The Case for Security Automation: An Emerging Anti-Ransomware Tool

Ransomware is “the most immediate danger to UK businesses and most other organisations,” warned Lindy Cameron, CEO of the UK’s National Cyber Security Centre, at the Chatham House Cyber 2021 Conference.

For most companies, this is not something that needs to be said twice. With attacks almost doubling last year, ransomware is top of mind for most, if not all, businesses. 85% of firms see ransomware as their biggest worry—above any other type of cyber threat. 

At the same time, nearly 50% are unsure they can defend themselves against ransomware attacks. As ransomware gangs grow and evolve, more and more companies feel they have no choice but to give in to threat actor demands. One survey found that of the companies that fell victim to ransomware, 83% paid a ransom.

However, Cameron doesn’t believe that giving up is the right approach to take. “We should not view ransomware as a risk we have to live with and can't do anything about,” she said. Rather, she advises companies to take “actionable steps” to improve cyber resilience. 

These steps include timely vulnerability patching and multi-factor authentication. But basic security controls like these won’t help companies detect intruders once they’re inside a network. To add layers and build defence in depth, emerging anti-ransomware techniques like security automation are gaining attention.

Ransomware Is Inescapable 

Today, a third of organisations deal with ransomware attacks at least weekly. 1 in 10 say they are attacked more than once a day. Here are the main reasons why ransomware is now such a common problem:

  • More organisations are paying ransoms. New ransomware gangs use ransoms as seed capital to grow their operations, for example by buying advanced software and exploits and recruiting better talent.

  • Hacking groups involved in other cybercriminal activities, like FIN7, known for credit card theft campaigns, are also moving into ransomware.

  • Cybercriminals are recycling ransomware. And ransomware-as-a-service, where ransomware operators lease out ransomware tools to affiliates for a fee, is becoming more popular.

Not only are there more ransomware attacks. Attacks are also more likely to succeed. Threat actors are using new strategies, tactics, and techniques to improve their chances of sneaking into corporate networks. 

According to one report, elite groups are doing detailed recon/research to find targets and make their phishing attempts harder to spot. They are also investing in PR to instil fear and pressure victims into paying. 

Insider threats are on the rise too. Another report shows that more threat actors are reaching out to employees directly and asking for help with ransomware attacks in return for a cut of the profits.

Stopping ransomware attacks has never been easy. But now that attack rates have increased, the chances of threats slipping past the network perimeter are extremely high. Of the companies surveyed by Proofpoint in 2022, 68% said they were infected with ransomware at least once last year. 

After initial access, hackers can deploy ransomware in days or even hours. Therefore, the speed with which defenders can detect, investigate, and remediate an attack in progress is of utmost importance. This is where security AI and automation technologies come in. 

Security Automation Is Key to Mitigating Ransomware

The vast majority of professionals receive more than 10 alerts per day. And with each alert taking an average of half an hour to review, it’s easy to see how ransomware often goes undetected in a typical SOC until it’s much too late. 

It doesn’t help that, overwhelmed by security alerts, some analysts switch off or ignore alerts. More than 1 in 2 are also not confident in their ability to prioritise and respond to them.

Security AI and automation are security technologies that augment or replace some of what human analysts do. These technologies automate repetitive tasks like manual security event correlation and analysis, and prioritise alerts based on their urgency.

Powered by AI and machine learning, security automation tools learn from experience and avoid human error. They can compare data from various attack vectors to determine if an alert is genuine or a false positive. Then they can decide on the appropriate automated action—all without human intervention. 

In the event of a ransomware attack, a security automation solution will immediately quarantine infected devices and escalate the alert. It will also give analysts the context they need (for example, the incident chain and next steps) to respond without delay.
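The correlate, prioritise, then act loop described above, as an added illustration that is not SenseOn’s code or any vendor’s rules: alerts from several sensors are grouped per host into an incident chain, scored (with a boost when independent sensors agree), and mapped to an automated action. The alert format, alert types, weights and threshold are all assumptions; the alerts are constructed sample data.

```python
"""Correlate alerts per host, prioritise them, and decide an automated response."""
from collections import defaultdict

# Illustrative weights per alert type (assumed, not a vendor's detection rules).
WEIGHTS = {"mass_file_rename": 3, "backup_service_stopped": 4,
           "smb_write_burst": 2, "failed_login": 1}
QUARANTINE_THRESHOLD = 6

# Constructed sample alerts from three hypothetical sensors (edr, network, siem).
SAMPLE_ALERTS = [
    {"ts": 100, "host": "ws-042", "source": "edr", "type": "mass_file_rename"},
    {"ts": 103, "host": "ws-042", "source": "network", "type": "smb_write_burst"},
    {"ts": 105, "host": "ws-042", "source": "edr", "type": "backup_service_stopped"},
    {"ts": 101, "host": "ws-017", "source": "siem", "type": "failed_login"},
    {"ts": 104, "host": "srv-db1", "source": "edr", "type": "mass_file_rename"},
]

def correlate(alerts):
    """Group raw alerts by host in time order; each group is the incident chain."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)
    return dict(by_host)

def score(chain):
    """Urgency: summed weights, multiplied by the number of independent sensors."""
    base = sum(WEIGHTS.get(a["type"], 0) for a in chain)
    return base * len({a["source"] for a in chain})

def triage(alerts):
    """Return a per-host decision with score, action, chain and analyst next steps."""
    decisions = {}
    for host, chain in correlate(alerts).items():
        s = score(chain)
        sources = {a["source"] for a in chain}
        if s >= QUARANTINE_THRESHOLD:
            action = "quarantine_and_escalate"
            steps = ["isolate host from network", "preserve disk and memory evidence",
                     "check peers for the same chain"]
        elif len(sources) == 1 and s <= 2:
            action = "likely_false_positive"  # single low-weight alert, one sensor
            steps = ["log for periodic review"]
        else:
            action = "analyst_review"  # suspicious but not yet corroborated
            steps = ["review incident chain", "confirm activity with device owner"]
        decisions[host] = {"score": s, "action": action,
                           "chain": [a["type"] for a in chain], "next_steps": steps}
    return decisions

if __name__ == "__main__":
    for host, d in triage(SAMPLE_ALERTS).items():
        print(host, d["score"], d["action"], d["chain"])
```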

The benefits of security automation in fighting threats are well documented. One study discovered that security teams with high levels of automation resolve almost all alerts on the same day they’re issued. 

Similarly, a report by IBM found that organisations with security AI and automation identify and contain breaches much faster than companies without security automation. For companies with automation, breaches are also much less costly. 

Unsurprisingly, more security teams are getting on board with security automation. Over 65% of security practitioners say that at least half their manual tasks could be automated, giving them more time to focus on deeper and more effective cybersecurity work. 

SenseOn’s Self-Driving Cyber Defence System

SenseOn is an automated threat detection, investigation, and response platform that can quickly and automatically detect the early signs of ransomware to stop it before it causes any real damage. 

SenseOn achieves this by consolidating multiple single-point solutions (endpoint detection and response, security information and event management, etc.) into a single platform, thus removing blind spots and ensuring that no security alert is investigated in isolation. 

Since ransomware is getting more sophisticated, catching advanced threats is becoming more difficult. SenseOn overcomes this problem by using blended methods of detection (rules and signatures, user and entity behaviour analysis, deception-based detection, and supervised and unsupervised machine learning) and the MITRE ATT&CK framework. 

Once a ransomware attack is spotted, SenseOn identifies the endpoints and workloads affected and separates them from the rest of the network. This means that your organisation’s environment is protected 24/7/365. SenseOn then also issues a priority alert, with every single observation about the attack in one place, making investigations and root cause analysis as straightforward as possible.
