
Ransomware is in the Cloud

Visibility, monitoring, and collaboration are the keys to identifying and preventing ransomware from breaching your infrastructure.


In a world of rapid digital transformation, ransomware ranks among the top concerns for cyber security professionals, and with good reason. It is elusive and can compromise even the most secure of organizations. Once the malware enters your network, it can ferret around and hold assets in other parts of your organization hostage.

Currently, ransomware primarily targets vulnerabilities within on-premises network infrastructures. However, as the majority of companies transition to hybrid or purely cloud operations, the bad guys swiftly follow suit. Though we aren’t yet seeing it make headlines, ransomware attacks on the cloud have begun. Amazon Web Services (AWS), the most commonly used cloud platform, recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. Its guidelines for protecting your cloud map directly onto the general security best practices of Identify and Protect, Detect and Respond, and Recover. As with traditional on-premises network infrastructures, protecting against ransomware in the cloud requires a team effort, with multiple solutions working together in a layered approach.

The entire FireMon product suite (Cloud Security Operations, Cyber Asset Management, and Security Policy Management) provides comprehensive views into network security, data center assets, and cloud posture and assets, displaying how resources are connected to data, how they are configured, and how the network and resources are secured.

FireMon’s cloud security operations product, DisruptOps, is an AWS independent software vendor (ISV), and is designed to integrate with your AWS and/or Azure cloud infrastructure. DisruptOps breaks down barriers between development, security, and operations teams, enabling everyone to become an active defender of your cloud infrastructure. DisruptOps is a cloud security operations platform that aligns with the first two guidelines discussed in the AWS whitepaper: Identify and Protect (prevention) and Detect and Respond.

Identify and Protect

You cannot protect what you cannot see. Just as FireMon’s Cyber Asset Management solution provides this visibility for on-premises resources, DisruptOps can identify systems, users, data, applications, and entities within your cloud network. DisruptOps continuously assesses the posture of the cloud management plane and ensures firewalls are properly configured and managed. It identifies, alerts on, and remediates cloud misconfigurations (vulnerabilities).

DisruptOps Authorization Control takes prevention a step further by providing frictionless Just in Time authorizations and access through ChatOps. Stolen static credentials, such as access keys, are the most common vector for attacks on the cloud management plane. Attackers also target the workstations of employees with cloud access so they can steal usernames and passwords – even where federation is in use. Authorization Control gives full visibility into user access and requests, and unparalleled management of user authorizations: administrators and developers request just the access they need, for a given time window, to only the required resources.

This eliminates the possibility of an attacker using stolen user credentials to encrypt data, since Authorization Control can require approvals for all encryption-related (or indeed any) cloud management activity. Authorization Control can also restrict access based on tags or IP addresses. Plus, all authorization requests and approvals are fully monitored and logged, and can even be broadcast to teams to provide full visibility into who is doing what.
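The pattern described in the two paragraphs above (a time-boxed grant for only the requested actions and resources, optionally fenced by source IP and resource tag, with an approval gate on encryption-related activity and an audit line for every grant) can be expressed as an IAM policy document. The code below is an added example written for this article, not DisruptOps or FireMon code. The request fields, the `MAX_WINDOW_MINUTES` cap, the `ENCRYPTION_ACTIONS` selection and the `EXAMPLE_NOW` clock are my assumptions; the IAM action names and condition keys (`aws:CurrentTime`, `aws:SourceIp`, `aws:ResourceTag/<key>`) are real.

```python
"""Added example, not DisruptOps or FireMon code: turn a just-in-time access
request into a time-boxed, least-privilege IAM policy document.

Assumptions (mine, not the article's): a request names the IAM actions and
resource ARNs needed, a window in minutes, optional caller CIDRs and an optional
resource tag the target must carry. Requests touching encryption state or
wildcard actions need a named approver before a policy is produced.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Longest window a single request may ask for (my choice, not a product setting).
MAX_WINDOW_MINUTES = 240

# Real IAM action names that change encryption state; the selection is illustrative.
ENCRYPTION_ACTIONS = {
    "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy",
    "kms:CreateKey", "s3:PutEncryptionConfiguration",
}

# Fixed clock so the demo and its checks are reproducible.
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class AccessRequest:
    requester: str
    actions: list
    resources: list
    minutes: int
    source_cidrs: list = field(default_factory=list)
    required_tag: Optional[tuple] = None   # (tag key, tag value) on the target resource
    approver: Optional[str] = None


def needs_approval(req: AccessRequest) -> bool:
    """Encryption-related or wildcard actions always need a human approver."""
    return any(a in ENCRYPTION_ACTIONS or a.endswith("*") for a in req.actions)


def build_policy(req: AccessRequest, now: Optional[datetime] = None) -> dict:
    """Return an IAM policy document that allows only the requested actions,
    on the requested resources, inside the requested time window."""
    if req.minutes <= 0 or req.minutes > MAX_WINDOW_MINUTES:
        raise ValueError(f"window must be 1..{MAX_WINDOW_MINUTES} minutes")
    if needs_approval(req) and not req.approver:
        raise PermissionError("encryption or wildcard actions require an approver")

    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    # aws:CurrentTime with DateGreaterThan/DateLessThan bounds the grant in time.
    condition = {
        "DateGreaterThan": {"aws:CurrentTime": now.strftime(fmt)},
        "DateLessThan": {"aws:CurrentTime": (now + timedelta(minutes=req.minutes)).strftime(fmt)},
    }
    if req.source_cidrs:  # aws:SourceIp pins the grant to the caller's network range
        condition["IpAddress"] = {"aws:SourceIp": list(req.source_cidrs)}
    if req.required_tag:  # aws:ResourceTag/<key> limits which tagged resources qualify
        key, value = req.required_tag
        condition["StringEquals"] = {f"aws:ResourceTag/{key}": value}

    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JustInTimeGrant",
            "Effect": "Allow",
            "Action": sorted(req.actions),
            "Resource": list(req.resources),
            "Condition": condition,
        }],
    }


def audit_line(req: AccessRequest, policy: dict) -> str:
    """One log line per grant so approvals can be reviewed or broadcast to the team."""
    until = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:CurrentTime"]
    who = req.approver or "auto"
    return (f"grant requester={req.requester} approver={who} until={until} "
            f"actions={','.join(sorted(req.actions))} resources={len(req.resources)}")


if __name__ == "__main__":
    # Constructed request: start/stop EC2 instances tagged Team=payments for an
    # hour, from one office range. Account id is the AWS documentation placeholder.
    req = AccessRequest(
        requester="alice", actions=["ec2:StopInstances", "ec2:StartInstances"],
        resources=["arn:aws:ec2:us-east-1:111122223333:instance/*"],
        minutes=60, source_cidrs=["203.0.113.0/24"], required_tag=("Team", "payments"),
    )
    doc = build_policy(req, now=EXAMPLE_NOW)
    print(json.dumps(doc, indent=2))
    print(audit_line(req, doc))
```

The approval gate fires before any document is built, so a request for `kms:DisableKey` without an approver never produces a grant; the tag condition only works for services that honour `aws:ResourceTag`, which EC2 does.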

Detect and Respond

With ransomware, time is money. The DisruptOps Cloud Detection and Response (CDR) capabilities speed up incident response. DisruptOps includes cloud-native threat detectors for common attacks, and enhances provider alerts through advanced enrichment and routing to separate the signal from the noise. Paired with our built-in actions, responders can react much more quickly and efficiently to adverse cloud events. DisruptOps integrates with cloud monitoring feeds to provide comprehensive visibility into cloud events.

DisruptOps can immediately route alerts not only to security, but directly to the designated cloud account team for immediate investigation and response. Our CDR capabilities identify the needles in the haystack and route them to the account owners and security analysts for rapid identification of potential problems that might otherwise hide until a log review.
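The enrichment-and-routing idea in the two paragraphs above (pick the high-signal events out of a monitoring feed, attach ownership, collapse repeats, and send each alert to both security and the owning account team) is shown below in an added example written for this article; it is not DisruptOps or FireMon code and does not represent its detectors. The `eventSource`/`eventName` pairs and CloudTrail field names are real; the `ACCOUNT_OWNERS` map, the `HIGH_SIGNAL` selection, the account ids and the sample events are constructed.

```python
"""Added example, not DisruptOps or FireMon code: enrich CloudTrail-style events
with account ownership, collapse repeats, and route the high-signal ones to both
security and the owning account team.

The eventSource/eventName pairs are real CloudTrail API names; the account ids,
ownership map and the events themselves are constructed for this example.
"""
from collections import defaultdict

# Constructed: account id -> team channel. No real accounts.
ACCOUNT_OWNERS = {
    "111122223333": "payments-team",
    "444455556666": "data-platform",
}

# Calls that alter encryption state or destroy data; the selection is illustrative.
HIGH_SIGNAL = {
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "high",
    ("kms.amazonaws.com", "DisableKey"): "high",
    ("kms.amazonaws.com", "PutKeyPolicy"): "medium",
    ("s3.amazonaws.com", "PutBucketEncryption"): "medium",
    ("s3.amazonaws.com", "DeleteBucket"): "high",
}


def enrich(event: dict):
    """Return an enriched alert for a high-signal event, or None for noise."""
    severity = HIGH_SIGNAL.get((event["eventSource"], event["eventName"]))
    if severity is None:
        return None
    account = event["recipientAccountId"]
    service = event["eventSource"].split(".")[0]
    return {
        "severity": severity,
        "account": account,
        "owner": ACCOUNT_OWNERS.get(account, "unowned"),
        "actor": event.get("userIdentity", {}).get("arn", "unknown"),
        "action": f"{service}:{event['eventName']}",
        "source_ip": event.get("sourceIPAddress", "unknown"),
        "time": event["eventTime"],
    }


def collapse(alerts: list) -> list:
    """Merge repeats of the same actor doing the same thing in the same account."""
    merged = {}
    for a in alerts:
        key = (a["account"], a["actor"], a["action"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_seen"] = a["time"]
        else:
            merged[key] = {**a, "count": 1, "first_seen": a["time"], "last_seen": a["time"]}
    return list(merged.values())


def route(alerts: list) -> dict:
    """Security sees everything; the owning team sees its own accounts; alerts from
    accounts nobody owns land in a triage queue so they are not lost."""
    queues = defaultdict(list)
    for a in alerts:
        queues["security"].append(a)
        queues["triage-unowned" if a["owner"] == "unowned" else a["owner"]].append(a)
    return dict(queues)


def process(events: list) -> dict:
    """Feed -> enriched, collapsed, routed alerts keyed by channel."""
    alerts = [a for a in (enrich(e) for e in events) if a is not None]
    return route(collapse(alerts))


def _event(time, account, service, name, arn, ip):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": f"{service}.amazonaws.com", "eventName": name,
            "recipientAccountId": account, "sourceIPAddress": ip, "userIdentity": {"arn": arn}}


# Constructed sample: one noisy read, a burst of key deletions, an encryption
# config change, and a key disable in an account nobody has claimed.
SAMPLE_EVENTS = [
    _event("2024-01-01T12:00:00Z", "111122223333", "s3", "ListBuckets",
           "arn:aws:iam::111122223333:user/alice", "203.0.113.10"),
    _event("2024-01-01T12:01:00Z", "111122223333", "kms", "ScheduleKeyDeletion",
           "arn:aws:iam::111122223333:user/alice", "198.51.100.7"),
    _event("2024-01-01T12:01:05Z", "111122223333", "kms", "ScheduleKeyDeletion",
           "arn:aws:iam::111122223333:user/alice", "198.51.100.7"),
    _event("2024-01-01T12:02:00Z", "444455556666", "s3", "PutBucketEncryption",
           "arn:aws:iam::444455556666:role/deployer", "203.0.113.20"),
    _event("2024-01-01T12:03:00Z", "777788889999", "kms", "DisableKey",
           "arn:aws:iam::777788889999:user/unknown", "198.51.100.9"),
]

if __name__ == "__main__":
    for channel, items in process(SAMPLE_EVENTS).items():
        for a in items:
            print(f"[{channel}] {a['severity']} {a['action']} x{a['count']} by {a['actor']} "
                  f"from {a['source_ip']} ({a['first_seen']} .. {a['last_seen']})")
```

The unowned-account queue is the important edge case: an alert that matches no team must still reach someone, otherwise it becomes exactly the kind of event that hides until the next log review.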
