
Ransomware is in the Cloud

Visibility, monitoring, and collaboration are the keys to identifying and preventing ransomware from breaching your infrastructure.


In a world of rapid digital transformation, ransomware ranks among the top concerns for cyber security professionals, and with good reason. It is elusive and can compromise even the most secure of organizations. Once the malware enters your network, it can ferret around and hold assets in other parts of your organization hostage.

Currently, ransomware primarily targets vulnerabilities within on-premises network infrastructures. However, as the majority of companies transition to hybrid or purely cloud operations, the bad guys swiftly follow suit. Though we aren’t yet seeing it make headlines, ransomware attacks on the cloud have begun. Amazon Web Services (AWS), the most commonly used cloud platform, recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. Its guidelines for protecting your cloud correlate directly with the general security best practices of Identify and Protect, Detect and Respond, and Recover. As with traditional on-premises network infrastructures, protecting against ransomware in the cloud requires a team effort, with multiple solutions working together in a layered approach.

The entire FireMon product suite (Cloud Security Operations, Cyber Asset Management, and Security Policy Management) provides comprehensive views into network security, data center assets, and cloud posture and assets, displaying how resources are connected to data, how they are configured, and how the network and resources are secured.

FireMon’s cloud security operations product, DisruptOps, is an AWS independent software vendor (ISV), and is designed to integrate with your AWS and/or Azure cloud infrastructure. DisruptOps breaks down barriers between development, security, and operations teams, enabling everyone to become an active defender of your cloud infrastructure. DisruptOps is a cloud security operations platform that aligns with the first two guidelines discussed in the AWS whitepaper: Identify and Protect (prevention) and Detect and Respond.

Identify and Protect

You cannot protect what you cannot see. Just as FireMon’s Cyber Asset Management solution provides this visibility for on-premises resources, DisruptOps can identify systems, users, data, applications, and entities within your cloud network. DisruptOps continuously assesses the posture of the cloud management plane and ensures firewalls are properly configured and managed. DisruptOps identifies, alerts on, and remediates cloud misconfigurations (vulnerabilities).

DisruptOps Authorization Control takes prevention a step further by providing frictionless Just-in-Time authorization and access through ChatOps. Stolen static credentials, such as access keys, are the most common vector for attacks on the cloud management plane. Attackers also target the workstations of employees with cloud access so they can steal usernames and passwords, even where federation is in use. Authorization Control gives full visibility into, and management of, user access and authorization requests: administrators and developers request just the access they need, for a given time window, to only the required resources.

This eliminates the possibility of an attacker using stolen user credentials to encrypt data, since Authorization Control can require approval for all encryption-related (or indeed any) cloud management activity. Authorization Control can also restrict access based on tags or IP addresses. All authorization requests and approvals are monitored and logged, and can be broadcast to teams to provide full visibility into who is doing what.
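To make the controls in the two paragraphs above concrete, here is an added example (not FireMon or DisruptOps code) of a minimal just-in-time authorization check: a grant is only honoured if it has been approved, the request falls inside the grant's time window, the target resource carries the required tags, and the request comes from an allowed network. Every failed check is recorded so the decision can be logged and broadcast. The principal names, action names, tags, networks and timestamps are all constructed for illustration.

```python
"""Added example (not FireMon or DisruptOps code): a minimal just-in-time
authorization check with approval, time-window, resource-tag and source-IP
restrictions. All names, actions and values below are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress
import json


@dataclass(frozen=True)
class Grant:
    """One approved (or still pending) just-in-time grant."""
    principal: str
    actions: frozenset            # management-plane actions the grant covers
    required_tags: dict           # every key/value must be present on the resource
    source_cidrs: tuple           # requests must originate inside one of these networks
    not_before: datetime
    not_after: datetime
    approved_by: Optional[str]    # None means the request is still awaiting approval


def evaluate(grant, principal, action, resource_tags, source_ip, now):
    """Return (allowed, reasons). Every failed check is recorded so the
    decision can be logged and broadcast rather than silently denied."""
    reasons = []
    if grant.approved_by is None:
        reasons.append("grant not approved")
    if principal != grant.principal:
        reasons.append("principal mismatch")
    if action not in grant.actions:
        reasons.append(f"action {action} not in grant")
    if not grant.not_before <= now <= grant.not_after:
        reasons.append("outside time window")
    for key, value in grant.required_tags.items():
        if resource_tags.get(key) != value:
            reasons.append(f"resource tag {key} != {value}")
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(c) for c in grant.source_cidrs):
        reasons.append(f"source {source_ip} outside allowed networks")
    return (not reasons, reasons)


def audit_record(principal, action, source_ip, now, decision):
    """One JSON line for the audit log or the team broadcast channel."""
    allowed, reasons = decision
    return json.dumps({"time": now.isoformat(), "principal": principal, "action": action,
                       "source_ip": source_ip, "allowed": allowed, "reasons": reasons})


# Constructed sample: a one-hour grant for "alice" to use two KMS actions on
# prod-tagged resources from the corporate network, approved by "bob".
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANT = Grant(
    principal="alice",
    actions=frozenset({"kms:Encrypt", "kms:CreateKey"}),
    required_tags={"env": "prod"},
    source_cidrs=("10.0.0.0/8",),
    not_before=T0,
    not_after=T0 + timedelta(hours=1),
    approved_by="bob",
)


def demo():
    """Decisions for four requests: the legitimate one, the same credential
    replayed from an outside address, one after the window closed, and one
    against a grant nobody has approved yet."""
    prod = {"env": "prod"}
    in_window = T0 + timedelta(minutes=10)
    return {
        "legit": evaluate(SAMPLE_GRANT, "alice", "kms:Encrypt", prod, "10.1.2.3", in_window),
        "stolen_key_offsite": evaluate(SAMPLE_GRANT, "alice", "kms:Encrypt", prod, "203.0.113.5", in_window),
        "expired": evaluate(SAMPLE_GRANT, "alice", "kms:Encrypt", prod, "10.1.2.3", T0 + timedelta(hours=2)),
        "pending": evaluate(replace(SAMPLE_GRANT, approved_by=None), "alice", "kms:Encrypt", prod, "10.1.2.3", in_window),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, audit_record("alice", "kms:Encrypt", "(see case)", T0, decision))
```

The point of returning reasons rather than a bare boolean is that the "stolen key used off-site" and "expired window" cases become distinct, loggable events, which is what lets an account team see at a glance why a request was refused.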

Detect and Respond

With ransomware, time is money. The DisruptOps Cloud Detection and Response (CDR) capabilities speed up incident response. DisruptOps includes cloud-native threat detectors for common attacks, and enhances provider alerts through advanced enrichment and routing to separate the signal from the noise. Paired with our built-in actions, responders can react much more quickly and efficiently to adverse cloud events. DisruptOps integrates with cloud monitoring feeds to provide comprehensive visibility into cloud events.

DisruptOps can immediately route alerts not only to security, but directly to the designated cloud account team for immediate investigation and response. Our CDR capabilities identify the needles in the haystack and route them to the account owners and security analysts for rapid identification of potential problems that might otherwise hide until a log review.
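As an added illustration of the enrichment and routing described in the two paragraphs above (this is example code, not FireMon or DisruptOps code), the block below takes raw provider alerts, attaches the owning team and a severity, suppresses repeats of the same finding inside a short window, and fans each surviving alert out to the security channel and, for medium and high severities, to the owning account team's channel. The account-owner directory, detector names, channels and sample alerts are constructed for the example.

```python
"""Added example (not FireMon or DisruptOps code): enrichment, noise
suppression and routing of cloud alerts to security and to the owning
account team. Directory, detector names and alerts are constructed."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SECURITY_CHANNEL = "#security-alerts"
DEDUPE_WINDOW = timedelta(minutes=30)

# Constructed directory: which team owns which cloud account.
ACCOUNT_OWNERS = {
    "111111111111": {"team": "payments", "channel": "#payments-cloud"},
    "222222222222": {"team": "data-platform", "channel": "#data-cloud"},
}
# Constructed detector catalogue; anything not listed is treated as low severity.
SEVERITY = {
    "KmsKeyScheduledForDeletion": "high",   # losing encryption keys is a ransomware precursor
    "S3BucketPolicyPublic": "high",
    "ConsoleLoginNoMfa": "medium",
}


def fingerprint(alert):
    """Stable id for 'the same finding again' so repeats can be suppressed."""
    key = f"{alert['account']}|{alert['type']}|{alert['resource']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def enrich(alert):
    """Attach owner, severity and fingerprint to a raw provider alert."""
    owner = ACCOUNT_OWNERS.get(alert["account"], {"team": "unknown", "channel": SECURITY_CHANNEL})
    return {**alert, "owner_team": owner["team"], "owner_channel": owner["channel"],
            "severity": SEVERITY.get(alert["type"], "low"), "fingerprint": fingerprint(alert)}


def route(alerts):
    """Return ({channel: [alerts]}, suppressed_count). Repeats of the same
    fingerprint within DEDUPE_WINDOW are dropped; every surviving alert goes
    to security, and medium/high alerts also go to the owning account team."""
    last_seen = {}
    routed = defaultdict(list)
    suppressed = 0
    for raw in sorted(alerts, key=lambda a: a["time"]):
        alert = enrich(raw)
        prev = last_seen.get(alert["fingerprint"])
        if prev is not None and alert["time"] - prev < DEDUPE_WINDOW:
            suppressed += 1
            continue
        last_seen[alert["fingerprint"]] = alert["time"]
        routed[SECURITY_CHANNEL].append(alert)
        if alert["severity"] != "low" and alert["owner_channel"] != SECURITY_CHANNEL:
            routed[alert["owner_channel"]].append(alert)
    return dict(routed), suppressed


# Constructed sample feed: a KMS key deletion reported twice five minutes apart,
# a public bucket policy in another account, and an informational change.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"account": "111111111111", "type": "KmsKeyScheduledForDeletion", "resource": "key-1", "time": T0},
    {"account": "111111111111", "type": "KmsKeyScheduledForDeletion", "resource": "key-1", "time": T0 + timedelta(minutes=5)},
    {"account": "222222222222", "type": "S3BucketPolicyPublic", "resource": "bucket-x", "time": T0 + timedelta(minutes=10)},
    {"account": "111111111111", "type": "InformationalConfigChange", "resource": "sg-1", "time": T0 + timedelta(minutes=15)},
]

if __name__ == "__main__":
    routed, suppressed = route(SAMPLE_ALERTS)
    print(f"suppressed {suppressed} duplicate(s)")
    for channel, items in routed.items():
        print(channel, [(a["severity"], a["type"], a["owner_team"]) for a in items])
```

Two design choices matter here: the fingerprint is built from account, detector and resource, so a flood of identical findings collapses to one notification per window, and the account team is only paged for medium and high severities, which keeps the owner channel from becoming the noise the security team was trying to escape.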

Contact us to find out more about FireMon’s Cloud Security Operations.
