How Connecting Cloud Visibility with Endpoint Security Can Stop Ransomware (Part 1)
Security teams are used to contending with a diverse set of security threats every day. But few things keep chief information security officers (CISOs) up at night more than the growing threat of ransomware. In this two-part blog series, we discuss the emergence and impact of ransomware, along with practical steps organizations can take to reduce their risk. We’ll look at how managed security service providers (MSSPs) and SOC as a service (SOCaaS) can help you bridge the gap between cloud and endpoint security to successfully defend against ransomware attacks.
The Growing Ransomware Challenge
High-profile attacks like Cryptolocker, WannaCry, NotPetya and SamSam have elevated ransomware awareness for both security vendors and businesses, and these types of attacks are showing few signs of slowing down. In fact, Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 14 seconds by the end of 2019 and every 11 seconds by 2021.
The impact of these attacks is often devastating, forcing executives and government officials to consider ransom payments in defiance of FBI guidance. Even if they choose to pay the ransom, there is no guarantee they’ll successfully get their data or systems restored. For organizations that don’t pay, the costs can be even greater. For example, when the City of Atlanta was hit by SamSam in 2018, it declined to pay the $51,000 ransom. However, the city incurred an estimated $17 million in recovery costs.
Establishing an “Early Warning System” in the Cloud
Ransomware is often spread through phishing emails and other methods of tricking users into downloading malicious software. Because many organizations are shifting email and file sharing infrastructure to cloud services like Microsoft Office 365 and Google G Suite, though, they have new options to detect and stop malware before it reaches their on-premises environment.
Cloud-based spam and malware detection can catch links to many known ransomware types before they hit users’ inboxes. Of course, new ransomware variants appear all the time, so you can’t count on blocking everything. It’s also important to monitor cloud service usage for anomalous or suspicious behavior. The volume of data that cloud services produce creates a “needle in the haystack” problem, where the biggest threats are easily lost in the noise.
This is a prime area for MSSPs and SOCaaS providers to step in and fill the void, and it’s a major focus for us at Delta Risk. Our cloud-native ActiveEye platform collects detailed activity information from a wide range of cloud providers and applies both automated and human analysis to identify the most urgent threats.
Greater visibility and actionable guidance make it faster and easier to detect, contain, and recover from new ransomware threats that aren’t blocked before they hit the network.
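As an added illustration of the anomaly monitoring described above (example code written for this post, not part of Delta Risk’s ActiveEye or any cloud provider’s real audit log schema), the Python below flags a user who modifies an unusually large number of shared files within a short window, the pattern produced when ransomware encrypts a synced share. The log format, user names, file paths, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, hypothetical file-sharing
# log format: "timestamp,user,action,path". Carol's burst of twelve edits in
# twelve seconds is the needle; alice's and bob's normal edits are the haystack.
SAMPLE_LOG = "\n".join(
    ["2019-06-03T09:00:01,alice,FileModified,/shared/q2/report.docx",
     "2019-06-03T09:05:12,alice,FileModified,/shared/q2/budget.xlsx",
     "2019-06-03T09:30:44,bob,FileRenamed,/hr/handbook.docx"]
    + [f"2019-06-03T10:15:{i:02d},carol,FileModified,/finance/doc{i}.xlsx"
       for i in range(12)]
)

# Actions that a file-encrypting process generates in bulk.
WRITE_ACTIONS = {"FileModified", "FileRenamed"}


def parse_events(text):
    """Parse the constructed log into sorted (timestamp, user, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def find_bursts(events, window_seconds=60, threshold=10):
    """Return {user: (window_start, count)} for each user whose write actions
    reach `threshold` within any span of `window_seconds` (sliding window)."""
    by_user = defaultdict(list)
    for ts, user, action, _path in events:
        if action in WRITE_ACTIONS:
            by_user[user].append(ts)
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (user not in alerts or count > alerts[user][1]):
                alerts[user] = (stamps[start], count)
    return alerts


if __name__ == "__main__":
    for user, (started, count) in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {user} wrote {count} files starting {started.isoformat()}")
```

Tune the window and threshold against a baseline of normal per-user activity for your own tenant; the values here are only illustrative.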
Proactively Eliminating Vulnerabilities
Many ransomware attacks exploit known software vulnerabilities that organizations haven’t yet patched. For example, WannaCry exploited a vulnerability in Microsoft’s SMB protocol implementation. A patch was already available from Microsoft, but it was not widely installed.
In addition to active monitoring and response, Delta Risk also advises customers to proactively scan for vulnerabilities at frequent intervals and make patching a core IT competency.
Along with its native capabilities, ActiveEye integrates with AlienVault Unified Security Management (USM), which includes extensive vulnerability assessment and management capabilities. Together, ActiveEye and AlienVault USM provide both proactive and reactive protection against ransomware.
While proactive patching may seem like an obvious step, a combination of technology barriers and resource limitations causes many organizations to fail at it. Turning patching into a strength with the help of trusted partners like Delta Risk and AlienVault will greatly reduce the risk of a successful ransomware attack.
Converging Cloud and On-Premises Security
One thing you will notice about the two ransomware protection practices above is that they occur in two completely different places. Efforts to detect and block ransomware often begin in the cloud. But systematically patching systems to reduce the ransomware attack surface is largely an on-premises activity.
In our next post, we’ll discuss how you can bring disparate security activities in the cloud and on-premises together into a highly effective, end-to-end ransomware protection strategy.
This guest blog is part of a Channel Futures sponsorship.