As one of the most debilitating and disruptive threats ever to exist in the information security landscape, ransomware, and protection against it, has been at the top of every enterprise security program's priority list for several years now. Unlike the opportunistic drive-by cyber threats of the past, ransomware is increasingly associated with highly organized financial crime and targeted, persistent malware campaigns, making it all the more dangerous.
According to Verizon’s 2021 Data Breach Investigations Report, ransomware appeared in twice as many breaches in 2021 as it did in 2020. Although a rapidly growing, full-time challenge by itself, ransomware is by no means the only threat that enterprises must defend against. Enterprise security programs are tasked with keeping their organization and its proprietary data safe from all threats, which today include social engineering, malware, denial of service, lost and stolen assets, disgruntled insiders, and much more. To keep their organizations safe, these security programs must adopt tools and techniques for combating threats as effectively and efficiently as possible.
The Enterprise Security Maturity Journey
Due to the asymmetry between threats like ransomware and the limited defensive threat detection and response resources available (personnel, time, tools, training, etc.), the responsibility of evolving and improving an enterprise’s security program often seems daunting. Many practitioners are left to wonder where to even begin their security maturity journey or, worse, fall into an analysis-paralysis trap that has the unintended consequence of reducing their security maturity and capability over time.
We are going to look at how, by focusing on a prevention-first strategy and mindset, an enterprise security organization can rapidly up-level its capabilities, scale faster, and be more effective while making the most of the resources it already has. While there are many popular threat classification and detection frameworks available, such as MITRE ATT&CK and the Cyber Kill Chain, they often lack prescriptive guidance on how a resource-constrained enterprise security program should best operationalize them, or on which first steps make the biggest impact in the shortest time.
First, other than the attackers themselves, time is a security practitioner’s worst enemy. Time is what allows an attacker to achieve their goals. The more time it takes to detect a breach, to understand an incident and to resolve that incident, the more likely it is that the organization will be successfully compromised and exploited. Remember, for every minute it takes to identify and then stop a successful compromise, the time it takes to remediate that incident grows exponentially. The broader the foothold an attacker is permitted to gain in the environment, the more work, and thus time, it will take to ensure they are no longer inside and have not planted additional back doors or other persistence mechanisms. Given the high severity and frequency of new attacks, time spent investigating and remediating one incident is often time not spent identifying or resolving another, which represents an ongoing and extreme level of risk on its own.
All of which is to say, preventing an attack before it starts is worth significantly more to an organization than later detecting and cleaning up the same attack. Prevention not only keeps the business and its valuable data safe but also saves the security team priceless time, which can be spent on other high-value work and helps the team scale with the resources it already has.
The Best Ransomware Protection is through Prevention
Once an attack is successful, even if it is quickly remediated, the rippling collateral damage compounds: audits, scans, manual forensic investigation, reviews and changes to security measures, and many other common incident post-mortem activities all take time from an already overwhelmed security organization. That lost time significantly increases the risk that another attack will go unseen until it is too late, or that a previous attack will not be fully eradicated.
If you are responsible for an enterprise security program and are evaluating your capabilities and tools, keep in mind that not all tools in a category include preventative technologies or tactics, and those that claim to are not all created equal either. With a prevention-first mindset, you will be able to approach capability coverage assessments and even new solution evaluations with a practical and powerful litmus test. Traditional antivirus products, for example, are extremely reactive: they are signature based and depend on a malware researcher having previously detected a given threat before signatures for that threat are added to the product. Under this model a new attack always results in at least one infection before it can be recognized, which is not prevention at all. The same can be said of many network and cloud-based sandbox solutions. Any solution that depends on having seen an attack in the past to know about a threat today is not going to be fully preventative, especially in the face of modern, sophisticated ransomware and the evasion techniques being employed, like those described in our recent whitepaper Evasive Malware: How and Why Your Anti-Malware Strategy Needs to Evolve Beyond Antivirus.
Fortunately, a new breed of solutions has emerged to provide true preventative protection, such as Minerva Labs’ own Ransomware Protection solution. By turning the security evasion tactics of ransomware and other malware against them, Minerva uniquely prevents the breach before it even starts, saving the enterprise and its end users valuable time and money. Because there are no signatures to update or reputational sandbox dependencies, Minerva works even without an active internet connection!
Whether you are a practitioner in a well-established large enterprise security program or an individual SMB security ninja, you stand to benefit from being able to spend time reviewing prevented breaches and improving security posture in other areas, instead of chasing down backups and doing forensic reviews while the business is offline during every incident. By adopting a prevention-first security mindset, you and your entire team will be able to continue building on a strong, secure foundation and accelerate your enterprise security maturity.