Why You Need EDR Security to Fight Ransomware
With one reckoned to happen every 11 seconds, the number of ransomware attacks hitting endpoints keeps climbing, and the attitude many security analysts are taking in response can be summed up in one word: hopelessness. About one-third of cybersecurity decision-makers think they are powerless to stop ransomware attacks because the attacks have become too sophisticated.
Even though ransomware operators may be getting better at targeting network endpoints, all is not lost. To quote Peter Firstbrook, a Research VP with Gartner, an endpoint detection and response (EDR) platform is a “quick win” that can help organisations detect and react to attacks faster.
But beyond quick wins, consistently good ransomware defence means having 360-degree visibility into what goes on across the whole IT infrastructure, not just into individual silos. SenseOn is an automated threat detection, investigation, and response solution that secures endpoints alongside servers and cloud environments, and it excels at this job by combining multiple security tools.
With a single agent, SenseOn can observe the behaviours and activities of devices and users within a company’s digital estate from different angles and perspectives on a single platform. Correlating activities and learning from experience, SenseOn goes beyond EDR capabilities to help organisations stop even the most advanced ransomware attacks before they have a chance to do serious damage. Here is why the “beyond EDR” performance of SenseOn is important.
Human Error at Endpoints Will Keep Driving Ransomware Growth
Human error, i.e., unintended actions or lack of action by employees, has long been cited as one of the leading causes of cyber attacks.
In 2014, IBM found that over 95% of all security incidents it investigated could be linked to human error. Verizon’s recent DBIR shows that in the eight years since, not much has changed. Last year, 82% of breaches analysed by Verizon still involved “the human element,” and human error was responsible for at least 13% of security incidents.
Remote work and BYOD policies compound the risk that user error creates and have dramatically increased companies’ exposure to ransomware. According to CyberRisk Alliance Business Intelligence, remote worker endpoints are among the most common ransomware attack vectors. More than a third (35%) of respondents to Verizon’s DBIR said remote endpoints were how adversaries got into corporate networks in 2021.
Without EDR, Two Key Ransomware Infection Pathways Are Undefended
The most popular methods for deploying ransomware are desktop sharing software (40%) and email (35%), as per Verizon’s 2022 DBIR. Scarily, hackers are evolving these entry points to find new ways of evading siloed security controls.
For example, in 2021, the FBI warned organisations of a popular desktop sharing app that hackers used as an entry point into businesses’ networks. The app allowed cybercriminals and advanced persistent threats to control targets’ computer systems remotely and drop files onto their devices. The FBI likened the app’s functionality to Remote Access Trojans (RATs) but noted that its use case made abnormal behaviour more difficult to detect.
Threat actors can misuse desktop sharing apps if remote access accounts are protected with weak credentials or if they can obtain employee passwords via the dark web or through social engineering. Last year, Trend Micro noted more than 6 million attempts to steal targets’ credentials via phishing emails. The good news is that the number of RDP targets seems to be declining.
On the other hand, Proofpoint’s “2022 State of the Phish” report discovered that more than three quarters (78%) of organisations were subject to email-based ransomware attacks last year. Unfortunately, email-based attacks are becoming more successful.
Anti-phishing training can help end-users identify suspicious activity and potential endpoint threats. But because attackers are moving away from “spray and pray” attacks to more targeted phishing campaigns, using personalised target information and holding extended conversations with victims, avoiding phishing attacks is now more difficult than ever.
For example, the notorious Conti ransomware gang, which is well-known for using phishing emails to distribute ransomware, sends its victims an email that appears to come from someone they trust. The email frequently includes a Google document with a ransomware payload that, when downloaded, also instals malware that connects the victim’s device to Conti’s command-and-control server.
After cybercriminals gain a foothold, they frequently look for other devices and systems they can access, often swiping user credentials in the process. Because many passwords are stored somewhere on the endpoint, adversaries that compromise one workstation or user account can often access credentials that will give them access to restricted information or allow them to move laterally.
But EDR Is Not Enough…
By recording everything that happens on the endpoint (desktops, laptops, etc.), endpoint security tools like EDR give security teams visibility into every device connected to the corporate network. Through behavioural analytics, EDR tools also make it easier for security operations teams to spot potentially malicious activities and zero-day attacks that might otherwise have slipped through the cracks. For the attacks that do slip through, contextualised intelligence accelerates investigation and remediation. Most advanced EDR solutions also have automation features and can automatically isolate an infected device from the rest of the network, stopping an attack from becoming a breach.
More than 8 in 10 security professionals believe EDR to be the most important tool for fighting ransomware, and 39% of organisations plan to spend money on endpoint protection platforms like endpoint detection and response (EDR) in 2022.
Yet even with endpoint security solutions in place, many organisations admit to having seen ransomware activity increase somewhat (79%) or significantly (7%) in the last 12 months. Moreover, more than half expect to experience a ransomware attack within the next year.
The reason for this discrepancy is that EDR platforms monitor only endpoint activity, leaving many blind spots. They also suffer from a high volume of false positives. Unable to effectively correlate behaviour from across an organisation’s entire infrastructure, EDR alerts bog down the SOC with endpoint data, often letting real cyber threats slip by.
By unifying data from across an organisation’s estate, SenseOn provides unparalleled visibility into endpoints, network, and the cloud, eliminating alert fatigue and making it easier to spot potential threats. Employing a blend of detection methods and machine learning, SenseOn looks for and correlates behaviour that deviates from what is deemed “normal” for any given organisation. It also learns from experience and, through automated response capabilities, isolates infected devices in real time to stop advanced threats like ransomware from spreading.
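To make the correlation argument above concrete, here is an added, simplified detection example (written for this article, not SenseOn’s code or any product’s logic) that runs over a few constructed endpoint and network events. The event schema, field names (`host`, `source`, `parent`, `image`, `new_ext`, `first_seen_for_host`), indicator names and thresholds are all assumptions chosen for illustration. An endpoint-only indicator (an Office application spawning a script host, or a burst of file renames to a new extension) or a network-only indicator (a host’s first connection to a destination) on its own is logged at low severity; only when both kinds co-occur on the same host within a time window does the detector raise a single high-severity alert with an isolate action, which is the cross-source confirmation that an endpoint-only EDR view cannot provide.

```python
"""Correlate endpoint and network telemetry into one alert per host.

Added illustrative example, not SenseOn's code. The event schema, indicator
names and thresholds below are assumptions made for the demonstration.
"""
from collections import defaultdict

# Hypothetical watch lists and thresholds (assumptions, not product settings).
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RENAME_THRESHOLD = 50   # renames to one new extension within the window
WINDOW_SECONDS = 300    # correlation window per host

# Constructed sample telemetry (not real logs). ts = epoch seconds.
SAMPLE_EVENTS = [
    # ws-01: document spawns PowerShell, new outbound connection, mass rename
    {"ts": 100, "host": "ws-01", "source": "endpoint", "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": 105, "host": "ws-01", "source": "network", "type": "conn",
     "dst": "203.0.113.7", "dport": 443, "first_seen_for_host": True},
    *[{"ts": 110 + i, "host": "ws-01", "source": "endpoint",
       "type": "file_rename", "new_ext": ".locked"} for i in range(60)],
    # ws-02: a backup job renames many files to .bak, no network indicator
    *[{"ts": 200 + i, "host": "ws-02", "source": "endpoint",
       "type": "file_rename", "new_ext": ".bak"} for i in range(60)],
    # ws-03: first connection to a new SaaS address, no endpoint indicator
    {"ts": 300, "host": "ws-03", "source": "network", "type": "conn",
     "dst": "198.51.100.20", "dport": 443, "first_seen_for_host": True},
    # ws-04: ordinary shell usage, no indicators at all
    {"ts": 400, "host": "ws-04", "source": "endpoint", "type": "process",
     "parent": "cmd.exe", "image": "powershell.exe"},
]


def endpoint_indicators(events):
    """Return the endpoint indicator names triggered by one host's events."""
    found = set()
    renames = defaultdict(int)
    for e in events:
        if e["source"] != "endpoint":
            continue
        if (e["type"] == "process" and e.get("parent") in OFFICE_APPS
                and e.get("image", "").lower() in SCRIPT_HOSTS):
            found.add("office_spawns_script_host")
        if e["type"] == "file_rename":
            renames[e.get("new_ext")] += 1
    if any(n >= RENAME_THRESHOLD for n in renames.values()):
        found.add("mass_rename_new_extension")
    return found


def network_indicators(events):
    """Return the network indicator names triggered by one host's events."""
    return {"first_seen_outbound" for e in events
            if e["source"] == "network" and e["type"] == "conn"
            and e.get("first_seen_for_host")}


def correlate(events, window=WINDOW_SECONDS):
    """Group events by host, slide a time window, and return one alert per host.

    A host gets a "high" alert (action: isolate) only when an endpoint indicator
    and a network indicator co-occur inside the window. Single-source indicators
    are reported as "low" (action: log) so they do not flood the analyst queue.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        low_indicators = set()
        high_indicators = None
        for i, anchor in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            ep, net = endpoint_indicators(in_window), network_indicators(in_window)
            if ep and net:
                high_indicators = ep | net
                break
            low_indicators |= ep | net
        if high_indicators:
            alerts.append({"host": host, "severity": "high", "action": "isolate",
                           "indicators": sorted(high_indicators)})
        elif low_indicators:
            alerts.append({"host": host, "severity": "low", "action": "log",
                           "indicators": sorted(low_indicators)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events yields one high-severity alert for ws-01, low-severity log entries for ws-02 (mass rename only) and ws-03 (new outbound connection only), and nothing for ws-04. The point is the shape of the logic rather than the specific thresholds: the same endpoint signal that would be a false positive on its own becomes actionable once a second telemetry source confirms it, which is the blind spot the text attributes to endpoint-only tooling.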