Ransomware has become a board-level concern as organizations navigate data security in the face of increasingly aggressive threat actors seeking ransom payments and new employee hybrid work policies. The pandemic, which accelerated remote work and digital transformation initiatives that widened enterprise attack surfaces, created the perfect storm for today’s cybercrime explosion. What will it take for enterprises, particularly SecOps and ITOps teams, to slow this momentum and boost cyber resiliency?
The business of ransomware
After increasing sharply in 2020, ransomware attacks have not abated. They’ve grown in volume and severity. The NCC group observed an unseasonal uptick in ransomware activity in July 2022, and BeyondTrust predicts that going forward, attackers will take ransomware to the next level by personalizing attacks with double-extortion schemes and evolving the Ransomware as a Service (RaaS) business model.
Cybercriminals have proven the ROI of ransomware. Harm is so common that ransomware damages are predicted to cost the world $265 billion annually by 2031 based on a 30% year-over-year growth over 10 years, reports Cybersecurity Ventures.
Rapid ransomware adaptation—from encrypting production data to destroying backups and stealing data—tells us that cybercriminals will continue to calibrate their strategies and level up their tools to widen the ransomware blast radius (Figure 1). Their actions not only cause downtime and can damage brand reputations, but they introduce legal risks for companies that discover data they are mandated by regulators to keep has disappeared.
| Ransomware 1.0 | Ransomware 2.0 | Ransomware 3.0 | |
|---|---|---|---|
| Malware target | Production data |
|
|
| Method of attack | Encryption | Encryption | Encryption and exfiltration |
| How companies are countering the attack | Backup & recovery system | Immutable backups and data isolation | Early detection and continuous monitoring |
Artificial intelligence and machine learning (AI/ML) are propelling innovation that empowers enterprises to better protect their data. But sophisticated ransomware attacks use advanced technologies against institutions, businesses, and governments, too. Which group will be most successful—those using tools to prevent extortion or those demanding ransom—will depend on who works best together.
SecOps ransomware defense challenges
Organizations are seeking ways to strengthen security postures. In addition to recently acknowledging cybersecurity as an emerging risk with which public issuers increasingly must contend, the U.S. Securities & Exchange Commission has proposed new rules that would require, among other things, public company annual reporting and disclosure about the board of directors’ cybersecurity expertise.
This type of increasing scrutiny also is pressuring already frustrated and overburdened security operations (SecOps) professionals to do more to mount successful defenses against ransomware attackers. A recent study found that a lack of collaboration between SecOps and ITOps could impact the ability to get back up and running after a ransomware attack. i
And the complexity of the vendor landscape is holding SecOps experts back.
Many organizations manage 25 or more independent security tools, according to the fourth annual Enterprise Strategy Group (ESG) & Information Systems Security Association (ISSA), “Technology Perspectives from Cybersecurity Professionals” report.
Siloed security tools are manual and complex, requiring time and effort to stitch together contextual information about incidents and assess the likelihood of threats. In addition to inefficiencies, unintegrated tools lead to significant SecOps training overhead, manual and painful tool integrations, and difficulty delivering a holistic assessment of security risks to executives and boards.
With most organizations unable to support best-of-breed tool strategies that may have worked before cybercrimes skyrocketed, SecOps teams are challenged by the shortcomings of current approaches:
- Complexity—Investigating incidents in multiple, independent security tools without a way to confidently estimate ransomware recovery SLAs adds risk to the business.
- Siloed visibility—Lack of unified visibility into contextual data when ransomware attacks strike increases threat dwell time.
- Slow remediation—Manually coordinating multiple response and recovery teams across operational silos leads to business downtime, disruption, and burnout.
A majority of cybersecurity pros (77%) surveyed for the “Technology Perspectives from Cybersecurity Professionals” report want more industry cooperation and vendor interoperability to make the shift left and from best-of-breed to enterprise-class, integrated cybersecurity platforms.
Build enterprise ransomware muscles together
Key to the transition will be SecOps establishing defensive measures powered by advanced, automated solutions that allow teams to work together to lower the risk of a crippling ransomware attack. Forward-thinking CIOs and CISOs leading the world’s mid-sized to largest enterprises are already working to empower their human resources with AI/ML technology to defend their businesses.
Jim Meehan, Senior Investigations Manager in Verizon’s cybersecurity practice, notes the importance of outlining a holistic plan: “You have to have a specific ransomware contingency plan and policy in place, well before such an attack, because you don’t want to be making those decisions in real time. The longer an incident goes on, the more damage it will do to the company.”
Specifically targeting ransomware, the Center for Internet Security (CIS) has recommendations to help mitigate the risk of ransomware infection, including these:
- Creating and regularly reviewing an incident response plan with collaboration from business leaders and security teams to ensure that the ransomware response plan can address evolving threats
- Having a backup strategy that includes performing regular backups, storing them offsite, and creating replications to enable a clean recovery in case backups become encrypted or infected
- Providing training to help users identify suspicious emails or links and making sure users are aware of the potential dangers of opening unsolicited emails
- Adhering to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties
- Strongly considering utilizing behavioral-based detection methods because they can help identify malicious use of tools
Worldwide, government agencies such as the U.S. Cybersecurity & Infrastructure Security Agency (CISA) also offer ransomware prevention tips and best practices.
Beyond adding defensive security solutions with AI/ML automation, a fundamental best practice for product security organizations and SecOps teams is to “shift security left” in the product development lifecycle. This move involves anticipating potential threats and embedding security into products early and throughout the development process. Doing so reduces the number of vulnerabilities in released products that well-equipped ransomware operators can exploit while delivering the added benefit of boosting the organization’s cyber resiliency. Successful practices include following secure-by-design principles and secure development practices to make certain the enterprise delivers secure products and solutions for its customers.
Drive cybersecurity business outcomes
As organizations build for resilience, adopting a cybersecurity platform that automatically consolidates a host of security product capabilities to simplify and speed the way SecOps and ITOps professionals collaborate and respond to incidents will be a best practice. It can serve as the lynchpin to a stronger security program that allows key stakeholders to share security responsibility.
After cost (46%), security professionals surveyed for the ESG/ISSA report say product integration capabilities (37%) are their most important security product consideration. A majority (67%) define a cybersecurity platform as an “open architecture provided by multiple vendors as an open suite of heterogeneous products integrated through standard APIs and development tools.”
Organizations’ changing security technology purchasing habits reflect bias towards this view: 52% of survey respondents tend to or will transition to purchasing integrated security tech platforms. Enterprises can increase their success in scaling an integrated ransomware defense when technologies and teams work smarter, not harder, together.
A modern, well-integrated cyber technology stack with a portfolio connecting all IT infrastructure components including data-level security running on-premises and in the cloud, even multiple clouds, drives cybersecurity business outcomes as it brings SecOps and ITOps together. It lowers risk, promotes a security-minded culture, and helps teams retain security talent. Powered by the right cybersecurity platform, SecOps can work intelligently with ITOps to slow ransomware’s momentum, recover rapidly from attacks when they happen, and stay prepared.
Learn how to give your organization an advantage over ransomware with Cohesity and Cisco.
