vaccine is old news

The first thing that struck us is that security vendor Bitdefender has had a ransomware vaccine available for some time now, and it’s not just a quick fix using a read-only file.

Instead, it’s rather cleverer than that. It tricks ransomware into believing the machine is already infected, and so the attack goes looking elsewhere. In addition, it can be deployed to every machine on a network simply by ticking a box – meaning that one machine can’t pass the infection to another.

There’s little information at present, admittedly, as to whether this vaccine is effective specifically against the Petya /Goldeneye attack.

However, it has been stated publicly in the Bitdefender Resource Center that “Bitdefender blocks the currently known samples of the new GoldenEye variant. If you are running a Bitdefender security solution for consumer or business, your computers are not in danger.”

That’s pretty unequivocal. And what’s particularly interesting with this vendor is that the ransomware vaccine is standalone – businesses don’t need to have invested in Bitdefender’s suite of other security solutions to use it.

Trend Micro: decrypt it if you can’t stop it

Trend Micro has an established stable of solutions that provide layered protection against a whole range of threats, including ransomware, so they’d surely argue that a ransomware vaccine is unnecessary!

However, what they do also offer is decryptor tools that enable users to recover data even after their files have been encrypted by certain variants of ransomware.

Again, whether these solutions are effective against the most recent Petya / Goldeneye attack is not clear, although Trend Micro states here that it is “in the process of adding known variant and component detections” for Petya-related patterns “and all products that utilise them.”

So, more antidote than vaccine – but it’s worth noting that these decryption tools are free, so they could be a lifesaver (and pave the way to more proactive anti-ransomware strategies and product choices in the future).

Malwarebytes: no ransomware vaccine, but you're safe

Malwarebytes, for its part, has been less than confident about the ability of the C:\Windows\perfc.dat vaccine to stop the Petya infection – in fact, the company states that “our own tests have shown that in many cases, it doesn’t.”

Whilst Windows 10 systems, Malwarebytes says, “seem to have a fighting chance” by using this method, “Windows 7 gets infected every time.”

However, Malwarebytes also publicly says that customers using Malwarebytes Endpoint Security are protected against this specific ransomware variant – so, once again, a vaccine is – theoretically, at least – unnecessary.

Ransomware: vaccines, protection, remediation

For more of our thoughts on ransomware and what security vendors are doing to fight against it, check out our previous post here.

And remember – prevention is better than cure, so keep patching!

Phishing:Despite being one of the oldest internet scams, phishing continues to unleash mayhem in businesses. How can security partners protect customers against it?

The oldest scam on the internet – phishing – is going from strength to strength.

Indeed, the Anti-Phishing Working Group report published in February 2017 tells us that the number of unique phishing sites detected in the second quarter of last year was at an all-time high.

The dreaded bogus links in incoming emails can trigger everything from banking fraud, to ransomware (the Locky attack was set off this way), to theft of Office 365 logins, as this phishing video shows.

So what advice should security partners be offering to their end-users to help them mount an effective defence against this menace?

1. No more phish and spam sandwiches

Poor spam management is a recipe for heightened exposure to phishing risk, since spam email is often the ‘bread’ around the phishy ‘filling’.

It sounds disgusting – but end-users are still swallowing it. In 2016, for example, 71% of ransomware was delivered via spam, making spam the most common attack vector. In fact, it’s even spawned a new term – malspam!

Strong anti-spam detection is therefore a critical ingredient in stopping phishing attacks before they reach the user, and for this a number of critical features are necessary in the security solutions end-users choose, including:

  • Antispam filters, so that detection thresholds can be adjusted in response to users’ experience of how effectively spam is being caught.
  • Connection to a global email and web reputation database, so that domains and identities associated with known malicious servers can be identified, and their IP addresses blocked.
  • IP address behaviour analysis, so that potentially suspicious behaviours like dynamic or masked IP addresses can be detected.
  • Document exploit detection to look beyond the email and into the attached files that malspam often makes use of to trigger an exploit.

At its least harmful, spam is a distraction that leaves a bad taste in the business’s mouth. At worst, it carries a truly toxic payload.

2. Beware the newly-borns…

But at the risk of sounding like King Herod, one of the biggest threats in the phishing sphere comes from ‘newly-borns’ – malicious servers that simply haven’t been around long enough to make it onto any web or email reputation database, and so might not be detected.

