The role of Zero Trust in fighting ransomware


ZERO Trust has become a well-recognised framework in the cybersecurity world. 

SecOps teams (formed from a combination of security and IT operations staff) are championing this: Trust no-one” strategy to support the fight against the escalating risk of cybercrime, and in helping to monitor threat actors across their network. In fact, research from Gigamon found that 70% of IT leaders agree that Zero Trust would enhance their IT strategy.

In short, this approach to cybersecurity eradicates the implicit trust often given to internal traffic within a network. This security-first mindset also benefits business efficiency; 87% of IT teams believe productivity has increased since the start of their Zero Trust journey, as systems run faster and downtime is reduced due to fewer breaches. 

However, the threatscape is evolving. Ransomware now represents one of the biggest threats to businesses across the world and many are falling victim to catastrophic attacks. This type of malware surged by 82% in 2021 and it shows no signs of stopping, especially as 82% of British firms which have been victims of ransomware attacks reportedly paid the hackers to get back their data. 

So, can Zero Trust Architecture (ZTA) help organisations protect themselves from one of the biggest threats in today’s cyber landscape? 

What Does Zero Trust Mean Today?

When putting trust into something, we should always have a rational reason for doing so. However, this has not always been the case in IT. Instead, for years IT teams have used approximations for trustability, often because mechanisms to support trust-measurement were not practical in the past. This could be because an organisation owns a system, if a user is an employee or if the network has previously been secure. 

Yet, these are not actual trustability measurements, they are instead gross approximations often based on assumptions. When that trust assumption fails, risk is introduced. And when a threat actor recognises those assumptions are part of an organisation’s security strategy, they can use them to evade network controls and cause problems for cybersecurity. 

Zero Trust changes this. It dynamically measures whether something is trustworthy by analysing how it works and assessing whether an organisation has a rational basis for trusting it and allowing the connection. This is not only the case for entire systems, but also for individual devices, security mechanisms and users. 

Given the prominence of BYOD (bring your own device) policies and remote working, it is essential that trust is earned rather than given freely, and all users should be considered threats until proven otherwise. In a world where the workforce has shifted significantly to a “work anywhere, work anytime” model, embracing a ZTA simply makes sense.

By introducing micro-segmentation — which separates data, assets and applications and represents a key pillar to ZTA — organisations can stop one compromised device becoming an entirely disrupted network. One famous instance is the Las Vegas casino that was hacked through its IoT (Internet of Things) thermometer in an aquarium in the foyer. From here, the attacker was able to access the casino’s entire network. 

How can businesses protect themselves from this level of threat? With IoT expanding, and adversaries clearly using more innovative tactics and techniques to breach a system, Zero Trust has to be part of the security strategy.

Ransomware and Deep Observability

The cornerstone of ZTA is visibility. A clear view across all data in motion — from the cloud to the core — means IT teams can best understand any threat to their network. 

From here they can authorise safe activity, as well as detect undesirable application behaviour and analyse the metadata that will detail the origin and movement of an attack. In other words, you cannot protect against what you cannot see. 

The deeper the level of observability into a network, the more insight an IT team can gather and then action to improve their entire security posture. This is actually explicitly required by NIST SP 800-207, the gold standard of Zero Trust.

The very nature of ZTA is deep and thorough inspection of all users and all data, including encrypted traffic. With this architecture and micro-segmentation in place, it will also stop cybercriminals moving laterally within a network — meaning adversaries looking to traverse an IT infrastructure and deploy ransomware across more critical data will be unable to do so. 

Over recent years, cybercriminals have become far more savvy and sophisticated in how they deploy this kind of malware. An attack in today’s climate will typically be carefully considered and strategically targeted against known vulnerable organisations that store critical data. 

It is also common for bad actors to penetrate a network and lay dormant for months at a time. Visibility is central in the fight against ransomware; by eradicating blind-spots across the network, adversaries will no longer be able to exist on a network undetected. 

With Zero Trust and deeper observability into all data, criminal dwell time can be cut dramatically from the current average of 285 days. 

It’s important to remember that Zero Trust is not the singular silver bullet to ransomware protection. However, paired with visibility, it will be essential for bolstering a company’s cyber posture. 

By prioritising deep observability, ZTA becomes far easier to introduce and ransomware threats will become far easier to detect.

Ian Farquhar is the field CTO at Gigamon, a company that delivers unified network visibility and analytics on all data-in-transit, with more than 4,000 customers worldwide, including over 80% of Fortune 100 enterprises.