Security Excellence is Key to Ransomware Prevention

Image source: Daily Express

This article is about the financial impact of ransomware on business, the factors that let ransomware scale, and the role SOC optimization (security excellence) plays in ransomware prevention.

Not many discuss SOC optimization, mainly for two reasons. Firstly, security service efficacy is a cyber defense and resilience tactic. Leader SOC organizations (including leader MSSPs) have integrated the ISO 27001 PDCA (Plan, Do, Check, Act) continuous improvement cycle into their daily operations, so exercising security excellence is simply the norm for them. Secondly, across non-leader organizations in every industry there is a lack of awareness of how directly SOC productivity optimization affects business continuity and resilience from the people, business alignment, process, technology, data and compliance points of view.

Therefore, much like Earth's atmosphere, the impact of SOC optimization tends to be underestimated: we don't think about air while we breathe, and we don't analyze how the atmosphere traps the sun's warmth while we enjoy the sunshine. Yet security service efficacy is as crucial to every organization as the atmosphere is to our wellbeing and existence.

Ransomware families have grown by more than 700% since 2016

Source: Gartner

According to the Mimecast 'The State of Email Security' report, 6 in 10 organizations were infected with ransomware in 2020. Nearly 6 in 10 of those successful attacks (59%) involved data in the public cloud (Source: Deloitte). By 2025, at least 75% of IT organizations will face one or more ransomware attacks (Source: Gartner). It is happening to both small and large organizations, indiscriminately, across all industries globally. More recently, ransomware attacks have brought down gas pipelines, halted logistics operations and disrupted steel production. GPS spoofing has affected ship navigation, and hackers accessed a casino's high-stakes gambler database through an internet-connected aquarium thermometer. Table 1 sums up research findings from the Ponemon Institute, IDC, Gartner and others. It focuses on business downtime costs by organization size and industry.

Table 1. Ransomware impact to business: estimated cost of downtime (Source: Quantum Cybersecurity Skills).

In the above calculations we didn't factor in the 37% of Mimecast SOES 2021 survey respondents who said ransomware downtime lasted one week or more. Even so, the trend is easy to see: the business impact of ransomware downtime is more than 20 times higher than the cost of an average (generic) unplanned outage. Further costs come on top of that: lost opportunities, device and network replacement, reputational damage and so on. According to the Cybersecurity Ventures Ransomware Damage Report, ransoms of $50,000 to $400,000 are no longer uncommon, and depending on the target, demands have reached into the millions. Global ransomware damage is predicted to reach $20 billion USD by 2021. Even if the organization chooses to pay, Mimecast SOES 2021 research shows that one-third (34%) never saw their data again despite paying the ransom.

Enablers of Ransomware

- Cyber insurance. Insurers nudge organizations to meet ransom demands because paying is cheaper, faster and easier than covering the cost of rebuilding the organization from the ground up (Source: Splunk, Comodo).

- Unclear regulatory position. Although many countries and industries are becoming less tolerant of paying attackers, there is no unified regulation across the globe making ransom payments illegal.

Talion research shows that 79% of CISOs support the idea of ransomware payments being made illegal.

For example, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) has issued an advisory highlighting the sanctions risks associated with paying ransom demands. The premise is that paying attackers encourages future attacks and demands, does not always lead to recovery of encrypted files, and may violate OFAC regulations (Ransomware Advisory, U.S. Department of the Treasury, October 1, 2020).

- Cryptocurrency. Compared to traditional payment rails, cryptocurrency gives criminals a flexible, largely unregulated, middleman-free, currency-agnostic C2C payment method. Note that it is pseudonymous rather than truly untraceable: blockchain analysis has been used to follow, and in some cases recover, ransom payments.

- Ease and scalability. Customized Ransomware as a Service (RaaS) campaigns offer ease of use and economies of scale. Ransomware groups are going corporate: they read the same reports security leaders do, and they take advantage of security service inefficiencies. For example, the average time to identify and contain a data breach is a whopping 280 days (Source: Ponemon Institute). That is plenty of time to clean up the breadcrumbs!

- Oldies but goodies. Research has found that vulnerabilities dating back to 2010 are still being exploited by ransomware (Source: RiskSense Enterprise Ransomware Spotlight Report, September 2019). And it's not only about old vulnerabilities: identifying emerging risks and aligning risk priorities with business strategy are the top two challenges according to The State of Risk Management Survey Report 2021. Current remediation speed doesn't help either. On average, the time required to fix severe vulnerabilities increased from 197 days in April 2021 to 205 days in May 2021, according to a recent WhiteHat Security study.

CIOs, security and risk management leaders now find themselves grappling with how best to protect their organizations against these different classes and variants of attack. Here is a shocker:

Gartner research estimates that more than 90% of ransomware attacks are preventable.

Even if you strongly believe 'we don't need SOC optimization, we have a robust cybersecurity program and a mature SOC/MSSP', how do you know this for sure? The challenge of ransomware and other forms of malware is the ever-changing tactics and agendas of attackers (Source: Gartner).

Annual, or even quarterly, penetration tests are no longer sufficient for today's security leaders to understand a constantly shifting business risk posture. If you are frequently running Breach and Attack Simulations (BAS), that is a step in the right direction; however, BAS focuses mainly on risks posed by technology. It will quickly surface issues with the efficacy of security controls, configuration errors and detection capability, and being able to run such assessments repeatedly across a range of attack techniques gives a near real-time view. But technology risk is only a small piece of the big picture. When did you last test security service efficacy from the people/skills, technology, business alignment, data quality, process efficacy and compliance points of view? Do you know how it has changed since last week? Last month? Last quarter?

Groups such as GandCrab often include, in their ads on the dark web, references to reports about their ransomware and how they adapted the malware in response. Ransomware creators are getting more sophisticated in how they infect systems, avoid detection and foil decryption efforts (Source: Splunk). One ransomware trend is called 'wiperware': ransomware used as a decoy to cover up more serious incidents such as data breaches. Although the attack looks like regular ransomware, often delivered through phishing emails, the goal is to distract the organization from other security events happening on the network and to delete the breadcrumbs of the accompanying attack. The attacker hopes the organization is so relieved to have recovered from the ransomware that it doesn't investigate further.

What is the role of SOC optimization in Ransomware prevention?

Figure 1. Continuous SOC optimization approach touches all business verticals (Source: Quantum Cybersecurity Skills).

Strategical Layer

The key attribute here is People. Boards are using the increased focus on cybersecurity to guide business decisions. Security leaders need to give the board something it cares about and finds meaningful. Boards generally care about three things (Source: Gartner):

  • Revenue/mission: operating or nonoperating income, and enhancing nonrevenue mission objectives. SOC optimization is a tactic of agile security and an enabler of digital transformation: organizations that exercise continuous SOC optimization are likely to see less downtime, shorter recovery times, higher customer trust and a stronger brand reputation.

  • Cost: future cost avoidance and an immediate decrease in operating expenses. In our earlier article we covered the estimated cost savings delivered through SOC optimization.

  • Risk: financial, market, regulatory compliance and security, innovation, brand and reputation. The SOC optimization approach addresses the top three business challenges and risks identified in The State of Risk Management Survey Report 2021.

Building and continuously maintaining a robust security and risk program is known to be an effective strategic step towards better ransomware prevention (Source: Gartner).

Tactical Layer

Boards today are better informed and more prepared to challenge the effectiveness of their companies' programs (Source: Gartner). The SOC optimization approach lets you continuously evaluate and understand the state of security resilience and preparedness in terms of the tools, processes and skills available to defend against attacks. Continuously verifying the organization's posture is considered critical to successfully preventing and responding to ransomware attacks (Source: Deloitte).

Not every organization will experience a ransomware attack, but all must plan for the eventuality and test their preparedness to respond when one occurs. Establish processes and compliance procedures that involve key decision makers: ransomware can escalate from an issue to a crisis in no time, costing the organization revenue and damaging its reputation (Source: Gartner). Leading practices include reducing the attack surface; hardening the perimeter and the components of the enterprise backup and recovery infrastructure; segmenting or micro-segmenting networks; enforcing least-privilege or Zero Trust access policies and controls; effective and timely patching of IT system vulnerabilities; and network analytics and digital behavior monitoring (Source: Deloitte).

One of the things SOC optimization teaches is how to focus on the full defence and response lifecycle of a ransomware attack, from strategy and planning through monitoring and incident tracking to disaster recovery and remediation. Strong containment and isolation procedures to minimise the impact of ransomware events are also crucial (Source: KPMG). Incident response processes should not rely on IT systems that may be affected by the ransomware attack or unavailable during a serious incident (Source: Gartner); for example, keep runbooks and contact lists reachable offline.

Operational Layer

Data quality poses its own challenges: without it, security services lack the agility to keep up with imposed changes. After SOC optimization, you should be able to exploit your data properly and improve SLAs.

Gartner's 2020 CISO Effectiveness Survey found that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio and 12% have 46 or more, in some cases reaching 70 or even 150 different vendor technologies. Reduce technology risk through a vendor consolidation process: too many security vendors also means complex security operations and increased security headcount.

Organizations need to focus on preparation, early detection and early mitigation if they want to cut their losses to ransomware. The operational efficacy of security services at SOC leaders is noticeably higher than at non-leaders. In most organizations, early detection is handled primarily by anti-malware and antivirus software; however, the growing number of successful ransomware attacks suggests that relying solely on existing tools isn't sufficient to protect organizations (Source: Gartner). Practical guidance on how to prepare for and respond to ransomware attacks has already been published by the UK's National Cyber Security Centre (NCSC) (Mitigating malware and ransomware attacks, National Cyber Security Centre, March 30, 2021), the US CISA (Ransomware Guidance and Resources, Cybersecurity & Infrastructure Security Agency, 2021), and other security organizations around the world.
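As an added example (not code from the original post or from Quantum Cybersecurity Skills), the following Python script shows the kind of behaviour-based early detection that goes beyond signature anti-malware. It runs two rules over constructed endpoint telemetry in an assumed 'timestamp|host|pid|kind|detail' format: the first flags command lines that inhibit system recovery before encryption starts (vssadmin, wmic, wbadmin, bcdedit; MITRE ATT&CK T1490), the second flags a single process renaming many files to one new extension within a short window. The log format, rule names, thresholds and sample events are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime


def sample_events():
    """Constructed sample telemetry (not real logs), one event per line:
    "timestamp|host|pid|kind|detail", where kind is "proc" (a command line
    observed at process start) or "rename" ("old path>new path")."""
    lines = [
        r"2021-06-01T10:00:01|ws17|4120|proc|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
        r"2021-06-01T10:00:02|ws17|4120|proc|wbadmin delete catalog -quiet",
        r"2021-06-01T10:00:03|ws17|4120|proc|bcdedit /set {default} recoveryenabled no",
        r"2021-06-01T10:30:00|ws22|880|proc|vssadmin list shadows",  # benign admin use
        r"2021-06-01T10:30:01|ws22|880|rename|C:\data\report.docx>C:\data\report-final.docx",
        r"2021-06-01T10:30:02|ws22|880|rename|C:\data\notes.txt>C:\data\notes.md",
    ]
    # A burst of 30 documents rewritten to a new extension by one process within 15 s.
    for i in range(30):
        lines.append(
            f"2021-06-01T10:00:{5 + i // 2:02d}|ws17|4120|rename|"
            rf"C:\Users\a\Documents\f{i}.docx>C:\Users\a\Documents\f{i}.docx.locked"
        )
    return lines


def parse_events(lines):
    """Parse the assumed pipe-delimited format and order events by time."""
    events = []
    for line in lines:
        ts, host, pid, kind, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "pid": int(pid), "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


# Command lines used to inhibit system recovery before encryption (ATT&CK T1490).
# Rule names are our own labels, not a vendor's.
BACKUP_TAMPER_RULES = [
    ("vssadmin-delete-shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


def detect_backup_tampering(events):
    """One alert per process-start event whose command line matches a T1490 pattern."""
    alerts = []
    for ev in events:
        if ev["kind"] != "proc":
            continue
        for rule, pattern in BACKUP_TAMPER_RULES:
            if pattern.search(ev["detail"]):
                alerts.append({"rule": rule, "host": ev["host"], "pid": ev["pid"],
                               "ts": ev["ts"], "cmd": ev["detail"]})
    return alerts


def ext_of(path):
    """Lower-cased file extension of a Windows or POSIX path ("" if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events, threshold=20, window_s=60):
    """Alert when one process renames >= threshold files to the same new extension
    within window_s seconds. Renames that keep the extension (ordinary saves and
    edits) are ignored, and each (process, extension) pair fires only once."""
    alerts, fired = [], set()
    windows = defaultdict(deque)  # (host, pid) -> deque of (ts, new_ext)
    for ev in events:
        if ev["kind"] != "rename":
            continue
        old, new = ev["detail"].split(">", 1)
        new_ext = ext_of(new)
        if ext_of(old) == new_ext:
            continue
        key = (ev["host"], ev["pid"])
        q = windows[key]
        q.append((ev["ts"], new_ext))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        ext, n = Counter(e for _, e in q).most_common(1)[0]
        if n >= threshold and (key, ext) not in fired:
            fired.add((key, ext))
            alerts.append({"rule": "mass-rename", "host": key[0], "pid": key[1],
                           "ts": ev["ts"], "ext": ext, "count": n})
    return alerts


def run_detections(lines):
    events = parse_events(lines)
    return detect_backup_tampering(events) + detect_mass_rename(events)


if __name__ == "__main__":
    for alert in run_detections(sample_events()):
        print(alert)
```

On the constructed sample this raises three recovery-inhibition alerts and one mass-rename alert for host ws17 / pid 4120, while the benign 'vssadmin list shadows' and the two ordinary renames on ws22 stay silent. In practice the events would come from an EDR or Sysmon feed rather than a list of strings, and the threshold and window need tuning per environment; the value of the rename rule is that it fires within seconds of encryption starting, well before a signature exists for the sample.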

Feel free to discuss with us how we could help in your SOC productivity optimization journey.

You may also like below blog(s):

'Most Overlooked Areas of SOC Productivity Optimization'

'Step #1: Do You Have The Invisible Gorilla in Your SOC?'

#SOCoptimization #SOCproductivity #SOCsalability #SOCsustainability #SecOps #SOC #SOCsuperposition #InfoSec #RiskManagement #MDR #MSSPs #SOCasaService #AgileSecurity #RiskManagement #Resilience #BusinessContinuity

Organizations that are able to take full advantage of their security services (SOC) are leaders when it comes to reducing business risk and operational cost and improving resilience and business continuity. Scale and sustain the resources you already have; it is part of an agile and integrated risk management strategy.

Quantum Cybersecurity Skills has been co-founded by seasoned SOC Managers to help SOC Managers and CISOs out there. We are your trusted Partner to deliver continuous SOC productivity optimization aligned to ISO 27001 PDCA, proactive and reactive security services, MDR and professional risk mitigation services. Our services are applicable to any size organization from any industry, whether with an in-house SOC / CSIRT / CERT or MSSP outsourced. We run operations in UK, Canada, Mexico, USA and Spain to meet customers' Data Privacy requirements.

Reach out to us: T: @SOCoptimization
