Ransomware explosion is the latest security wakeup call for CxOs

Embrace big-data security analytics to break the ransomware attack chain

The massive data breach of US retailer Target was a wakeup call for senior business executives too often disengaged from cybersecurity issues, but surging ransomware attacks are focusing CxOs' attention on the need for automated analytics tools that detect security breaches as they happen, rather than months later, or not at all.

Forensic examinations of major data breaches invariably show a string of telltale signs that might have triggered alarms, and the suspicions of security specialists, had they not been buried in an avalanche of security logging information that is overwhelming even the most determined security staff.

One large US customer, for example, relies on security vendor LogRhythm to collect and sift through what amounts to around 4 billion security logs and other information every day. Even with aggressive filtering of information in near real-time, however, this volume of information still produces 10,000 to 20,000 action items that need investigation.

For even moderately sized businesses, this is the reality of security monitoring tools that have gotten better at collecting data but are still struggling to reduce it to a manageable size. This has fuelled a stubborn gap between the time a security incident occurs and the time it is detected, often many months later, after mountains of sensitive data have been surreptitiously stolen.

It is in filtering these 10,000 to 20,000 items down to a manageable size that threat-analytics firms like LogRhythm have emerged as lifesavers for corporate IT-security teams struggling to keep up. By applying algorithms that cross-correlate the collected logs, the company's tools reduce that volume of alerts to a manageable number.

“By corroborating those alarms with additional algorithms that take multiple dimensions into consideration and risk-score them, we produce about 50 actionable alerts every day,” explains Bill Smith, senior vice president of worldwide field operations with LogRhythm.

“Because we're able to bounce it against more things, we can bring it down to a reasonable level. Fifty alerts a day is no problem to handle when you're a Fortune 500 company.”

Breaking the ransomware attack chain

Such detection mechanisms have become a front-line defence in the fight against advanced persistent threats (APTs), whose operators quietly infiltrate a company network and may only download the actual malware payload later, once they have run extensive reconnaissance on the network and established a beachhead from which to exploit it.

Yet with the right processes, real-time analysis is also proving promising against the malware threat that has emerged as the most insidious problem facing corporate networks today: ransomware.

Due both to the success its purveyors have enjoyed and the availability of increasingly effective ransomware kits, this type of attack, which encrypts a victim's files until a fee is paid to unlock them, has become far and away the most common threat facing businesses this year.

A recent analysis from email-filtering vendor PhishMe found that by the end of March 93 percent of all phishing emails carried ransomware payloads, up from 56 percent in December and just 10 percent during the rest of 2015. Vendors such as FireEye and Symantec have joined the chorus of security specialists noting an explosion in ransomware this year, with Australia emerging as the top ransomware target in the APAC region and, indeed, among the top targets in the world.

While there's no guarantee that a specific company will be targeted with a specific APT, the sheer volume of ransomware, and its tendency to spread via social-engineering strategies that remain frighteningly effective at tricking employees into running malicious attachments, make it inevitable that businesses will eventually face this threat. Business and IT executives must be prepared with a policy for how they would deal with a ransomware attack, whose damage can often be undone, without paying, by restoring from backups that are kept isolated from the affected systems and regularly tested; that discipline is one many businesses still lack.

However, says Smith, the right monitoring infrastructure can pick out the telltale signs of ransomware as it executes for the first time, and stop it dead in its tracks. This becomes possible once a security-analytics tool has been in place long enough to establish a range of baseline characteristics for normal activity.

When the baselining is done correctly, the telltale signs of new ransomware executing stand out like a sore thumb: new system processes are launched; a surge in disk activity is obvious as the ransomware enumerates and rewrites files to encrypt them; the ransomware may 'phone home' to fetch an encryption key for its work; and new libraries are loaded to handle the actual encryption of the files.

Each of these activities leaves traces that can be picked out of a stream of host and network telemetry by a security-analytics platform with sufficiently sensitive algorithms. By combining detection with policies that control what is and isn't allowable, it is possible to pick up on the activity of even previously unknown ransomware, because the detection keys on behaviour rather than on a known signature.

“There are many places along the chain of activities – some at the network level, some at the server level, some at the user end – where ransomware can be interrupted,” says Smith. “It's really important to look at all the attack surfaces. And we find more bad things happening by looking at network behaviour anomalies than anything else.”

Network anomalies are only one of several telltale signs of ransomware activity, however: even user behaviour can become a key indicator of attack if monitoring systems detect activity that doesn't fit in with previously observed behaviour – for example, if a user's account is suddenly trying repeatedly to access a server that the user is not authorised to access.

Similar monitoring of cloud applications can provide additional insight if, for example, a user account is seen to be rapidly creating new users or downloading large volumes of data. The more and varied types of data that can be fed into a security-analytics system, the better the potential results because the system can more effectively cross-correlate suspicious activities to prioritise the most potentially problematic issues.
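To make the baseline-then-corroborate approach concrete, here is an added worked example; it is illustrative code written for this page, not LogRhythm's product logic or anything from the original article. It learns a per-host baseline from a constructed hour of quiet endpoint telemetry, then scores each host-minute on the ransomware telltales described above (a file-write surge, a process never seen before, a connection to a new destination, a new library being loaded) plus the user-behaviour signal of an account repeatedly being denied access to a server it never normally reaches. Alerts are only raised when the weighted risk score clears a threshold that no single signal can reach on its own, which is the corroboration step that turns thousands of raw hits into a handful of actionable alerts. Host names, users, the 203.0.113.7 address, the signal weights and the 60-point threshold are all assumptions chosen for the illustration.

```python
"""Baseline-then-corroborate detection over constructed endpoint and directory telemetry."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample events (not real logs): (minute, host, user, kind, value).
# kind is one of file_modify (path), process_start (image), net_connect (destination),
# image_load (library), server_access (server the user reached) or access_denied (server).
BASELINE = []
for m in range(60):                       # one quiet hour of "normal" activity
    for host, user in (("ws-01", "alice"), ("ws-02", "bob")):
        for i in range(2 + m % 3):        # 2-4 document saves a minute
            BASELINE.append((m, host, user, "file_modify", f"C:/Users/{user}/doc{i}.docx"))
        BASELINE.append((m, host, user, "process_start", "winword.exe"))
        BASELINE.append((m, host, user, "net_connect", "mail.corp.example"))
        BASELINE.append((m, host, user, "image_load", "mso.dll"))
        BASELINE.append((m, host, user, "server_access", "fs-shared"))

DETECTION = (
    [   # ws-02: bob installs a tool. One novel process and nothing else: must stay below threshold.
        (100, "ws-02", "bob", "process_start", "7zip-setup.exe"),
        (100, "ws-02", "bob", "net_connect", "mail.corp.example"),
    ]
    + [(100, "ws-02", "bob", "file_modify", f"C:/Users/bob/doc{i}.docx") for i in range(3)]
    + [   # ws-01: the ransomware chain from the article, all inside one minute
        (101, "ws-01", "alice", "process_start", "invoice_2016.pdf.exe"),  # new process
        (101, "ws-01", "alice", "net_connect", "203.0.113.7"),            # phone-home for a key
        (101, "ws-01", "alice", "image_load", "bcrypt.dll"),              # crypto library, unseen
    ]
    + [(101, "ws-01", "alice", "file_modify", f"C:/Users/alice/doc{i}.docx.locked") for i in range(40)]
    + [(101, "ws-01", "alice", "access_denied", "fs-finance")] * 6       # share alice never used
)

KINDS = {"process_start": "new_process", "net_connect": "new_destination", "image_load": "new_library"}
WEIGHTS = {"write_surge": 40, "new_process": 20, "new_destination": 25,
           "new_library": 15, "denied_burst": 30}       # assumed weights for illustration
ALERT_THRESHOLD = 60   # no single signal reaches this, so every alert is corroborated


@dataclass
class Baseline:
    write_mean: dict      # host -> mean file modifications per minute
    write_std: dict       # host -> population std-dev of the same
    known: dict           # (host, kind) -> set of values seen during baselining
    user_servers: dict    # user -> servers the account normally reaches


def build_baseline(events):
    """Learn per-host write rates and "seen before" sets from a quiet period."""
    writes = defaultdict(Counter)          # host -> {minute: modifications}
    known, user_servers = defaultdict(set), defaultdict(set)
    for minute, host, user, kind, value in events:
        if kind == "file_modify":
            writes[host][minute] += 1      # minutes with zero writes are not represented
        elif kind == "server_access":
            user_servers[user].add(value)
        elif kind in KINDS:
            known[(host, kind)].add(value)
    return Baseline({h: mean(c.values()) for h, c in writes.items()},
                    {h: pstdev(c.values()) for h, c in writes.items()},
                    dict(known), dict(user_servers))


def score_windows(events, base, z=3.0, min_writes=10, denied_min=5):
    """Score each (host, minute) window: {(host, minute): (risk_score, [signals])}."""
    windows = defaultdict(list)
    for ev in events:
        windows[(ev[1], ev[0])].append(ev)
    results = {}
    for (host, minute), evs in windows.items():
        signals = []
        writes = sum(1 for e in evs if e[3] == "file_modify")
        mu, sd = base.write_mean.get(host, 0.0), base.write_std.get(host, 0.0)
        # z-score surge test; the absolute floor stops a flat baseline (sd == 0) firing on noise
        if writes >= min_writes and writes > mu + z * sd:
            signals.append("write_surge")
        for kind, name in KINDS.items():
            seen = base.known.get((host, kind), set())
            if any(e[3] == kind and e[4] not in seen for e in evs):
                signals.append(name)
        denied = Counter((e[2], e[4]) for e in evs if e[3] == "access_denied")
        if any(n >= denied_min and srv not in base.user_servers.get(usr, set())
               for (usr, srv), n in denied.items()):
            signals.append("denied_burst")
        score = sum(WEIGHTS[s] for s in signals)
        if score:
            results[(host, minute)] = (score, signals)
    return results


def actionable_alerts(events, base, threshold=ALERT_THRESHOLD):
    """Keep only windows whose corroborated risk score clears the threshold."""
    return {k: v for k, v in score_windows(events, base).items() if v[0] >= threshold}


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for window, (score, signals) in score_windows(DETECTION, base).items():
        print(window, score, signals)
    print("actionable:", actionable_alerts(DETECTION, base))
```

Run as a script, it prints every scored window and then the single actionable one: bob's new installer on ws-02 scores 20 and is discarded, while the ws-01 minute in which a novel executable, a connection to an unseen address, a fresh crypto library load, forty rewritten files and a burst of access denials all coincide scores 130 and surfaces as one alert. The point of the weights is that no signal alone is damning, since users install software and new libraries load all the time, but the combination in a single window is exactly the chain the article describes.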

By prioritising the collection and analysis of such data – along with the improvement of backup regimes that can help recover from ransomware and other attacks – CEOs can leverage innovation in security analytics solutions to build the kind of security defence that gives them a fighting chance to avoid becoming the next Target.

“We're a big-data solution so we can track many different dimensions of a person's behaviour,” Smith explains, noting that the business world is “in a transitional state” as growing executive concern promotes the adoption of new, more-effective technologies.

“We can pull together lots of not-normal things and correlate them with other potentially-risky things,” he says. “It's not that detecting this stuff is impossible; we see it every day where ransomware and other malware gets stopped. It just takes a slightly different thought process.”

Tags: cybersecurity, Bill Smith, security, David Braue, encryption, social-engineering, ransomware, LogRhythm, CSO Australia, ransomware attacks, advanced persistent threats (APTs)
Stories by David Braue