Ransomware: visibility is the best defence

Matt Lock, technical director at data security company Varonis, outlines the crucial importance of data visibility in protecting organisations from an increasingly sophisticated threat landscape

How have the techniques and workings of cybercriminals evolved in recent years?

We’ve seen cybercrime groups adopt cyber tactics developed and used by nation states to discover vulnerabilities in organisations and run attacks. Ransomware has grown massively. A lot of people still think about the WannaCry ransomware attack in 2017, but it’s evolved enormously since then. With the rise of ransomware-as-a-service, you don’t even have to be a sophisticated hacker yourself as you can just use tools developed by someone else to conduct ransomware attacks.

And cryptocurrency has incentivised criminals with the promise of a big payout while remaining anonymous. It’s matured and become weaponised – we now have what we call ‘big game’ ransomware, where attackers infiltrate a company very subtly, such as via a phishing campaign or malicious website, and then look to locate valuable, sensitive information. They go under the radar by using credentials for authorised users to look for critical information before stealing and encrypting it and demanding a ransom, often in the hundreds of thousands or millions.

Cybercrime groups are like the heads on the mythical Hydra - when one is taken down by authorities, through collaboration with other criminals, they very quickly reform, reorganise and start attacking again.

What risks do organisations face when they lack visibility across their data?

The biggest risk is overexposed data. It presents a massive challenge to nearly every organisation. On average, an employee has access to about 17 million files. That sounds enormous, and it is. As a result, when organisations are subject to a breach or attack, they’re caught off guard. The sheer volume of data means their attack surface is way bigger than it should be, and they’re unprepared for that. Lacking visibility - and therefore knowledge - of where the most important and sensitive data resides, as well as who has access to it and who has changed, copied, deleted, or stolen it, amplifies the challenges of dealing with an attack.

How challenging is this, specifically to enterprise data, on-premises and in the cloud?

The challenge is huge. Data is stored in many different places and continues to grow on a daily basis, bringing more complexity which, in turn, opens organisations to more risk and overexposure. Most companies are blind when it comes to their most sensitive data. 

If you don’t know if a user has copied sensitive GDPR-protected data to their own computer, or opened sensitive HR files that they shouldn’t have access to, you won’t know when your organisation is attacked. All organisations should be able to understand their blast radius - the potential damage an attacker could do once they land on their network - but many can only guess.

Unless you’re watching who can and who does access data, and what they’re doing with it, you will inevitably miss any signs that a cyber attack is underway. Without visibility into your data, you can’t spot suspicious or unusual activity early, which is the key. If you’ve ever received a ransomware notification, you know the sinking feeling in the pit of your stomach. If you understand your blast radius you can reduce it and ultimately minimise the effects of an attack.

How does Varonis help organisations to increase data visibility and improve their cyber defences?

We have worked with many companies that have been hit by ransomware before and know far too well the effort and the costs required to recover. The most successful companies proactively reduce their blast radius by mitigating data that’s overexposed. They archive and delete information they shouldn’t store anymore. Prevention is key to reducing the attack surface, so that’s where we start with all our customers. You have to understand what your landscape looks like and then go through as many prevention activities as you can to reduce that attack surface.

We also help organisations defend against insider threats. It’s really difficult to determine when a valued employee, with access to sensitive data, suddenly starts behaving in a way they shouldn’t. One of our customers spotted and stopped an employee stealing sensitive pricing information they were going to give to a competitor, because they had visibility into what was going on with their most sensitive data.

Aside from technology, what else do companies need to do to ensure employees have the appropriate access to data?

This really should fall into what is typically known as the joiners, leavers and movers (JLM) process. When people are onboarding with a company, a decision should be made at that stage about what access they should have. That should come through consultation with the joiner’s manager, who ultimately knows what data their team should be working with. It’s a matter of involving the business owners in that onboarding process, and making sure they make that incredibly important determination. 

We typically find about 50% of user accounts in an organisation are either stale or inactive. They’re just not being used, and if they’re not being used they’re typically not owned by anybody anymore. When these accounts are then used for malicious purposes, it’s unlikely that anybody’s going to spot it. It’s about good housekeeping.

How do you see the cyber risk landscape continuing to change?

I think it’s fair to say that the tactics are going to continue to filter down, from experienced attackers to opportunists. It’s a very open environment out there and once these vulnerabilities are discovered, even amateur cybercriminals can make use of them. We’re also going to see a lot more exploitation of cloud infrastructures or resources, which are available 24/7. Continued remote and hybrid working is replacing traditional on-premise networks with perimeter-less networks in which every laptop or mobile phone becomes a gateway to your critical and sensitive data. All of this just makes it even more crucial to gain visibility of enterprise data.

For more information, visit varonis.com

Promoted by Varonis