Ransomware Response: Ideal versus Reality

The Rise of Ransomware and How to Combat It with AhnLab MDS

Issue 11

Contents
1 Ransomware Response: Ideal versus Reality
2 Ransomware and Advanced Malware: Different, Yet Similar
3 Are Patches and Backups the Only Solutions?
4 Ideal vs. Practical Real-time Ransomware Responses
5 Applicable to all Advanced Threat Response Solutions?
6 From the Gartner Files: A Buyer's Guide to Endpoint Protection Platforms
20 About AhnLab

Recent news articles are increasingly reporting hostage situations – these are the new "ransomware". Indeed, there has been a sharp increase in ransomware, and new ransomware and their variants continue to surface, causing damage not only to companies but also to individual users, since attackers who seek financial gain deploy ransomware indiscriminately. This newsletter introduces the latest ransomware trends and best practices for ransomware response using the AhnLab MDS (Malware Defense System).

Today, ransomware is propagating under various names based on attack method and specific actions, such as TeslaCrypt, CryptoWall and Teerac. Ransomware is a type of malware that encrypts your important files, such as documents and images, making them inaccessible. The attackers then demand a ransom to unlock the files.

It has only been in the past 1-2 years that ransomware attacks that encrypt important files and demand ransom payment have been reported and made known to the public. In terms of the history of malware, however, Trojan horses that 'encrypt files' have steadily persisted for some time. Demanding payment is also a progression from malicious software that poses as a legitimate antivirus program for financial gain, such as fake antiviruses, or as a screen-locking virus. All of these viruses share another common characteristic: they expose their purpose of attack clearly. That is, ransomware is not a totally new malware but malware that has combined the functions of existing malware. However, seeing as there is no way to restore encrypted files without paying a ransom, ransomware is particularly heinous in that it greatly frustrates individual users and organizations.

Figure 1 Ransomware Attack Process

Source: AhnLab

Ransomware and Advanced Malware: Different, Yet Similar

Security solutions for endpoints, such as the latest AV programs, respond to ransomware that can cause severe damage based on behavior-based detection or vulnerability exploit protection. However, attackers are also constantly finding ways to bypass the ever-developing security protection technology. As a result, various new ransomware and variants continually engage in cyber robbery, taking files as hostage. The reason why sophisticated endpoint security solutions fail to respond to the ever-evolving ransomware is because the malware employs various techniques used in advanced threat attacks to bypass various security solutions.

However, unlike other advanced malware, ransomware is sent to unspecified masses in quantities that are as large as possible. 'Advanced malware' hides itself for as long as possible without becoming detected, whereas ransomware exposes itself immediately after encrypting important files to demand a ransom by a set time. To prevent being exposed during the attack and payment process, attackers use a network such as HTTPS encrypted traffic or Tor, and use bitcoin for ransom payment.

Table 1. Comparison of Fake AVs, Screen-Locking Viruses, and Ransomware

Malware Type              | Fake Antivirus                                  | Screen-Locking Virus                                  | Ransomware
Malware infection         | O                                               | O                                                     | O
Payment demand            | O                                               | O                                                     | O
Symptoms                  | Irritates users with continuous popup windows   | Locks system screen or prevents re-                   | Encrypts documents and image files
Solutions without payment | - Remove fake antivirus                         | - Boot in Safe Mode > Restore system                  | - Key NOT restorable
                          | - Update antivirus to the latest version and    | - Repair with dedicated solution via flash drive      | - Limited known restoration key
                          |   repair system                                 |                                                       |

Source: AhnLab

Figure 2 Advanced Malware vs. Ransomware

Source: AhnLab

Are Patches and Backups the Only Solutions?

The latest ransomware attacks tend to use new malware and their variants to bypass antivirus programs. Since it is basically impossible to preemptively prevent and block ransomware, we can only establish a passive response strategy to minimize damages.

Unfortunately, some security vendors have misled customers into thinking that their security solutions, such as AV programs, can prevent ransomware. However, all security vendors emphasize two basic security measures in order to prevent ransomware attacks: backing up important files and applying the latest security patches.

In other words, if you can effectively apply the latest security patches on a regular basis, you may at least prevent infection – a pre-response. Even if your computer is infected by ransomware, you can minimize the damages by restoring the backed-up files – a post-response. Nevertheless, never be assured that the situation is over just because you restore

Figure 3 General Ransomware Response Process

Source: AhnLab

the encrypted files. Attackers will not just continue to wait for your payment, nor will they simply send the decryption key to victims that make the payment. Once your computer is infected by ransomware, your computer will be recognized as an easy target or as a security hole to infiltrate the entire organization for further attacks.

Ideal vs. Practical Real-time Ransomware Responses

Apart from making sure people observe security practices such as backups, patches, AV updates and in general just exercising caution, are there no technical means an IT manager can use to control ransomware attacks? Are there any ways to minimize the attacks in terms of real-time response? Let's take a look at whether a real-time response can be a practical approach.

First, let's look into the perfect real-time technical response for ransomware. Ransomware is often spread via attachments or URL links in email messages, or it can also be deployed by malicious websites that you are redirected to in various ways. At this point, you need technology that blocks suspicious email attachments or suspicious URLs. If not, the malware

Figure 4 Perfect Ransomware Prevention Process

Source: AhnLab

will break into your network. Now you need technology that uses a sandbox to detect malware at the network level. Then, when the ransomware infects the endpoint system, suspicious behavior occurs at the OS level. A 'perfect' security solution would detect file searching and diagnose behavior, such as mass file encryption, as malicious. It would then automatically detect and block suspicious behavior in real-time.

Unfortunately, there are still no perfect security solutions that can ideally respond to ransomware in real-time as described above. That is, there are no security solutions that can analyze suspicious URLs or files in real-time and block them at the network level. Also, there are no technological solutions that accurately detect and block suspicious ransomware behavior,

Figure 5 Perfect vs. Practical Response

Source: AhnLab

such as file searching and encryption at the endpoint level in real-time. Even though these technologies are implemented in security products, they may create too many false positives that are impossible for internal IT security functions to handle. Though not perfect, if a security solution can block suspicious URLs in real-time, analyze suspicious ransomware files and URLs in a virtual environment before the ransomware file is executed, and let the user decide whether to execute the file according to the results, this would be the best practice for a response process that IT managers could consider deploying in the organization.

Applicable to all Advanced Threat Response Solutions?

It is a fallacy to think that the practical real-time response process mentioned above can be implemented in all advanced threat response solutions that use a sandbox. AhnLab MDS has provided the first-ever agent among the sandbox-based advanced threat response solutions, which was designed at the very initial product planning stage, recognizing the necessity of real-time action at the endpoint level. Furthermore, since 2013, the Execution Holding feature has been provided through an MDS agent to not only detect unknown threats, but to also automatically block these threats, reflecting APT response cases and the evolving security threat trend.

The sophisticated ransomware malware functions are subdivided and modularized to bypass sandbox-based security products at the network level, and encrypted communication is also used to bypass solutions. Expensive security solutions, such as SSL proxy or decryption devices, can be additionally deployed to existing security products. However, if a non-standard encrypted protocol that does not follow the standard SSL

Figure 6 AhnLab MDS’s Execution Holding Feature

Source: AhnLab

Figure 7 AhnLab MDS Execution Holding Process for Encrypted Traffic

Source: AhnLab

certification is used, encrypted traffic cannot be decrypted. The AhnLab MDS Execution Holding feature works when traffic has been decrypted and files have been recombined at the endpoint level, so it works effectively in the encrypted traffic environment without restrictions.

Sandbox-based advanced threat response solutions are not security solutions planned and developed to detect, analyze and respond to specific malware, such as ransomware. In other words, they cannot respond 100 percent effectively to evolving ransomware, and this would be the same even for other solutions developed with new concepts.

If the victim of ransomware is not an individual user, but an organization, the organization may be deemed to be poor in managing security patches and vulnerabilities or actualizing Internet/email security policies. There is a high possibility of the organization being targeted again. The Broken Window Theory can be applied to cyber crime – if a window is broken and left unrepaired, people will think no one cares and no one is in charge; thus, the crime rate in the neighborhood will be higher. Victims of ransomware attacks may be targeted with more sophisticated attacks. What is important now is to carefully consider and select the best way to provide a maximum security effect from within the currently feasible technological boundaries.
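The behavior that the 'perfect' endpoint solution described above would flag, file searching followed by mass file encryption, written as a sliding-window detector over constructed file-activity events. This is an added example, not AhnLab or MDS code; the log format, process names and thresholds are assumptions.

```python
"""Behavior-based detector for the mass-file-encryption pattern.

Added example, not AhnLab or MDS code. Input is a constructed file-activity
log, one event per line: ts|pid|process|op|path|hexsample, where hexsample
is a sample of the bytes written (WRITE events only). A process is flagged
when, inside a short window, it touches several directories and overwrites
several files with high-entropy (ciphertext-like) content. The thresholds
and the log format are illustrative assumptions.
"""
import hashlib
import math
import posixpath
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10.0       # assumption: sliding window per process
MIN_CIPHERTEXT_WRITES = 5   # assumption
MIN_DISTINCT_DIRS = 3       # assumption
ENTROPY_THRESHOLD = 6.5     # bits/byte; 512 random bytes score about 7.6


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty sample."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_event(line: str) -> dict:
    """Split one 'ts|pid|process|op|path|hexsample' line into a dict."""
    parts = line.rstrip("\n").split("|")
    ts, pid, proc, op, path = parts[:5]
    sample = bytes.fromhex(parts[5]) if len(parts) > 5 else b""
    return {"ts": float(ts), "pid": int(pid), "proc": proc,
            "op": op, "path": path, "sample": sample}


def detect_mass_encryption(lines):
    """Return [(pid, proc, ts)] for processes matching the pattern, once per pid."""
    recent = defaultdict(lambda: {"writes": deque(), "dirs": deque()})
    alerts, flagged = [], set()
    for line in lines:
        ev = parse_event(line)
        st = recent[ev["pid"]]
        if ev["op"] == "LIST":                      # directory enumeration
            st["dirs"].append((ev["ts"], ev["path"]))
        elif ev["op"] == "WRITE":
            st["dirs"].append((ev["ts"], posixpath.dirname(ev["path"])))
            if shannon_entropy(ev["sample"]) >= ENTROPY_THRESHOLD:
                st["writes"].append((ev["ts"], ev["path"]))
        # Evict events that fell out of the sliding window.
        cutoff = ev["ts"] - WINDOW_SECONDS
        for q in (st["writes"], st["dirs"]):
            while q and q[0][0] < cutoff:
                q.popleft()
        files = {p for _, p in st["writes"]}
        dirs = {d for _, d in st["dirs"]}
        if (ev["pid"] not in flagged
                and len(files) >= MIN_CIPHERTEXT_WRITES
                and len(dirs) >= MIN_DISTINCT_DIRS):
            flagged.add(ev["pid"])
            alerts.append((ev["pid"], ev["proc"], ev["ts"]))
    return alerts


# ---- constructed sample data --------------------------------------------
def ciphertext_like(seed: str, size: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


PLAINTEXT = (b"Quarterly sales report. Revenue grew in every region. " * 10)[:512]


def sample_log():
    """Constructed log: a document editor (pid 100) and an encryptor (pid 4242)."""
    lines = ["0.0|100|winword.exe|WRITE|/home/u/docs/report.docx|" + PLAINTEXT.hex()]
    t = 1.0
    for d in ("/home/u/docs", "/home/u/photos", "/home/u/finance"):
        lines.append(f"{t:.1f}|4242|crypt.exe|LIST|{d}")
        for i in range(2):
            t += 0.2
            path = f"{d}/file{i}.locked"
            lines.append(f"{t:.1f}|4242|crypt.exe|WRITE|{path}|"
                         + ciphertext_like(path).hex())
        t += 0.2
    return lines


if __name__ == "__main__":
    for pid, proc, ts in detect_mass_encryption(sample_log()):
        print(f"ALERT t={ts:.1f}s pid={pid} {proc}: mass encryption pattern")
```

Only the encryptor is reported, and only once its fifth ciphertext-like write lands after it has touched three directories; the editor's single low-entropy write never counts.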


From the Gartner Files: A Buyer's Guide to Endpoint Protection Platforms

Endpoint protection platforms offer a diverse array of features. This guide lists the most advanced features to help buyers differentiate solutions.

Key Findings

• A wide array of endpoint protection platform (EPP) solutions are available with significant differentiation among vendors. No single vendor leads in all functional areas, so buyers need to prioritize their requirements to address the needs of their specific business, technical and regulatory environments.

Recommendations

• Give primary consideration to the malware effectiveness of a solution and the breadth and depth of non-signature-based techniques used, especially application control, malware sandboxing, vulnerability detection and full software attestation.

• Look for vendors that are investing in endpoint detection and remediation tools that have high value in detecting stealthy attacks and recovering from incidents.

• Seek out vendors that are expanding management capability and protection to alternative platforms such as Mac, virtual desktops/servers, tablets and mobile devices.

• Consider the needs of data protection when considering endpoint protection. Encryption and data loss prevention (DLP) are core functions for data protection and often provided by endpoint protection vendors. The ability to simplify client-side agents with a common management framework is an advantage, but broader enterprise DLP and encryption requirements could outweigh these advantages.

• Resist vendor packaging that includes gateway protection with endpoint protection unless there is a clear link between these products that improves overall security effectiveness. Focus on client and server as one domain and gateways as a separate domain. Resource-constrained small and midsize businesses (SMBs) may want to consider the advantages of centralized management of both domains, but must put a higher priority on the unique requirements of each domain.

Analysis

The most fundamental component of EPP suites is a collection of technical features to prevent malware infection. These tools typically include antivirus, anti-spyware, rootkit detection, host-based intrusion prevention, memory protection, behavior monitoring, port/device protection and a personal firewall. Advanced EPP suites may also include application control and malware sandboxing capability to restrict applications to known or tested applications.

The demanding management needs of large enterprises and the desire to proactively reduce the attack surface are also forcing EPP suites to replicate some PC operations infrastructure, such as security configuration management, patching and vulnerability management. Advanced solutions are starting to add capabilities to perform more ad hoc investigations. EPP vendors also offer data protection technologies, such as DLP and encryption.

As the form factor of endpoints expands beyond the traditional Wintel machines to virtual servers and desktops, tablets, Mac and mobile devices, the need to provide appropriate security utilities for these diverse operating systems is expanding.

By combining multiple technologies into a single management framework, EPPs have the promise of increasing security, while lowering complexity, cost and administrative overhead. More integrated systems will also enable the conveyance of context between different elements in the suite, providing better security.

Organizations should initially evaluate their needs across five critical capabilities:

1 Malware effectiveness — Does the solution have full security life cycle capabilities, from isolation techniques to detecting and recovering from malware incidents?

2 Manageability — How adequate is the management capability for the organization? Smaller organizations may be looking for simple set-and-forget functionality with limited options, while larger organizations may be looking for more complete capability that will be more agile.

3 Solution completeness — Does the candidate solution have the appropriate components and endpoint and server platform coverage to satisfy current and future needs?

4 Support and service — What is the ability of the vendor to provide the adequate level of support?

5 Strategic vendor status — What is the vendor's ability to service other security needs to reduce vendor management and provide future opportunities for integration and cost savings?

The major functionality components of EPP suites are listed below, with a review of the advanced capabilities of each. Organizations should use these features to build RFPs and/or scorecards to differentiate products under evaluation. No product will have all these features, so buyers must focus on features they deem valuable for their enterprise. This list is not intended to be comprehensive. It is intended to be representative of advanced functions which, when investigated, will help identify more-sophisticated solutions.

Malware Detection

As the anchor solution in EPP suites, the quality of the malware scan engine should be a major consideration in any RFP. The ability of most organizations to accurately test malware engines in real-world situations is limited at best. Moreover, none of the signature-based malware engines are ever 100% effective at detecting known threats, and accuracy at detecting new threats is only 30%. Low distribution/targeted threats are even more elusive to signature techniques:

• Test results from organizations such as AV-Comparatives.org and AV-Test Institute are useful guides on malware detection accuracy, false-positive rates and scanning speeds. In the absence of other information, good test scores are better than poor results, but buyers should beware that sample malware used in tests may not accurately reflect malware encountered in the real world, and tests do not exercise all proactive techniques for blocking malware, such as application control, vulnerability detection and configuration management, and solutions are tested with out-of-the-box configurations.

• Real-time, cloud-based look-up mechanisms should provide extensive two-way communications that share computing objects, such as files and URLs, and include metadata about these objects to improve the ability to detect and respond to new events. Vendors that offer real-time cloud-based interactions are better positioned to spot new trends and respond quicker than vendors that rely on traditional one-way database synchronization schemes.

• The capability to detect rootkits and other low-level malware once they are resident is a significant consideration. Some solutions are limited to catching only known rootkits as they install, while others have the ability to inspect raw PC resources seeking discrepancies that will indicate the presence of rootkits.

• As more malware shifts to Web distribution methods, EPP solutions should include client-based URL filtering to block clients from visiting websites that are security risks.

• Traditional antivirus systems only classify "known bad." An emerging technique we call "full software attestation" provides a classification of the entire process inventory. That is, it classifies all running processes as "good" or "bad" and provides metadata about the applications such as author, function, malware traits and prevalence. This is a valuable service because it removes the lingering doubt that an unknown malicious file is lurking on the system, by inspecting and reporting on all executable files.

Advanced Malware Protection

As previously mentioned, antivirus/anti-spyware databases are 90% to 99% effective at detecting well-known, widely circulating threats. However, they are only 20% to 50% effective at detecting new or low-volume threats. Security effectiveness is significantly enhanced by non-signature-based techniques, collectively categorized as host-based intrusion prevention systems (HIPSs), but there is no generally accepted method of testing the HIPS effectiveness of different solutions:

• HIPS techniques have no standard terminology. Consequently, it is essential for buyers to ask vendors to list and describe HIPS techniques so they can normalize the list of techniques and compare the breadth and depth of HIPS techniques across vendors. Buyers should also understand which techniques are included in the base client and those that are optional, and what, if any, additional charges are required for additional HIPS techniques. Vendors are adept at spinning minor HIPS techniques into invincible solutions. Buyers must pressure vendors to provide statistical information to illustrate the frequency at which these techniques detect unknown malware.

• Memory protection to prevent malicious code injection into common processes is a critical HIPS technique. Buyers must press vendors to explain which types of memory injection attack are blocked and what applications are protected from such attacks.

• Malware engines should also continuously monitor file objects and system resources for changes that might indicate the presence of suspicious code. Increasingly, malware solutions will store this history to perform retrospective malware encounter analysis and for malware investigations and remediation. There is an emerging endpoint detection and remediation market delivered by specialized providers. However, this technology is being adopted by leading EPP vendors.

• Journaling changes (that is, backing up files) that are generated from a low-reputation or unknown process is a critical capability for recovering from damaging malware such as cryptolocking malware.

• One very effective HIPS technique is "vulnerability shielding" (also known as "virtual patching") — that is, the ability to inspect and drop attacks based on knowledge of the specific vulnerabilities they are exploiting. This technique allows protection against attacks on known vulnerabilities before the vendor releases a patch, and buys time for patches to propagate out to all endpoints. Of particular value is a list of the actual common vulnerabilities and exposure IDs that are shielded, such that administrators know when a patch can be safely delayed.

• The simulation of unknown code before the code is executed to determine malicious intent without requiring end-user interaction with the unknown code (e.g., using static analysis, simulation or reverse compilation techniques) is another deterministic technique, but can be very resource-intensive and should be selectively used for suspicious or unknown code (see the Malware Sandbox section for off-endpoint techniques).

• Behavior-based protection is a useful tool, but can be prone to false positives unless known applications are excluded. The integration of an application control (see the Application Control section) database of known good applications with HIPS can help automatically tune HIPS features to avoid false positives and to reserve more intense inspection for unknown code.

• A core principle is that the HIPS solution must enable the administrator to choose and tune the styles of protection he or she needs based on the requirements and resources of the endpoint, and configure protection to reflect the organization's overall tolerance for risk and administrative overhead.

• Notwithstanding the previous point, the best solutions will provide preconfigured out-of-the-box templates for common application and system configurations, as well as a learning mode for enterprise environments and the ability to test policy in a log-only mode.

• Some vendors only offer binary control over HIPSs, allowing administrators to turn them on or off only. Although we do not expect IT organizations to agonize over each setting, it is important to have granular control that enables them to turn off certain rules for specific applications to accommodate false positives.

Malware Removal

Modern malware is significantly more complex than that of previous generations, often involving multiple components with sophisticated keep-alive routines. Malware removal services and support assistance can be beneficial. However, the wisest course is often to simply reimage machines. Increasingly, the use of event recording will enable better event investigation and improved malware removal.

Cryptolocker and other ransom or destructive malware (for example BKDR_WIPALL used in the hack) represent a unique new form

of malware that is not recoverable from. Some solutions offer journaling and file backup capabilities to prevent malware from performing unrecoverable changes.

Application Control

Application control describes the ability to restrict application execution to a list of known and trusted applications. The "trusted application" list can be as restrictive as the applications already installed (aka lockdown) or as loose as the known universe of cataloged trusted applications, or anything in between. Application control shifts the paradigm from "default allow" (allow any application as long as it is not known malware) to "default deny" (do not allow any application unless its provenance and reputation are known), thereby automatically blocking new or targeted malware. Even in "monitor only" mode, application control provides excellent early detection of potential malware.

Application control features to investigate include:

• The size and quality of the catalog of known "good" applications.

• How applications are identified and how they are prevented from executing (e.g., whether they block the installation of applications or just the execution).

• The ability to automatically allow sources of trusted applications (i.e., certificates, locations, processes or administrators), so that even applications not yet cataloged by the vendor can be allowed if they come from a trusted source.

• Application control should extend to the execution of browser helper objects/controls within the context of Internet Explorer or other browsers, and Java applets and other scriptable objects.

• Application control should be integrated with malware signature and HIPS engines such that the verdict of each system can be relayed to the others. For example, applications that are known good or trusted should not be blocked by HIPS, while applications that are not known may execute but with elevated HIPS protection.

• Unknown applications should be able to be automatically submitted to a cloud or local malware sandbox for analysis.

• The workflow for users requesting the use of an unknown application should be integrated into the help desk ticketing system and provide sufficient context for the help desk to make an educated decision.

• Support for Windows endpoints at a minimum, including XP and 2002, as well as optional support for Macintosh and Linux.

Malware Sandbox

A malware sandbox is a centralized resource that can execute suspect code in a virtual environment and make an automatic determination of whether it is malicious. Sandboxes are an early-stage optional endpoint component of an EPP, but are rapidly gaining mainstream adoption.

Features to look for in a malware sandbox include:

• Centralized deployment or cloud-based deployment is preferable to deployments that must be in tap mode on specific network segments

• Ability to store multiple customizable virtual images to match the enterprise gold image and the ability to maintain images in sync with enterprise patch activities

• Ability to inspect multiple executable file types including documents and interpreted code such as Java

• Automated and manual methods to submit code to the malware sandbox, that is, the ability for endpoints or network agents to automatically submit unknown code to the sandbox, and for administrators to manually submit code

• Evasion detection techniques are important to detect malicious code that does not exhibit malicious behaviors if it suspects it is running in a sandbox

• Integration with object reputation databases (that is, "good" application and malware databases) helps conserve resources by eliminating known good or known malicious programs from the behavior analysis system

• Comprehensive reporting that describes the actions and metadata of the sample and why it reached the verdict

• Queue management functions that enable administrators to set wait times before allowing local execution, and user display functions that help users understand what is happening while they wait for local execution

Vulnerability Management

We know that unpatched vulnerabilities are the most common attack technique. Detecting and patching known vulnerabilities is the most effective method of blocking known malware. Larger organizations often use dedicated vulnerability assessment tools. However, EPP features that provide insight into known vulnerable applications, particularly those that are frequently exploited by malware, are a useful tool to understand the security state of the endpoints and to oversee operations teams that may have a different agenda than security. Organizations that do not have a dedicated vulnerability assessment tool will find EPP solutions to be adequate for the purpose of deflecting endpoint malware. Vulnerability assessment features should:

• Address, at a minimum, the most commonly exploited applications and not just patches

• Provide insight into the number and the severity of vulnerabilities as well as provide a prioritized list of software to patch to provide the maximum impact on security

• Be combined with patch capability to remediate endpoints or, at a minimum, a link to the appropriate patch

• Cross-reference unpatched vulnerabilities with shields (for those that include vulnerability shields) so administrators know which vulnerabilities are actually shielded

Manageability and Scalability

Reduced administration overhead is one of the top concerns of EPP administrators. An effective task-oriented graphical user interface (GUI) and comprehensive management interface will offer lower total cost of ownership. Gartner recommends creating a list of the top 10 to 20 most common or critical tasks (see Note 1), and using this list as a guideline for comparison testing and demonstration of solutions. Required management capabilities will depend heavily on the enterprise's specific needs and available technical skill sets. Advanced capabilities will include:

• Level of integration between components, which is of critical consideration when selecting suites: Integration at a reporting layer is easy to achieve, integration of policy is harder, but most important is the ability to share context between components. Look for concrete examples of components enhancing the security state by operating together rather than independently. For example, the integration of an application control database with HIPS behavior monitoring enables more restrictive behavior-based policies for unknown applications.

• Varied degrees of management and reporting integration into a common centralized management console: Consider the look and feel of management pages and the ability to transition from dashboards to the configuration or remediation of indicated problems.

• A home page dashboard of real-time events and trending information that enables rapid troubleshooting of event or server issues: Ideally, dashboard elements should be actionable so that clicking on an event or graph will initiate steps to better understand the issues. More-advanced management interfaces allow for easily clicking through from the dashboard to more detail and problem resolution options (see below for more dashboard features).

• Range of client information, which can be collected and reported to the management server, is a growing differentiator: Most EPP suites will collect information only about the status of the EPP suite. However, as endpoint hygiene becomes more critical, the status of patch levels, configuration information, software inventory and vulnerability information is becoming more important. Event information storage that enables better investigation and remediation capabilities will be a critical differentiator as EPP vendors integrate endpoint detection and remediation capabilities.

• Reporting that enables multiple devices to be linked to a particular user: This is a good indication of the degree of integration of mobile device management (MDM)/enterprise mobility management (EMM) functionality.

• Multiple directory integration options (i.e., Microsoft Active Directory [AD], Lightweight Directory Access Protocol [LDAP]) and the ability to integrate with multiple directories and traverse directories to find user groups and information.

• Methods to combine directory, device and event information to create dynamic groups are very useful for creating flexible policy: Dynamic tags allow for alert prioritization and automatic policy implementation when event thresholds are exceeded.

• A “wizard”-type installation mechanism that provides optimal default settings for different-sized environments and different types of endpoints, as well as one that automatically adds licensed entitlements, is very useful for reducing the implementation overhead.

• Ability to automatically and natively distribute the full client agent and remove competing products is a differentiator: Some solutions simply provide an .msi file for manual distribution by other software distribution tools.

• Task-based (not feature-based) management GUI that simplifies management by hiding complexity, but also gives more technically skilled users the ability to drill down into granular detail (see Note 2).

• Solutions that provide native management server redundancy: For example, load-balancing, active/active clustering within and across LANs, or automatic active/standby failover — without a single point of failure.

• Centralized management with automatic configuration and policy synchronization among management servers in large deployments.

• Threshold alerting capabilities — including email, SMS and Simple Network Management Protocol (SNMP) — and threshold alerts for dashboard statistics and policy threshold alerts: Ideally, threshold alerts should be proportional as well as deterministic, that is, alert when a parameter exceeds normal by X percent rather than when it reaches a numeric value of X.

• Granular, role-based administration, ideally with both predefined roles and the capability to customize and add and remove options: It should be possible to limit data visibility to only the groups that the role is managing.

• Ability to create different management GUI workspace views (for example, administrator or help desk view), with the ability for users to adjust their default views a plus.

• A task/context-based help function, with recommended settings for Web configuration options.

• Configuration backup and configuration preservation between version upgrades.

• Management server that can collect client status information in real time, rather than in scheduled delta updates: The ability to collect information from mobile endpoints that are not connected to the network that hosts the management server is a significant differentiator.

• Policy creation that is object-oriented so that policy elements can be created once and used in multiple policy instances (see Note 4): For example, the definition of off-LAN can be created once and reused in multiple policies such as firewall/Wi-Fi policy and update server location. Policies should also be able to inherit the attributes of a higher-level policy without recreating the higher-level policy, with the ability to break this inheritance when necessary. This makes exceptions easier to create and manage.

• Solutions that offer a human-readable printable policy summary for audit and troubleshooting purposes.

• EPP solutions with a complete audit log of policy changes, especially those with extensive role-based administration and delegated end-user administration.

• A customizable toolbox element that allows the consolidation of common tasks into a single user-defined menu.

• Globalization: In addition to global support and centralized management and reporting, look for local language support for the management interface and end-user interface.

• Policy (see Note 3) in a single view with intelligent drop-down pick lists and fields that change based on previous optional selections: Avoid solutions that have multiple popup windows or require visiting several tabs to create a single policy.

• Management system that can automatically detect new/rogue endpoints that do not have an EPP client installed: This function may be integrated into network access control (NAC). However, it should

not be dependent on NAC and should be able to detect clients that have already joined the domain.

• Some solutions offer a software-as-a-service (SaaS)-based managed console to eliminate the need for a dedicated server for managing endpoints: This feature is more useful for SMBs and regional offices. Ensure that vendors are clear on the level of integration between the SaaS management and on-premises management servers. Also, insist on a list of the functional differences between SaaS-based consoles and on-premises-based ones. For example, SaaS consoles cannot typically find rogue machines that do not have the client installed.

• The typical ratio of management servers to clients in practice, and the factors that affect this ratio, are important considerations for large enterprises and will impact the total cost of ownership (TCO): For smaller organizations, the management server should work on a shared server or a virtualized server.

• Ability to stage and phase the rollout of signatures or policies and to roll back changes quickly is important: Fewer users test signatures before deploying them.

• The number of required clients and the client disk and memory footprint are good indicators of the level of integration between EPP components, as well as the efficiency of the client: Ideal solutions will provide a single consolidated agent whose component parts can be remotely enabled and disabled.

• Client interface that is adaptable to enable a full range of delegated control for end users: Advanced solutions allow administrators to delegate or restrict any client option.

• Options to limit the client impact of scheduled scans are a significant differentiator: Scheduled scans are one of the most annoying aspects of signature-based anti-malware. Advanced features include the ability to delay scans based on battery life or running process or CPU utilization. More rare is the ability to “wake and scan” PCs in off hours. Scheduled memory scans should be independent of disk scans.

• Administration is simplified when solutions include protection for a broad range of platforms, including Macintosh, Android and Linux, and specialized servers, such as SharePoint, Exchange and virtual servers, from a single management console.

Dashboard and Reporting Capabilities

Real-time dashboard and analytics capabilities are a key differentiator of current EPP solutions and will become increasingly important in the shift to continuous monitoring and long-term data retention. For example:

• Dashboards should provide a real-time prioritized list of actions and alerts that need the attention of security and operations administration — what we like to call the “cup of coffee” screen. At its most basic, it should provide a list of suggested actions and graphical views of anomalies worthy of investigation.

• Management dashboards should provide continuous display of key performance metrics, such as dwell time, vulnerabilities outstanding, time to containment, remediated infections, most dangerous users/groups, and threat type distribution, as well as summary info of the operations dashboard. Comparisons to global, local and vertical industry norms would be beneficial.

• Dashboards should offer data feeds with relevant external news, such as global malware activity, or additional context, such as malware family and relevant URLs and IP addresses; vulnerability information or other events are also desirable. External trending information enables administrators to better understand internal activity levels and compare them to global events.

• Dashboards should be administrator-customizable, so that the information that is most relevant can move up to the top of the page, and display options (such as pie charts, bar charts and tables) should be configurable so that information can be displayed in the format that specific administrators need.

• Reports and dashboards should include trending information against customizable parameters. For example, create a dashboard view or report that shows the percentage compliance against a specific configuration policy over time.

• Dashboard information should always offer one-click detail to enable administrators to quickly drill down into detail, rather than

forcing them to switch to the reporting application and manually select the appropriate report and recreate the parameters that include the condition they are interested in investigating.

• Dashboards should also offer quick links to remediation actions (i.e., clean, quarantine, patch or distribute software), as well as quick links to other resources, such as malware wikis, to resolve alerts.

• Solutions should include the ability to import or export data and alerts with security information management systems or other reporting systems.

• Reporting engines should be capable of running on-box for smaller solutions or moving to a centralized reporting server for consolidation and storage of multiple management servers’ log information without changing the look and feel of the reports.

• Dashboards should have the ability to create custom reports — in HTML, XML, CSV and PDF output types — save them and schedule them for distribution via email or FTP, or move them to a network directory. The ability to put multiple reports together in a report package and schedule it for distribution is a more advanced feature.

• Databases must enable rapid report queries and the ability to store historical data for long-term storage in a standard format. Bonus points for natural language query capabilities.

• Latency of the data should be customizable (i.e., faster refresh rate) with minimal network impact. Real-time queries against live data will be increasingly critical.

• Reporting engines should include a facility for creation of completely ad hoc reports similar to SQL queries, rather than just modification of the parameters of predeveloped reports.

• More-advanced solutions will include analytics cubes that enable very complex queries that answer specific questions — for example: “show number of users in active directory group ‘finance’ that have an unencrypted laptop that has had more than three infections in the last two years.”

Virtualization Support

Virtualization has become ubiquitous in modern data centers (desktop and server), and nearly every EPP vendor offers some form of support for running their solution in a virtualized environment. However, there are some key differences, and before looking at vendor solutions, buyers must understand their organization’s approach to and use of virtual servers.

The first consideration is whether it is a full virtualization solution, where each system gets its own virtual machine (VM) and its own copy of an OS, or the older terminal services model, where a single copy of Windows is used in a multitenant fashion to support multiple simultaneous sessions. The distinction is important because while most vendors support their EPP agents running in a full VM, they may or may not have redesigned their offering to run in a terminal services environment.

Most new virtualization deployments today use a model where each server or desktop has its own full copy of an OS. Because the guest is essentially identical to the OS that runs on a physical device, most vendors will state they support running their agent in a VM. However, the reality is that there are substantial differences between different EPP vendors’ support of virtual environments. Simply running unmodified EPP agents in virtual machines can create significant resource contention issues. For example, if all the signature files of an agent are updated at once across hundreds of VMs, or if anti-malware scanning of the VMs kicks in all at the same time, the impact on network bandwidth, CPU utilization and storage input/output can be significant. Because of this, a poorly implemented EPP solution can reduce VM density and negatively affect the overall TCO of the virtualization project.

At an absolute minimum, EPP solutions should support:

• Randomized scanning, in which the scheduled scanning is “randomized” so that all scans do not kick off at the same time.

• Signature files (commonly referred to as DAT files), which should not all update at the same time; ideally, these can be delivered once and shared either directly or copied in a peer-to-peer fashion among VMs, reducing bandwidth requirements during updates.

• Gold image files, which ideally should be cached so they are not rescanned if unchanged.

• Configuration testing for organizations implementing “thin provisioning,” where the VM images are reset back to a known good state on each reboot. The configuration should be tested to understand how the signature files will be updated on each machine reboot and subsequent regeneration. This process can create issues if all users log in at the same time in the morning and a new session is generated, requiring an update of the DAT file if it is provisioned from an out-of-date source.

More advanced solutions will offer centralized scanning by exploiting the hypervisor-level application programming interfaces (APIs) opened up by VMware to perform “agentless” scanning (the term agentless is somewhat of a misnomer, as there is stub code placed into each VM by VMware’s tools). Using this approach, the file-based anti-malware scanning can be offloaded to a “security VM” that coordinates the anti-malware scanning on all virtual hosts. Additional features to look for in agentless scanning include:

• Support for agentless anti-malware scanning using the VMware hypervisor APIs

• Agentless file integrity monitoring and agentless access to network streams for firewalling and IPS exploiting VMware APIs

In a Microsoft Hyper-V environment, Microsoft has not delivered an equivalent for agentless malware scanning, but one of Microsoft’s partners, 5nine Software, has implemented this using licensed signatures.

Using hypervisor-specific APIs has its pros and cons. On the positive side, resource contention can be greatly reduced. However, on the negative side, you are creating lock-in to the vendor’s hypervisor platform. Another negative is that your capabilities are limited to what is exposed by the APIs. For example, behavioral and memory protection as well as application control aren’t yet exposed via the VMware APIs, so the EPP solution loses these capabilities unless an additional agent is introduced.

For this reason, some of the EPP vendors have implemented “hybrid” architectures where a small agent in each VM coordinates with a master “security VM” running separately. This combination can centralize anti-malware scanning but keep a small local agent for behavioral and memory protection. This hybrid approach has several benefits:

• The small local agent can perform inspection not possible using the hypervisor APIs

• The EPP solution can be architected to be hypervisor-neutral and therefore run in VMware, Hyper-V, KVM and other virtualization environments.

Likewise, the EPP solution can be run in public clouds where VMs are used, but where none of the leading infrastructure-as-a-service (IaaS) providers offer hypervisor-level API access due to security concerns.

Even if hypervisor-specific APIs are used locally and agent-based protection is used in public clouds, the agent and management infrastructure should be architected to provide a single pane of glass for managing agents seamlessly across hybrid physical, virtual and cloud-based infrastructure, without requiring different consoles for configuring policy and viewing security events.

Finally, licensing models should favor simplicity. In most cases, the EPP provider will charge the same amount for all endpoints, physical or virtual, easing the complexity of licensing for enterprises. Cloud virtual deployments that auto-scale should be capable of accounting for utilization bursts without excessive auditing requirements or over-capacity buying (see Note 5 for an additional checklist for virtualization protection solutions).

Data Encryption and DLP

As organizations become increasingly concerned about data loss, EPP vendors are advancing data protection through endpoint data encryption and DLP capability. Many EPP vendors are selling encryption in the related mobile data protection market and are successful

in selling both stand-alone and suite installations. Some EPP DLP solutions are components of broader enterprise DLP solutions, while others are stand-alone endpoint-only solutions. Endpoint DLP that is integrated into the EPP suite offers the promise of more content-aware port/firewall and encryption policies, simplified agent management and distribution, and lower cost. Stand-alone EPP DLP will likely satisfy many businesses’ early needs but may not be suitable for more-ambitious future data protection plans. Buyers should certainly evaluate prospective EPP DLP capabilities and the vendor’s longer-term road maps to determine how well they align with business needs.

Mobile data protection (encryption solutions) does not need to be tightly integrated with EPP solutions. However, there are administrative and cost savings when they are integrated. Moreover, integration of port control to selectively enable removable storage with DLP and encryption enables policies based on the content of the files in use — for example, forcing encryption on a file transferred to a USB drive if it contains sensitive information.

Enterprise Mobility Management and Protection

As more endpoints in organizations take the form of mobile devices and mobile operating systems, EPP vendors are responding with protection and management features for these platforms. Since the mobile OSs (primarily Android and iOS) are more secure out of the box, protection typically takes the form of managing the protection features built into the mobile OS, which is generally referred to as “mobile device management” and now “enterprise mobility management”. EMM functionality is not well-integrated into EPP suites, although several vendors have made investments in solutions with plans to integrate this functionality. Consider the following when looking at EMM functionality:

• Proactive auditing and upward reporting of the status of system encryption policies

• Policy support that takes advantage of all management capabilities in a given platform

• Proactive detection and countermeasures for “jailbreaking,” rooting and data leakage prevention

• Support for three major mobile platforms (Android, iOS, Windows), realizing that this is not a monolithic challenge

In addition to EMM, EPP suites also offer antivirus protection for these platforms. The traditional approach of only identifying malicious applications is tempting at this early stage of the market; however, an application control approach that catalogs all aspects of both good and bad apps will have more long-term business value. Security risks will extend to applications that leak sensitive or private information, create back doors to corporate resources, have no business value or may increase legal risk. Vendors like Appthority have created the mobile application catalog; however, few EPP vendors have made the investment in creating a mobile application catalog or licensing one yet — but that is the desired direction.

Service and Support

Service and support are essential concerns for secure endpoint protection suites, as they are for any business-critical technology. Capabilities to consider include:

• Dedicated product engineers’ resources or direct access to Level 2 support

• Global support presence with local language support engineers in necessary geographies

• Evidence of extended tenure of support staff

• Vendor willingness to agree to high service-level agreements for callback responses

• SLAs for the production of signatures for unique malware discovered in the enterprise network

• Support resources, including user forums, best-practice guidance and white papers

• Installation assistance and training

• Clear and consistent escalation policies
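The threshold-alerting requirement in the management-console section above asks for alerts that are proportional as well as deterministic. The block below is an added illustration of that distinction (it is not Gartner's text or any EPP vendor's code): it evaluates one dashboard statistic against a fixed numeric limit X and against an X-percent excursion from the metric's own baseline. The metric name, the hourly infection counts for two sites and the limits are constructed for the example.

```python
"""Deterministic vs. proportional threshold alerts on a dashboard statistic."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    metric: str
    rule: str          # "deterministic" or "proportional"
    value: float
    reference: float   # the fixed limit, or the baseline the value was compared with
    message: str


def deterministic_alert(metric: str, value: float, limit: float) -> Optional[Alert]:
    """Fire when the statistic reaches a fixed numeric value X."""
    if value >= limit:
        return Alert(metric, "deterministic", value, limit,
                     f"{metric}={value:g} reached fixed limit {limit:g}")
    return None


def proportional_alert(metric: str, history: List[float], value: float,
                       pct: float) -> Optional[Alert]:
    """Fire when the statistic exceeds its recent baseline (mean of history) by more than pct percent.

    Edge cases: with no history there is no baseline, so nothing fires; with a zero
    baseline any positive value is treated as an excursion (growth is unbounded).
    """
    if not history:
        return None
    baseline = mean(history)
    if baseline == 0:
        exceeded = value > 0
        growth = float("inf") if exceeded else 0.0
    else:
        growth = (value - baseline) / baseline * 100.0
        exceeded = growth > pct
    if exceeded:
        return Alert(metric, "proportional", value, baseline,
                     f"{metric}={value:g} is {growth:.0f}% above baseline {baseline:g} (limit {pct:g}%)")
    return None


def evaluate(metric: str, history: List[float], value: float,
             limit: float, pct: float) -> List[Alert]:
    """Run both rules and return whichever fired."""
    candidates = [deterministic_alert(metric, value, limit),
                  proportional_alert(metric, history, value, pct)]
    return [a for a in candidates if a is not None]


# Constructed hourly infection counts (assumed sample data) for two sites that
# share the same fixed limit X = 20 and the same proportional limit of 50%.
SMALL_SITE_HISTORY = [2, 3, 2, 4, 3]        # baseline 2.8
LARGE_SITE_HISTORY = [40, 45, 50, 42, 48]   # baseline 45


def demo() -> Dict[str, List[str]]:
    """Which rule fires at each site for this hour's count."""
    small = evaluate("infections_per_hour", SMALL_SITE_HISTORY, 6, limit=20, pct=50)
    large = evaluate("infections_per_hour", LARGE_SITE_HISTORY, 52, limit=20, pct=50)
    return {"small": [a.rule for a in small], "large": [a.rule for a in large]}


if __name__ == "__main__":
    for site, rules in demo().items():
        print(site, rules)
```

The small site more than doubles its normal rate but never reaches X = 20, so only the proportional rule notices it; the large site crosses 20 on an ordinary day, so the fixed limit produces noise there. That is why the guide asks for both kinds of threshold.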
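The Dashboard and Reporting section above asks for ad hoc reports "similar to SQL queries" and gives the question "show number of users in active directory group 'finance' that have an unencrypted laptop that has had more than three infections in the last two years." The following added example (not Gartner's or any vendor's reporting engine) answers exactly that question as a parameterised SQL query over a small reporting schema of users, endpoints and infections; the schema, the in-memory SQLite database and all rows are constructed for the example, and a second query lists endpoints seen without an EPP agent.

```python
"""Ad hoc EPP reporting queries over a constructed reporting database."""
import sqlite3
from datetime import date
from typing import List, Tuple

SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    ad_group TEXT NOT NULL             -- Active Directory group of the user
);
CREATE TABLE endpoints (
    endpoint_id     INTEGER PRIMARY KEY,
    hostname        TEXT NOT NULL,
    user_id         INTEGER REFERENCES users(user_id),
    is_laptop       INTEGER NOT NULL,  -- 1 = laptop, 0 = desktop/server
    disk_encrypted  INTEGER NOT NULL,  -- 1 = full-disk encryption reported active
    agent_installed INTEGER NOT NULL   -- 0 = seen on the network without an EPP client
);
CREATE TABLE infections (
    infection_id INTEGER PRIMARY KEY,
    endpoint_id  INTEGER REFERENCES endpoints(endpoint_id),
    detected_on  TEXT NOT NULL         -- ISO date, so text comparison orders by date
);
"""

# Constructed sample rows (names, hostnames and dates are invented).
USERS = [(1, "alice", "finance"), (2, "bob", "finance"),
         (3, "carol", "engineering"), (4, "dave", "finance")]
ENDPOINTS = [
    (10, "FIN-LT-01", 1, 1, 0, 1),  # alice: unencrypted laptop, agent present
    (11, "FIN-LT-02", 2, 1, 1, 1),  # bob: laptop, but disk is encrypted
    (12, "ENG-LT-03", 3, 1, 0, 1),  # carol: unencrypted laptop, not in finance
    (13, "FIN-DT-04", 4, 0, 0, 1),  # dave: desktop, not a laptop
    (14, "FIN-LT-05", 4, 1, 0, 0),  # dave: unencrypted laptop with no EPP agent
]
INFECTIONS = [
    (100, 10, "2014-03-01"), (101, 10, "2014-09-15"), (102, 10, "2015-02-10"),
    (103, 10, "2015-11-30"), (104, 10, "2012-01-05"),  # alice: 4 in window, 1 too old
    (110, 11, "2015-01-01"), (111, 11, "2015-03-01"), (112, 11, "2015-05-01"),
    (113, 11, "2015-07-01"),                            # bob: 4 in window, but encrypted
    (120, 12, "2014-06-01"), (121, 12, "2014-07-01"), (122, 12, "2015-08-01"),
    (123, 12, "2015-09-01"),                            # carol: 4 in window, wrong group
    (140, 14, "2015-02-02"), (141, 14, "2015-04-04"), (142, 14, "2015-06-06"),  # dave: only 3
]

REPEAT_INFECTION_QUERY = """
SELECT u.name, e.hostname, COUNT(i.infection_id) AS infections
FROM users u
JOIN endpoints  e ON e.user_id = u.user_id
JOIN infections i ON i.endpoint_id = e.endpoint_id
WHERE u.ad_group = ?
  AND e.is_laptop = 1
  AND e.disk_encrypted = 0
  AND i.detected_on >= ?
GROUP BY u.user_id, e.endpoint_id
HAVING COUNT(i.infection_id) > ?
ORDER BY infections DESC, u.name
"""


def build_demo_db() -> sqlite3.Connection:
    """Create the in-memory reporting database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?, ?, ?, ?)", ENDPOINTS)
    conn.executemany("INSERT INTO infections VALUES (?, ?, ?)", INFECTIONS)
    conn.commit()
    return conn


def years_before(as_of: str, years: int) -> str:
    """Start of a 'last N years' window; 29 February falls back to 28 February."""
    d = date.fromisoformat(as_of)
    try:
        return d.replace(year=d.year - years).isoformat()
    except ValueError:
        return d.replace(year=d.year - years, day=28).isoformat()


def repeat_infections(conn: sqlite3.Connection, group: str = "finance",
                      as_of: str = "2016-01-01", years: int = 2,
                      more_than: int = 3) -> List[Tuple[str, str, int]]:
    """Users in `group` with an unencrypted laptop that had more than `more_than`
    infections in the `years` before `as_of` (the question from the text)."""
    window_start = years_before(as_of, years)
    return conn.execute(REPEAT_INFECTION_QUERY, (group, window_start, more_than)).fetchall()


def rogue_endpoints(conn: sqlite3.Connection) -> List[str]:
    """Endpoints seen on the network that report no EPP agent."""
    rows = conn.execute("SELECT hostname FROM endpoints WHERE agent_installed = 0 ORDER BY hostname")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    print(repeat_infections(db))   # [('alice', 'FIN-LT-01', 4)]
    print(rogue_endpoints(db))     # ['FIN-LT-05']
```

Each filter in the question maps to one predicate, the "more than three" condition lives in HAVING because it applies to the aggregated count, and the group, window and count are parameters rather than constants, which is what separates an ad hoc report from a canned one with adjustable fields.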

Note 1. Sample Critical Tasks

Common tasks might include:

• Review home page dashboard, paying particular attention to the placement of indicators that illustrate negative changes in the security posture of endpoints. Look for direct links to more information, recommendations and action steps to resolve events.

• Identify patterns of noncompliance. Some users, workgroups or tasks may cause repeat occurrences of policy violations that can be recognized by historical event analysis.

• Tour the report center, create a custom report and schedule it for delivery to an email box or Web server/portal.

• Show alert configuration capability, and integrate an alert with an external subscriber identity module.

• Show real-time data that lists clients on a network that do not have an EPP agent installed.

• Create or edit the policy elements that can be delegated (or restricted) to end users.

• Create or edit the policy configuration for client update distribution and step through policy creation.

• Create or edit the policy to automatically push the EPP client to an endpoint that does not have it installed.

• Configure scheduled scans for endpoints. Focus on the ability to limit CPU utilization, and delegate the ability for end users to delay scan execution.

• Create or edit the port (i.e., USB, CDs, infrared) control configuration. Pay particular attention to the granularity of the restrictions and the linkage to file types and encryption, if any.

• Create or edit VPN policy (i.e., deny split tunneling) for a specific active directory group.

• Create or edit location-based policy, and pay attention to the level of automation in selecting when a policy should be invoked.

• Create or edit a Wi-Fi-specific policy.

• Create or edit a whitelisting and/or lockdown configuration for a certain group of PCs. Add a new executable program to the whitelist. Autogenerate a whitelist from the installed applications on a PC. Authorize a software distribution method and directory as a whitelisted source of applications.

• Show a single-page summary of client configuration information, and print it for review.

• Review HIPS policy configuration and step through the false-positive-handling process, including deactivating a specific HIPS rule for a specific application.

• Edit role-based administration and hierarchical administration to add a new role.

Note 2. Evaluating a Task-Based System

A task-based system can be evaluated by creating a list of common tasks and comparing the number of steps required to complete each task.

Note 3. Choosing an Enterprise’s Policy Interface

An enterprise’s policy interface — like its policies — should be chosen fundamentally to address the needs of the business. Excessively complex and technical policy interfaces and reporting will force IT to interpret and implement business policy, increasing both workload and the potential for errors and miscommunication. A policy interface should be intuitive and usable by nontechnical business personnel — for example, HR and legal staff. A good way to test the usability of an interface is to give such personnel an opportunity to test it.

Note 4. Reusable Policy Objects

Reusable policy objects are critical to the creation of a scalable policy environment. Objects such as dictionaries should be separate referenced databases, files or subroutines, so that they can be reused in multiple policies but updated centrally. Policies that use hard-coded objects require administrators to update multiple policies to make a simple change.
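Note 4 and the object-oriented policy requirement in the management-console section (create the off-LAN definition once, reuse it in firewall/Wi-Fi and update-server policy, inherit from a higher-level policy, break inheritance for exceptions) describe a policy data model. The block below is an added sketch of that model (not Gartner's text or any EPP product's implementation): objects live in one central store and policies hold references to them, child policies inherit their parent's attributes unless overridden, and breaking inheritance pins an attribute so later parent edits do not flow down while central object updates still do. Object names, policy names and attribute names are assumptions made up for the example.

```python
"""Reusable policy objects, policy inheritance and broken inheritance."""
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass(frozen=True)
class Ref:
    """Reference to a centrally stored object, resolved when a policy is evaluated."""
    name: str


class ObjectStore:
    """Central store of reusable policy objects (network definitions, dictionaries, ...)."""

    def __init__(self) -> None:
        self._objects: Dict[str, Any] = {}

    def define(self, name: str, value: Any) -> None:
        # One edit here reaches every policy that references the object.
        self._objects[name] = value

    def resolve(self, value: Any) -> Any:
        if isinstance(value, Ref):
            if value.name not in self._objects:
                raise KeyError(f"policy references undefined object {value.name!r}")
            return self._objects[value.name]
        return value


class Policy:
    """A policy inherits every attribute of its parent unless it overrides the
    attribute or has explicitly broken inheritance for it."""

    def __init__(self, name: str, store: ObjectStore, parent: Optional["Policy"] = None) -> None:
        self.name, self.store, self.parent = name, store, parent
        self._own: Dict[str, Any] = {}      # attributes set directly on this policy
        self._frozen: Dict[str, Any] = {}   # attributes detached from the parent

    def set(self, attr: str, value: Any) -> None:
        self._own[attr] = value

    def break_inheritance(self, attr: str) -> None:
        """Keep the value currently inherited for attr, but stop tracking later parent
        changes. A Ref stays a Ref, so central object updates still apply."""
        if self.parent is None:
            raise ValueError(f"{self.name} has no parent to detach from")
        self._frozen[attr] = self.parent._raw_effective()[attr]

    def restore_inheritance(self, attr: str) -> None:
        self._frozen.pop(attr, None)

    def _raw_effective(self) -> Dict[str, Any]:
        merged = self.parent._raw_effective() if self.parent else {}
        merged.update(self._frozen)
        merged.update(self._own)
        return merged

    def effective(self) -> Dict[str, Any]:
        """Resolved settings: inheritance applied, references replaced by current objects."""
        return {k: self.store.resolve(v) for k, v in self._raw_effective().items()}


def run_scenario() -> Dict[str, Any]:
    """Walk through the reuse, override, central update and exception cases."""
    store = ObjectStore()
    store.define("off_lan", {"not_on_dns_suffix": "corp.example"})
    corporate = Policy("corporate", store)
    corporate.set("firewall_profile_when", Ref("off_lan"))        # one object, reused twice
    corporate.set("update_server_fallback_when", Ref("off_lan"))
    corporate.set("update_server", "updates.corp.example")
    corporate.set("usb_storage", "allow")
    finance = Policy("finance", store, parent=corporate)
    finance.set("usb_storage", "deny")                            # override: stricter
    branch = Policy("branch-office", store, parent=corporate)
    branch.break_inheritance("update_server")                     # exception: keep current server
    out: Dict[str, Any] = {"finance_usb": finance.effective()["usb_storage"],
                           "branch_usb": branch.effective()["usb_storage"]}
    # Central update of the object: every referencing policy sees it, detached or not.
    store.define("off_lan", {"not_on_dns_suffix": "corp.example", "not_on_subnet": "10.0.0.0/8"})
    out["branch_follows_object"] = branch.effective()["firewall_profile_when"]["not_on_subnet"] == "10.0.0.0/8"
    # Parent policy change: finance inherits it, the detached branch office does not.
    corporate.set("update_server", "updates-2.corp.example")
    out["finance_update_server"] = finance.effective()["update_server"]
    out["branch_update_server"] = branch.effective()["update_server"]
    branch.restore_inheritance("update_server")
    out["branch_after_restore"] = branch.effective()["update_server"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit-log requirement from the same section follows naturally from this shape: `define`, `set` and `break_inheritance` are the only mutation points, so each is a single place to record who changed what.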

Note 5. Checklist for Virtual System Support

• Which terminal services and virtualized environments are explicitly supported by the vendor?

• Does the support go beyond staggered scanning?

• How are DAT files updated across VMs?

• Is the agent architecture different than the one used for physical endpoints?

• Are hypervisor-specific APIs used and have you considered the pros/cons of this approach, including vendor lock-in?

• Does the EPP offer less functionality when running virtualized? What functionality is lost?

• Does the vendor offer a hypervisor-neutral option?

• Does the vendor offer a hybrid light agent/coordinating security VM option?

• Is the same management console used across physical/virtual?

• What is the EPP vendor’s strategy for protecting workloads in public cloud IaaS?

• What public cloud IaaS providers are explicitly supported?

• For highly variable public cloud IaaS models, does the vendor offer usage-based licensing, per month or per hour?
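Note 5's "Does the support go beyond staggered scanning?" refers back to the minimum requirement in Virtualization Support that scheduled scans be "randomized" so they do not all kick off at once on a host. The block below is an added illustration of one way a scheduler can meet that requirement (it is not Gartner's text or any EPP vendor's scheduler): each VM is hashed to a stable offset inside the scan window, and a per-host cap on concurrent scans delays any VM whose slot would exceed it. The host and VM names, the window, scan duration and cap are constructed for the example.

```python
"""Staggered scan scheduling for VMs that share a hypervisor host."""
import hashlib
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed inventory: hypervisor host -> VM ids (invented names).
DEMO_INVENTORY: Dict[str, List[str]] = {
    "esx-01": [f"fin-vdi-{n:02d}" for n in range(1, 9)],   # 8 desktops on one host
    "esx-02": ["web-01", "web-02", "db-01"],
}


def stable_offset_seconds(vm_id: str, window_seconds: int) -> int:
    """Hash the VM id into the window. VMs land at unrelated offsets, yet each VM
    keeps the same slot every night, so the schedule is predictable and auditable."""
    digest = hashlib.sha256(vm_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % window_seconds


def schedule_scans(inventory: Dict[str, List[str]], window_start: datetime,
                   window_seconds: int, scan_seconds: int,
                   max_concurrent: int) -> Dict[str, datetime]:
    """Assign a start time per VM. If a host already has max_concurrent scans
    that would still be running, the next VM waits for the earliest to finish.
    The check counts every earlier-placed scan ending after the candidate start,
    which is conservative: it can delay a VM unnecessarily but never exceeds the cap."""
    schedule: Dict[str, datetime] = {}
    for vms in inventory.values():
        placed_ends: List[datetime] = []      # end times of scans already placed on this host
        for vm in sorted(vms, key=lambda v: (stable_offset_seconds(v, window_seconds), v)):
            start = window_start + timedelta(seconds=stable_offset_seconds(vm, window_seconds))
            while True:
                active = [end for end in placed_ends if end > start]
                if len(active) < max_concurrent:
                    break
                start = min(active)           # wait for the earliest running scan
            placed_ends.append(start + timedelta(seconds=scan_seconds))
            schedule[vm] = start
    return schedule


def peak_concurrency(starts: List[datetime], scan_seconds: int) -> int:
    """Largest number of scans running at the same instant among the given starts."""
    events = []
    for s in starts:
        events.append((s, 1))
        events.append((s + timedelta(seconds=scan_seconds), -1))
    events.sort()                             # at equal times an end (-1) sorts before a start (+1)
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def demo_report() -> Dict[str, Any]:
    """Schedule the constructed inventory and summarise the result per host."""
    window_start = datetime(2016, 1, 4, 2, 0)          # 02:00 local, constructed
    args = (DEMO_INVENTORY, window_start, 3600, 600, 2)  # 1 h window, 10 min scans, 2 at a time
    schedule = schedule_scans(*args)
    report: Dict[str, Any] = {"scheduled": len(schedule),
                              "deterministic": schedule == schedule_scans(*args)}
    for host, vms in DEMO_INVENTORY.items():
        starts = [schedule[vm] for vm in vms]
        report[host] = {
            "peak": peak_concurrency(starts, 600),
            "distinct_starts": len(set(starts)),
            "last_start_minutes": int((max(starts) - window_start).total_seconds() // 60),
        }
    return report


if __name__ == "__main__":
    print(demo_report())
```

Deriving the offset from a hash rather than from a random number generator is a deliberate choice: it keeps the "randomized" spread the requirement asks for while letting an administrator predict, and explain in an audit, when a given VM will scan. The same offset-plus-cap approach applies to staggering DAT file updates, which Note 5 also asks about.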

Source: Gartner Research Note G00274074, Peter Firstbrook, Neil MacDonald, 29 January 2015

About AhnLab, Inc.

AhnLab creates agile, integrated solutions for corporate organizations. Founded in 1995, AhnLab, a global leader in security, delivers comprehensive protection for networks, transactions, and essential services. AhnLab delivers best-of-breed threat prevention that scales easily for high-speed networks, by combining cloud analysis with endpoint and server resources. AhnLab’s multidimensional approach combines with exceptional service to create truly global protection against attacks that evade traditional security defenses. That’s why more than 25,000 organizations rely on AhnLab’s award-winning products and services to make the internet safe and reliable for their business operations.

Ransomware Response: Ideal versus Reality is published by AhnLab. Editorial content supplied by AhnLab is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of AhnLab’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
