
Why UBA Will Catch the Zero-Day Ransomware Attacks (That Endpoint Protection Can’t)

2 min read
Last updated May 26, 2023

Ransomware attacks have become a major security threat. It feels like each week a new variant is announced: Ransom32, 7ev3n. This malware may well be involved in the next big breach. Newer variants such as Chimera threaten not just to ransom your data but also to leak it online if you don't pay up.

These cyber extortionists are not exactly the most scrupulous people, so who's to say they won't sell your data online anyway, even after you pay the ransom? They don't have to honour a Terms of Service agreement.


Let’s face it: they have a really good business model.

What’s the Signature?

Some have turned to endpoint security solutions in the hope that they will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

 “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: signature-based endpoint tools can't block an unknown ransomware variant. Blacklisting connections to a current (but inevitably outdated) list of C&C servers, for example, only stops the samples whose infrastructure has already been catalogued. They are also bound to a single device, user or process, so they see only that host's view of the attack, and modern ransomware routinely uses anti-heuristic and anti-debugging techniques to evade analysis on that host.

Ransomware Prevention that Works

If endpoint security tools won’t help prevent ransomware, what will?

Northeastern University’s ransomware research paper, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks (Kharraz et al., DIMVA 2015), analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.” In other words, whatever the binary looks like, the encryption run itself leaves a recognizable trail in file system activity.

Is there a technology that will protect your file systems based on this idea?

Answer: User Behavior Analytics (UBA). It’s an essential layer for detecting and stopping ransomware that no signature has seen yet.

UBA compares what users on a system normally do, their activities and file-access patterns, against the abnormal activity of an attacker (or of malware) acting under stolen internal credentials. First, the UBA engine learns normal behaviour by logging each individual user’s actions: file access, logins and network activity. Over time it derives a profile that describes what it means to be that user, and it is the deviation from that profile, not a match against a known sample, that raises the alarm.

Identifying Ransomware with Varonis Automated UBA Threat Models

Out of the box, Varonis UBA threat models spot the signs of ransomware activity as files are being encrypted (typically a single account modifying or renaming an abnormally large number of files in a short window, often with an extension that account has never produced before) and therefore can stop these attacks without relying on a static list of signatures.

Once ransomware is detected, a combination of automated response steps can be triggered to keep the infection from spreading: for example, disabling the affected user account, isolating the infected computer, disconnecting network drives on that machine, or disabling its NIC. Because a fast encryptor can touch thousands of files a minute, the value of these actions depends on how quickly detection fires; tune thresholds against a clean baseline period and exercise the automated actions against known-good activity before enabling them, since disabling the wrong account or NIC is itself a denial of service.
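The two ideas above, a per-user baseline learned from file activity and a threat model that fires on the mass-modification pattern of an encryption run, fit in a small script. The following is an added example written for this page, not Varonis code and not a description of any product's threat models or API; the audit-log format, the user names, the thresholds (`sigma`, `min_files`, `new_ext_min`) and the `TRAINING_END` cut-off are all assumptions made for the demonstration, and the log lines are constructed.

```python
"""Toy user behaviour analytics (UBA) over file-server audit events.

Learns a per-user baseline of write/rename activity, then flags one-minute
windows where a user's activity jumps far above that baseline or starts
producing file extensions the user has never written before, the trail a
mass-encryption ransomware run leaves behind. Added example with constructed
data; not Varonis code and not tied to any product's threat models or API.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re
import statistics

# Assumed audit-record layout; real file-server audit logs differ per vendor.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$")
WRITE_OPS = {"write", "rename", "create"}
TRAINING_END = "2023-05-26T09:30:00Z"  # constructed: events before this form the baseline


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    op: str
    path: str  # for renames this is the new name, the one ransomware chooses

    @property
    def ext(self) -> str:
        name = self.path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""

    @property
    def minute(self) -> int:
        return int(self.ts.timestamp() // 60)


def parse(lines):
    """Parse audit lines; a malformed line is skipped rather than fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(parse_ts(m["ts"]), m["user"], m["op"], m["path"]))
    return events


@dataclass(frozen=True)
class Baseline:
    mean: float       # mean distinct files written per active minute
    stdev: float
    exts: frozenset   # extensions this user wrote during the training period


def build_baselines(events):
    """Step 1 of UBA: profile each user from their own history."""
    files_per_minute = defaultdict(lambda: defaultdict(set))
    exts = defaultdict(set)
    for e in events:
        if e.op in WRITE_OPS:
            files_per_minute[e.user][e.minute].add(e.path)
            exts[e.user].add(e.ext)
    baselines = {}
    for user, minutes in files_per_minute.items():
        counts = [len(paths) for paths in minutes.values()]
        baselines[user] = Baseline(statistics.fmean(counts), statistics.pstdev(counts), frozenset(exts[user]))
    return baselines


@dataclass(frozen=True)
class Alert:
    user: str
    window_start: datetime
    files_written: int
    new_exts: tuple
    reasons: tuple


def detect(events, baselines, sigma=3.0, min_files=20, new_ext_min=5):
    """Step 2: flag per-user minutes that break the profile. min_files stops a
    user with a near-zero baseline alerting on every small burst; new_ext_min
    catches a rename-to-.locked pattern even when volume alone is modest."""
    by_user_minute = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.op in WRITE_OPS:
            by_user_minute[e.user][e.minute].append(e)
    alerts = []
    for user, minutes in by_user_minute.items():
        base = baselines.get(user)
        known = base.exts if base else frozenset()  # unseen user: nothing learned yet
        threshold = max(min_files, base.mean + sigma * base.stdev) if base else min_files
        for minute, evs in sorted(minutes.items()):
            files = {e.path for e in evs}
            new_exts = tuple(sorted({e.ext for e in evs if e.ext not in known}))
            new_ext_files = sum(1 for e in evs if e.ext in new_exts)
            reasons = []
            if len(files) >= threshold:
                reasons.append(f"{len(files)} files written, threshold {threshold:.0f}")
            if new_ext_files >= new_ext_min:
                reasons.append(f"{new_ext_files} files with never-seen extensions {new_exts}")
            if reasons:
                start = datetime.fromtimestamp(minute * 60, tz=evs[0].ts.tzinfo)
                alerts.append(Alert(user, start, len(files), new_exts, tuple(reasons)))
    return alerts


def constructed_log():
    """Constructed data: 30 quiet minutes for alice and bob, then a 40-file
    rename burst from alice's (compromised) account, plus one malformed line."""
    lines = []
    for m in range(30):
        for i in range(3):
            lines.append(f"2023-05-26T09:{m:02d}:{i * 10:02d}Z user=alice op=write path=/fs1/finance/report_{m}_{i}.xlsx")
        for i in range(2):
            lines.append(f"2023-05-26T09:{m:02d}:{i * 20:02d}Z user=bob op=write path=/fs1/eng/spec_{m}_{i}.docx")
    for i in range(40):
        lines.append(f"2023-05-26T09:30:{i:02d}Z user=alice op=rename path=/fs1/finance/archive/doc_{i}.docx.locked")
    lines.append("this line is not an audit record")
    return lines


def run_demo():
    events = parse(constructed_log())
    history = [e for e in events if e.ts < parse_ts(TRAINING_END)]
    return detect(events, build_baselines(history))


if __name__ == "__main__":
    for a in run_demo():
        print(a.user, a.window_start.isoformat(), "; ".join(a.reasons))
```

Running it yields a single alert, for alice at 09:30, with both reasons attached: 40 files against a learned threshold of 20, and 40 files carrying the `.locked` extension her profile has never contained. Bob's two edits a minute never come near the threshold, and alice's own normal minutes do not either, which is the point of profiling per user rather than against one global number. The training window is split off by time so the attack does not pollute its own baseline; in production the equivalent is refusing to fold an alerting window back into the profile until an analyst has closed the alert.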
