As part of the recent VMWorld virtual event, I had a chance to sit down and talk with Chris Frenz, CISO at Interfaith Medical. Turns out, he has a long history of working with VMWare products that goes back to 2015 when he first ran a ransomware simulation in his organization.
At the time, he used an EICAR test file for his ransomware test: the file itself is completely harmless, but the majority of antivirus products flag it as malware. To learn more about this file and his mock ransomware attack, check out this AEHIS “Mock Malware Outbreak” guidance document.
Essentially, they copied the test file to all the computers to see which controls worked and which didn’t. Frenz shared with me that they found out some really interesting things. First, network segmentation really worked. However, they also learned that they hadn’t segmented nearly enough. They had segmented by department, which meant that a virus or ransomware attack could have taken down an entire department, which of course would be a major problem. Lucky for them, it was just a simulation.
What did they do in response? Well, they implemented much more granular network segmentation. For example, they microsegmented the server subnet and only allowed PCs to communicate with the servers and not PC to PC.
They also learned that physical device security is good, but it was also valuable to look at virtual software security. For example, Frenz is using VMware’s AppDefense product to better protect their virtual machines. With this product, they put a virtual machine in learning mode so it can learn the regular behaviors and actions of that machine. It essentially creates a normal profile of the machine: what it should be doing and, more importantly, what it shouldn’t be doing.
If you’ve ever had to manually punch holes in firewalls, you know how painful that can be. That’s what makes the learning mode so powerful. However, what makes this product even better is that when a virtual machine starts presenting odd behaviors, the system can automatically quarantine it. Doing so helps contain a virus or ransomware and stops it from propagating to other machines.
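To make the two ideas concrete, here is an added Python sketch (not code from the interview or from any VMware product) that models the PC-to-server-only segmentation rule alongside a learning-mode baseline that quarantines a VM on its first unlearned outbound connection. The VM names, segments, process names and flows are constructed.

```python
from dataclasses import dataclass, field

# Constructed segmentation policy: source segment -> segments it may reach.
# PCs may reach servers; PC-to-PC traffic is not allowed at all.
SEGMENTS = {"pc": {"server"}, "server": {"server"}}

@dataclass(frozen=True)
class Flow:
    src: str      # source VM name
    dst: str      # destination VM name
    process: str  # process that opened the connection
    port: int     # destination port

@dataclass
class Monitor:
    segment_of: dict                                # vm -> "pc" | "server"
    learning: bool = True                           # learning mode records, enforce mode blocks
    baseline: dict = field(default_factory=dict)    # vm -> set of (process, dst, port)
    quarantined: set = field(default_factory=set)   # VMs cut off after anomalous behaviour

    def segmentation_allows(self, f: Flow) -> bool:
        return self.segment_of[f.dst] in SEGMENTS.get(self.segment_of[f.src], set())

    def observe(self, f: Flow) -> str:
        if not self.segmentation_allows(f):
            return "deny:segmentation"               # firewall rule blocks it outright
        key = (f.process, f.dst, f.port)
        if self.learning:                            # learning mode: record normal profile
            self.baseline.setdefault(f.src, set()).add(key)
            return "learned"
        if f.src in self.quarantined:                # quarantined VM stays isolated
            return "deny:quarantined"
        if key not in self.baseline.get(f.src, set()):
            self.quarantined.add(f.src)              # first unlearned behaviour -> quarantine
            return "deny:anomaly-quarantined"
        return "allow"

def run_demo():
    mon = Monitor(segment_of={"pc1": "pc", "pc2": "pc", "srv1": "server"})
    # Learning mode with constructed normal behaviour of pc1
    mon.observe(Flow("pc1", "srv1", "outlook.exe", 443))
    mon.observe(Flow("pc1", "srv1", "explorer.exe", 445))
    mon.learning = False
    # Enforce mode: constructed flows, including a lateral move and an unknown process
    flows = [Flow("pc1", "srv1", "outlook.exe", 443),
             Flow("pc1", "pc2", "explorer.exe", 445),
             Flow("pc1", "srv1", "unknown.exe", 445),
             Flow("pc1", "srv1", "outlook.exe", 443)]
    return [mon.observe(f) for f in flows]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```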
While we’re all familiar with some of the benefits of virtual machines when it comes to scaling up and deploying desktop machines, I was really impressed by the security aspects of virtual machines as well. Plus, Frenz mentioned that one of the benefits of having all this security in place pre-COVID was that once COVID hit and they had to scale virtual desktops to facilitate remote work, they could do so in a secure way quickly. All the work they’d done ahead of time paid off during COVID.