Is Application Performance Monitoring Key To Protecting Critical Infrastructure Against Cyberattacks?

essidsolutions

In May, the cyberattack on Colonial Pipeline nudged many C-level executives to explore the need to ramp up their security to protect their corporate data and the company’s reputation. The thinking of many executives is that to provide the appropriate level of security, they need to use application performance monitoring (APM) software. Let’s look at the recent attack on Colonial Pipeline, what application performance monitoring is, and see how putting that information together can help other organizations protect themselves from potential attacks. 

The Colonial Pipeline Hack

On May 7, Colonial Pipeline proactively shut down operations and froze its IT systems following a ransomware attack. Colonial Pipeline is a high-profile target because it operates a pipeline from Texas to New Jersey that supplies around 45 percent of the US East Coast’s oil, transporting about 100 million gallons each day. As a result, shutting the pipeline affected many individuals and businesses.

Apparently associated with a group known as DarkSide, the ransomware attack followed the pattern that was standard for such attacks in 2021. Hackers got inside Colonial Pipeline’s network and set about copying corporate data – usually customer and staff details such as credit card numbers, social security numbers, names, addresses and passwords. It’s suggested that the hackers stole 100GB of data in two hours.

The hackers then encrypted the data and extorted the company, which paid $4.4 million for the decryption key so it could regain access to its data. To prevent a company from restoring data from backups, these are also corrupted or deleted during the attack. Hackers can also sell the copied data on the dark web. That way, the criminals get paid twice for a single hack.

The hackers got into Colonial Pipeline’s networks on April 29 through an unused VPN account. The password was found on the dark web, but the source of the username is still unclear.

DarkSide is a Russian-speaking hacker group that offers Ransomware-as-a-Service (RaaS) to customers on a subscription basis. The software uses the Salsa20 and RSA-1024 encryption algorithms. The actual cyberattack on Colonial Pipeline was carried out by customers of DarkSide rather than by DarkSide itself, which only supplied the software.

The other point to make is that the attack was on the data and not, seemingly, on the pipeline itself, which was closed because of the attack on the company’s IT system. The pipeline itself was restored manually.

The worrying takeaway for other businesses is that although they may not be a target for DarkSide itself, they may well be a target for someone who becomes a customer of DarkSide and uses their software to carry out the attack.


What is Application Performance Management?

Application performance management (APM) is simply the name given to monitoring and managing the performance and availability of applications. From the end user’s point of view, an application should be available whenever they want to use it, and it should respond quickly, i.e., without making them wait too long. That’s where APM comes in: it tries to detect and diagnose complicated performance problems with an application so that an agreed or expected level of service is maintained and a flawless user experience is provided.

Gartner extends the definition and tells us that: application performance monitoring (APM) suites are “one or more software and/or hardware components that facilitate monitoring to meet three main functional dimensions: (1) Digital experience monitoring (DEM) (2) Application discovery, tracing, and diagnostics (ADTD) (3) Artificial intelligence for IT operations (AIOps) for applications.”

There are, in effect, two metrics or two measurements that have to be combined in APM. There’s the users’ view of how well an application is working, and there’s the IT team’s view of how many IT resources are required to make that happen. So let’s look at each in more detail.

From the end user’s point of view, a useful metric would be the average response time of an application under peak load. Almost any application works quickly enough when only one person is using it, but the response time can fall off a cliff when there are many transactions per second – lots of calculations, searches, or data updates. Under these load conditions, how long will a user be prepared to wait for a response? This value may be specified in a service level agreement.

From the IT team’s point of view, they need to ensure that there is sufficient computing capacity available to support the expected peak load. They also need to identify and resolve any bottlenecks, bugs, or other functionality issues that could impact performance and negatively impact business outcomes. The idea is to eliminate any potential service interruptions.

Once this is done, it becomes possible to calculate a performance baseline. Any deviation in performance from this baseline can be detected and reported. These deviations can be correlated with external events and used to predict the application’s performance in the future. This is the application discovery, tracing, and diagnostics (ADTD) part: scanning for problems and reporting them. More importantly, for organizations in the same situation as Colonial Pipeline, it could alert a system administrator to a performance deviation that indicates a ransomware attack is in progress.


Protection from Ransomware Attacks

The third part of the Gartner APM model is AIOps for applications. AIOps proactively identifies issues before they occur and automatically takes remedial action, rather than identifying and fixing problems once they have occurred.

AIOps stands for artificial intelligence for IT operations, and, according to Gartner, combines big data and machine learning to automate IT operations processes, including event correlation, anomaly detection, and causality determination.

This use of AIOps becomes important because IT security teams can build proactive cyberattack identification capabilities into the software and so help to prevent attacks on organizations by people using DarkSide’s RaaS software.

In addition, rather than looking at the performance of a single application, AI allows a holistic model to be built so that the whole IT system can be monitored and compared with expected values. Any changes, no matter how slight or seemingly unimportant, could be used to identify the signature of a known hack.
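The baseline-and-deviation idea from the ADTD section and the holistic, multi-metric view described just above can be shown together in a small script. What follows is an added example, not code from the article or from any APM product: the three metric names, the sixty-minute training window, the SLA limit of 500 ms, the 3-sigma threshold and the stream of sample minutes are all constructed for illustration. It separates the end-user view (is the response time inside the SLA?) from the correlated view (are several unrelated metrics off their baseline in the same minute?), so that a minute which still meets the SLA can nevertheless be flagged when file-server writes and rename operations jump together.

```python
# Added example: baseline-and-deviation detection over APM-style metrics.
# Not code from the original article or any APM product; the metric names,
# thresholds and the sample values below are constructed for illustration.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One minute of aggregated telemetry (constructed schema)."""
    minute: int
    response_ms: float       # average application response time
    disk_write_mbps: float   # write throughput on the shared file volume
    files_renamed: int       # rename/overwrite operations on that volume


METRICS = ("response_ms", "disk_write_mbps", "files_renamed")


def build_baseline(samples):
    """Per-metric (mean, population std dev) from a known-good window."""
    baseline = {}
    for m in METRICS:
        values = [getattr(s, m) for s in samples]
        baseline[m] = (mean(values), pstdev(values))
    return baseline


def z_scores(sample, baseline):
    """How many standard deviations each metric sits from its baseline."""
    scores = {}
    for m, (mu, sigma) in baseline.items():
        sigma = sigma or 1e-9  # guard a metric that never varied in training
        scores[m] = (getattr(sample, m) - mu) / sigma
    return scores


def classify(sample, baseline, sla_ms=500.0, z_threshold=3.0, min_metrics=2):
    """Separate the user-facing SLA view from the correlated-anomaly view.

    sla_breach: the end-user metric alone (response time over the agreed limit).
    deviating:  every metric more than z_threshold sigma from its baseline.
    correlated: at least min_metrics deviate in the same minute; this is the
                holistic signal, and it fires even when the SLA is still met.
    """
    scores = z_scores(sample, baseline)
    deviating = sorted(m for m, z in scores.items() if abs(z) > z_threshold)
    return {
        "minute": sample.minute,
        "sla_breach": sample.response_ms > sla_ms,
        "deviating": deviating,
        "correlated": len(deviating) >= min_metrics,
    }


def training_window():
    """Sixty constructed 'normal' minutes with small, regular variation."""
    return [
        Sample(i, 115.0 + (i % 5) * 2.5, 18.0 + (i % 3) * 2.0, 3 + (i % 4))
        for i in range(60)
    ]


def scan(samples, baseline, **kw):
    """Classify a stream and return only the minutes that raised something."""
    results = [classify(s, baseline, **kw) for s in samples]
    return [r for r in results if r["sla_breach"] or r["deviating"]]


if __name__ == "__main__":
    base = build_baseline(training_window())
    stream = [
        Sample(60, 123.0, 21.0, 5),     # normal minute: nothing raised
        Sample(61, 620.0, 22.0, 6),     # load spike: SLA breached, one metric out
        Sample(62, 260.0, 180.0, 900),  # mass rewrite pattern: SLA met, three metrics out
    ]
    for alert in scan(stream, base):
        print(alert)
```

The point of the third sample is the one the article makes: a pure performance view (the SLA check) stays green, while the holistic view sees three metrics move together and raises a correlated alert for a human to look at. In a real deployment the baseline would be recomputed per time-of-day and per host, and the correlated alert would be routed to the security team rather than only to the operations dashboard.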

Conclusion

Automating scans, automating alerting, and automating responses can mean not only better overall application performance and happier users and customers, but better security overall to protect corporate data. The actual cost of the original application performance monitoring software becomes insignificant when compared with the cost of paying a ransom plus the cost of fines for no longer being compliant with regulations affecting your industry. (GDPR fines can be 10 million euros, or up to 2 percent of an organization’s entire global turnover of the preceding fiscal year, whichever is higher.) In addition, there can be the cost of a drop in share price, the cost of lost custom, and the overall cost of a drop in the company’s reputation.

Originally conceived as a way to give some kind of business meaning or value to IT metrics, application performance monitoring can now play a key role in the protection of an organization’s critical infrastructure against cyberattacks, such as the recent one on Colonial Pipeline.

Do you think application performance monitoring will improve your organization’s defense against ransomware attacks? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!