Combating the Ransomware Epidemic Comes Down to Prevention, Detection, and Response
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Wes Mullens, CTO of deepwatch, shares some industry experience on the ransomware epidemic and how businesses can fight it.
Ransomware has rightfully earned its place as a top risk for CISOs and organizations worldwide. The dangers of ransomware are apparent and repeatedly stressed. Attacks are persistent, coordinated, and supported by significant ransomware gangs and advanced ransomware-as-a-service programs.
Unfortunately for organizations, no single solution or technology will stop a ransomware attack. The most straightforward path to maximize ransomware readiness for a business of any size is a comprehensive security program that focuses on three primary areas: prevention, detection, and response.
Organizations that suffer a ransomware attack are often easy victims because they lack basic preventive security hygiene measures. Preventive security involves several strategies, techniques, and policies to protect the integrity of an organization's data, enterprise systems, cloud environments, and other assets, including:
- Prevention-Based Endpoint and Network Platforms: Legacy approaches that try to stop unauthorized or malicious binaries from being executed on a system have been getting defeated for quite some time. Organizations need to invest in technology that prevents such binaries from entering the network or executing on a host.
- Data Governance: Data governance is about the planning, monitoring, oversight, and controlling of data as it moves through the data lifecycle, from capture to storage to disposal.
Other prevention strategies include network segmentation, firewalls, vulnerability management, and identity and access management (IAM). Prevention is the first critical step in a business's line of defense against the ransomware epidemic.
Threat detection is about understanding and analyzing the types of threats targeting business systems, networks, and devices. Detection technologies and methods are designed to operate quickly and efficiently before a threat infiltrates and does significant damage. Threat detection helps to prevent the delivery of a ransomware payload by looking for both known and unknown threats using the following tools:
- Endpoint Detection & Security: Offers benefits such as continuous alert monitoring, validation, automation, containment, escalation, dashboards, and reporting.
- Threat Hunting: Involves proactively searching networks, systems, devices, and endpoints to identify unusual or suspicious activities using manual and software-assisted techniques and determining if any threats within the environment may have evaded detection with standard cybersecurity tools.
- Security Information & Event Management (SIEM): A SIEM combines security information management and security event management to provide real-time alerts and indicators of compromise.
- ML & AI: Both play a critical role in cybersecurity by providing automated solutions to threat intelligence, data monitoring, big data analysis, anomalous behavior and fraud detection, incident response and forensics, and as an enhancement to human analysis.
With threat detection in place, organizations can have a real-time pulse on the possible attack vectors they’re facing, allowing them to thwart cyber-attacks actively.
A comprehensive ransomware readiness approach also includes response and remediation strategies, which address security incidents as they are underway to help significantly minimize an attack’s operational and cost impact and gather critical attack information. There are several different response strategies that organizations can implement in the event it’s necessary, including:
- Incident Response: These solutions include threat containment and eradication processes as well as data recovery, including restoring offline backups when data is lost or encrypted.
- Attack Planning & Tabletop Exercises: These exercises facilitate a hypothetical discussion of an attack scenario using the organization’s current policies, strategies, plans, and technologies.
- Remediation: These solutions isolate impacted devices and systems, remediate unauthorized changes, and mitigate the tactics, techniques, and procedures used by the threat actors.
Responding to threats early can make a ransomware attack a far less painful experience for organizations. And although response strategies might not seem like the most important part of a cybersecurity posture from the get-go, having a response strategy in place is imperative for business continuity and ransomware attack survival.
The list of things an organization needs in order to be in tip-top security shape can be daunting. By utilizing Managed Detection and Response (MDR), organizations can streamline the implementation of these three key components into a comprehensive security program. With MDR, organizations can gain greater visibility and active detection and response, correlate and detect attacks across millions of transactions, conduct active threat hunting to identify sophisticated attacks, augment the in-house team with security experts, and more.
As ransomware attacks continue to increase and evolve in sophistication, having a tight cybersecurity posture is more critical than ever. By prioritizing and focusing on breaking down prevention, detection, and response strategies, organizations will have a better chance against the ransomware epidemic.