So it’s critical that businesses’ anti-phishing security goes beyond this, and attempts to analyse the characteristics of the phishing email itself, such as:

  • Who sent it
  • Where it’s gone to
  • What it contains
  • When it was sent
  • How it reached a user’s inbox

As this excellent summary explains, by mapping these factors automatically to known social engineering scenarios (i.e. the many ways in which users can be tricked into doing something they shouldn’t!) tell-tale signs of phishing intent can be detected, and the relevant IP addresses blocked.

Needless to say, this process involves some pretty hefty probability calculations, and social engineering scenarios are changing all the time, so the system needs to be able to constantly learn from what it absorbs and update its assessments accordingly.

Machine-learning is the key here, and if implemented effectively it can ensure that businesses’ anti-phishing protection doesn’t behave as if it were born yesterday!

3. Educate, educate, educate!

Security vendors are in this business to make money by selling software – but even they have been vocal about the need for businesses to educate their workforce to spot the signs of phishing, and take evasive action.

Content like these Tips for mitigating phishing attacks, for example, is certainly helpful - but there is a realisation that hints, tips and instructions alone won’t change security culture within organisations.

Instead, businesses must fuel constant internal security conversations using simple, accessible content, and they are looking to resellers and MSPs to deliver this to them, working through cyber-security awareness content partners.

Phishing protection will never be 100% effective. But shouldn’t every business be wishing that whatever slips through the net (or should that be Net?) could be stopped by the ‘human firewall’?

Read the latest helpful updates on ransomware and cloud security from our industry partners and contacts.

We like to put our partner and media contacts to good use in helping you and your customers to understand the security landscape.

This month, we bring you three helpful new updates – two guides to ransomware (and how to defeat it) and the other an interesting short article from Cloudworks on the benefits of cloud security for small and medium businesses.

Business guide to ransomware

New from AppRiver, this guide is subtitled ‘Understand, Analyze and Protect’, and is a very readable resource covering what ransomware is, how it works, how it spreads, and the best practices and employee training that can help defend against it.

Ransomware: Malwarebytes bytes back!

Another take on ransomware and how to combat it comes from security experts Malwarebytes, who major on the importance of endpoint security (keeping PCs and devices protected) in this informative and short PDF.

Five reasons why cloud security is important for SMEs

Big servers, large infrastructure, lots of IT staff – these are all security components that SMEs just can’t afford! This is why they must look cloudward – and this article from Cloudworks describes the benefits of cloud security neatly.

We’ll be back with more helpful advice soon!

WannaCrypt0r ransomwareThe WannaCrypt0r ransomware floored the NHS and many other organisations besides. These guys reckon they could have stopped it.

WannaCrypt0r, the global cyber-attack that paralysed 45 NHS trusts, plus businesses in over 100 countries, has woken the world up.

It’s woken a few security vendors up too, as the flurry of emails in my inbox over the weekend shows.

And, predictably, they’re all keen to tell us that customers running their security software were protected from WannaCrypt0r’s terrifying exploits.

Here’s a summary of the claims each of these wannabe ‘WannaCrypt0r-killers’ have made. It will be interesting reading for those who are contemplating where to go next with their anti-ransomware strategy!

Bitdefender

The mail from security software vendor Bitdefender states its case boldly: “Customers running Bitdefender are not affected by this attack wave.”

How so? Bitdefender has a ‘ransomware vaccine’ that users can switch on to immunise machines, and this uses the ransomware’s own programming against it.

But at a deeper level, it boils down to the ability to detect memory violations – in other words, to understand when a machine’s memory is being tampered with, which indicates that a cyber-exploit is afoot long before it can actually execute and cause any damage.

It’s this kind of device behaviour, Bitdefender implies, that, with their GravityZone products, would have shut WannaCrypt0r down before it even really got started.

Trend Micro

It’s machine-learning that’s writ large in the Trend Micro response to the WannaCrypt0r incident.

“Customers are already protected against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security,” the firm claims.

It’s a highly layered approach, involving email and web gateway solutions, behaviour monitoring and reputation analysis, file and website blocking, across physical and virtual machines, with the overall goal being to “prevent ransomware from ever reaching end users.”

Of course, if WannaCrypt0r has shown us one thing, it’s that ransomware is perfectly capable of activating before it reaches the end user!

However, a beacon of hope in Trend Micro’s communication that I did not see elsewhere is that it has a tool that can decrypt files affected by certain crypto-ransomware variants, meaning victims would not have to pay the ransom in exchange for a decryption key.

