How Connecting Cloud Visibility with Endpoint Security Can Stop Ransomware (Part 2)
In our last post, we highlighted the persistent and growing risks of ransomware. We also highlighted best practices such as:
- Cloud-based detection, blocking and monitoring for ransomware
- Proactively scanning for and patching the vulnerabilities that many forms of ransomware rely on
- Engaging a managed security services provider (MSSP) to provide a consolidated view of activity from endpoints, networks, and cloud platforms and 24×7 support.
Performed in isolation, these steps can improve an organization’s ransomware defenses. But the best possible protection requires bridging the gap between the first line of defense in the cloud and the reality on-premises.
Correlating Cloud Visibility and Ground Truth
Even with effective ransomware monitoring in place, the sheer volume of cybersecurity attacks that most organizations face makes it difficult to effectively prioritize response efforts. It’s not just a matter of knowing whether a ransomware threat is real or a false positive. It’s also critical to assess the likelihood that it will successfully compromise its intended target.
For example, clicking a link to malicious ransomware code that exploits a known Windows vulnerability will have dramatically different results for these three targets:
- User 1: Working on a Mac
- User 2: Working on a Windows PC that is fully patched
- User 3: Working on a Windows PC that hasn’t been patched and still has the vulnerability the ransomware exploits
The attack is the same, but the severity and incident response requirements are much different.
This is another area where MSSPs can bring value: by correlating information from various best-of-breed systems, they can quickly provide a complete picture to an organization’s security team, or to managed service providers (MSPs) seeking to offer security services to their clients. By combining information from cloud API sources like Office 365 with AlienVault Unified Security Management (USM), for example, ActiveEye helps organizations see the potential impact by showing whether target devices have been patched and, if so, when.
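As an added illustration (not code from this post, ActiveEye or AlienVault), the following Python routine joins a cloud-side alert with endpoint inventory data to rank the three cases above; the inventory, the dates and the `CVE-0000-0000` identifier are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Placeholder identifier for the vulnerability the ransomware exploits (constructed).
EXPLOITED_CVE = "CVE-0000-0000"

@dataclass
class Alert:
    """A cloud-side detection, e.g. a user clicking a malicious link."""
    user: str
    target_os: str          # OS family the exploit requires
    cve: str                # vulnerability the exploit relies on
    observed_at: datetime   # when the user was exposed

@dataclass
class Endpoint:
    """Ground truth from the endpoint / asset inventory."""
    os: str
    patched: dict = field(default_factory=dict)   # cve -> datetime the patch was applied

def triage(alert: Alert, inventory: dict) -> tuple:
    """Return (severity, reason) by correlating the alert with endpoint state."""
    ep = inventory.get(alert.user)
    if ep is None:
        return "HIGH", "no endpoint record for user; assume exploitable"
    if ep.os != alert.target_os:
        return "LOW", f"exploit needs {alert.target_os}, endpoint runs {ep.os}"
    patched_at = ep.patched.get(alert.cve)
    if patched_at is None:
        return "CRITICAL", f"{alert.cve} unpatched on target"
    if patched_at > alert.observed_at:
        # Patched only after the exposure: the host may already be compromised.
        return "HIGH", f"patched {patched_at:%Y-%m-%d}, after exposure; verify host"
    return "LOW", f"patched {patched_at:%Y-%m-%d}, before exposure"

# Constructed inventory mirroring the three users in the post.
INVENTORY = {
    "user1": Endpoint(os="macOS"),
    "user2": Endpoint(os="Windows", patched={EXPLOITED_CVE: datetime(2019, 3, 1)}),
    "user3": Endpoint(os="Windows"),
}

def triage_user(user: str, observed: str = "2019-04-15") -> str:
    """Severity for one user exposed to the same Windows exploit on the given date."""
    alert = Alert(user, "Windows", EXPLOITED_CVE, datetime.fromisoformat(observed))
    return triage(alert, INVENTORY)[0]

if __name__ == "__main__":
    for u in INVENTORY:
        print(u, triage_user(u))
```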
The same holds for threats that Microsoft catches and blocks before AlienVault endpoint detection comes into play. If the reverse happens and Office 365 misses the threat, information from AlienVault USM lets you see it and stop the attack.
Here’s a screenshot from the ActiveEye portal that illustrates this:
Using the Wisdom of Crowds to Your Advantage
While the investment required to engage an MSSP like Delta Risk and adopt best-of-breed technologies like AlienVault is not trivial, it is significantly less than the financial cost and reputational damage of a successful ransomware attack. According to CSO magazine, the average ransomware attack costs $5 million or more, and many have put companies completely out of business nearly overnight.
Engaging an MSSP also injects the “wisdom of crowds” into your ransomware protection strategy. MSSPs like Delta Risk have a unique vantage point across multiple organizations. Customers benefit from this collective wisdom about ransomware and other threats instead of being limited to their own first-hand experiences. Delta Risk also incorporates insights from third-party threat intelligence partners, including the Alien Labs Open Threat Exchange, to help detect and prevent threats faster. All of this is built into ActiveEye to provide a single source for combating threats, versus trying to manually view and piece together data from multiple sources. There’s also an option for MSPs to white-label ActiveEye with their own branding to seamlessly provide all these capabilities to their customers.
This guest blog is part of a Channel Futures sponsorship.