Is cyber insurance a help or hindrance?

by Mark Rowe

Stephen Oliver, General Manager North EMEA, Gigamon, writes of the value of advanced network intelligence against ransomware.

Ransomware is now the most significant cyber-threat facing UK businesses, according to the National Cyber Security Centre (NCSC). Recent research would seem to bear that out. It finds that 95pc of global organisations have experienced an attack over the past year and 59pc expect one to come their way over the coming 12 months. Serious compromise could lead to major financial and reputational damage and potentially career-changing repercussions for security managers. So why do so few (4pc) organisations feel confident they are prepared for the threat?

Many are turning to cyber-insurance. But as premiums rise and coverage declines, more will have to be done. That means looking towards proactive rather than reactive security with more advanced network intelligence. By investing in deep observability – the addition of this network intelligence to amplify the power of current monitoring and observability tools – security teams can enhance detection and response efforts so that breaches can be stopped before making an impact.

Always innovating

Some 59pc of global IT leaders we spoke to believe the ransomware crisis worsened in Q2 of 2022. They’re right to be concerned. Groups like Conti are thought to be making billions of dollars by exploiting the security gaps present in many organisations. They’re leveraging a ransomware-as-a-service (RaaS) model to encourage avaricious affiliate groups to get involved in what used to be a specialist’s game. This is helping to drive up profits and the volume of threats globally.

Our study found that two-thirds (66pc) of UK firms also cite the increasing sophistication of cyber-criminals themselves as a leading cause of the spiralling ransomware crisis. Indeed, aside from innovative new operating models, the bad guys are also continuously looking for new ways to evade traditional defences. Their use of legitimate tooling like Cobalt Strike for covert lateral movement is now well understood, but still manages to ensure many breaches fly under the radar. Some groups are even innovating in their extortion methods. Data theft and leakage is well known. But one group was observed hacking their victims’ corporate sites to display a ransom note, while a second was seen creating bespoke leak sites for each corporate victim to put the pressure on.

The job of the corporate cybersecurity team has been made even harder after two years of digital investment to adapt to the radical new business environment brought about by the pandemic. That has led to a broadening of the cyber-attack surface via unmanaged remote working endpoints, the hybrid cloud environment and infrastructure which may be under-protected and misconfigured, and risk-taking home workers. Hybrid cloud is a particular challenge: many organisations are struggling to gain enough visibility to continuously manage risk in these environments, especially with skills in short supply. UK respondents were most likely to cite the digital skills gap (60pc) and misconfigured cloud assets (41pc) as a driver of ransomware compromise.

Interestingly, 60pc of IT and security professionals in the UK also believe cyber-insurance is exacerbating the current ransomware crisis. Are they right? While it’s worrying that a fifth (21pc) of organisations we spoke to claim insurance is literally their entire cybersecurity strategy, things are changing. Insurance is no longer the “get-out-of-jail-free card” it once was. Insurers are imposing ever more rigorous conditions on prospective customers to ensure they at least have some baseline cybersecurity controls in place.

In fact, due to heavy ransomware losses over recent years, premiums are now surging while coverage is being reduced—especially for firms without a mature security posture. The concern, therefore, is not that companies over-rely on insurance, but that they aren’t able to get coverage at all. By embracing more proactive security, organisations can benefit from lower prices and increased insurance coverage whilst also reducing their cyber risk. Deep observability can play a huge role in keeping prices down, by allowing security teams to spot behavioural anomalies through metadata analysis. Rather than waiting to react to a breach, this visibility enables teams to proactively mitigate threats, boost security posture and become far more attractive prospects for insurers.

An extra layer

The good news is that ransomware is now on the agenda of global boardrooms, with 89pc considering it a priority concern. However, there’s still some debate over how best to tackle it. Improving observability into assets and data flows across the entire on-premises and cloud environment is a crucial place to start: you can’t protect what you can’t see. In fact, 87pc of respondents agree they need more insight into their hybrid and multi-cloud environments. This is where network-level intelligence can be a force multiplier for mitigating cyber risk.

By extracting network-level data from key points across physical, virtual and cloud infrastructure, applying intelligence and sending that information to SIEM and other security monitoring tools, organisations can optimise detection and response. That means breaches are contained and remediated before they can turn into serious incidents. This level of deep observability offers a fantastic way to regain control against ransomware actors. It’s about going beyond traditional monitoring approaches that rely exclusively on metrics, events, logs and traces, to add a critical extra layer of insight.

In fact, with deep observability, a successful ransomware attack can start to look less like an inevitability, and more like just another cyber risk that can be managed.


© 2024 Professional Security Magazine. All rights reserved.
