
Fortify your anti-ransomware playbook with OS isolation

(Image credit: WK1003Mike / Shutterstock)

The pandemic has moved the work environment from offices to homes for untold numbers of organizations and employees. The shift has brought certain benefits to workers -- no more long commutes, no need to maintain a business-style wardrobe, no more packing a lunch or raiding the vending machines for some quick calories.

Work has merged with home life, with laptops set up on dining-room tables, desks in home offices, or just on the nearest sofa. A sense of informality has become the norm.

But the informality has served as a new breeding ground for a familiar threat: ransomware. The cybersecurity barriers associated with work in an office environment can inadvertently be lowered when the same tasks take place in homes. Indeed, by midyear 2020, ransomware attacks had jumped by 715 percent compared to pre-pandemic times, according to one study. In 2021, ransomware remains a serious threat -- one that can damage both remote workers and the organizations they work for. Beyond the ransom itself, should an organization decide to pay it, a successful attack carries indirect costs: downtime for production systems and users, data loss, reputational damage, penalties, etc.

At the same time, workers and companies are not eager to reinstate the separation between office and home by requiring users to employ separate laptops for different activities. In the pre-Covid work world, employees needed to access sensitive data as part of their jobs and those pathways were usually protected from breaches. But they also performed tasks that were less secure -- downloading email attachments, installing and running software, copying and pasting data from external sources, etc. -- that carried the potential for cyber threats. These “risky” productivity tasks are even more central to today’s world of distributed work.

Is it possible to provide protection while preserving the fluidity of switching between the productive and the secure? It is, and in order to see how, let’s first look at the threat and at the standard approach to addressing it, which is not as ironclad as we would hope.

Ransomware and the conventional approaches to guarding against it

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently launched a campaign to help organizations guard against ransomware, which includes a detailed guide. This initiative is particularly valuable in response to wormable ransomware, such as NotPetya, and has several useful suggestions for businesses and home users. Worth noting are the guide’s tips for basic cyber hygiene (not just to help protect against ransomware). It focuses on two main avenues of ransomware protection: 

Reducing the probability of infection through software patching, phishing training, endpoint hardening, etc.

Responding to ransomware incidents, for organizations that have already been hit, by isolating infected systems, restoring backups, etc.

Unfortunately, some of the recommended practices aren’t worthwhile from a cost-benefit perspective, especially for smaller organizations. Specifically:

Patching all software is not easy to do quickly, even if you’re just updating Windows (because your IT department has to test such updates thoroughly before releasing them). Add to that job list patches for middleware (.NET/Java), drivers, legacy apps, management agents, etc., and all the associated testing and updating becomes a Herculean task -- one that may not happen fast enough to be effective.

Backing up all critical assets, and verifying that those backups actually work, is becoming harder and harder as organizations host systems on a variety of services, both on-prem and cloud, and keep data on users’ own devices, etc.

Training people to ward off phishing emails is not a foolproof exercise. All of us inadvertently let our guard down from time to time, and attackers are finding ways to take advantage of our failings with more sophisticated and targeted phishing. 

Endpoint hardening undercuts business productivity by curtailing users’ ability to collaborate with customers and partners. These techniques include app whitelisting, elimination of local admin rights and the like. Such hardening efforts are even more debilitating in the Covid-19 era because users expect and need a tidal wave of new apps, thus requiring more flexibility -- not less -- on their endpoints.

What’s more, CISA’s guidance has a major shortcoming. While it provides direction on reducing the likelihood of infection and offers a post-ransom checklist, it fails to show how to reduce the impact or blast radius of ransomware. The guide cites network segmentation as a tactic to lessen the damage. That action is immediately undermined if a single user device connects simultaneously to multiple segments, especially in this work-from-home era in which users connect both to the corporate VPN and to their home network/wild internet.

The problems of separate work and home computers 

The manually intensive processes that have been the default response are not effective, as we’ve discussed. Some organizations have tried to better contain the potential for cybersecurity harm by issuing employees a separate work laptop to be used strictly on job-related tasks. These work-issued devices would be loaded with all the software a corporation would rely upon to keep its data protected and would severely curtail the actions an employee could take while logged on to the job-focused computer.

While employers don't want to encourage employees to engage in off-topic activities, spending considerable time on connectivity applications like Zoom, Slack and Teams may be vital for employees to get their jobs done. Forcing employees to transition from one computer to another to accomplish their work is inefficient. What’s more, maintaining those work computers is an operational headache for the company and can be a productivity destroyer should the laptop need servicing, repair or replacement.

Restricting workers to a dedicated device for their day-to-day job-related tasks is far from foolproof. Too many job descriptions include normal business activities that can expose endpoints and their connected networks to the same kinds of risks associated with personal tasks that a dedicated work computer is intended to eliminate. When doing their jobs requires workers to access highly sensitive corporate assets as well as all that the connected world has to offer, they need IT freedom without undue security risk.

A different, more effective approach to ransomware protection 

Fortunately, technology has evolved in ways that can solve the shortcomings of the approaches we’ve discussed. To dramatically and cost-effectively reduce the impact of ransomware and other malware, consider endpoint OS isolation. This technology automatically isolates risky activities by containing them in a local virtual machine on the user’s device. For example, clicking an unfamiliar link in an email or downloading an attachment could be redirected to this local isolated environment.

Virtual machines aren’t new, of course, but what makes this technology especially relevant today is both the rise in sophistication of attackers and the availability of virtualization on every laptop. Both hardware and OS advancements have made virtualization a first-class citizen on Windows. What’s more, there’s no need to manage another OS image for the virtual machine. The VM is instantly provisioned based on the corporate OS already running in the machine and is always up to date. And with refinements of the user experience with virtual machines of late, the VM looks and feels like just another space on the laptop screen.

With endpoint OS isolation, hardening user laptops is no longer a lose-lose proposition. Enterprises get to limit what users can do on the corporate OS, but still let them get things done in an isolated OS running on their device, including visiting any website, installing any app, getting local admin rights, and using any modern cloud collaboration tools.

If the user forgets the phishing training that the company provided and clicks a link or installs an app that turns out to contain ransomware, there’ll be no impact on the corporate OS and no corporate data will be stolen or encrypted. The malware will be confined to a separate, isolated OS running in that designated VM. Because the VM’s network traffic is tunneled out of the corporate network, the ransomware won’t be able to move into that network. In a single click, the VM can be reverted to a clean snapshot and users go back to business as usual.
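The routing decision described in this section -- a link or attachment opened on the corporate OS either stays there or is handed to the isolated local VM -- can be made concrete with a small policy broker. The code below is an added illustration, not Hysolate’s or any product’s code; the corporate domain allowlist, the risky-extension list and the `route_link`/`route_attachment` names are assumptions, and the sample events are constructed.

```python
"""Hypothetical policy broker for an endpoint OS isolation setup.

Decides whether a user action runs on the corporate OS ("corporate")
or is redirected into the isolated local VM ("isolated"). Constructed
example; domain names and file types below are made up for illustration.
"""
import os
from urllib.parse import urlsplit

# Assumption: the enterprise publishes the domains it trusts on the
# corporate OS. Everything else is "wild internet" and goes to the VM.
CORPORATE_DOMAINS = ("corp.example.com", "sharepoint.example.com")

# Assumption: these attachment types always open in the isolated VM,
# even when mailed from a colleague, because senders can be spoofed.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk"}


def is_corporate_host(host: str) -> bool:
    """Label-wise suffix match. A naive substring test would wrongly
    trust look-alikes such as corp.example.com.attacker.test."""
    host = host.lower().rstrip(".")  # tolerate a trailing-dot FQDN
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def route_link(url: str) -> str:
    """Route a clicked link. Only http(s) to a corporate host stays put."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so https://corp.example.com@evil.test
    # is correctly seen as evil.test, not as a corporate host.
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "isolated"  # javascript:, file:, malformed -> isolated
    return "corporate" if is_corporate_host(host) else "isolated"


def route_attachment(filename: str, sender_domain: str) -> str:
    """Route an email attachment by file type first, then by sender domain."""
    ext = os.path.splitext(filename.lower())[1]  # "report.pdf.exe" -> ".exe"
    if ext in RISKY_EXTENSIONS:
        return "isolated"
    return "corporate" if is_corporate_host(sender_domain) else "isolated"


if __name__ == "__main__":
    # Constructed sample events, as a user might produce them in a workday.
    for url in ("https://corp.example.com/docs", "https://corp.example.com@evil.test/",
                "https://corp.example.com.attacker.test/", "javascript:alert(1)"):
        print(f"{url:48} -> {route_link(url)}")
    for name, sender in (("notes.docx", "corp.example.com"),
                         ("report.pdf.exe", "corp.example.com")):
        print(f"{name:20} from {sender:20} -> {route_attachment(name, sender)}")
```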

Pajamas and protection: The best of both worlds 

Technology is what made it possible for millions of workers to perform their jobs from the comfort of their homes. That’s a monumental achievement that would not have been possible a few decades ago and one that perhaps should be celebrated more than it has.

At the same time, technology in the hands of the wrong people can cause massive harm and disruption. The vulnerabilities of remote work have become more evident over the past year. Organizations need to shut off the pathways that have made ransomware an attractive option of late to unseen extortionists looking for openings.

Endpoint OS isolation is the next phase of technology’s evolution -- one that elegantly repels ransomware. As organizations of all types learn to accommodate the new reality and informality of working from home, it’s a fabulous tool for keeping workers happy and the organization safe.

Tal Zamir, Founder, CTO, and Board Member, Hysolate

Tal is the Co-Founder & Chief Technology Officer of Hysolate. A passionate entrepreneur and veteran R&D leader with 15 years of experience in the cyber and IT domains, Tal has been building and hacking software for decades.