Malware has been the archenemy of organizations around the globe for years, with ransomware being an extremely deadly foe, in particular. It locks down victims’ files through encryption and demands a ransom for decryption, a very effective tactic for cybercriminals. There’s been a steady stream of successful ransomware attacks in the news as of late, but those responsible aren’t resting on their laurels.
These bad actors are continually refining their tactics and have recently turned to double extortion, whereby they threaten to leak victims’ sensitive files in order to increase the odds of ransoms being paid. Kaseya-style supply chain attacks are another example of ransomware’s growing sophistication. In any event, falling victim to an attack can disrupt business operations, harm brand reputation, lead to significant financial costs, and more.
Adversaries are constantly searching for soft targets they can attack to penetrate enterprise defenses, and in recent years, SaaS applications have emerged as appealing prey. Such apps are designed to enable rapid file sharing, collaboration, and automation, and as a result, ransomware, when successfully implanted, can easily spread to connected applications as well as to users’ devices. What’s more, SaaS apps contain countless files that can be stolen and used for double-extortion.
When misconfigurations exist in data-rich SaaS apps, they create dangerous gaps that can extend access to malicious parties looking to infiltrate the enterprise. Unfortunately, almost no SaaS apps provide native threat protection, and the few that do lack the technological sophistication to identify zero day threats; they are limited to detecting known threats. Legacy security technologies (in the form of on-premises hardware appliances that lack scalability) complicate things further in that they’re not designed to defend against malware or protect data in our cloud-first, work-from-anywhere world.
The gaps to be filled
Organizations need comprehensive defense against the proliferation of malware and ransomware both within and across their SaaS applications. This requires the use of a security solution architected for the modern cloud world and capable of defending against malware for any user, any device, and any app over any network (without the need to backhaul traffic to an appliance on premises).
Such a solution needs to be able to prevent infected files from being uploaded to cloud applications, but it also must be able to identify threats that have already made their way into the cloud. Organizations must also be able to trust that their solution of choice can defend against any threat, including zero day ransomware, not just known malware. In the event of (increasingly common) double extortion attacks, organizations need to be able to defend their data from being exfiltrated via SaaS, as well.
Controlling the kill chain with cloud DLP
When ransomware successfully infiltrates an organization, cybercriminals typically begin working quickly to appropriate data. As mentioned above, stealing data and threatening its leak is a common strategy for improving the odds of a ransom being paid. Even if companies don’t feel compelled to pay for decryption, the threat of data exposure can prove to be sufficient incentive. However, for double extortion to be effective, malicious actors need to successfully exfiltrate data from the enterprise.
This is where cloud data loss prevention (DLP) becomes particularly valuable. Leading DLP solutions scrutinize the content and context of outbound files and prevent their movement as necessary to prevent leakage. This disrupts the attack chain by stopping malicious actors from stealing the data from SaaS apps that would allow them to engage in double extortion.
How CASB helps you fight ransomware
Cloud access security brokers (CASBs) serve as visibility and control points in the cloud and, as such, can help with the challenges ransomware presents. In particular, a multimode CASB proxies traffic to secure data in motion in real time and integrates with application programming interfaces (APIs) to secure data at rest in the cloud. Consequently, it prevents malicious files from being uploaded into SaaS applications and responds to malware and ransomware that already exist inside of corporate cloud apps.
Leading CASBs provide advanced threat protection (ATP) capable of identifying any threat—even zero day ransomware—through tight integrations with cloud sandboxing. As cloud native solutions, leading CASBs require no hardware appliances in data centers and deliver scalable, omnipresent protections.
Fixing misconfigurations with CSPM
When deploying and managing a SaaS application or IaaS instance, there are many configuration settings that must be properly applied to ensure that the app functions properly and securely. Where misconfigurations exist, malicious actors can gain access to corporate systems; for example, to place a ransomware payload or to exfiltrate data for double extortion.
Cloud security posture management (CSPM) addresses such vulnerabilities by identifying costly misconfigurations that could be exploited by attackers. As an illustration, if sensitive data repositories (such as AWS S3 storage buckets) can be openly accessed from the internet due to a misconfiguration, the issue can quickly be located and remediated.
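The S3 case above is the kind of check a CSPM engine runs. The following is an added illustration (not Zscaler's code): it evaluates a constructed bucket policy for anonymous Allow statements and then decides whether the account's Block Public Access settings actually neutralize them; the policy, account id and bucket name are made up.

```python
import json

# Constructed sample bucket policy: a wildcard principal grants anonymous
# read on every object, the classic "open bucket" misconfiguration.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed Block Public Access settings for the same bucket.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

def _is_public_principal(principal):
    """A statement is anonymous when Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def find_public_statements(policy_json):
    """Sids of Allow statements with an anonymous principal and no Condition."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no-sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal"))
            and "Condition" not in s]

def assess_bucket(policy_json, bpa):
    """CSPM-style finding: public statements not neutralized by Block Public Access."""
    public = find_public_statements(policy_json)
    if not public:
        return {"exposed": False, "statements": []}
    # RestrictPublicBuckets limits a bucket that already has a public policy to the
    # owner and AWS services; BlockPublicPolicy only rejects *new* public policies.
    neutralized = bool(bpa.get("RestrictPublicBuckets"))
    return {"exposed": not neutralized, "statements": public}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_POLICY, SAMPLE_BPA))
```

Statements carrying a Condition (for example a source-IP or VPC restriction) are skipped here, so a real scanner would still need to inspect those conditions rather than treat them as safe.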
Choosing the right protection approach
An integrated approach helps stop ransomware all along the kill chain without the complexity of deploying and managing multiple point products. Zscaler Cloud DLP, CASB, and CSPM are core components of the integrated Zero Trust Exchange, along with leading SWG and ZTNA technologies. In other words, Zscaler has everything necessary for companies to comprehensively defend against malware and ransomware (as well as address their secure access service edge (SASE) requirements).
Zscaler DLP provides the breadth and depth of functionality needed for stopping data exfiltration and thwarting double extortion, from predefined and customizable dictionaries to exact data match (EDM) and indexed document matching (IDM). Our multimode CASB shields enterprise SaaS apps from malware and ransomware infections; threats in transit are detected and blocked via real-time proxy, while malicious files at rest can be identified and quarantined or deleted via API.
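To make the "content and context" DLP check from the kill-chain section and the dictionary/EDM techniques named here concrete, the following is an added, self-contained sketch (not Zscaler's implementation): sensitive values are indexed as keyed fingerprints rather than stored in the clear, outbound text is scanned for exact matches and dictionary terms, and the verdict also depends on whether the destination is a sanctioned tenant. The records, key, dictionary and hostnames are all constructed.

```python
import hashlib
import hmac
import re

# Constructed sample data: in practice the index is built from an HR/CRM export.
INDEX_SECRET = b"constructed-edm-key"
SENSITIVE_RECORDS = ["4111-1111-1111-1111", "4000-0566-5566-5556", "AC-8827341"]
DICTIONARY = {"confidential", "internal only", "patient"}
SANCTIONED = ("corp.sharepoint.example",)
SAMPLE_FILE = ("Internal only. Customer card 4111-1111-1111-1111 "
               "and account AC-8827341 on file.")

def _fingerprint(value):
    """Keyed hash of a normalised value, so the index never holds raw data."""
    norm = re.sub(r"[\s-]", "", value).lower()
    return hmac.new(INDEX_SECRET, norm.encode(), hashlib.sha256).hexdigest()

def build_edm_index(records):
    """Exact data match: a set of fingerprints, one per sensitive value."""
    return {_fingerprint(r) for r in records}

def scan_content(text, index, dictionary):
    """Count EDM hits and dictionary hits in an outbound file's text."""
    tokens = re.findall(r"[A-Za-z0-9-]+", text)
    edm_hits = sum(1 for t in tokens if _fingerprint(t) in index)
    lowered = text.lower()
    dict_hits = sum(1 for term in dictionary if term in lowered)
    return {"edm": edm_hits, "dictionary": dict_hits}

def evaluate_upload(text, destination, index, dictionary, sanctioned=SANCTIONED):
    """Content plus context: exact matches leaving the tenant are blocked,
    dictionary-only matches raise an alert, everything else is allowed."""
    hits = scan_content(text, index, dictionary)
    if destination in sanctioned:
        return "allow"
    if hits["edm"] >= 1:
        return "block"
    if hits["dictionary"] >= 1:
        return "alert"
    return "allow"

if __name__ == "__main__":
    idx = build_edm_index(SENSITIVE_RECORDS)
    print(scan_content(SAMPLE_FILE, idx, DICTIONARY))
    print(evaluate_upload(SAMPLE_FILE, "unsanctioned-drive.example", idx, DICTIONARY))
```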
Leading advanced threat protection (ATP) technology is refined by 160 billion daily platform transactions and 100 million threats detected each day. Zscaler Cloud Sandbox, powered by machine learning, safely identifies and blocks zero day threats both at upload and at rest. The platform’s CSPM scans SaaS and IaaS instances for potentially fatal misconfigurations that could enable attacks, prioritizes uncovered risks, and empowers organizations to respond before malicious parties can take action.