When Baxter Credit Union was threatened by the Kaseya vulnerability in 2021, Senior Cybersecurity Manager Stephen Jauregui knew its Falcon Complete managed service from CrowdStrike would take care of it.

Sep 12 2022
Security

How Managed Detection and Response Keeps Businesses Safe from Ransomware

Attacks are getting more frequent and sophisticated. Defenses need to keep up.

On July 2, 2021, while preparing to kick off the holiday weekend, Stephen Jauregui got an alert about a malicious .crt file on six servers. His company, Baxter Credit Union, based in Vernon Hills, Ill., was one of thousands hit by the notorious Kaseya vulnerability.

Even so, recalls Jauregui, senior cybersecurity manager, “I was feeling pretty comfortable.”

The alert was from CrowdStrike, BCU’s endpoint detection and response platform, and since Jauregui had recently added its Falcon Complete managed service, CrowdStrike had already remediated the malicious file, investigated and found no other instances of it in BCU’s environment.

“On InfoSec Twitter, it was like, ‘Oh, God, here we go. Another weekend lost,’ and I was like, ‘We’re actually doing OK,’” Jauregui says. He gave the all-clear within 37 minutes.


Record-setting cyberattacks prompted SonicWall to declare 2021 “the year of ransomware,” and the threats haven’t abated. But as attackers have matured, so have their targets. Businesses are upping their security defenses, beginning with basic prevention and building toward artificial intelligence tools and a zero-trust posture.

What’s fueling the urgency is that ransomware has itself become a thriving industry, particularly in the age of cryptocurrency, which makes it easier for attackers to get paid. Anyone can purchase Ransomware as a Service on the dark web.

“It’s a business at this point,” says Candy Alexander, board president of ISSA International. “The malicious threat actors are going to continue to grow their business because it works. It’s very entrepreneurial, in a bad way.”

Alexander urges businesses not to pay ransoms unless it’s a life-or-death situation, because payouts buttress the ransomware industry. If no one paid, it would collapse. Either way, she adds, businesses should determine before they get hit whether they would pay a ransom or try to recover and rebuild.

The risks can’t be ignored, Jauregui says: “It’s probably weird for this field, but I’m kind of a low-key person. Still, there are things that occur in this job that can raise the hairs on the back of your neck. Having something like Falcon Complete helps a laid-back person like me remain calm during taxing times.”


A Robust Security Strategy Requires a Layered Defense

At LEO A DALY, an Omaha, Neb.-based architecture, planning, engineering and interior design firm, all it took was one person in accounting clicking on an email link. The ransomware spread to the employee’s contacts, including someone with administrative privileges, and to all the network drives across the firm’s 30 offices.

IT shut down external communication to the server, then worked with the company’s cloud storage vendor, Nasuni, to clean up the ransomware and determine what hit it. With help from Microsoft, they determined that it was the Trojan:Win32/Zlader threat, got the decryption key, then restored the network from the company’s Nasuni immutable storage. That was in 2016.

Looking back, CIO Stephen Held says, the attack prompted the firm to add cybersecurity protections to prevent future attacks. For instance, back then, the firm didn’t have a good method for recalling ransomware messages from employees’ emails, so others fell for the same attack over the following days. Now, IT staffers recall messages regularly. They’ve also locked down administrative privileges.

Before the 2016 attack, LEO A DALY hadn’t done much to train users to recognize and report phishing emails, but the company now uses KnowBe4 for training and phishing simulation.

It has also implemented Arctic Wolf’s hosted security incident and event management service, which provides active monitoring and alerting for workstations and servers, Held says: “They have the ability to shut it down before it propagates.”

Like most firms, LEO A DALY still faces an onslaught of phishing attempts, but its systems and people are able to stop them from progressing. Just recently, employees received text messages and emails purportedly from a company president. Multiple recipients questioned their legitimacy and reported them to IT. “They could have also hit the phishing alert button,” Held adds.

All the steps the firm has taken have moved it along the path toward zero trust, a holistic security mindset. One aspect of zero trust is least-privilege access. “You don’t have to open the door so wide that criminals can squeeze through along with your own people,” says Jim Taylor, chief product officer at RSA Security. “Only give people access to things that they need.”

Another component is no implied trust — always validate. “In the old world, where we could put a firewall up, we built a moat and a fence, we had a perimeter,” explains Taylor. “That doesn’t exist in the modern world. We all access Software as a Service. You can’t build a wall around the world. The criminals are on the inside. So, identify what’s important and secure those assets.”

The industry is moving in the right direction, Taylor adds. “I can honestly say, hand on heart, that this is one of the most exciting times in security,” he says. “It’s always been, ‘Oh, we’ll get to it. Security’s really important,’ but it’s No. 5 on the list. Companies are taking it seriously now.”


Lean on Cybersecurity Professionals For Help

The ransomware attack could have gone very differently for BCU. The vulnerability came from a phone vendor that leveraged Kaseya. BCU could have lost its phone system indefinitely, a significant blow to any financial institution, Jauregui says.

He was brought in to help guard against such threats. He started in February 2020, one month before the COVID-19 pandemic hit. The company already had CrowdStrike, which eased his mind, but with only four people on his team, two of whom were new to cybersecurity, he needed help. In addition to growing the team — he now has 10 team members — he suggested Falcon Complete, and CISO Stephenie Southard agreed that it made sense.

“There were alerts out the wazoo that we needed to field, and it just wasn’t practical to try to do that with everything else that we were charged with doing,” he says.

Some see endpoint detection and response as a silver bullet, and it certainly provides peace of mind, Jauregui says. But it’s just one piece of the puzzle. “It’s not as though once I have this in place, I can kick my feet up on my desk and my job is done,” he says. “You still have to work on the rest of your infrastructure and cybersecurity posture.”

Falcon Complete let Jauregui turn his attention to fundamentals — such as patching, configuration management, change management, access control and encryption — and other tasks without sacrificing on alerts. “We don’t have time to deal with each alert, so it was good to know that we can rely on this team of people who know what they’re doing,” he says. “They’re on the job 24/7.”

Photography by Bob Stefko