Keeping up with the tools and solution providers in an ever-expanding and evolving ransomware landscape is a lot for security teams to take on.
While some security pros might enjoy the process of researching and testing new technologies, these employees are already overwhelmed with day-to-day work.
On top of that, implementing the right ransomware stack is a time-sensitive matter.
The more time your team spends evaluating potential solutions, the more opportunities cyber criminals have to exploit vulnerabilities in existing solutions.
In this article, we’ll focus on key considerations and selection criteria for ransomware solutions – so you can lock down your system ASAP.
1. DefineYour Requirements
It doesn’t matter whether it’s a strategic new hire, a managed services provider, or a few choice investments in your ransomware defense strategy, you need to figure out what you’re looking and define your requirements for before starting your search.
You’ll want to make sure that your ransomware stack addresses the full spectrum of risk vectors — and that it aligns with the specific needs and challenges of your business.
Think —identity and access management, threat intelligence, security automation, and so on — as well as any requirements specific to your industry, business model, or how you run your business.
For example, if you operate in an industry with strict compliance requirements (i.e. financial services, healthcare) or handle a lot of valuable customer data, trade secrets, or IP (i.e. professional services, tech, retail) you’ll want to look for solutions that can help you meet those additional requirements, such as automated data governance or regulatory compliance.
Audit your entire system and make sure you can answer the following questions:
- What solutions are already in place?
- What are your security goals?
- What’s missing?
- Which solutions are falling short? Why?
- Is it an issue of fragmentation? Poor coverage?
Be as detailed as possible – this will help you limit the number of solutions you test at the same time and ensure that you’re focusing your efforts/resources on relevant solutions.
2. Map Your Current Security Posture
Next, you’ll want to put together a map of your current digital estate. This includes assets, identities, networks, devices, and any existing security solutions, as well as any gaps or vulnerabilities that need to be addressed.
Aim to uncover blindspots, identify shadow IT and identities, identify riskvectors and data flows.
We recommend using the Zero Trust architecture to help guide this process. The framework is built on the following nine security pillars — all of which will need to be addressed in your stack to effectively defend against ransomware:
- Identity
- Endpoints
- Networks
- Apps
- Data
- Infrastructure
- Policy optimization
- Policy enforcement
- Threat protection
This gives you a starting point you can use to start evaluating solutions that specifically address your security needs.
According to Secureworks, threat actors target gaps between layers – processes, tools, etc. – leaving businesses vulnerable, even after implementing intelligent solutions and robust protections.
Implementinga Zero Trust architecture allows you to systematically seal those gaps and avoid costly breaches or other incidents that could have been prevented. So, ultimately, you’ll want to make sure that your solution(s) covers all of these pillars, plus any unique business requirements that might impact your security posture.
3. Evaluate Vendors and Ransomware Tools
Once you’ve established a set of baseline requirements, you’ll want to use that info to learn what options are out there.
Organizations should, at a minimum, make sure that they’re evaluating solutions and vendors that offer SIEM, XDR, and EDR functionality — and that those core capabilities can be unified in a single pane of glass.
Analyze open source and commercial tools available in the market based on your requirements.
Here are a few examples of questions you might ask to find the best-fit solutions:
- Does this solution offer comprehensive protection? In other words, does it cover the entire network or just parts of it? For example, a traditional EDR (endpoint detection and response) solution focuses exclusively on endpoints, whereas modern XDR solutions (extende detection and response) covers endpoints, as well as cloud, network, and third-party data.
- Is it reliable? Look at things like uptime, bugs, and crashes that could leave you temporarily exposed to threat actors. Additionally, you’ll want to make sure that potential solutions don’t
conflict with existing software, which could lead to malfunction or suspended protections. - Is it easy to use? You don’t want to invest in solutions that require special skills in order to detect and respond to threats. Instead, look for solutions that make it easy for everyone to follow ransomware best practices, create and enforce policies, and evolve the strategy alongside the rapidly changing threat landscape.
- Does it provide quality protection? You want to ensure that potential solutions are up to the challenge of protecting your system from all possible threats. Look at things like how often the vendor releases updates, whether security solutions have an impact on device/process/software performance, and whether they’re able to effectively remove malware from your system. You’ll also want to look at malware detection and response capabilities. For example, does it include AI and automation capabilities that can quickly isolate infected systems and remediate damage? Does it provide real-time alerts?
