C-Suite Priorities: Protecting against ransomware with cyber security incident response

This article was originally published as a guest post on the Cyber Security Buzz blog.

Security executives are under increasing pressure to keep sensitive networks, systems and data safe from threats that are growing rapidly in both frequency and complexity. It’s no surprise, then, that CSOs and CISOs often find themselves in the hot seat when it comes to cyber security. Their roles are changing along with the new daily challenges they face, and as such, they are working tirelessly to stay abreast of the latest cyber-threat news.

In particular, with ransomware steadily on the rise and cyber criminals developing new and improved ways to find and exploit vulnerabilities, IT leaders have no choice but to re-examine their cyber security strategies to ensure that they are strong enough to withstand the variety of incoming threats they face. By investing in an incident response plan as the first line of defense, executives can add the protection of immediate identification and isolation of a threat before it has a chance to wreak havoc.

The fact is, as the landscape of cyber threats continues to evolve and expand, it’s becoming abundantly clear that traditional preventative approaches to network and data security are no longer sufficient on their own. Even Gartner holds that detection and response are the foundation of a successful cyber security strategy. No organization is immune to attack, and without the ability to quickly pinpoint and remediate a successful breach, the outcome could be nothing short of devastating, both financially and reputationally.

Compounding the problem is the increasingly widespread adoption of cloud technology and the IoT. Simply put, migration to the cloud fundamentally changes IT security. In a cloud or hybrid environment, the focus must shift to monitoring and managing incident response. Likewise, as more and more connected devices are brought into the workplace, the risk of becoming a victim of a ransomware attack increases exponentially. Instead of a few vulnerabilities, the office becomes a potential gold mine for attackers, which means much more work for security professionals.

What’s the solution? While preventative measures such as firewalls and malware monitors have their place, the best defense an organization can take against security breaches is a more robust incident response strategy that covers all bases. Specifically, it should be a system that integrates with, enhances and extends the capabilities of existing systems and applications to create a more holistic, streamlined and highly effective process.

A strong cyber security incident response strategy should not only detect the signs of ransomware, but automatically analyze, isolate and contain the threat so that it cannot cause any additional damage. The isolated malware can then be eradicated and the recovery process can begin automatically, effectively mitigating damages. This approach essentially closes the loop, creating a far more resilient defense against cyber-attacks, regardless of when, where and how many points of entry exist. Best of all, this can be handled entirely without the need for human input, addressing both the staffing shortage and the skills gap in one fell swoop.

With worldwide expenditure on enhancing detection and response capabilities expected to be a key priority for security buyers through 2020, the time for security executives to begin shifting their focus is now. By investing in a robust, automated cyber security incident response plan as the first line of defense, executives can give their organizations the added level of protection they need to thwart would-be attackers and manage threats in a way that limits damages as much as possible.

Guest Post: How to Effectively Isolate Malicious Files Before They Spread

Virtually every organization deals with a firehose of potential malware on a daily basis. Infosec teams are often overwhelmed by the arduous digital forensics and incident response (DFIR) processes needed to deal with the flood. Typically these DFIR processes involve manual, repetitive checks. Sound familiar?

Chances are your organization, like many others today, struggles to stay ahead in the fight against malware. Evasion techniques employed by sophisticated zero-day malware; manual processes that increase the workload of security teams and open the door to human error; and the lack of automated orchestration tools for dealing with malware attacks are just a few of the many challenges most organizations face today.

Ayehu’s automation and orchestration platform combined with VMRay’s agentless malware detection and analysis engine enables security teams to mitigate the risk of potentially malicious files through fast automated threat analysis and detection.

How does it work?

Alerts from Security Information and Event Management (SIEM) platforms are usually the trigger for infosec teams to begin investigating potential attacks. Simple integrations with SIEM platforms like Splunk enable Ayehu to receive alerts about suspicious files in an organization’s network. Through an automated process, Ayehu submits the suspicious file to VMRay Analyzer for further analysis.

The file is automatically vetted by VMRay’s built-in reputation engine, which can determine within milliseconds whether a file is known malicious or known benign. Dealing with known threats this quickly in a fully automated process makes threat mitigation much more efficient and effective.

Ayehu VMRay Connector

What if the reputation engine cannot classify the suspicious file as known good or known bad? How can I protect my organization from zero-day malware?

If the reputation engine returns an “Unknown” reputation score, the next step in the analysis process is to automatically put the file through a detailed behavioral analysis.

The suspicious file is detonated in a customized virtual machine and monitored for all of its system interactions. With this approach, it is almost impossible for the suspicious file to detect the analysis engine and evade analysis. The dynamic analysis engine then returns a VTI (VMRay Threat Identifier) score based on several factors, such as:

  • Filesystem, registry and network activity of the suspicious file
  • Process creation, code injection or driver installation performed by the suspicious file
  • Evasion techniques used by the suspicious file
  • System persistence techniques used by the suspicious file
  • YARA rule matches

If a file is deemed malicious by VMRay Analyzer, Ayehu can automatically escalate it as a top priority by generating alerts to security teams. With specific playbooks, Ayehu can automatically quarantine a user’s device by:

  • Blocking IPs/Hashes
  • Disabling the User
  • Terminating Processes

Automated analysis eliminates the risk of allowing potentially malicious files into your environment while relieving your security team of manual, error-prone processes.
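The triage flow described above (SIEM alert, reputation lookup, behavioral analysis when the reputation is unknown, then containment playbook), as an added illustration that is not Ayehu's or VMRay's own code: the reputation database, the behavioral factor names and weights, the threshold, and the playbook action strings are all constructed stand-ins, not the vendors' real APIs or VTI scoring.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed reputation database keyed by SHA-256 of file content
# (stand-in for the vendor reputation engine; not real indicators).
REPUTATION_DB = {
    hashlib.sha256(b"known good installer").hexdigest(): "benign",
    hashlib.sha256(b"known ransomware dropper").hexdigest(): "malicious",
}

# Hypothetical weights for the behavioral factors listed in the article.
FACTOR_WEIGHTS = {
    "mass_file_encryption": 40,   # filesystem activity typical of ransomware
    "c2_beacon": 20,              # suspicious network activity
    "code_injection": 25,         # process creation / code injection
    "sandbox_evasion": 15,        # evasion techniques
    "registry_run_key": 15,       # system persistence
    "yara_match": 30,             # YARA rule hit
}
MALICIOUS_THRESHOLD = 50          # assumed cut-off on the 0-100 score

@dataclass
class Verdict:
    stage: str                    # "reputation" or "behavioral"
    label: str                    # "benign" or "malicious"
    score: int                    # 0-100 threat score
    actions: list = field(default_factory=list)

def reputation_lookup(content: bytes) -> str:
    """Known good / known bad / unknown, by content hash."""
    return REPUTATION_DB.get(hashlib.sha256(content).hexdigest(), "unknown")

def behavioral_score(observations: set) -> int:
    """Sum the weights of observed behaviors, capped at 100."""
    return min(100, sum(FACTOR_WEIGHTS.get(o, 0) for o in observations))

def response_actions(sha256: str, user: str, pid: int) -> list:
    """Containment playbook steps named in the article (block, disable, terminate)."""
    return [f"block_hash:{sha256}", f"disable_user:{user}", f"terminate_process:{pid}"]

def triage(content: bytes, observations: set, user: str, pid: int) -> Verdict:
    sha = hashlib.sha256(content).hexdigest()
    rep = reputation_lookup(content)
    if rep == "benign":       # known good: release, no detonation needed
        return Verdict("reputation", "benign", 0)
    if rep == "malicious":    # known bad: contain immediately
        return Verdict("reputation", "malicious", 100, response_actions(sha, user, pid))
    score = behavioral_score(observations)   # unknown: fall through to sandbox result
    if score >= MALICIOUS_THRESHOLD:
        return Verdict("behavioral", "malicious", score, response_actions(sha, user, pid))
    return Verdict("behavioral", "benign", score)
```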

About the Author…
Rohan Viegas – VMRay, Product Manager
Rohan brings over 12 years of experience in product development and management roles to VMRay. In his role as Product Manager for Hewlett-Packard Enterprise, prior to VMRay, Rohan managed a portfolio of products including network management and security software.
At VMRay, Rohan’s responsibilities include product roadmap planning, project management, and technical collateral development.