There are no easy answers to outright address the ransomware challenge, but integrated visibility and workflows across endpoint and network are a big step in the right direction.
This piece first appeared on Carbon Black on 10/28/2016.
I’m currently attending the FS-ISAC fall summit, which brings together the information security community responsible for the day-in, day-out safeguarding of our financial services. Not surprisingly, mitigation of ransomware-related risk features prominently.
We all know a ransomware infection can have a detrimental impact on an organization (and this will only become more severe and widespread as cyber criminals expand their target to encompass a growing array of smart and mission-critical devices cropping up on corporate networks), but how can you best prepare your organization to mitigate such risks?
Tackling the global impact of ransomware will require a large-scale community collaboration and will take time, but let’s explore high-impact practical steps you can take in the near term to stack the odds in your favor:
Integrated visibility & workflows across endpoint and network is a big step in the right direction
Clearly, the bulk of this ransomware war is played out on endpoints and Carbon Black already brings powerful endpoint detection and response capabilities to this fight. That said, as with most types of modern cyber attacks, the best ransomware mitigation strategy involves a collaborative, multi-pronged approach.
At Corvil, we believe packets are one of the richest sources of highly granular visibility and, over the years, we’ve done the hard work of building a solution that automatically transforms them into structured and enriched wire data that can be utilized to accelerate and achieve new levels of efficiency in detection and response workflows. While network and endpoint have traditionally been technology and data silos, Carbon Black and Corvil see them as powerful allies and have teamed up to integrate our solutions, bringing packet and process together for seamless data exchange and workflows.
Let me share four ways the combination of Cb Response and Corvil’s packet-based Security Analytics empowers security teams with a knockout combination punch for their ransomware woes:
Minimize blind spots
Today’s corporate networks have never been more dynamic in terms of the diversity of connected device types, increasing cloud usage and blurring perimeter demarcation.
Automated gap discovery
Corvil, when passively tapped to your network, automatically discovers and categorizes all the connected devices. Then, via API integration with Cb Response, Corvil performs a gap analysis to highlight any uninstrumented endpoints on which the Cb Response agent has not yet been deployed.
Monitoring of smart device activity
We’re entering a new era of growth in the number of connected “things” on our networks – iPhones, tablets, VoIP handsets, cameras, you name it. Gartner estimates that IoT will see 26 billion units installed by 2020. While many of these devices are fairly basic in their function today, they will become increasingly autonomous and algorithmic in how they interact on the network, which makes them an increasingly attractive target for ransomware and can be challenging to instrument.
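The gap analysis described above, reduced to its core reconciliation step, as an added example that is not Corvil's or Carbon Black's code. It assumes two constructed inventories: devices discovered passively on the wire (with a classification category) and the list of hosts that already have a Cb Response sensor, as a sensor inventory API would return it. Device categories treated as unable to run an agent are an assumption for the sample.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NetDevice:
    mac: str
    ip: str
    hostname: str
    category: str  # assigned by passive classification, e.g. "workstation", "voip"

@dataclass(frozen=True)
class Sensor:
    hostname: str
    ip: str  # last IP reported by the agent; may be stale under DHCP

# Assumption for this example: these device classes cannot take an endpoint agent,
# so they need network-side (wire-data) monitoring instead of an agent deployment.
AGENTLESS_CATEGORIES = {"voip", "camera", "printer", "mobile"}

def norm_host(name: str) -> str:
    # Compare hostnames case-insensitively and without any domain suffix
    return name.split(".")[0].lower()

def gap_analysis(discovered, sensors):
    """Split discovered devices into (uninstrumented, agentless).

    uninstrumented: hosts that should get a Cb Response agent but have none
    agentless:      devices that cannot run an agent and need network monitoring
    """
    known_hosts = {norm_host(s.hostname) for s in sensors}
    known_ips = {s.ip for s in sensors}
    uninstrumented, agentless = [], []
    for d in discovered:
        # Match on hostname first; IP is a weaker fallback because of DHCP churn
        if norm_host(d.hostname) in known_hosts or d.ip in known_ips:
            continue  # already covered by an existing sensor
        (agentless if d.category in AGENTLESS_CATEGORIES else uninstrumented).append(d)
    return uninstrumented, agentless

# Constructed sample inventories
DISCOVERED = [
    NetDevice("00:11:22:33:44:01", "10.0.1.10", "WS-FIN-01.corp.example", "workstation"),
    NetDevice("00:11:22:33:44:02", "10.0.1.11", "ws-fin-02", "workstation"),
    NetDevice("00:11:22:33:44:03", "10.0.1.12", "srv-files-01", "server"),
    NetDevice("00:11:22:33:44:04", "10.0.2.20", "voip-lobby", "voip"),
    NetDevice("00:11:22:33:44:05", "10.0.2.21", "cam-door-3", "camera"),
]
SENSORS = [Sensor("ws-fin-01", "10.0.1.10"), Sensor("SRV-FILES-01", "10.0.1.99")]

if __name__ == "__main__":
    missing, unmanaged = gap_analysis(DISCOVERED, SENSORS)
    print("Deploy agent:", [d.hostname for d in missing])
    print("Network-only monitoring:", [d.hostname for d in unmanaged])
```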
Wire-data-based visibility & detection
Corvil monitors behavior via wire-data analytics, which can provide real-time detection of any ransomware-infected host that attempts to ‘phone home’ or to laterally infect other hosts via mapped network drives. Any detected compromised hosts can be automatically fed back into Cb Response as a dynamically updated watchlist.
Speed of response & recovery
Once ransomware hits, the clock is ticking and every minute that passes can mean more files becoming encrypted. Ransomware has also been observed trying to delete shadow copies, which would otherwise be a potential lifeline. Restoring from backups may be an option, but there will likely be operational downtime and, realistically, it’s probable that files will be lost (or the ransom paid in the hope of file recovery).
On-tap file recovery, via packet data
Since Corvil is continuously capturing packets, when ransomware attempts to encrypt files across mapped network drives, Corvil captures an original copy of the involved files as they cross the wire. Those packets can later be used to extract the file objects, such as valuable and sensitive corporate documents, databases of customer records, etc.
Working in tandem, Cb Response and Corvil Security Analytics can amplify the value each delivers and provide a more comprehensive and pragmatic way to increase a security team’s ability to mitigate and tackle ransomware in their environment.
Check out the demo of our integrated solution in action and then drop us a line if you’d like to discuss further.