What being a leader means and why it matters to customers
Citrix has been named a “Leader” in the IDC MarketScape report: Enterprise Mobility Management 2017 Vendor Assessment. The recognition is important for a number of reasons, and certainly underscores the commitment Citrix has made to make the world’s apps, data, and devices secure and easy to access as our customers embrace the future of work.
If there’s a single line from the IDC MarketScape report to sum it up best it is, “Strong remote access control, VPN and granular inspection and security of mobile traffic are among the most advanced capabilities in this category among competitors.”
The focus on security and innovation over the last couple of years has positioned Citrix at the forefront of technical innovation not only in enterprise mobility management, but also in the digital workspace. Unifying management beyond mobile devices to include laptops and IoT devices simplifies administration across IT. The IDC MarketScape noted, “For all-in Citrix environments, XenMobile is the most logical choice of EMM platform to integrate with a larger Citrix Xen-based application and desktop delivery architecture. Even for customers not going all the way with Citrix Workspace concept, having these products together is an advantage from a cost and overall management perspective.” Hard to argue with that, right?
So, what are a few things we feel helped with our position in the IDC MarketScape evaluation?
Here are just a few:
MDX technology enables IT to manage mobile apps without requiring full MDM
Integration with ShareFile, XenApp, XenDesktop and NetScaler delivers a complete workspace on-prem or in the cloud
Cloud technology enables IT to not only deploy a mobility solution in less than two hours, but also leverage a complete workspace
Unified endpoint management capabilities simplify workspace administration for endpoints including Windows 10 and Mac devices
Citrix and Microsoft partnership delivers O365 apps via MDM and enables certificate based authentication as well
As Calvin Hsu wrote recently, “Citrix embarked on a journey to shift XenMobile from an EMM-only strategy to one that incorporates EMM as part of an overall Secure Digital Workspace Solution.” Deploying Citrix XenMobile in the cloud enables IT to leverage other Citrix Workspace services from a single console and provide users access to all their apps (Windows desktop, SaaS, virtual and mobile) through a universal app store. Looking to adopt O365 as part of your workspace? At Citrix Synergy, we demonstrated the seamless integration of XenMobile with Microsoft EMS. The XenMobile Connector for EMS will provide additional security and productivity to EMS customers: they will be able to secure data in transit between a mobile device and resources behind their firewall, a benefit for EMS customers that no other EMM vendor can provide.
We are just getting started here, so stay tuned for more.
Click HERE to read an excerpt of the IDC MarketScape report: “IDC MarketScape: Worldwide Enterprise Mobility Management Software 2017 Vendor Assessment”, document number US42890217e_Citrix, August 2017.
About IDC MarketScape: The IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of ICT (information and communications technology) suppliers in a given market. The research uses a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of IT and telecommunications vendors can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective vendors.
A recent survey by Oxford Economics reveals a satisfyingly high return on investment for companies that fully embrace the digital workspace — virtualized desktops accessed through mobile devices carried by remote workers — which facilitates productivity, elevating both customer satisfaction and employee retention. If your organization isn’t optimizing its digital investments, it could be (or soon will be) losing market share to those competitors who have already embraced the digital workspace.
While less than half reported that their organization had taken full advantage of the digital opportunity, those Digital Workspace Leaders were able to articulate exactly how their enterprise had benefited from making the transition. What they learned can serve as more than inspiration — it can serve as a blueprint for how you can replicate their success — and avoid their mistakes. Hint: at its essence, the strategy is all about customer retention, employee satisfaction, security, and choice — read more about it in my full point-of-view:
74 percent reported higher customer satisfaction ratings vs. 64 percent still using old-style processes.
74 percent also reported high levels of employee satisfaction (a key factor for worker retention) vs. 58 percent of those still using traditional procedures.
The switch to digitization changed not just how work was done, but also how leadership thought about doing it:
Digital investing wasn’t simply purchasing a tablet for each employee. Instead, leaders often developed a strategy that tied the tech and its functions directly to corporate goals (reduced costs or higher productivity per worker, for example).
Digitization also freed the workforce from traditional schedules and confined offices. Employees were encouraged to attend to personal matters when they had to, knowing they could pick up their work projects where they left off, from wherever they happened to be at that time. This factor alone increased employee satisfaction while also encouraging more collaboration and creative thinking.
The need for advanced digital security also changed how leaders addressed risk associated with their newly mobile workforce and its virtual workspace. “There are new rules around the way data and privacy have to be treated,” says Kevin Miller, chief information security officer at Herman Miller.
This progressive approach to enabling the workforce resulted in improved customer relations and higher conversion ratios, which confirmed the value of the digital investment. “It takes an organization with a fairly good focus on understanding end-user needs to … identify which changes to the work process make the most sense,” said Ryan Anderson, Herman Miller’s director of product and portfolio strategy.
Getting started on the path to digital work success is a strategy in itself. I’ve created an executive point of view on this topic, which provides insights and tips to begin the transformation of your enterprise into a digital workspace leader.
As a member of the Cloud Services team at Citrix, I hear a lot of questions about Citrix Cloud and Citrix Cloud services. After Citrix Synergy, the most common questions have been around the Citrix secure digital workspace. I’ve been collaborating with my Cloud Services colleagues Ken Oestreich and Steve Wilson on a fantastic webinar to help address these questions – I think you’ll find it to be very interesting. They’ll help you sort out how to make adopting cloud services part of your strategy for the future, and you’ll learn about the concepts of the Citrix secure digital workspace.
Simplifying IT: Adopting a Secure Digital Workspace
Citrix secure digital workspace – the embodiment of Citrix
IT departments need to securely deliver apps and data to their employees in a world that is becoming more mobile and more dependent on cloud services – on any device, in any location, from any cloud. We can help you do this through the Citrix secure digital workspace.
Here are the components of the Citrix secure digital workspace:
The Citrix workspace experience: By eliminating the fragmented way in which users access their applications and data – and instead providing them with secure single sign-on – your users free up time to be more productive and spend less time seeking helpdesk support. For the IT administrator, the Citrix workspace experience helps you combat the challenges caused by cloud service sprawl (take a look at this infographic for more information on cloud service sprawl). You gain more control as the need to support multiple systems is eliminated, and you are able to securely aggregate, deploy and manage all apps, cloud services, network and identity services in one control plane.
Software-defined perimeter: In a digital world where people move across varied locations and security domains, the Citrix Software-Defined Perimeter is a critical component of secure digital workspaces. It provides you with a continuous, consistent security posture, adapting to new devices, user behaviors, networks, and service sources. This is unlike competitive point-products, which are unable to offer multiple vantage points or enforcement actions across multiple apps, networks and devices.
Security and performance analytics: Here we combine the power of the NetScaler Management and Analytics System (MAS), which monitors network traffic, with advanced user and entity behavior detection, insights, and proactive risk resolution capabilities via the Citrix Analytics service (CAS). Both serve to help you track and analyze security, behavior, user performance/experience, connected devices, networking, and data use.
How you can buy the Citrix Secure Digital Workspace
You can get the Citrix secure digital workspace by purchasing the Citrix Workspace Service, powered by Citrix Cloud. Citrix Cloud simplifies management of the Citrix technologies portfolio contained within the Citrix Workspace Service. Unify virtual apps, desktops, data, device management, and networking on any cloud or infrastructure. This integrated approach gives you the simplest way to securely create and deliver digital workspaces and gain a view into actionable insights.
Join us on August 3 to take a deeper dive into the Citrix secure digital workspace.
Clint Newell Auto Group was at a crossroads. Existing IT infrastructure did not meet business requirements. They used Citrix software for many years and wanted to upgrade. That would involve a costly, time-consuming datacenter expansion. Instead, they moved to the cloud.
Citrix Cloud modernized IT and drove business innovation. Using Citrix Workspace Service, Clint Newell’s IT team manages third-party apps, secures sensitive data, and enables a mobile workforce, all from one management plane.
Without question, security is top-of-mind within every federal agency and IT solutions are required to meet stringent security requirements before they can even be considered for implementation.
The Department of Defense Information Network Approved Product Listing (DoDIN APL) represents the DoD’s master list of secure, trusted, and approved technology infrastructure products. The DoDIN APL was developed to maintain a single, consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification. Inclusion on this coveted list involves a rigorous 39-step process to ensure products meet federal compliance standards and regulations.
The secure delivery of apps and data is core to our business at Citrix. We build security into our products inherently to remove complexity for our customers, cut down the volume of noise from network traffic and provide actionable intelligence to help customers reduce the attack surface. These benefits are why Citrix has been chosen for inclusion on the DoD’s list of approved products.
This certification provides assurance to the U.S. Department of Defense that the Citrix NetScaler MPX solution has passed stringent security and compliance certification testing. It demonstrates our commitment to undergo a rigorous process that allows U.S. military branches such as the Air Force, Navy, Army, and Marine Corps, to procure and implement our NetScaler solution within their technology infrastructure.
What is the NetScaler MPX solution?
The NetScaler MPX solution is the industry’s leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provides secure remote access to any application from any device type. Adding the NetScaler MPX solution to this coveted certification list confirms our commitment to delivering scalability and performance solutions for high-security requirements.
For details about the APL Listing, see the approval documents on the official DISA APL Site.
Embedded deep within the Engineering group at Citrix, there’s a team of early adoption Systems Administrators. You may have never heard of us, but every time you install, run, or configure a Citrix XenApp/XenDesktop environment, you’re likely to have benefited from our work; even if, sometimes, it may not feel like it.
The team run an environment called the RTST: the Real-Time System Test.
The RTST is a live production XenApp/XenDesktop environment… with a twist. Within it, we regularly deploy pre-release, in-development builds of multiple Citrix products. It’s a real environment, complete with all the usual infrastructure any regular IT department would have: Active Directory, DNS, SQL, VPN, and so on. It has real-life users, too, doing real work things on it, all day, every day. This isn’t simply a clinical environment spun up and torn down to run some tests against — it’s been around for many years, just like many of our customers’ environments, so it’s as close to real as we can get.
So, why do we do this?
The benefits of this approach are numerous and multi-faceted, but the primary aim is to catch bugs before release. It’s also about improving customer experience, both from a sysadmin perspective and an end-user perspective.
Additional benefits of our work include building Engineering and Product feedback loops, building SysAdmin empathy, improving end-user experiences, and interoperability testing (that is, testing how well our own products work with each other).
Engineering and Product liaison
Engineering teams at Citrix like to get their products in the RTST because we’re able to provide a close-to-real-life test platform. We work closely with Product Managers and Engineering to implement pre-release builds of Citrix products into the RTST environment. If we — or our colleagues using our environment — encounter issues, we work with Engineering to diagnose and fix the bugs. And because the bug source is internal, it makes it a lot easier to reproduce the issue and collect logs. Through our relationships and with direct lines to the right people, we’re able to find bugs and fix them quickly.
Managing the underlying IT infrastructure and deploying Citrix XenApp/XenDesktop environments every week helps build a team of SysAdmins who know Citrix products inside and out. If something doesn’t work right, or is a bad experience for SysAdmins, we can use our relationships with Engineering and Product teams to make a case for improvements.
End user advocacy
Having internal Citrix staff use the published apps and desktops from the RTST environment for their daily work is invaluable. Often our colleagues notice issues while consuming our XenDesktop published resources that we wouldn’t notice ourselves in the implementation stage. We take feedback and reports from our colleagues, determine if they’re environmental or product issues, and then pass them on to Engineering, creating bug reports where necessary.
An important by-product of what we do is interoperability testing. Because we integrate multiple Citrix products and their features into a live IT environment, we end up testing the interoperability of many of our products. Our product and feature mix is fairly diverse: XenApp/XenDesktop, Microsoft SCOM, NetScaler Gateway, GSLB, PVS, MCS, smartcards, StoreFront, Linux VDA, and Session Recording, among others. If something isn’t working, we’ll know about it quite quickly and can use our experience and relationships to get the right Engineering teams talking to each other.
It’s all about finding and fixing bugs
Ultimately, the RTST environment exists as part of a collective effort from Citrix to find bugs that might otherwise be missed. In the end, Engineering wins, and our customers win, too.
So, what’s next for the team?
Right now the SysAdmins in the RTST team are focused on helping with Citrix’s cloud journey. We recently joined the Cloud Operations team for the Citrix Cloud XenDesktop service, and we’re looking forward to using our experience with our on-premises products to help test and improve our Cloud products.
In terms of our impact: we helped out, most recently, with user acceptance testing for the XenApp Essentials product, contributed to the new Citrix OS Optimization tool, and helped verify and create a reproducible environment for a recent issue with Seamless Apps not launching on 7.14 with Server 2008 R2.
We also want to talk more publicly about what we do, why and how, so expect to hear more from us over time. In the meantime though, just know that we’ve got your back, and that we’re working with everyone here to help make Citrix products the best they can be!
How Citrix solutions keep malicious attacks out of your system.
Over the weekend, news of possibly the largest ransomware attack — WannaCry — in history has permeated the globe. WannaCry is an operating system exploit, one of many that were exposed by Wikileaks. While the original exploit has been patched, that doesn’t mean attackers aren’t trying again. It’s critical that organizations step up their game — today. And it is more important than ever that we all prepare for multiple versions of attack as well as net new attacks.
The traditional approach to mitigating ransomware attacks — user education, anti-malware, frequent backups, and keeping a supply of Bitcoin on hand — is no longer a viable option by itself. Organizations need to turn to a more robust, systems-level approach to keep data out of an attacker’s reach.
Virtualization, enterprise mobility management, and enterprise file synchronization help shield devices and organizations — computers, tablets, smartphones and other endpoints — against ransomware attacks and allow for quick recovery if an incident does occur. Many of the operating system hacks published by Wikileaks can be mitigated with these types of technologies.
Citrix Protects Your Apps and Data from Ransomware Attacks
Ninety-nine countries and counting. The WannaCry attack has already resurfaced and its target list is expanding. Immediately patch the vulnerability, if you haven’t already, and follow these steps to ensure your organization isn’t the next victim.
Patch and virtualize: Paying the ransom does not mean your files will be restored. Aside from the cost, payment only rewards criminal activity and strengthens the incentive for more attacks across industries. If the bad actor does provide the keys to decrypt, restoration is often a manual process and can take weeks, depending on the number of files impacted.
Run a system check to ensure all patches have been made and that employees are using the most up-to-date software.
We strongly encourage companies to migrate to Windows 10 and virtualize applications and browsers through Citrix XenApp & XenDesktop, and AppDNA to keep sensitive data off the endpoint. By using Citrix XenApp to run a hosted browser, IT can introduce a layer between the corporate environment and the Internet to shield the trusted computer and its data from attack.
Educate your employees about this attack and their role in protecting the company and themselves. First and foremost, let employees know they shouldn’t open a file or click on a link under any circumstances unless they know whom it’s from. If they are concerned or need to confirm, tell them to pick up the phone or ask a manager.
On the backend, IT can use Citrix XenApp to deliver a virtual email client to protect against infection via email links and attachment previews. By publishing the email client company-wide businesses can ensure that all required security settings are configured and consistent for all users. Antivirus, DLP (data leakage protection), whitelisting, and other technologies are integrated with the published email application meaning IT doesn’t have to worry about various scenarios across devices.
Mobile devices are prime targets for ransomware and other malware. Containerization is key to preventing attacks on mobile devices by centralizing management, security and control for apps and data without interfering with personal content on a bring your own device (BYOD). Containerization also contains an attack to a single user. Citrix XenMobile blocks any non-compliant BYOD prior to enrollment by checking to ensure that a device has not been jailbroken or rooted to allow the installation of pirated or non-validated apps.
Back up everything with a secure enterprise file sync-and-share service like Citrix ShareFile. Even if the ransom is paid, there’s no guarantee the files will be restored. The options are to restore data from a recent backup or live without the files. ShareFile keeps multiple versions of each file so that in the event a file is encrypted by ransomware, users can revert to the most recent, uncompromised version, eliminating the need for a hacker’s decryption key.
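To make the version-history recovery described in the last step concrete, here is an added, self-contained toy model (written for this article, not ShareFile’s code or API): every save of a file is kept as a version, versions that look encrypted are flagged by a ransomware-style extension or by high byte entropy, and a rollback restores the newest version that is not flagged. The suffix list, entropy threshold and all sample content are constructed assumptions.

```python
"""Added illustration: rolling a file back to its last uncompromised version.

Hypothetical model of a sync-and-share service that retains every version of
a file. Nothing here is ShareFile's real API; it is a toy for this article.
"""
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed assumptions: extensions that ransomware families commonly append
# to encrypted files, and an entropy cut-off above which a document no longer
# looks like text or a typical office file.
SUSPICIOUS_SUFFIXES = (".wncry", ".locked", ".crypt")
ENTROPY_THRESHOLD = 7.2  # bits per byte; 8.0 is the maximum (uniform bytes)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    Encrypted (or compressed) payloads approach 8.0; plain documents sit far
    lower, so a sudden jump between versions is a cheap signal of encryption.
    """
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class Version:
    number: int       # 1-based, increasing with every save
    name: str         # file name as it was saved (ransomware often renames)
    content: bytes

    def looks_encrypted(self) -> bool:
        """Heuristic: renamed with a known ransom suffix, or near-random bytes."""
        if self.name.lower().endswith(SUSPICIOUS_SUFFIXES):
            return True
        return shannon_entropy(self.content) > ENTROPY_THRESHOLD


@dataclass
class VersionedFile:
    """A file whose full version history is retained server-side."""
    versions: List[Version] = field(default_factory=list)

    def save(self, name: str, content: bytes) -> Version:
        v = Version(len(self.versions) + 1, name, content)
        self.versions.append(v)
        return v

    def current(self) -> Version:
        return self.versions[-1]

    def last_clean_version(self) -> Optional[Version]:
        """Newest version that does not look encrypted, or None if all do."""
        for v in reversed(self.versions):
            if not v.looks_encrypted():
                return v
        return None

    def rollback(self) -> Optional[Version]:
        """Restore the last clean version as a new head (history is never
        rewritten, so the encrypted version stays available for forensics)."""
        clean = self.last_clean_version()
        if clean is None or clean is self.current():
            return clean
        return self.save(clean.name, clean.content)


def demo() -> dict:
    """Constructed walk-through: two normal edits, then a ransomware overwrite."""
    doc = VersionedFile()
    doc.save("report.docx", b"Quarterly report v1: revenue up 4 percent.")
    doc.save("report.docx", b"Quarterly report v2: revenue up 5 percent, costs flat.")
    # Constructed ransomware event: renamed file, uniformly distributed bytes.
    doc.save("report.docx.WNCRY", bytes(range(256)) * 16)
    clean = doc.last_clean_version()
    restored = doc.rollback()
    return {
        "versions_before_rollback": 3,
        "last_clean": clean.number if clean else None,
        "restored_head": restored.number if restored else None,
        "restored_content": restored.content if restored else None,
    }


if __name__ == "__main__":
    print(demo())
```

The entropy check catches the case where ransomware encrypts in place without renaming; the suffix check catches families that rename but leave low-entropy stubs.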
As more attacks surface, stay tuned for security best practices from Citrix.
Vendor “openness” drives better outcomes for the state of information security. That’s why Cisco has invested and committed so heavily to our Cisco Security Technical Alliances (CSTA) program in recent years. CSTA now has over 130 technology partners…a six-fold increase from where we started nearly four years ago. It is a use-case driven technology partner program with certified platform-to-platform collaborations that better safeguard networks and data. Today we are announcing several extensions and expansions to the CSTA partner program with McAfee, Algosec, cPacket, CSPi, Tufin and Verodin.
The Email Threat Vector and Cisco Email Security Interoperability with McAfee
Zero-day email threats are real, and so is the risk to today’s businesses. Spear phishing and ransomware threats via email are out of control, and as cyber criminals become more sophisticated in creating threats that evade typical defenses, it becomes an imperative for McAfee customers to enhance their threat detection with strong Email protections.
With this in mind, we are proud to announce interoperability of Cisco Email Security with the McAfee® Advanced Threat Defense (ATD) solution. This presents a great opportunity for McAfee customers to review their current email defense strategy, and investigate how deploying Cisco’s Email Security Appliance (ESA) with McAfee’s ATD can deliver better protections for this dangerous threat vector. This gives our joint customers a closed-loop email security solution that quickly picks-off unsafe attachments before they get to the end-user.
Here’s how it works. Cisco ESA receives an email attachment that’s actually a zero-day threat. It notifies McAfee ATD that it’s sending the file over for inspection. Then, McAfee ATD executes the file in its sandbox while also conducting a static code analysis to determine a severity level, which it sends to Cisco ESA for appropriate action, such as sanitizing the file. To see a video demo go here. To see a “How to” installation guide go here.
According to a study published by Radicati Group, Inc., the number of worldwide email users will grow from over 3.7 billion in 2017 to over 4.1 billion by 2021. With a significant amount of data exchanged through organizations’ email infrastructure—including critical financial reports, strategic customer and partner information and even employee performance and personal details—it is no wonder that email is today’s #1 threat vector and will likely continue to be so in the future. Cisco Email Security provides McAfee customers the most advanced protection against ransomware, business email compromise, spoofing, and phishing. It uses Cisco Talos advanced threat intelligence and a multilayered approach to protect inbound messages and sensitive outbound data. With a choice of physical appliance, virtual, cloud-based or hybrid deployment, Cisco Email Security helps customers stay one step ahead of threats, keep inboxes highly secure and protect vital business assets. This couples nicely with McAfee® ATD, which enables organizations to detect advanced targeted attacks and convert threat information into immediate action and protection.
Posture Modeling, Forensics and Firewall Configuration Consistency – Keys to Prevention and Mitigation
Cisco is also pleased to announce some new and some newly enhanced integrations with Algosec, cPacket, CSPi, Tufin and Verodin. Each of these partners provides a key piece in the threat prevention and mitigation puzzle; we are pleased to work with them in creating a complete threat defense picture.
Firewall Policy Management Integration with Algosec and Tufin
Algosec and Tufin are long-time firewall platform management partners. Later this summer, these partners will be updating their integration with Cisco Firepower Management Center by supporting the latest Firepower REST API with policy “read” and “write” capabilities. This enables management of Firepower firewall configuration from these third-party management tools, which simplifies management of diverse firewall deployment environments and helps achieve audit and compliance goals.
Packet Capture Integration with cPacket and CSPi for Detailed Security Forensics
It’s one thing to have security event data. Most networks have plenty of that. Making it actionable is the key. cPacket and CSPi leverage Firepower intrusion event data to automatically export and store PCAPs from their full packet capture and storage solution. Full packet capture technology helps intrusion event analysts by extending visibility into the offending traffic beyond the PCAP collected by Firepower’s Snort-based IDS/IPS engine. Pivoting from specific intrusion events, users can view a vast time window of captured traffic in the partner’s console or download large PCAPs for analysis in a decoding tool of their choice. This helps incident response analysts move from “suspicion” about a security event to “conviction” about the appropriate response.
Get Ahead of Threats: Verodin Integration Across the Cisco Security Portfolio
Verodin’s goal is to measure, manage and improve cybersecurity effectiveness with quantifiable, evidence-based data. Verodin enables security teams to observe and adjust real responses to real attacks without ever putting production systems in danger. With broad integration across the Cisco Security portfolio—including Firepower, Stealthwatch, Umbrella, and Advanced Malware Prevention for Endpoints—Verodin is helping our joint customers get ahead of threats. By enabling security teams to see the impact of their modeled threats, as well as security analysts’ responses (or lack thereof) to those threats, they ultimately drive better prevention via a stronger network security posture.
Cisco welcomes all these new and expanding technology partners to our CSTA ecosystem. Deploying these solutions together enables “openness” that solves customer security issues. Cisco Security…“Simple, Open, Automated.”
On Friday, 12 May 2017, one of the largest cyber-attacks in modern history started. The WannaCry (or WannaCrypt) ransomware infected more than 230,000 computers in 150 countries in a very short time. It had global impact, spreading over the globe faster than any pandemic could – helpfully providing victims with translations in 28 different languages.
Fig 1: Infections during the last 24 hours, source malwaretech.com
WannaCry infects enterprise networks remotely either by exploiting the SMB vulnerability or through a phishing attack. After infecting the first machine, it exploits a vulnerability in the SMB protocol (the EternalBlue exploit) to quickly spread to all machines on the local network and the internet. After infection, the ransomware encrypts all data and installs the DoublePulsar backdoor for remote control. The ransom note is then displayed.
Fig 2: Oops. When you see this screen, it is already too late.
According to Europol, this attack was unprecedented in scale. Was this the worst that we can expect?
We were lucky this time
94% of security breaches are related to espionage or financially motivated. With the proper motivation, we can expect to see not only more attacks, but also a lot more sophisticated attacks in the near future. In March 2017, during the Pwn2Own hacking contest, Chaitin Security Research Lab showed not one, but a chain of six (!) zero-day exploits joined together. They won $35,000 for this successful demonstration. According to the FBI, the CryptoWall ransomware generated over $18m in revenue in 2015 alone. We can still only imagine what could be possible with the proper motivation.
It might be surprising, but WannaCry is a low-tech threat. It is not a zero-day attack – the patch from Microsoft has been available since March 2017. None of the techniques introduced is new or innovative in any way. The $300 ransom that was demanded was very low for the damage it has caused – and based on feedback from some of the companies that decided to pay the ransom, decryption and recovery of data is a fully manual process that was clearly not designed to scale. Based on everything we have seen, the success of WannaCry was a surprise not only to the companies worldwide, but also to the authors of the ransomware.
WannaCry accidentally left behind a hole that allowed one of the security researchers to quickly activate the kill-switch that prevented it from spreading. Since then, new variants have been seen in the wild – v2 included the same kill switch and was quickly stopped by another security researcher, and v3 contains a corrupted archive that prevents it from encrypting the files. This provided the necessary temporary relief for all the companies that could quickly patch or isolate their systems to stop the attack.
It is scary to think what impact WannaCry could have had if released by a more professional group. Next time, we might not be so lucky. If (or should I say when?) professionals start using real zero-day exploits, the situation will get more serious than it is today.
Why Citrix customers are not crying
The purpose of this blog post is not to summarize the WannaCry ransomware – you can read about it on almost every internet or major news web site. The goal of this blog post is to explain how Citrix solutions could be used to prevent, stop or minimize the impact of a similar attack. This is not a new topic – my colleague Florin Lazurca wrote a blog post about ransomware and medical facilities over a year ago.
As the patch for EternalBlue has been available for almost two months, traditional advantages of VDI/RDS apply – single image management to quickly patch all systems, non-persistent machines for fast recovery and centralized management to improve response times. And if everything else fails, prompt disaster recovery and failover to backup data center. By using Citrix solutions, you could be more prepared when the next generation of malware strikes.
This ability to quickly patch large numbers of computers with few clicks is now even better than before. Our new Citrix App Layering supports not only traditional application layers, but also layered images. With layered images, you can update multiple separate images at once, replace the low-level components (such as hypervisor tools or drivers) on all images or manage images across multiple hypervisors. Understanding the capabilities of this new mode is important, as it enables Citrix App Layering to act as an operating system and application management solution.
Let’s quickly summarize the kill chain of the WannaCry ransomware:
Infection – Single machine initially infected through spear phishing email
Distribution – Ransomware distributed to all local machines through SMB exploit
Extortion – All data encrypted, ransom demanded
Fig 3: WannaCry distribution in traditional IT environment.
Phase 1 – Infection
To prepare the best possible security defenses, it is important to understand the initial infection vector for these attacks. Per the 2017 Data Breach Investigations Report, a whopping 99.6% of ransomware is distributed by either email or a web browser. This is based on a sample of 50 million on-the-wire detections, drawn from 65 data sources.
Earlier this year, we worked with our partner Bitdefender on a technical whitepaper that is specifically targeting this infection vector, including a section about deployment tips and tricks and best practices. While this technical whitepaper is focused on secure browsing, secure email can be delivered using the same architecture with the same security benefits.
Citrix XenServer is used as the preferred hypervisor in this architecture. XenServer includes a new, unique security feature called XenServer Hypervisor Introspection, which enables third-party security companies to apply memory introspection techniques from a hypervisor-layer security appliance. Partners such as Bitdefender can integrate with XenServer and work with the raw memory without any in-guest (VM) agents. Bitdefender HVI detects techniques rather than patterns, which means that it can prevent even unknown attacks and exploits.
Bitdefender tested Hypervisor Introspection against EternalBlue (the exploit used as the initial attack vector by WannaCry) a month before the current wave of attacks and confirmed that any machine running on XenServer would not be impacted and the initial exploit would not succeed. This protection works even on an unpatched system or against another zero-day exploit that uses a similar method.
Phase 2 – Distribution
Traditional IT architecture does not provide sufficient protection from ransomware. From a security architecture perspective, the problem is that the most valuable asset, data, is stored on the same devices and network segment as the most vulnerable assets, the endpoints. Any unprotected device, or any user who clicks on a phishing email, can lead to a security incident.
Citrix XenApp has been used by many customers worldwide to provide this level of segmentation. The ability to take any existing client-server application and inject a middle-man in between is a very powerful tool in a security utility belt. The concept of Internet isolation is becoming more and more popular, and we're seeing increased interest from customers all around the world. Even if malware is successful during the initial infection, it will reside in a non-persistent, isolated zone where it can be easily destroyed.
Fig 4: Segmentation of email and browser.
Your company is only as strong as its weakest link – this important principle is often ignored by companies that focus on components that are easy to secure, while leaving other, often older, parts of the environment exposed and vulnerable. The reason that healthcare has been hit so hard by this wave of ransomware attacks is the often outdated devices that are still in use. As many as 70,000 NHS devices could have been affected, including magnetic resonance scanners, blood-storage fridges and other medical equipment. Securing a medical device that is still fully functional and cost $100k, but runs an older version of an embedded operating system and requires a Windows client application, is a daily reality for many healthcare administrators. Citrix XenApp with NetScaler can be used to secure these devices as well, while giving IT enough time to solve the underlying security issues. In the field, isolation combined with proper access control is often the most realistic approach to security.
When designing how you deploy and silo your applications, it is important to understand their behavior. This is often challenging, especially with older applications that are only passively maintained and whose original developer is no longer available. Citrix AppDNA can help you analyze these older applications and better understand how to handle them. It also includes a new module called Security and Compliance Manager, which can look for the most common vulnerabilities and identify security issues. If you have an application that cannot be updated and includes a vulnerable SSL module, you can always isolate it on a dedicated set of servers.
Fig 5: Network isolation for medical devices.
Phase 3 – Extortion
It is very hard to talk about ransomware without talking about the data. Preventing access to data is what ransomware is all about – whether it is done through a simple lockout from the system or encryption of the files. If your multi-layered security has failed and ransomware has been successful in breaching your defenses, it is time to consider your next move.
An enterprise data sync service like Citrix ShareFile can be a great advantage in recovering from a successful attack. The versioning functionality keeps previous versions of each file, so IT can revert impacted files to the last known good version. This is a very powerful combination with non-persistent machines managed through a single image management solution like PVS or MCS. IT can quickly apply the patch, release a new image to all machines, reset the whole environment to the last known state – and then simply recover the last known version of all files from a centralized backup.
ShareFile can not only help you recover from an attack, it can also help prevent one. ShareFile provides support for various antivirus vendors that can automatically scan all uploaded files and data.
Fig 6: ShareFile with ICAP antivirus support.
While traditional antivirus is still a critical part of security, new and more innovative approaches are needed. ShareFile provides API access for third-party cloud security platform partners, such as Avanan. Using this approach, ShareFile can not only scan any file with multiple (up to 40) AV engines, but also bring in advanced anti-malware capabilities such as sandboxing or macro-based detection.
Finally, ShareFile has server-side detection for certain ransomware strains. For example, when malware changes the file extensions, ShareFile can detect the change and prevent the client from overwriting the server data.
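To make the two server-side mechanisms described above concrete (version history that lets IT revert to the last known good copy, and extension-change detection that stops a client from overwriting server data), here is an added example of a toy sync server in Python. It is not ShareFile code and does not reflect how ShareFile implements either feature; the class names, the suspicious-extension list, the burst threshold and the sample file names are all constructed for the illustration.

```python
"""Toy sync server: versioned files, ransomware-style rename detection,
per-client blocking and rollback. Added example, not ShareFile code."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set

# Constructed list of extensions; a real product keeps its own strain signatures.
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
# Heuristic (assumed values): more than BURST_LIMIT extension changes from one
# client inside BURST_WINDOW seconds is treated as a ransomware run.
BURST_LIMIT = 5
BURST_WINDOW = 60.0


@dataclass
class Version:
    client: str      # which client pushed this version
    name: str        # file name at the time of this version
    content: bytes
    ts: float


@dataclass
class FileRecord:
    file_id: int
    versions: List[Version]   # oldest first; the last entry is what clients see

    @property
    def latest(self) -> Version:
        return self.versions[-1]


class SyncServer:
    def __init__(self) -> None:
        self._next_id = 1
        self.files: Dict[str, int] = {}          # current name -> file_id
        self.records: Dict[int, FileRecord] = {}
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []
        self._renames: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _ext(name: str) -> str:
        return os.path.splitext(name)[1].lower()

    def _looks_like_ransomware(self, client: str, old: str, new: str, ts: float) -> bool:
        if self._ext(old) == self._ext(new):
            return False                      # ordinary edit, no extension change
        if self._ext(new) in SUSPICIOUS_EXTENSIONS:
            return True                       # known strain signature: block at once
        q = self._renames[client]             # otherwise count changes in a window
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:
            q.popleft()
        return len(q) > BURST_LIMIT

    def sync(self, client: str, name: str, content: bytes, ts: float,
             rename_to: Optional[str] = None) -> bool:
        """Client pushes a new version of `name` (optionally renamed).
        Returns False when the change is rejected and server data kept."""
        if client in self.blocked:
            return False
        new_name = rename_to or name
        if self._looks_like_ransomware(client, name, new_name, ts):
            self.blocked.add(client)
            self.alerts.append(f"{ts:.0f}: blocked {client} on {name} -> {new_name}")
            return False
        fid = self.files.pop(name, None)
        if fid is None:                       # brand-new file
            fid, self._next_id = self._next_id, self._next_id + 1
            self.records[fid] = FileRecord(fid, [])
        self.records[fid].versions.append(Version(client, new_name, content, ts))
        self.files[new_name] = fid
        return True

    def read(self, name: str) -> Optional[bytes]:
        fid = self.files.get(name)
        return self.records[fid].latest.content if fid is not None else None

    def rollback_client(self, client: str) -> int:
        """Drop every version a blocked client left on top of a file and restore
        the previous content and name. Returns the number of files restored."""
        restored = 0
        for fid, rec in list(self.records.items()):
            if rec.latest.client != client:
                continue
            self.files.pop(rec.latest.name, None)
            while rec.versions and rec.latest.client == client:
                rec.versions.pop()
            if rec.versions:
                self.files[rec.latest.name] = fid
            else:
                del self.records[fid]         # file only ever existed via the attacker
            restored += 1
        return restored


def demo() -> dict:
    """Constructed scenario: 7 clean files, then one client encrypts them."""
    s = SyncServer()
    for i in range(7):
        s.sync("desk-1", f"doc{i}.txt", f"doc {i}".encode(), 100.0 + i)
    # "laptop-7" rewrites files with an extension not on the signature list
    accepted = [s.sync("laptop-7", f"doc{i}.txt", b"ENC", 300.0 + i,
                       rename_to=f"doc{i}.txt.zzz") for i in range(7)]
    after_attack = s.read("doc0.txt.zzz")
    restored = s.rollback_client("laptop-7")
    # a second client using a known extension is refused on the first write
    known = s.sync("laptop-9", "doc1.txt", b"ENC", 400.0, rename_to="doc1.txt.locked")
    return {"accepted": accepted, "after_attack": after_attack, "restored": restored,
            "doc0": s.read("doc0.txt"), "known_sig_accepted": known,
            "alerts": len(s.alerts), "blocked": sorted(s.blocked)}


if __name__ == "__main__":
    print(demo())
```

The burst path is the interesting one: five files are overwritten before the threshold trips, which is exactly why version history matters alongside detection. Rolling back by client rather than by file mirrors the recovery step in the paragraph above, where IT resets the environment and then restores the last known version of every file.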
Fig 7: Example security stack for ShareFile.
IT security is like a disease that cannot be cured – you can only carefully treat it and hope that it will never hit any of your vital organs. Prevention, emergency planning, and recovery are more important than ever (and it feels that I'm using this phrase almost every week now), and it is important to have a security framework that can cover all your applications and data – from the old legacy systems to the latest and greatest SaaS/web apps. WannaCry was a glimpse of things to come, and the Citrix portfolio can help you be better prepared for the next generation of malware.