- Does the vendor continuously invest in research and development? This is important because it ensures that your vendor is committed to protecting its customers against existing, emerging, and future threats. You want to make sure that you’re investing in solutions that will last for years to come – and that your vendor won’t abandon you after the initial implementation.
- What is the cost and potential impact of each solution? You’ll want to run a cost-benefit analysis before investing in a solution – or even dedicating limited time and resources into testing and trials. You might include additional questions in your evaluation process, depending on what you’re trying to achieve with your anti-ransomware investments. The idea here is to gather enough information to put together a short list of tools you’d like to test before making any big commitments.
4. Come Up with a Plan for Evaluating & Testing Potential Solutions
Once you’ve narrowed your search, you’ll want to take potential solutions for a test drive before making a final decision.
Keep in mind, you’ll want to follow a systematic testing process, evaluating solutions against the same criteria and under the same conditions. This is super important as it allows you to effectively compare solutions and find the best option(s) for your business needs.
Tools should solve for the specific needs you outlined before getting started. Those might
include:
- Improving productivity and accuracy
- Automating manual processes
- Gaining more granular visibility across your digital estate
- Improving asset discovery
- Increasing the speed of detection and response
You might consider running a pilot program. Many vendors use proof of concept evaluation criteria to help organizations understand how solutions work in context with a particular industry or use case. But those are just a starting point - a template that doesn't include the specific requirements unique to your business. A pilot program allows you to test solutions in a limited capacity - and measure the real impact they have on your business.
You should also set up sandbox environments to learn more about how solutions perform
under various conditions.
For example, you might use predictive modeling capabilities to simulate different threat
scenarios and evaluate how each solution responds against specific criteria – speed, accuracy, whatever.
5. Focuson Centralizing Security Operations
Avoid taking a “best-in-breed” approach to security.
Fragmentation slows you down, creates data issues, and locks critical insights inside silos. It’s fundamentally at odds with the agility and end-to-end visibility you need to protect yourself in this complex, high-risk environment.
According to Splunk, modern security operations centers (SOCs) must include a common workspace for everyone in the organization. This is crucial, as it removes the need to switch between different tools, eliminates silos, and gives everyone a complete picture of where the security posture stands at any given moment.
As an example, Duck CreekTechnologies replaced its existing SIEM solution with Microsoft Azure Sentinel and was able to gain end-to-end visibility across its entire digital estate.
While DuckCreek’s old SIEM also ran on Azure, it wasn’t natively integrated — which meant
it was missing some critical functions — like the ability to pull real-time reports or integrate telemetry and log data with other security insights.
As such, combining Microsoft-based data with Azure Sentinel was a game-changer. Defender
for Endpoint allowed the Duck Creek team to quickly make adjustments to security policies when COVID forced them to go remote.
And, on top of that, the company can now monitor user activity, log-in patterns, etc. at a glance, from a single pane of glass — providing extra assurance that employees can work remotely, at scale — without taking on any additional risk.
Microsoft’s security solutions can all be managed through the Azure Security Center, which provides centralized monitoring and management across the entire estate.
In the below screenshot, you can see an inventory of all resources across on-premises and cloud environments – all managed using Azure Arc via Azure Security Center.
You can also set information protection controls in the Microsoft 365 Compliance Center by creating policies, automating data labeling and classification, and enforcing custom rules using a series of triggers and actions to encrypt files, limit access, or restrict the use of third-party apps.
FinalThoughts
While tools will vary by organization, you’ll want to make sure that you cover all possible vulnerabilities from multiple angles. The Zero Trust security pillars are a great starting point for figuring out what to look for when evaluating potential solutions.
You can also take this series of self-assessments to determine the maturity of your ransomware strategy – and what it’ll take to improve your defenses against ransomware.
As a certified Microsoft partner, ACOMDev, LLC will work directly with clients, helping them evaluate their security posture, identify blind spots and risks, and implement the best-fit solutions. To learn more about working with us, please contact, ghorlander@acomdev.com.