Ransomware is becoming a global menace – last week’s WannaCry ransomware attack, as well as the ransomware attacks earlier this year on MongoDB and Elasticsearch clusters, have become common headlines. Hundreds of thousands of servers and databases were hacked in 2017 as a result of ransomware. Clearly, as indicated by this tweet, the immediate response to WannaCry ransomware is to patch the Windows servers to remediate a vulnerability that Microsoft patched two months ago. Are there better ways to address data security more proactively? Why were thousands of servers unpatched when Microsoft released the patch two months ago? We describe the data security process and three key best practices for protecting data against ransomware.
Data Security Process
The data security process has four key stages, as shown below: discover and classify, prevent, detect, and respond.
The first step is to discover the data in the enterprise, such as databases and datastores, and classify it into levels, such as sensitive or personal information that requires strong security.
The second step is to apply prevention techniques to secure your data: proactive policies-as-code to reduce the blast radius of an attack, layers of protection through defense-in-depth, continuous backups, and continuous auditing of the security of each datastore as well as of all compute and network resources along potential attack paths that have access to those datastores. A policy management process and a management tool that automate policy checks for data security, compliance and backups ensure that continuous automated audits run with automatic remediation. Another prevention technique is a vulnerability and patch management process with remediation time SLAs for critical patches.
Finally, you need to continually monitor for and detect data breaches and data security issues, and respond to them with reactive steps that mitigate them. A vulnerability management process and server management tools enable quick identification of vulnerable servers, which represent risk to the business, and patching to remediate them.
Let us next break down these three practices for securing your data.
I. Prevention – Policies to continuously audit
Ransomware and other data loss can be prevented with many defensive techniques by proactively checking configurations in systems, network, servers and databases. Four key policies need to be defined and enforced through a policy management process and tool. These policies form the defense-in-depth layers that will protect the data from hackers or ransomware attacks.
- Compliance policy – There are a number of CIS database configuration checks that must be followed to ensure that all database configurations are secured. Many default database settings, such as those of MongoDB or Elasticsearch, leave them wide open to the internet. These security and compliance checks need to be continuously evaluated and corrected as one of the first measures of prevention.
- Data security policy – Data can be secured by making encryption at rest with customer-provided encryption keys standard practice for all databases. Default credentials must be changed, and appropriate backups must be taken and verified. All of these checks can be easily defined as policies and continuously evaluated for misconfigurations.
- Network security policy – Databases, cloud servers and the networks along access paths to databases must be secured through appropriate firewall or security group rules and by hosting the databases in isolated VPCs and subnets. The servers allowed to reach each database must also be whitelisted to limit network access. These policies can be evaluated and enforced continuously through enterprise policies.
- Server compliance policy – Databases run on servers that need hardened OS images and a vulnerability and patch management process. The next two best practices describe that process and its tools. All servers within the enterprise should follow these practices as well, since lateral movement can make database servers insecure if any other server in the cloud becomes insecure.
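As an added illustration (not code from the original post or from any BMC product), here is a small policy-as-code audit in Python over a constructed datastore inventory: each of the compliance, data security and network security rules above becomes a predicate, and the audit reports every rule each datastore fails. The record fields, rule ids and sample values are assumptions made for the example.

```python
"""Policy-as-code checks for datastore hardening (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Datastore:
    """Constructed inventory record: what a discovery step collects per datastore."""
    name: str
    engine: str                  # "mongodb" or "elasticsearch"
    bind_ip: str                 # interface the service listens on
    auth_enabled: bool
    default_creds: bool          # vendor default credentials still present
    encrypted_at_rest: bool
    customer_managed_key: bool   # encryption key supplied by the customer
    last_backup_age_days: int
    ingress_cidrs: list = field(default_factory=list)  # security-group sources for the DB port


# Each policy: (rule id, failure message, predicate that is True when compliant).
# Rule ids are illustrative labels, not CIS benchmark numbers.
POLICIES = [
    ("CIS-NET-1", "listens on all interfaces", lambda d: d.bind_ip not in ("0.0.0.0", "::")),
    ("CIS-AUTH-1", "authentication disabled", lambda d: d.auth_enabled),
    ("DATA-1", "default credentials in use", lambda d: not d.default_creds),
    ("DATA-2", "not encrypted at rest", lambda d: d.encrypted_at_rest),
    ("DATA-3", "encryption key not customer managed", lambda d: d.customer_managed_key),
    ("DATA-4", "backup older than 1 day", lambda d: d.last_backup_age_days <= 1),
    ("NET-1", "DB port open to 0.0.0.0/0", lambda d: "0.0.0.0/0" not in d.ingress_cidrs),
]


def evaluate(ds: Datastore) -> list:
    """Return (rule id, message) for every policy the datastore fails."""
    return [(rid, msg) for rid, msg, ok in POLICIES if not ok(ds)]


def audit(stores) -> dict:
    """Continuous-audit entry point: map datastore name -> failed rules."""
    return {ds.name: evaluate(ds) for ds in stores}


# Constructed sample inventory: one MongoDB exposed with defaults, one hardened Elasticsearch.
SAMPLE = [
    Datastore("mongo-prod-1", "mongodb", "0.0.0.0", False, True, False, False, 9, ["0.0.0.0/0"]),
    Datastore("es-prod-1", "elasticsearch", "10.0.2.15", True, False, True, True, 0, ["10.0.0.0/16"]),
]

if __name__ == "__main__":
    for name, failures in audit(SAMPLE).items():
        print(name, "PASS" if not failures else failures)
```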
II. Prevention – Patch SLA monitoring and continuous patching
Enterprises should define a vulnerability and patch management process with objectives on “time to remediate critical security issues”, the RTO – Remediation Time Objective (not to be confused with backup RTO). Enterprises should have RTO SLA policies in place that specify the “number of days within which all critical vulnerabilities, such as those with CVSS severity scores of 9 or 10, will be remediated”. An RTO SLA of 15 to 30 days is quite common for patching critical security vulnerabilities. This SLA needs to be continuously monitored, and any violations need to be notified and corrected. In the latest WannaCry attack, thousands of computers remained unpatched for more than 60 days, even though a patch for this vulnerability was released two months earlier. This could have been avoided with continuous monitoring of the RTO SLA and remediation.
Many enterprises could go one step further by not just monitoring and actively managing the RTO SLA but also automating detection and patching. As soon as critical vulnerabilities are identified through periodic scans and patches are available from the vendors, the management tools should automatically update their patch catalogs and patch servers and network devices in a zero-touch approach:
- Continuously scan the environment to detect vulnerabilities
- Select critical vulnerabilities for automated patching
- Continuously look for patches from vendors such as Microsoft, download critical patches for those vulnerabilities and keep the patch catalog contents updated automatically
- Automatically apply patches for critical vulnerabilities as they are discovered, based on the RTO policies.
With these SLA monitoring and patching controls in place, enterprises can achieve a high degree of data security through proactive prevention.
III. Response – Vulnerability and Patching
Even with the preventive controls discussed in I and II, there is still a need to detect and respond, as not all security attacks can be prevented. Once ransomware or another data exfiltration or security threat has been identified, it is important to be able to identify the vulnerable servers and patch them as soon as possible. A reactive vulnerability and patch management system must be able to select a specific CVE, assess the servers that require patching, and with a few clicks apply the patches and configuration changes that remediate that critical CVE.
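The RTO SLA monitoring of section II and the per-CVE assessment of section III, as an added Python example that is not code from the post or from any vendor tool. The 30-day SLA and the CVSS 9 threshold come from the text; the scan findings, host names and CVE ids are constructed placeholders, and the SLA clock is assumed to start on the day the vendor patch became available.

```python
"""RTO SLA monitoring and per-CVE assessment over scan findings (constructed example)."""
from dataclasses import dataclass
from datetime import date

RTO_SLA_DAYS = 30      # days allowed to remediate a critical finding (from the text)
CRITICAL_CVSS = 9.0    # CVSS 9 or 10 counts as critical (from the text)


@dataclass
class Finding:
    """One scanner finding; CVE ids in the sample below are placeholders, not real ones."""
    host: str
    cve: str
    cvss: float
    patch_available: date   # day the vendor released a fix; assumed start of the SLA clock
    patched: bool = False


def is_critical(f: Finding) -> bool:
    return f.cvss >= CRITICAL_CVSS


def days_open(f: Finding, today: date) -> int:
    return (today - f.patch_available).days


def sla_violations(findings, today: date) -> list:
    """Critical, unpatched findings older than the RTO SLA: these trigger notifications."""
    return [f for f in findings
            if is_critical(f) and not f.patched and days_open(f, today) > RTO_SLA_DAYS]


def auto_patch_queue(findings, today: date, grace_days: int = 5) -> list:
    """Critical unpatched findings to hand to zero-touch patching before the SLA is breached."""
    return [f for f in findings
            if is_critical(f) and not f.patched
            and days_open(f, today) >= RTO_SLA_DAYS - grace_days]


def hosts_for_cve(findings, cve: str) -> list:
    """Incident-response view: which servers still need the fix for one selected CVE."""
    return sorted({f.host for f in findings if f.cve == cve and not f.patched})


# Constructed sample scan output (placeholder CVE ids).
TODAY = date(2017, 5, 15)
SCAN = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2017, 3, 14)),        # 62 days open: SLA breached
    Finding("db-01", "CVE-0000-0001", 9.8, date(2017, 3, 14), True),   # already patched
    Finding("app-02", "CVE-0000-0001", 9.8, date(2017, 4, 20)),        # 25 days open: queue only
    Finding("app-03", "CVE-0000-0002", 6.5, date(2017, 1, 1)),         # old but not critical
]

if __name__ == "__main__":
    print("SLA violations:", [f.host for f in sla_violations(SCAN, TODAY)])
    print("Auto-patch queue:", [f.host for f in auto_patch_queue(SCAN, TODAY)])
    print("Hosts still exposed to CVE-0000-0001:", hosts_for_cve(SCAN, "CVE-0000-0001"))
```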
Data security starts with an enterprise data security process consisting of data discovery, prioritization, prevention, detection and response stages. The first best practice for data security is prevention, where datastores such as MongoDB and Elasticsearch, as well as servers and networks, are continuously audited for security and compliance through policies. A policy management tool is a critical enabler for these audits and preventive checks. These tools can be thought of as ways to “detect” and “harden” all places and paths along which data is stored, moved and accessed, thereby achieving defense-in-depth. The second best practice for data security is to define a “Remediation Time Objective” SLA and implement a vulnerability lifecycle management process. A vulnerability management tool continuously scans for vulnerabilities, gives visibility into critical vulnerabilities with SLA violations, and automatically keeps the environment patched with zero touch. Many enterprises that followed a 30-day RTO SLA were not impacted by WannaCry ransomware, as they had patched their systems in March, soon after the patch was released. The third best practice is the ability to assess a vulnerability and remediate it during emergencies or as part of security incident response, such as the weekend WannaCry ransomware threat. All three of the above proactive and reactive practices and tools can keep data secure and avoid costly and reputation-damaging ransomware attacks on enterprises.
BMC Software has three products, BladeLogic Server Automation, SecOps Response and Policy cloud services, that can keep your applications, servers, networks and data safe from ransomware attacks. WannaCry ransomware was a non-event for customers using these products, as they were proactively implementing vulnerability and patch management processes through our tools.
Full disclosure: I work at BMC Software. Check out http://www.bmc.com/it-solutions/bladelogic-server-automation.html, http://www.bmc.com/it-solutions/secops-response-service.html and https://www.youtube.com/watch?v=hSFP5-kzbT0.