5 Steps to More Effective Ransomware Response

Security has kept evolving alongside ransomware, and it is encouraging not to be outmatched. Investing in a piece of technology, however, can give a company a false sense of security: it believes ransomware is covered and stops improving its security posture.

The flip side is that as threats evolve, vendors release new products and capabilities every year, and companies struggle to tell whether a new service offers something they lack or more of what they already have. Ransomware operators do not stop at what worked last year, and neither can defenders.

To that end, here is a 5-step plan for more effective ransomware response.

Step 1 - Prevent All You Can

Prevention requires visibility, and visibility involves simplicity. 

Can your organization detect ransomware at any point on the network? Remember that ransomware is continually evolving: operators repackage payloads, disguise them, and find new ways to evade detection.

The first step to prevention is cleaning up the enterprise. Is the environment simple enough to navigate, or do you have the tools to cut through the noise? To modernize and streamline the security stack, companies should consolidate vendors, migrate to next-generation protection that gives full visibility into the environment, move to a cloud-first administration model, and consolidate detection and response capabilities.

Step 2 - Respond at Pace 

To respond at pace, organizations must conduct an in-depth post-incident analysis, focused first on monitoring and securing the endpoints. How many credentials did the attacker harvest from the network? What data was stolen? Which assets are compromised?

A scalable data platform helps answer these questions; in today's threat environment that means spotting malicious patterns across the whole attack rather than isolated events. In other words, an operation-centric approach.

A behavior-based approach that leans on AI/ML is required to spot most emerging malware strains. Is the security posture future-proof? Does it map to the NIST Cybersecurity Framework and MITRE ATT&CK, and will it keep pace with the most prolific threats?

The key at this stage is to assess whether you have the staff and skills to understand the technical detail of what happened and how to drive the next steps, or whether you should take this as a service. This is capacity planning.

Step 3 - Enrich Your Detection Fidelity 

Organizations must extend their security beyond the endpoint to create high-fidelity, enriched detections. It is one thing to receive threat data from one source; it is another to corroborate it with disparate data sources throughout your environment.

From the endpoint outward, this operation-centric approach yields threat intelligence that signature-based solutions simply cannot. That data is used to identify the company's gaps. Can you map that knowledge back into a single process in which you can see the end-to-end operation? The more you do that, the richer the detections, which creates deeper visibility into more threats and improves your ability to respond.

Visibility also means usability. A raw dump of alerts is almost as futile as having none: teams get overwhelmed, events get ignored, and the problem continues. Correlated incidents and enrichment build out the Malicious Operation (MalOp™) and allow companies to see the big picture.

Now, a tool like XDR would come in handy.
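As an added illustration of the corroboration Steps 2 and 3 describe, the Python below links alerts from hypothetical endpoint, identity and network sources into operations and scores each by how many independent sources corroborate it. This is example code written for this page, not Cybereason's MalOp logic or any product's API; the alert records, field names and 30-minute linking window are constructed assumptions.

```python
"""Correlate single-source alerts into multi-source operations (illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: alerts this close in time may belong together

# Constructed sample alerts. Field names ("source", "host", "user", "dst", "kind")
# are assumptions for this example, not any vendor's schema. The first four
# describe one intrusion; the last is an unrelated single-source event.
ALERTS = [
    {"ts": "2024-03-01T02:10:05", "source": "edr", "host": "ws-042", "user": "jdoe",
     "kind": "suspicious_process", "detail": "encoded PowerShell launched from Office"},
    {"ts": "2024-03-01T02:11:40", "source": "identity", "host": "ws-042", "user": "jdoe",
     "kind": "credential_dump", "detail": "LSASS memory read"},
    {"ts": "2024-03-01T02:15:12", "source": "network", "host": "ws-042", "user": "jdoe",
     "dst": "fs-01", "kind": "smb_lateral", "detail": "SMB admin share access to fs-01"},
    {"ts": "2024-03-01T02:16:03", "source": "edr", "host": "fs-01", "user": "svc_backup",
     "kind": "mass_file_rename", "detail": "2300 files renamed with .locked suffix"},
    {"ts": "2024-03-01T09:30:00", "source": "edr", "host": "ws-117", "user": "asmith",
     "kind": "suspicious_process", "detail": "unsigned updater.exe"},
]


def _entities(alert):
    """Entities an alert touches; two alerts sharing one within WINDOW are linked."""
    keys = {("host", alert["host"]), ("user", alert["user"])}
    if alert.get("dst"):
        keys.add(("host", alert["dst"]))  # lateral movement links source and target host
    return keys


def correlate(alerts, window=WINDOW):
    """Group alerts into operations using union-find over shared entities in time."""
    n = len(alerts)
    parent = list(range(n))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    times = [datetime.fromisoformat(a["ts"]) for a in alerts]
    ents = [_entities(a) for a in alerts]
    for i in range(n):
        for j in range(i + 1, n):
            if abs(times[i] - times[j]) <= window and ents[i] & ents[j]:
                ri, rj = find(i), find(j)
                if ri != rj:
                    parent[rj] = ri

    groups = defaultdict(list)
    for i in range(n):
        groups[find(i)].append(alerts[i])

    ops = []
    for members in groups.values():
        members.sort(key=lambda a: a["ts"])
        sources = {a["source"] for a in members}
        hosts = {a["host"] for a in members} | {a["dst"] for a in members if a.get("dst")}
        ops.append({
            "alerts": members,
            "hosts": sorted(hosts),                 # compromised assets (Step 2)
            "users": sorted({a["user"] for a in members}),  # accounts to reset (Step 2)
            "sources": sorted(sources),
            "fidelity": len(sources),               # independent sources corroborating
            "stages": [a["kind"] for a in members],  # the end-to-end operation (Step 3)
        })
    ops.sort(key=lambda o: (-o["fidelity"], o["alerts"][0]["ts"]))
    return ops


def triage(ops, min_sources=2):
    """Split operations into corroborated (multi-source) and single-source noise."""
    high = [o for o in ops if o["fidelity"] >= min_sources]
    low = [o for o in ops if o["fidelity"] < min_sources]
    return high, low


if __name__ == "__main__":
    high, low = triage(correlate(ALERTS))
    for op in high:
        print(f"OPERATION fidelity={op['fidelity']} sources={op['sources']}")
        print(f"  hosts={op['hosts']} users={op['users']}")
        print("  chain: " + " -> ".join(op["stages"]))
    print(f"{len(low)} single-source operation(s) left for lower-priority review")
```

Run stand-alone, the four related alerts collapse into one operation corroborated by three sources, spanning two hosts and two accounts, with the kill chain readable in order; the unrelated alert stays a single-source item instead of competing for attention.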

Step 4 - Optimize Your Responses 

Organizations need an effective, scalable response capability. What we’re doing today isn’t working.

According to ISC2 research, demand for cybersecurity professionals is outstripping our ability to fill the gap: there are now 3.5 million vacancies, a 26% year-on-year growth rate. The gap grew 8.5% in North America, 52% in APAC and 60% in EMEA.

Our current strategy, throwing people at the problem, is not working; we are digging ourselves into a deeper and deeper hole.

We need tools that automate the tasks people cannot keep up with, and solutions that force-multiply the teams we already have. Once data has been primed, optimized, and enriched, those technologies can go further: guided remediation improves mean time to respond (MTTR), and autonomous AI/ML-driven platforms such as Extended Detection and Response (XDR) can ingest petabytes of data and analyze all of it in real time. This primes the pump and optimizes a team's ability to respond.

Step 5 - Achieve Limitless Scale 

Next-generation solutions allow companies to respond quickly and at scale. Ransomware actors have technology on their side, and so do we. They are spinning out new exploits at a pace of 10,000 every six months, and it will take AI/ML-driven platforms to keep up.

Tools like XDR can spot known malware with signatures and everything else with behavioral analytics. They look at the endpoints, at the traffic between endpoints, and down to the kernel to spot malicious activity as it starts. Automated remediation then kicks in to respond to threats at scale, which frees analysts to threat hunt, focus on critical problems, and continuously improve the security strategy.

What’s Next?

After putting this 5-step plan in place, your organization must consider what its SOC will look like in the next few years. You have used the plan to assess where you are. That is good, but now you need to think about the 'so what?'

Challenge yourselves. What will success look like in the next few years, and how will you get there? Cybereason is happy to have a conversation with your team about this. We work with companies to turn point-in-time solutions into predictive ransomware protection.

The solution needs to be more than a platform. It has to be a process. It must encompass a way of thinking, not the next security buzzword. It must be an operation-centric approach. 

About the Author

Greg Day

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.