(How many IT guys would have killed for that last Friday evening?)

Malwarebytes

Malwarebytes’ communication slaps its cards down on the table thus:

“Malwarebytes is protecting your organization against this specific ransomware variant. Our anti-ransomware technology uses a dedicated real-time detection and blocking engine that continuously monitors for ransomware behaviors, like those seen in WannaCrypt0r.”

Like Bitdefender and Trend Micro, this is hinting at some sort of intelligent analysis of machine and network behaviours that might predict a ransomware attack, before it actually starts to execute.

Malwarebytes’ four-layered security approach – operating system, memory, application behaviour and application hardening – contributes to this detection capability, as it monitors at multiple system levels for ransomware and other exploits, simultaneously.

But Malwarebytes goes further than this in its claims. It says in this blog about WannaCrypt0r that itwill stop any future unknown ransomware variants.”

(The italics are mine – but I’m sure you’ll agree they’re worth emphasising!)

What next for WannaCrypt0r?

There are few certainties in cyber-security but what experts are predicting is that wave two of the WannaCrypt0r attack will come soon – and wearing a different guise.

Will the security solutions above recognise it rapidly enough to combat it?

Let’s see whether the communications live up to their word.

Upgrade Trend Micro Worry-FreeIf you don’t manage your Trend Micro Worry-Free Business Security upgrades properly, your customers could be at risk from ransomware! We explain what to do.

If you sell Trend Micro’s Worry-Free Business Security Standard or Advanced editions, you’ll know that both come with a convenient management console that enables you to easily watch over and control the security services you deliver.

But if you don’t act on the information and alerts you receive, and keep your solution up to date, it could mean that your end-user customers are at greater risk from threats like ransomware!

There are just three things you need to do to keep your customers protected:

1. Upgrade manually after renewals

Renewals of Trend Micro’s Worry-Free for Business Standard or Advanced editions do not automatically upgrade to the latest version, so you need to manually manage this process yourself.

Happily, it’s an easy thing to do. There’s a link to Trend Micro’s Download Center at the top of every console homepage. Click to upgrade your renewed Worry-Free Business Security edition to the latest version (see images below).

Alternatively, you can go to the Help tab, click on Support, and then click on the Download Center icon at the bottom of the page (see image below).

No uninstall or reinstall is required, the upgrade will automatically be picked up from the server by all the connected security agents, and your customers will stay protected.

What’s not to like?

Worry-Free Console
(Click to enlarge)
Worry-Free Console
(Click to enlarge)
Worry-Free Console
Upgrading Worry-Free Business Security after renewal is easy! (Click to enlarge)

2. Get notified by RSS as well

If you’re not on v.7 or upwards, you won’t get console notifications, so you need another way of receiving them.

And even if you are on v.7 or upwards, there’s certainly no harm in having a backup notification channel to be doubly sure the message hits home.

This is why the Download Center website supports RSS. You can set up upgrade notifications and reminders from that site straight into your RSS feed (see image below), and then go into the console to act on them.

Trend Micro software download RSS Feed
You can subscribe to the Download Center website’s RSS feeds to get upgrade and service pack notifications – whether the notification feature is also available in your version of the console or not. (Click to enlarge)

3. Act on those notifications!

As we’ve shown above, the console – even in pre-v.7 guise - contains the necessary links for you to download upgrades or service packs, and you can also find these links in the Download Center, whose icon is at the bottom of the console page (see image above).

So it’s a cinch to stay ahead of the game – but you do have to make sure you download the upgrades and packs promptly from the links.

That way, your customers will continue to be fully protected.

Keep Worry-Free worry-free!

Pay heed to your console, reminders and notifications and your Worry-Free Business Security solutions will totally live up to their name (more so, in fact, if you upgrade to the cloud-based Services edition that significantly simplifies life for both you and your end-users!)

But miss an upgrade or a service pack, and fast-moving, destructive threats like ransomware are, in all probability, already one step ahead of you and your customers alike.

And that will prove very worrisome indeed.

Bitdefender updated its  GravityZone cloud console with new features that you may not be taking full advantage of.  Here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Ransomware Vaccine

The big news is that Bitdefender has now incorporated Anti-Ransomware vaccine for all its cloud customers, that immunises end-users against both existing and emerging ransomware attacks – at no additional cost!  This module is activated through the policy section  Antimalware --> On Access settings

Bitdefender Policy
(Click to enlarge)

By activating this module, machines will be protected from all currently known forms of Ransomware. The Vaccine works independently, does not need any other modules to be installed, and is switched on simply by ticking the box in the customer’s policy.

