Ransomware: What happens when the first layer of defense fails?

76% of respondents see ransomware as a major business threat today, according to a recent Information Security Media Group (ISMG) survey, “2017 Ransomware Defense Survey: The Empire Strikes Back,” aimed at understanding the true impact of ransomware on organizations.

While this news isn’t worthy of breaking into the latest episode of Madame Secretary, what follows in the Varonis-sponsored survey is an alarming disconnect between the perception and the reality of how these attacks happen and how to defend against them.

Key findings among the results:

    • 83% of respondents are confident that their endpoint security will detect ransomware before it spreads to workstations and infects critical files via file shares.
    • But only 21% say their anti-malware solution is completely effective at protecting their organization from ransomware.
    • 44% of respondents state that users are the single biggest weakness in the security chain related to the surge in ransomware.
    • Only 37% of respondents who suffered an attack proceeded to improve internal user access controls to reduce the footprint of future attacks, and 36% sought to improve detective and recovery capabilities.

People are placing their faith in endpoints to stop ransomware, but we see this threat bypassing that layer. Organizations should ask themselves: “What happens if this layer fails?”

They need to consider other layers of defense to counter this threat, including prioritizing protection around the assets that are most valuable to their organization and productivity. Ransomware targets the data on file shares, where there is 10 to 1,000 times more data than on a laptop or workstation. It makes good defensive sense to place a micro-perimeter around this data, restrict access to reduce an attack’s footprint, and monitor for ransomware-like behaviors in order to immediately stop those threats that sneak past your outer defenses.

A lot of organizations like to think they don’t have insider threats, but oftentimes it’s the loud intrusion of ransomware that alerts an organization to over-exposed, unmonitored permissions and data. When a user with excessive permissions to data across the network is infected and the ransomware spreads to every file to which that user has access, organizations cannot ignore the crippling effects of hijacked data.

They should be thanking the ransomware criminals for shining a big, bright spotlight on the holes in their defenses. If ransomware can temporarily halt productivity due to overexposed permissions, only imagine what a malicious insider or external actor with co-opted credentials can do to your organization and how long they can go undetected.

Organizations should monitor how the data they depend on is used, especially the files and emails that are frequent targets of breaches, and then perform regular attestations of access rights to reduce the amount of overexposed sensitive information that can be hijacked in the first place. They should also deploy user behavior analytics against data activity to look for signs of ransomware.

Read the full survey here.

Then see how our customers are using Varonis to detect ransomware when anti-malware tools fail.
