Ransomware 101: What Is Ransomware and How Can You Protect Your Business?

Your organization gets hit by ransomware. Immediately, a million questions come to mind: What is ransomware? What machines are infected? What is the root cause? What is the recovery plan? How do we prevent this from happening in the future?

This was the case for many security professionals when the WannaCry ransomware hit in May 2017. If your organization had strong endpoint management and appropriately patched and updated your endpoints, WannaCry was largely a nonevent. However, if your machines were not updated, questions like these became very real, very quickly as the attack circled the globe bringing companies to their knees.

It’s not just WannaCry; ransomware attacks were the most prevalent variety of malware last year, according to Verizon’s “2018 Data Breach Investigations Report.” Meanwhile, Malwarebytes Labs tracked a 90 percent increase in detected ransomware attacks for business customers in 2017 and noted that “the monthly rate of ransomware attacks against businesses increased up to 10 times the rate of 2016.” Clearly, it’s time for companies to stop thinking it won’t happen to them — and get ready for when it does.

What Is Ransomware?

Before we get into what you can do to prepare for the inevitable, let’s clarify what ransomware actually is and how it works. Ransomware is malware that holds your data hostage and demands payment for its release. It typically infiltrates a system with a phishing email or website infection and exploits an existing endpoint vulnerability.

Ransomware then establishes a foothold, expands to other endpoints, and moves to discover, collect, stage and encrypt target data. Once the damage is done, it covers its tracks and exfiltrates data for use or sale on the dark web. Ransomware is unique because once it is in your environment, there are very few remedies available — all recourse is costly and business interruption is inevitable.

How to Protect Your Business From Ransomware

The good news is that many flaws exploited in ransomware attacks are known vulnerabilities. This means that organizations have the opportunity to prevent most ransomware from being successful before an attack is ever launched.

It is important to prepare your defense so you can respond quickly and effectively during an attack, and remediate and restore where necessary after an attack. The first and most cost-effective remedy is prevention.

Prior to an Attack

As the saying goes, “An ounce of prevention is worth a pound of cure.” Develop an incident response plan and practice executing it. Instead of waiting for an attack to occur, educate your employees proactively to help them recognize ransomware threats and their various infection vectors, including email, macros and compromised websites.

From an administrative perspective, understand what is on your network at all times and maintain a live inventory of these devices. This lets you know where and to what degree you are at risk from various vulnerabilities and helps streamline remediation efforts by knowing which devices to remediate first.

To minimize attack vectors from known vulnerabilities, establish an aggressive and current patch management policy for updating endpoints, operating systems and applications. Focus on achieving high, first-pass patch success rates to minimize the amount of time you have to spend determining root causes for multiple patch failures. Consider using an automated patch management tool to reduce your patch times from days or weeks to hours or minutes, increasing productivity and freeing resources to address other security concerns.

Additionally, you should establish and maintain a minimum security baseline. Incorporate security best practices into all endpoint builds and ensure a consistent “golden image” that adheres to your security policy. Enforce these configuration controls and security baselines on all endpoints. This will help eliminate configuration and compliance drift with protection that travels with the machine.

Next, ensure that your desired controls are in place and operational. Leverage antivirus, endpoint protection platforms (EPPs) and endpoint detection and response (EDR) tools to improve security and automate restart if services are stopped for any reason. Restrict execution of programs from temporary folders and confirm that only authorized executables are running on your devices. Consider prohibiting attachments with executables from email to reduce the number of potential attack agents that can infect your environment. You should also enforce least privilege methodology and restrict user accounts and applications to only those necessary to perform job functions; this will help minimize the impact a ransomware attack can have on other accounts and applications.

Finally, limit common attack vectors by disabling Flash and Windows Script Host (WSH). The more prepared you are in advance, the better your chances of avoiding (or surviving) a ransomware attack.

During an Attack

In the event that ransomware is successful in gaining a foothold in your organization, having a response plan and the right tools in place is vital to limiting the potential damage. Organizations must be able to identify the scope of the attack, contain the event quickly, protect machines that have not been affected, isolate machines that have, restore from backup where appropriate, and update and patch machines where vulnerable.

Start by knowing how to recognize a ransomware event. Look for pop-up messages that demand payment to provide access to data. See if your users are attempting to access a file on the network or on a local device and find out if it is encrypted. Then, determine if any endpoints are making connections that are out of character.

If you are experiencing an active attack, follow your response/remediation plan and decide if you can restore from backup or pay the ransom. Make sure you engage law enforcement — it’s worth noting that the FBI advises against paying a ransom fee. After all, there is no guarantee that paying a ransom will result in the restoration of your data. It’s a good idea to use a smartphone or camera to take a photograph of the ransom note and provide that to law enforcement.

Next, identify the type of ransomware variant. Sometimes you can find the name in the ransom note. Otherwise, you can share copies of the ransom note and/or an encrypted data file with ransomware experts who can evaluate it against known attacks and signatures. Knowing the type of ransomware will help you determine the best recovery option.

To limit damage, turn off all potentially infected endpoints and disconnect them from the network. It’s a good idea to also turn off any other devices (including external drives) for the duration of the attack until you know they are fully cleaned. Also, work offline while cleaning/checking machines and cut connectivity to local networks and file-syncing services to avoid ransomware spreading to other devices.

Many forms of encrypting ransomware copy your files, scramble the copies and delete the originals. Try to restore lost or damaged files by using data recovery tools to see if you can restore the files on your own. If this doesn’t work, continue to execute the restoration plan that was defined prior to the attack and see if you can restore your files from a backup. Before you do this, you should check to make sure ransomware is not part of the backup process and that your backup data is not encrypted.
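One way to act on the last point, checking that the backup you are about to restore from is not itself full of ransomware-encrypted files, is an entropy sweep of the backup set. This is an added example, not code from the original post: encrypted files have a near-uniform byte distribution, so Shannon entropy close to 8 bits per byte on a file type that is normally compressible is a warning sign. The threshold, sample size and the allow-list of formats that are high-entropy by nature are assumptions to tune for your own data.

```python
"""Flag files in a backup set that look encrypted before restoring from it."""
import math
import sys
from collections import Counter
from pathlib import Path

# Formats that are compressed or encrypted by design and so score high anyway
# (assumption: extend this list for your own backup set).
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf"}
THRESHOLD = 7.5      # bits per byte; plain text and office files sit well below
SAMPLE_SIZE = 65536  # only the leading bytes are measured
MIN_SAMPLE = 256     # too few bytes give an unstable estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when a normally compressible file type has ciphertext-like content."""
    if Path(name).suffix.lower() in EXPECTED_HIGH_ENTROPY:
        return False
    if len(data) < MIN_SAMPLE:
        return False
    return shannon_entropy(data[:SAMPLE_SIZE]) >= THRESHOLD


def scan_backup(root: Path) -> list:
    """Walk a mounted or restored backup tree and return suspicious paths."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(SAMPLE_SIZE)
            if looks_encrypted(path.name, head):
                hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_backup.py /mnt/backup
    for hit in scan_backup(Path(sys.argv[1])):
        print("possible encrypted file:", hit)
```

A clean backup produces no output; a run that lists many documents from a single date usually means the ransomware ran before that backup job and the job captured the encrypted copies.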

Next, remove the ransomware from the infected device(s). Use antivirus or anti-malware software to clean the infected machine, but remember that simply removing the ransomware will not decrypt your files, and it may impact your ability to get your files back should you choose to pay the ransom. You might also consider wiping your entire hard drive and reinstalling your operating system and applications.

After an Attack

To prevent reinfection, apply all critical patches to your operating systems and applications. Start with patching the vulnerability that was exploited across your environment and validate that the malware was removed successfully and completely.

Finally, file a police report. This is an important legal step that is often required if you are filing an insurance claim or considering a lawsuit related to your infection. This also helps law enforcement monitor ransomware activity, growth and other trends.

Keep Ransomware Off Your Network

Most successful ransomware attacks gain access to your environment through a known vulnerability on a compromised endpoint. The best way to avoid this is by inoculating your endpoints against ransomware. Endpoint hygiene should ensure that patches are up to date and applications are on the most secure version. You also need visibility into what is happening on the endpoint and across the network so you can contain attacks quickly.

Use an endpoint management solution that provides the real-time visibility and control you need to fight back. It should enable you to discover, patch and report on all endpoints regardless of location, connectivity or bandwidth. The platform should also provide software inventory and asset capabilities that enable you to quickly see all patch levels, software versions and configurations on all endpoints — regardless of operating system or network connectivity. It should do all this securely, with minimal firewall changes and a rock-solid architecture.

You should also consider solutions that integrate with other key security applications you use, such as your security information and event management (SIEM), incident response (IR), EDR, network access control (NAC) and vulnerability management solutions. This will further improve your overall security posture while optimizing your time and resource investments. Most importantly, always remember that the best way to combat ransomware is to keep it off your network altogether.

To learn more, register and watch the on-demand webinar, “The Life and Times of Ransomware: Before, During and After.”

The post Ransomware 101: What Is Ransomware and How Can You Protect Your Business? appeared first on Security Intelligence.

How to Drive ROI and Improve Endpoint Security With a Managed Security Services Provider

If you’re an IT managed service provider (MSP), there’s a tremendous opportunity to help your clients save money by providing high-value endpoint security services while you receive a high margin of return in exchange.

More specifically, businesses today are desperate to increase their endpoint security posture. In fact, the endpoint has become one of the greatest network security risks. Many can do it in-house, but they’d prefer not to if they can find a provider who will save them money and do it better. You can be that provider. But how?

The Magnitude of the Endpoint Security Problem

Enterprise networks are becoming more and more complex as the mobility of the workforce increases. Organizations must secure their systems, all of which use a wide range of operating systems, from the desktop to the cloud.

Just keeping track of all of those devices and ensuring that they’re up to date and compliant with security protocols is a huge job. But the greatest challenge comes from all the devices on the network that the security team doesn’t know about. After all, you can’t fix what you can’t see.

The Opportunity for Managed Security Service Providers

IT and managed security service providers (MSSPs) need to offer services that close this visibility gap for businesses. You can do so by leveraging technologies that discover all network assets and provide real-time visibility into their security and compliance status. But don’t stop there — technologies that just provide visibility only solve half the problem. Implement solutions for your client that provide dynamic situational awareness and rapidly fix the problems it finds.

Endpoint technologies that require significant configuration to work in a customer environment will increase your customers’ cost, reduce their return on investment (ROI) and eat into the profit margins of your services. These are lose-lose scenarios from a business perspective. Instead, select a lightweight, easily deployable technology that ships with extensive out-of-the-box content to find and fix the myriad endpoint problems that businesses face, including:

The solution you choose should enable you to find and fix problems for your clients within hours and with minimal effort. The required manpower should be no more than a few clicks of the mouse to deliver compliance to your clients at levels above 98 percent.

Endpoints are the center of the malware universe. When organizations suffer data breaches, it’s because their endpoints have been compromised, exposing the data that resides in them. Continuous compliance and enforcement of endpoint security policies is no longer just nice to have; it’s a requirement that should be on the minds of all C-suite executives.

New Gartner Report Recommends a Vulnerability Management Process Based on Weaponization and Asset Value

Analyst firm Gartner recently published a report titled “Implement a Risk-Based Approach to Vulnerability Management.” It focuses on a risk-based approach to the vulnerability management process and includes several statements and recommendations that our X-Force Red team strongly supports. Some of them include:

  • “A vulnerability is only as dangerous as the threat exploiting it.”
  • “Vulnerability rating schemes that don’t take into account what threat actors are leveraging in the wild can cause organizations to address less risky issues first.”
  • “Implement a risk-based approach that correlates asset value, the severity of vulnerabilities and threat actor activity via the use of threat intelligence and analytics to calculate a realistic risk rating.”
  • “Prioritizing treatment of vulnerabilities commonly targeted by exploit kits, malware, ransomware and threat actors, while also considering asset criticality and external exposure, will focus remediation on the elimination of imminent risks.”

How Can Security Teams Optimize the Vulnerability Management Process?

X-Force Red built X-Force Red Vulnerability Management Services (VMS) with these same methodologies in mind. One of the biggest challenges plaguing security teams worldwide is figuring out which vulnerabilities, out of hundreds of thousands that are uncovered daily, to remediate first.

With limited time and resources, security teams manually sift through each vulnerability, trying to decipher which one could cause the most harm to their organization. Many have relied on the Common Vulnerability Scoring System (CVSS), but those scores do not factor in the importance of an exposed asset, or whether the vulnerability is actively weaponized by criminals.

As a result, security teams often waste time following up on false positives and minimal-risk vulnerabilities, while the most dangerous ones remain unpatched.

Inside X-Force Red’s Vulnerability Ranking Formula

X-Force Red set out to help organizations tackle the prioritization problem by focusing on the same key components covered in Gartner’s recent report: weaponization, severity and asset value. X-Force Red VMS includes automated ranking.

This image is from X-Force Red. It shows how X-Force Red VMS ranks vulnerabilities, with the most critical one clearly stated at the top of the pyramid. The ranking is based on whether the vulnerability is being weaponized, the value of the exposed asset and its criticality.

After a scan produces an extensive list of vulnerabilities, our proprietary analytics correlate the criticality, asset value and active exploits. We then automatically rank the vulnerabilities, prioritizing those that have been weaponized to expose a high-value asset. Whereas manual prioritization methods typically take four to five days to complete, our ranking is done within minutes, enabling remediation to begin immediately.

The core function of our ranking formula is prioritizing vulnerabilities by risk. A broken door on a safe is a serious vulnerability; a broken door on a safe with a burglar outside is a more serious vulnerability. We train your enterprise to start by securing the latter.

We apply that philosophy to every vulnerability we detect, and, based on its latest report, it’s clear Gartner shares that view.
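The following is an added illustration of the idea behind the ranking described above, not X-Force Red’s proprietary analytics: it correlates the three inputs the Gartner report names (severity, asset value and threat activity) so that a weaponized, exposed finding on a high-value asset outranks an unweaponized finding with a higher CVSS score. The weights, asset names and vulnerability ids are all constructed for the example.

```python
"""Risk-based ranking of scan findings: severity x asset value x threat activity."""
from dataclasses import dataclass

# Weights are assumptions for illustration; the shape matters more than the values.
ASSET_VALUE_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0}
WEAPONIZED_MULTIPLIER = 3.0   # known exploit kit / malware / ransomware use
EXPOSED_MULTIPLIER = 1.5      # reachable from the internet


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder ids, not real CVE numbers
    cvss: float         # CVSS base score, 0.0 to 10.0
    asset_value: str    # "low", "medium" or "high"
    weaponized: bool    # threat intelligence says it is exploited in the wild
    exposed: bool       # externally reachable


def risk_score(f: Finding) -> float:
    """Severity alone is the CVSS score; asset value and threat activity scale it."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    score = f.cvss * ASSET_VALUE_WEIGHT[f.asset_value]
    if f.weaponized:
        score *= WEAPONIZED_MULTIPLIER
    if f.exposed:
        score *= EXPOSED_MULTIPLIER
    return round(score, 1)


def rank(findings) -> list:
    """Most urgent finding first; this is the order remediation should follow."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample scan output: a critical-CVSS finding on a throwaway asset
# versus medium/high findings that are actively weaponized.
SAMPLE = [
    Finding("file-server-01", "VULN-A", 9.8, "low", False, False),
    Finding("erp-db-01", "VULN-B", 6.5, "high", True, False),
    Finding("web-portal", "VULN-C", 7.5, "medium", True, True),
    Finding("kiosk-03", "VULN-D", 5.0, "low", False, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{risk_score(f):6.1f}  {f.asset:15} {f.vuln_id}  cvss={f.cvss}")
```

With these inputs the 9.8 CVSS finding drops to third place behind the two weaponized ones, which is exactly the “burglar outside the safe” ordering the post argues for.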
