How to protect your systems from the WannaCry attack?
It is almost a year since the world first faced the WannaCry attack. The first wave of the new WannaCry virus affected more than 320,000 computers around the world and disrupted the work of major global organizations such as Telefonica, KPMG, Megafon, Sberbank, a network of hospitals in the UK, the Russian Interior Ministry and many others. That first wave has since been followed by new, modified variants that take into account the countermeasures users have adopted against WannaCry, and the number of newly infected computers is not decreasing.
Which features of the spread of this and similar viruses need to be considered in order to build effective protection? Infection and infiltration of the network do not happen instantaneously but in stages, and the virus is interactive: it spreads only under certain conditions and only in the absence of a stop command from its control center. This means it generates additional traffic on the client’s network ports, and there is a small delay between activation and spreading that can be used to take protective measures. Against such threats, a single signature-based protection method and an antivirus installed on the client device are not enough. If the virus is new or modified, it may not be in the signature database, and if only the user’s computer or VM is protected, the reaction time is too short.
To combat such attacks effectively, a modern GIS should be multi-layered, with several levels of protection, should offer very high performance that the attacker does not count on, and should analyze both network traffic and client behavior. One GIS option for a virtualized Windows Server environment is 5nine Cloud Security.
It is integrated into the Windows Server 2012/2016 virtual switch and combines an agentless antivirus, a virtual firewall and an intrusion detection system (IDS) in one centrally managed software product. How can 5nine Cloud Security help you defend against attacks like WannaCry?
- The firewall isolates the enterprise infrastructure segments and prevents the virus from spreading over the virtual network.
- WannaCry tries to spread across the network through a vulnerability in SMBv1 by scanning IP addresses on port 445. The Intrusion Detection System (IDS) analyzes network traffic and warns the user about unusual activity on network ports. This allows you to determine the source of the attack and block the threat.
- 5nine Network Scanner inspects all HTTP traffic for viruses, both inside the virtual environment and when it is exchanged with the physical network, so the threat is identified before virtual machines (VMs) are infected.
- If the virus enters VM memory, it is detected and moved to quarantine by the Active Protection system or by an agentless antivirus scan. 5nine technologies do this up to 70 times faster than other vendors thanks to incremental scanning based on analysis of the virtual disk write records. The virus does not have time to complete its penetration and activation steps. It is detected and disinfected using antivirus engines from leading vendors: Bitdefender or Kaspersky Lab.
- Integration with the Windows Server operating system at the hypervisor level reduces the load on server resources during anti-virus scanning by up to 30%, which keeps enterprise information systems running even during a massive attack.
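The IDS point above, that WannaCry reveals itself by contacting many hosts on TCP port 445 in a short time, can be illustrated with a small detector. The following is an added example, not 5nine's code; the connection-log format, the 60-second window and the five-peer threshold are assumptions, and the log lines are constructed for the demonstration.

```python
"""Added example (not 5nine's code): flag a source host that attempts SMB (TCP/445)
connections to many distinct peers within a short window, the fan-out pattern an
IDS watches for. Log format, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a virtual-switch connection log: time src dst dport flag.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 SYN
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445 SYN
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 SYN
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 445 SYN
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 SYN
2017-05-12T10:00:03 10.0.1.15 10.0.1.25 445 SYN
2017-05-12T10:00:05 10.0.1.40 10.0.1.5 445 SYN
2017-05-12T10:00:09 10.0.1.40 10.0.1.5 445 SYN
2017-05-12T10:00:10 10.0.1.15 10.0.1.26 445 SYN
2017-05-12T10:03:00 10.0.1.50 10.0.1.20 80 SYN
"""

def parse_line(line):
    ts, src, dst, dport, _flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_smb_fanout(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peer_count} for sources that contacted at least `threshold`
    distinct hosts on TCP/445 within any `window`. Repeated hits on the same
    peer (normal file-share use, e.g. 10.0.1.40 above) do not count as fan-out."""
    events = defaultdict(list)            # src -> [(ts, dst)] for port 445 only
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # slide the window over each hit
            peers = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    for src, n in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} attempted SMB to {n} distinct hosts within 60s")
```

Only 10.0.1.15 is reported; a host re-contacting one file server and a web request on port 80 are ignored.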