Other New Features in GravityZone

  • Update Rings - this feature allows Administrators of the program to  choose when in the validation cycle an update is received.
  • Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.
  • Web Access Control Rules - The categories list has been updated with multiple new categories added.
  • Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

For more details on the above features and a look at the other features included please click here

Bitdefender Authorized Distributor

RansomwareThe word “ransomware” terrifies individuals and organisations alike. We look at how this threat works - and how to fight it!

The ransomware mood music isn’t good this year. As security publications and commentators tell us, ransomware is expected to dominate the malware arena in 2017.

More than ever, then, security partners need to offer sound, confident advice to end-users on both the nature of ransomware, and how to defend against it.

So look no further!

Ransomware: how it works

Ultimately, the aim of ransomware is to paralyse companies’ operations, usually by encrypting data, then demanding money to decrypt it and render it usable again.

For security partners and their customers, one of the challenges with ransomware is that it can enter the network through many different routes – malicious links or infected file attachments in emails, drive-by attacks triggered by a visit to an infected website or ad, botnets, USB drives, Yahoo Messenger images… the penetration potential is extremely high.

But to rub salt into it, ransomware also dodges many of the traditional anti-virus defences.

It disguises filenames and attributes and hides behind legitimate file extensions. And it often uses secure communications protocols like https and Tor, and encrypts its communications as it goes, obscuring the tell-tale server calls that would ordinarily betray its presence.

What this means is that most anti-virus protection is none the wiser to the threat – and so the latter finds its target, which is usually the most critical data the business holds. (Indeed, the notorious Cryptolocker ransomware, as this blog, from Bitdefender, explains, hunted out 70 different specific file extensions, precisely for this reason).

Ransomware: how to stop it

A threat that can infect via so many different channels, and hide its tracks whilst it’s doing it, clearly can’t be stopped by a single “silver bullet.”

It can only be stopped by layered protection that detects and blocks at all the levels at which ransomware can penetrate and spread.

Research carried out by Trend Micro has found that 99% of over 99 million ransomware attacks were found in malicious email or web links, so robust defence at the email and web gateway level, as well as at the endpoint and network levels, are a must.

Protecting email and web traffic from ransomware

Analysis is the key here; in the absence of the normal malware “cues” that signal a threat, security solutions have to look harder, deeper and wider for signs of the miscreants.

This means not just analysing links in the body of an email, for example, but also the links in the attachments that that email contains – as well as the attachments themselves.

It means scanning for zero-day and browser exploits, and other favoured ransomware entry points that are buried in applications (such as within Office 365 – 2 million threats discovered to date, according to Trend Micro!), rather than just in links or attachments.

And it means both being able to instantly compare links with a global database of known malicious URLs, and automatically rewrite links (as we discussed in this post) to divert them into a sandbox and analysis environment.

There, they can be triggered and inspected at no risk - even if they are not “known suspects.”

Protecting endpoints from ransomware

But what if the threat enters the network from an endpoint, like a PC – triggered, perhaps, by an infected document on a USB stick?

Actually, it’s at this level that some of the most useful indicators of ransomware behaviours – rapid encryption of multiple files, for example, or exploit kits that look for unpatched software vulnerabilities, as a prelude to sending ransomware through them – can be detected.

A security solution that can isolate the endpoint can stop the ransomware from spreading further via the network. And on that point…

Protecting networks from ransomware

The network itself must of course be protected.

But network traffic flows across myriad nodes, ports and protocols, so security must be capable of identifying ransomware and attacker behaviour in and across each of these sub-layers.

Here, too the sandbox analysis that we mentioned above is a powerful resource, mirroring the actual network environment so that the presence of typical ransomware behaviours can be accurately tracked and their effect (and therefore likely objective) revealed.

And blocked!

Ransomware immunisation: using the threat against itself

But one of the slickest anti-ransomware developments we’ve seen recently is a “vaccine”, which literally uses the ransomware’s own programming against it.

Ransomware typically prevents a machine it has already infected from playing host to any other infection that could interfere with the ransomware’s own endgame.

But this same feature, deployed on uninfected machines, effectively blocks the ransomware itself, as we have previously described in this post. So, does this mean ransomware is finally hoist by its own petard?

I wouldn’t bet on it. But by sharing knowledge about how ransomware works, how we can defeat it, and where businesses and security partners can go for more advice, we make every hostage that bit more difficult to take.

