The common theme across ransomware, insider threats, and data theft is the exfiltration of data. While threat research labs usually publish the process steps of ransomware encryption, keys, and disk clean-up, the parts about accessing the data and exfiltrating it are often left out. Also, no single security solution solves the problem by itself, making partner integrations vital to the success of security solution stacks. Using the perspectives of access and security posture, data protection and policy controls, threat protection, and analytics, we can analyze these four pertinent security issues.
First, for access and security posture, we know compromised remote access accounts (SSH, RDP, VPNs) are sold in the underground to enable ransomware operations. Netskope Threat Labs (NTL) research shows that 35% of IaaS/PaaS workloads are publicly exposed, even though the default posture is closed and secure. Enabling Zero Trust Network Access (ZTNA) to increase remote access security, plus federating SSO/MFA to apps and cloud services, greatly reduces risk exposure. Adding cloud and SaaS security posture management (CSPM, SSPM) is an easy API-based deployment that adds security and configuration checks, plus compliance validation.
Second, for data protection policy controls, NTL research notes a 300% increase in data exfiltration from company app instances to personal app instances in the last 30 days of employment, with 74% of this data flow going specifically into personal Google Drive instances. So, your office reopening announcement may spur some of this data exfiltration activity as employees seek new jobs that favor their preference for continued remote work. Plus, the data flows occur not just when employees are exiting. On average, a user on a managed device copies 20 company files to personal apps per month, with source code being the third most popular file type exfiltrated. This makes data protection policy controls between company and personal instances of popular cloud storage apps extremely vital in your security stack. But it's a capability most legacy allow/deny security defenses lack.
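The difference between an app-level allow/deny rule and an instance-aware data protection control, as an added example that is not Netskope's code or part of the original post. The corporate instance identifiers, the personal-instance strings, the sample upload events and the use of the page's 20-files-per-month average as an alert threshold are all constructed assumptions for this illustration:

```python
"""Instance-aware cloud-app policy check over constructed upload events.

A legacy control sees only the app (e.g. Google Drive) and must allow or deny
all of it. An instance-aware control also sees which tenant/account the file
went to, so company-to-personal copies can be blocked or alerted on.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed corporate instance identifiers per app (constructed for this example).
CORPORATE_INSTANCES = {
    "google_drive": {"acme-corp.example"},
    "onedrive": {"acme-corp.example"},
}
# File types treated as source code for the block rule (assumption).
SOURCE_CODE_SUFFIXES = {".py", ".java", ".go", ".c", ".js", ".rs"}
# The page's per-user monthly average, used here as an assumed alert threshold.
MONTHLY_COPY_THRESHOLD = 20


@dataclass(frozen=True)
class UploadEvent:
    user: str
    managed_device: bool
    app: str
    instance: str   # tenant/account the file was sent to, as an instance-aware proxy would see it
    filename: str
    month: str      # "YYYY-MM"


def legacy_decision(event: UploadEvent, allowed_apps=frozenset({"google_drive", "onedrive"})) -> str:
    """App-level allow/deny: it only knows the app, so company and personal instances look the same."""
    return "allow" if event.app in allowed_apps else "block"


def is_corporate_instance(app: str, instance: str) -> bool:
    return instance in CORPORATE_INSTANCES.get(app, set())


def instance_aware_decision(event: UploadEvent) -> str:
    """allow uploads into the company instance; block source code into personal instances; alert on the rest."""
    if is_corporate_instance(event.app, event.instance):
        return "allow"
    suffix = PurePosixPath(event.filename).suffix.lower()
    if suffix in SOURCE_CODE_SUFFIXES:
        return "block"
    return "alert"


def personal_copies_per_user_month(events) -> Counter:
    """Count company-to-personal copies from managed devices, keyed by (user, month)."""
    counts: Counter = Counter()
    for e in events:
        if e.managed_device and not is_corporate_instance(e.app, e.instance):
            counts[(e.user, e.month)] += 1
    return counts


def users_over_threshold(events, threshold: int = MONTHLY_COPY_THRESHOLD) -> list:
    """Users whose personal-instance copies in any month exceed the threshold."""
    counts = personal_copies_per_user_month(events)
    return sorted({user for (user, _month), n in counts.items() if n > threshold})


# Constructed sample activity: one corporate upload, two personal uploads of source
# code, one personal upload of a non-code file, and a user with 21 personal uploads.
SAMPLE_EVENTS = [
    UploadEvent("alice", True, "google_drive", "acme-corp.example", "q3-plan.docx", "2021-09"),
    UploadEvent("alice", True, "google_drive", "alice-personal", "auth_service.py", "2021-09"),
    UploadEvent("bob", True, "google_drive", "bob-personal", "offsite-photos.zip", "2021-09"),
    UploadEvent("bob", False, "google_drive", "bob-personal", "parser.go", "2021-09"),
] + [
    UploadEvent("carol", True, "onedrive", "carol-personal", f"deck-{i}.pptx", "2021-09")
    for i in range(21)
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS[:4]:
        print(f"{e.user:6} {e.filename:20} -> {e.instance:18} "
              f"legacy={legacy_decision(e):5} instance-aware={instance_aware_decision(e)}")
    print("over threshold:", users_over_threshold(SAMPLE_EVENTS))
```

Running the block shows every sample event as `allow` under the legacy rule, while the instance-aware rule allows only the upload into `acme-corp.example`, blocks the two source-code files, alerts on the other personal upload, and reports `carol` as the user whose monthly personal copies exceed the threshold.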