A Sense of Security Blog

Every Organization is Vulnerable to WannaCry Due to Major Blind Spots in Infrastructure

Image Source: http://www.newsbtc.com/2017/05/13/bitcoin-ransomware-makes-global-infrastructure-wannacry/

Even when combined with one of the many endpoint security and patching solutions available today, the new class of “next generation” anti-virus (NGAV) and endpoint detection and response (EDR) solutions is ineffective unless it knows every device on the network and a client agent is active on each one. If an organization has any blind spots – or “undefended” endpoints – it remains vulnerable to cyber-attacks such as the WannaCry ransomware strain that spread quickly across the globe over the weekend.

How was WannaCry Successful?

WannaCry ransomware, a strain of WanaCrypt, used a vulnerability in a Windows Server component to spread within networks like the one within England’s National Health Service (NHS). The weakness was part of a set of software vulnerabilities discovered by the U.S. National Security Agency (NSA) and then stolen by a group of hackers calling themselves “Shadow Brokers”.

While Microsoft fixed the flaw in Windows 10 shortly before the stolen data was published, it failed to provide security patches for older operating systems (OS), including Windows 8, Windows Server 2003 and Windows XP, which span more than 10 years, offering patches only to customers running newer versions of the software.

Unfortunately, small to medium businesses (SMBs), healthcare organizations and government organizations often continue operating on older versions of software due to the cost and time involved in upgrading. Compounding the problem, many of these same organizations fail to keep their current systems up to date. Microsoft said it had released a Windows security update in March that would have protected against the WannaCry attack, but many users never ran it. Worse, many of these endpoints are missing from known pools of managed devices because they run these old operating systems.

Many vendor solutions, like NAC/Internet of Things (IoT) security, Vulnerability Management, and even SIEM, claim to discover networks and endpoints and offer greater network visibility; however, most of these solutions rely on partial or even full packet captures on known networks, and discover endpoints only when they request formal access to the network or generate events. These solutions can miss large numbers of endpoint devices and even whole networks. At Lumeta we have found that on average over 20 percent of infrastructure is unknown, whether it is rogue networks, unmanaged endpoints, shadow IT or malicious actors. Couple this with an outdated operating system, and it’s no surprise that attackers can easily compromise an organization within minutes 99 percent of the time [1].
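The reconciliation this argument calls for, as an added example (not part of the original post and not Lumeta's code): compare what a discovery scan finds against the EDR agent inventory and the network ranges the tooling is scoped to, and flag every host that is unmanaged, stale, off-scope or running one of the legacy OS versions named above. The CSV column names, sample hosts, network range and 7-day check-in threshold are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample data; column names and values are assumptions.
DISCOVERED = """ip,mac,os
10.1.4.10,00:11:22:33:44:01,Windows 10
10.1.4.22,00:11:22:33:44:02,Windows XP
10.9.0.5,00:11:22:33:44:03,Windows Server 2003
10.1.4.31,00:11:22:33:44:04,Windows 8
"""
EDR_AGENTS = """mac,last_checkin_days
00:11:22:33:44:01,1
00:11:22:33:44:04,30
"""
KNOWN_NETWORKS = ["10.1.0.0/16"]  # ranges the security tooling is scoped to
# Legacy versions the post names as left without patches.
LEGACY_OS = {"Windows XP", "Windows Server 2003", "Windows 8"}


def find_blind_spots(discovered_csv, agents_csv, known_networks, max_checkin_days=7):
    """Return discovered hosts that are unmanaged, stale, off-scope or legacy."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    agents = {r["mac"].lower(): int(r["last_checkin_days"])
              for r in csv.DictReader(io.StringIO(agents_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        reasons = []
        if not any(ipaddress.ip_address(row["ip"]) in n for n in nets):
            reasons.append("unknown_network")
        checkin = agents.get(row["mac"].lower())
        if checkin is None:
            reasons.append("no_agent")
        elif checkin > max_checkin_days:
            reasons.append("stale_agent")
        if row["os"] in LEGACY_OS:
            reasons.append("legacy_os")
        if reasons:
            findings.append({"ip": row["ip"], "os": row["os"], "reasons": reasons})
    # Hosts with the most overlapping gaps first (stable sort keeps input order).
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_blind_spots(DISCOVERED, EDR_AGENTS, KNOWN_NETWORKS):
        print(f["ip"], f["os"], ",".join(f["reasons"]))
```

A host with an installed agent that has stopped checking in is reported separately from one with no agent at all, since both are undefended but call for different remediation.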

Most vendors that claim continuous monitoring of vulnerable infrastructure not only rely on easily discovered or known assets, but are also failing to monitor the network in real-time. Many of these solutions will focus on monitoring endpoint activity while not effectively monitoring the network in real-time for suspect changes. To many of these solutions, “continuous” monitoring really means periodic, where they poll network elements and endpoints. An attacker can use this polling interval to do plenty of damage, essentially hiding in between. These solutions can miss identifying activity like WannaCry, which was able to open a path to a known malicious domain and transmit data.

How It Could Have Been Prevented

With enormous growth in bring your own device (BYOD), IoT and IP managed devices, the lack of network visibility and the inability to have the necessary understanding of a dynamic network perimeter in real-time continues to enable major breach opportunities.

As the U.S. looks to centralize its healthcare system, organizations increasingly rely on third-party services, with increased adoption of IoT devices and software. These changes expose IT infrastructure to a much greater attack surface. Teams must deal with tens of thousands of endpoints, where there are often 1,000 or more network infrastructure changes every month. This creates a major visibility gap, as network changes leave endpoints unprotected and vulnerable to compromise from rogue activity or malicious actors. Even a single unprotected host can expose an organization to a significant breach.

Lumeta has partnered with several endpoint vendors to combat this very problem. Lumeta’s flagship product, Lumeta Spectre, recursively and authoritatively indexes all connected endpoints (plus all networks and devices), whether physical, mobile, virtual or cloud. In real time, Lumeta Spectre also detects and monitors new devices as they connect to the network. Lumeta Spectre, integrated with or working side-by-side with today’s leading endpoint security vendors, enables IT organizations to obtain real-time network visibility for endpoint security across the entire enterprise network.

Only Lumeta combines the “discovery+visibility+threat intelligence” that NO other vendor can match to discover unknown, unmanaged, rogue, and shadow IT infrastructure with instant real-time monitoring married with threat intelligence to prevent threats based on changes to dynamic network infrastructure.

With Lumeta, the Windows systems that went unpatched would have been identified and flagged well beforehand, providing an opportunity to upgrade older OS, patch existing systems and install current endpoint security tools much sooner. The affected organizations could also have better protected themselves with a tighter security and segmentation policy, both before and after IT addressed these devices. With actual real-time network and endpoint monitoring, the activity leading to the popup message would have been detected sooner as well.

Even as a newer variant of WanaCrypt is being discussed, Lumeta has the only solution to provide much more visibility into blind spots and a faster path to remediation.

Image Source: http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html

Lumeta Spectre truly provides visibility into networks, even those that extend into the cloud and connected endpoints. Our ability to discover rogue and shadow networks and endpoints, including VMs, even in the darkest corners of an organization’s infrastructure is the first factor that sets us apart from the myriad of companies that offer lots of dubious promises.

When we take that unique level of visibility and combine it with threat intelligence, we achieve a new level of what we call Cyber Situational Awareness, pioneered by Lumeta, to help security and network teams identify potentially malicious or harmful activity on the network and have the context and intelligence to detect and stop threats before a breach.

To learn more about how Lumeta’s solutions can provide better protection for endpoints, please check out the Lumeta Spectre Endpoint Solution Integration datasheet. To learn how Lumeta Spectre can provide unique network visibility paired with security intelligence to detect attacks, visit http://www.lumeta.com/products/spectre.


1. Source: 2016 Verizon Data Breach Report