If the last year has taught security practitioners anything, it's that no organization - regardless of size, sector, or security budget - is immune to a ransomware attack. In fact, in 2021 alone, Colonial Pipeline, JBS Foods, Kaseya, and even the NBA were just some of the major organizations that fell victim to ransomware, making news headlines and causing major business disruption.
Business leaders and security professionals alike have only become more concerned about ransomware over time. This is due to an attack surface that is far broader and more complex than it was a decade ago, a shift accelerated by the global pandemic over the past two years. In tandem, cybercriminals have taken full advantage of this shift, becoming more motivated and sophisticated in the methods they use to gain access to an organization. In fact, the Verizon Business 2022 Data Breach Investigations Report found that ransomware increased by 13 percent over the past year, representing an uptick greater than the past five years combined – with no relief in sight for the year ahead.
Organizations must operate under the assumption that they will, at some point, be hit by ransomware. When that happens, it's not just about detecting the attack, protecting data, and recovering it, but also about ensuring business continuity with minimal data loss or disruption. The goal is to minimize downtime, which is simply not an option for most businesses. Here are three best practices to help ensure business continuity and minimize data loss following a ransomware attack:
Cover the basics first: Stay up to date with patches
As with anything, organizations must first get the fundamental security basics right before considering anything else in their protection and defense strategies. One of the most important things to evaluate when covering the basics is whether the organization’s infrastructure is well patched. If patching is not done regularly, one small vulnerability or blind spot could cripple a business – and, specifically, its continuity during an attack.
An effective patching strategy should ensure a business can stay up and running while important patches are applied. It will also incorporate strong automation mechanisms so the organization can react quickly and effectively to any patch that needs to be applied immediately. Automation, paired with the human element, can help organizations stay on top of the latest available patches and the newest vulnerabilities to watch for, which can make all the difference in both prevention and operations.
Have a clear line of sight: Visibility as the key to continuity
Once patching fundamentals have been established, it's time to move on to fully understanding the threat environment. Security teams must be able to see everything in an organization's possession in order to properly protect it and be able to operate once under attack. You can only stop what you can see, making visibility a key aspect of business continuity when under attack. For this reason, it's critical to establish a first-class view and inventory of what the organization has deployed in its environment – including what its current running state is and what the basic controls are around identity and access management.
Visibility becomes extremely difficult to achieve when one considers the amount of "noise" security teams are up against each day. Security teams are often called on to investigate false alarms: activity that looked suspicious but turned out to be harmless. Too much of this "noise" can cause already overworked, burnt-out security professionals to slowly lose their sense of urgency, which can lead to overlooking the open entry point that causes the next big ransomware attack. The threat environment is only getting more complex, and humans alone aren't enough to stop this – technology must work with them to establish maximum visibility.
Revisit your security strategy: Is XDR a part of it?
XDR, or Extended Detection and Response, is a term that nearly everyone in the industry has heard, but very few know how to use the technology to its full advantage. Ransomware attacks are the ideal moment for XDR to prove its value to the Security Operations Center and the business in general.
With XDR, defenders are given a better signal-to-noise ratio, allowing them to respond to major threats faster. Thanks to automation, XDR frees up the humans – the security professionals on the frontlines – to look into the real threats, not the "noise." During a ransomware attack, this is critical to getting a business back up and running as fast as possible, as the humans can then focus all of their attention on the real threat in near real time.
However, it’s important to note that network and endpoint visibility is needed for true XDR. Collecting telemetry from the network and the endpoint has notoriously been a challenge for organizations (and their technology vendors), but having insight into each packet across every access point in the organization will unlock true XDR.
“It’s not a matter of if, but when.” This is the mindset business leaders and their security teams must adopt before they become the next ransomware victim. By heeding the best practices above, organizations will be better positioned to ensure business continuity and minimize data loss in the face of such attacks. Is your business truly prepared?
Scott Lundgren is CTO of the VMware Security Business Unit.