And that’s a ransomware result.

Padlocks SecurityMultiple combined security solutions can be expensive for partners and customers alike, and can cause security gaps. So do integrated suites make more sense?

Calling all security partners - here's a scenario you might recognise: you sell the customer an individual “point” solution to address a specific security need, then you widen the customer’s understanding of their needs and gradually sell them a range of other point solutions to suit. Right?

But is this really the most profitable sell? And isn’t its viability called into question by the fact that the point solutions are only as robust as the glue that’s holding them together?

Here’s what some of the security partners who are our customers told us.

"Individual security solutions inflate costs."

As the quote above suggests, partners must balance the relative ease of progressively selling point solutions with the upward price spiral (and competitive impact) that this process tends to introduce.

Integrated suites of solutions, however, typically tend to be priced much more favourably; entire suites of security products can often be bought by the partner for a fraction of the price of combining point solutions!

But it’s not just about licensing costs. As you’ll read below, industry analysts support the idea that an ecosystem of integrated solutions will be more resource-efficient, enabling repositories to be shared effortlessly between the component solutions within it, and minimising operational costs too.

“Managing complexity is an expensive problem with point solutions.”

Essentially, this boils down to two issues.

Firstly, effective security has to work seamlessly across multiple layers (endpoint, application, network) but it has to do so in a user-centric way.

But if you stitch myriad point solutions together there is typically no centralised console for easily managing security across all these layers. Solutions for every layer then have to be managed in isolation, seamlessness evaporates, and admin and management overheads are multiplied, biting deeply into operating margins.

Secondly, point solutions, by their nature, are not greatly flexible, so they put partners into a complex and therefore potentially costly technical position when it comes to scaling to meet growing user demand, or deploying across mixed on-premise, cloud and hybrid environments.

In short, layered security suites are essential to enable partners to protect their customers comprehensively – but if those layers can’t be controlled from a “single pane of glass” then those partners are heading for a huge profitability drain.

“Combining point solutions doesn’t work 100% - it leaves security gaps.”

This is perhaps the most fundamental observation of all, explained best by industry analyst firm Forrester in this paper.

They say that in systems “protected by separate point products with isolated intelligence analysis/policy engines and management consoles, complexity increases and gaps in security coverage are more likely to present opportunities for exploit by malicious parties.”

They also confirm that integrated suites incorporating layered security offer partners (and customers) significant reductions in “operational friction” and cost, as we have already mentioned above.

“Point solutions have limited threat coverage.”

Related to what we’ve said above, if point solutions struggle inherently to work together, it’s logical to assume that, as attack surfaces and threat vectors proliferate, this shortcoming degrades even further - and there comes a juncture when point solutions effectively become functionally unable to cover off the full spectrum of threat sources.

A cursory glance at the kind of threats that integrated security solutions must now protect against reinforces this view.

Endpoints, smartphones and tablets no longer cut the mustard. Instead, protection must extend to USB, removable drives, mail and file servers, messaging and web gateways, collaboration portals, instant messaging (IM) servers – and, as we noted in a previous post, cloud applications (like Office 365) whose use within businesses is skyrocketing.

Clearly, however, not all point solutions are created equal. A carefully assembled, multi-vendor solution, using only established best-of-breed components, might arguably be up to the tasks demanded of it -  but at what cost?

Disparate licensing agreements. Disparate billing arrangements. The need for a separately purchased and configured remote monitoring and management (RMM) console...

These obstacles are a world away, in cost and complexity terms, from a one-vendor solution with specialist components that target specific security layers, and with its own in-built "single pane of glass", delivering unified management, from very first use, across the customer's entire security estate.

Buyer beware!

Conclusion: integrated suites make security (and business) sense

According to experts quoted in security publication CSO Online, 2016 is the year of advanced cyber attacks, insider threats, ransomware, “cloud wars” - and a huge shortage of in-house cyber talent that security partners will have to help their customers to fill!

Against the backdrop of this surging demand, the notion that partners can profitably supply and effectively manage individual point solutions to simultaneously address such a vast (and growing!) expanse of ever more sophisticated threat sources doesn’t stand up to reasoned analysis.

There seems to be only one sensible way forward for partners in the security channel, and Forrester once again nails it when it writes: “Integrating the security management and analysis within each layer is crucial when protecting against advanced or targeted attacks.”

The day is surely coming when there simply won’t be much point in point solutions.