Why organisations are failing to close the gap on ransomware
by Marty McGregor, Co-founder and CEO
May 12, 2021
There may not be a silver bullet to stop ransomware, but there is a way to turn the cloud into a security opportunity.
Cloud presents great opportunities, but the rush to get there also means organisations aren’t taking full advantage of its capabilities. Many businesses are simply moving what they did on-premises into the cloud, which is increasingly shown to result in inefficient and expensive outcomes when compared to a cloud-native strategy.
Organisations are also missing out on some of the inherited on-premises security characteristics of network segregation and private networks that may have been overlooked as protective measures. At least the ‘Soft-Centre/Hard-Shell’ security model had a hard shell.
In the cloud, businesses are effectively shifting and exposing their data to a hotbed of malicious activity, opening every user’s device as a doorway to that precious data. There has been a 600% increase in malicious emails alone during COVID-19.
Attackers seeking the path of least resistance are actively looking for organisations that haven’t considered how employees access infrastructure, assets, and information online.
Ransomware doesn’t have a ‘silver bullet’ solution.
Today, organisations are attaching the effectiveness of their security controls to their identity. IT departments are therefore incentivised to say they have ransomware under control, even when they know they haven’t.
Externally, cybersecurity is growing so rapidly that a slew of vendors are entering the space, also pledging that they have got organisations covered.
Businesses are evaluating the effectiveness of these cybersecurity solutions by whether it lets them sleep at night.
A quick scan of local media reports in the last few days provides evidence that organisations are not covered. Demands to NSW Labor, Uniting Care Queensland, and a pokies outage in Tasmania – to name a few. Then there’s the “shock report in Forbes that “92% who pay don’t get their data back”.
Not to mention the catastrophic failure of US Pipeline operator Colonial to prevent a ransomware cyber-attack by the criminal DarkSide group, closing operations and preventing the flow of fuel in the US.
All of this is eroding trust. Despite assurances from IT and vendors, and significant investment in shiny hardware and software, businesses are shocked that they are still victims of ransomware attacks.
However, when you look at what it takes to defend against ransomware, very few organisations have the necessary measures to address it effectively.
Ransomware itself isn’t as complicated as it seems, but it takes many layers of security, alongside many different approaches and controls, working in unison to effectively deal with it. IT and vendors are part of the solution, but it is going to take more than the approach typically followed by organisations today.
Effective ransomware protection relies not only on integrity and control over data; it requires consistent management across all devices that access that information, which is much harder to achieve with a traditional endpoint security approach.
Patching systems is one of the critical steps to protecting against ransomware, by helping prevent the adversaries to gain a beachhead, but more than 77% of ransomware victims had up-to-date endpoint protection (based on 2018 data). That is when the median cost for ransomware attacks was $133,000 and, on average, successful ransomware attacks resulted in at least one other attack on the same organisation. The situation has gotten worse since 2018, not better and it is clear that traditional endpoint security alone is no longer sufficient.
Organisations giving employees access to their cloud environments can increase exposure to (often automated) ransomware attacks, to take advantage of permissions or access to exploit end-user devices. The remote working and distributing workforce that was desired, and then required, by COVID19, must be addressed from a security perspective too.
Employees still need to get their jobs done while working from home, even though the rise in remote working has led to a rise in opportunities for attack across all sectors. The current approach to facilitating visibility of remote devices is to use a VPN, but that opens an organisation’s information to employee devices.
We celebrate the individual or team that says they have ransomware covered, but it is an unrealistic expectation. IT typically does not have adequate funding or resources to deal with ransomware effectively before an attack.
Backups are unreliable and untested, endpoints and devices lack adequate security to prevent their use to pivot to other systems and access the data, and organisations don’t have visibility of where the threats are.
When an attack happens, organisations tend to open a big “emergency” budget, which contractors take advantage of while the client is vulnerable. It’s a reactive approach, which is inefficient, costly, and ultimately ineffective. Even those that survive the ransomware attack find themselves vulnerable, and often succumb to subsequent attacks.
Organisations must stop making ransomware IT’s reactive problem. They need to see it as a business problem that is everyone’s responsibility, and learn from successful attacks.
Businesses need to set a business-as-usual benchmark that they are keeping up with the basics, such as patching, and applying sensible security models, based on consistent security baselines across the entire fleet. This helps prevent the adversary gaining the initial foothold from which they build their ransomware attack.
The CIS Benchmarks, for instance, are designed by security professionals to provide the greatest coverage from the widest array of attacks, by applying best-practice security controls to the operating systems and software we rely upon. Institutions of any size can implement these benchmarks, without buying endpoint software or investing in unnecessary predictive measures like artificial intelligence and machine learning.
Ultimately, it comes down to good management and sensible hygiene.
Tackling ransomware requires a layered security approach that includes discipline in lots of different areas, prioritising requirements based on what the threat looks like. Patching is the first step, but it is just as critical for organisations to ensure they have visibility over all devices, their software, and security posture.
Devicie quickly detects devices that are falling behind, so they can be updated effectively without letting months pass. Devicie offers consistent management of Windows, Mac, Android, and iOS devices anywhere in the world.
Devicie applies the CIS Benchmarks and other controls to satisfy the ASD Essential Eight, then monitors and auto-heals every control on every device. We constantly research how adversaries are exploiting organisations using frameworks such as MITRE ATT&CK, and we apply those learning configurations.
We also use the MITRE ATT&CK framework to evaluate how effectively the controls in place provide mitigations for real world attacks and exploitation. These auditable mitigations can then be monitored by an organisation’s IT team via a live dashboard.
Devicie manages privilege escalation for local accounts. Local administrator access and applications are controlled, as when applications and access are provided seamlessly to the end user, employees don’t need local admin access, and the risk is mitigated.
Devicie-managed devices are segregated from each other, and corporate systems, by eliminating the requirement for a VPN with modern application management. Even if a device were exploited, the impact would be isolated to the single device.
Devicie adds proactive and easy-to-monitor management for a fleet that makes it simple to keep devices updated, identify the ones that aren’t, and isolate devices that may have been compromised. This is a radical leap forward in addressing the way organisations can prevent, manage, and mitigate ransomware attacks.
We’d be delighted to discuss how we can help you quickly improve your end user device security and management. Contact us.