Sponsored Content

Designing a Proactive Ransomware Playbook for Today’s Threat Landscape

Asset inventories and risk assessments are critical tools in defending against the increasing scourge of ransomware.

By Paul Baird, Chief Technology Security Officer, Qualys

Ransomware attacks are among the most significant cyber-threats facing organizations today. According to research by Gartner, ransomware is the highest priority (78 percent) and most important emerging risk to track. Yet, organizations are still at a loss on where and how to start protecting themselves against bad actors.

CISA, NIST and countless others are sharing high-level guidance on how organizations should defend themselves against ransomware – but it can often be boiled down to “fix everything.” Instead, focus needs to shift to tangible actions that will result in real risk mitigation, and improving understanding around the different methods used by attackers.

Taking the First Step

A proactive approach is essential in today’s rapidly evolving and complex IT environment. So where to start?

An asset inventory is a list of all enterprise IT assets that exist across the network. These all contain software that could, at any point, be vulnerable to an attack. Without the foundation of a list that provides a holistic view of the environment, it is impossible to stay ahead of attackers. After all, you can’t protect what you can’t see.

This process needs to be automated and continuous, rather than relying on manual, ad-hoc scans that could easily fall to the bottom of the pile. Tools such as Qualys CyberSecurity Asset Management (CSAM) provide an overview of known and, more importantly, unknown assets within your environment and whether there are any known risks associated with each asset.

Once the inventory is established, it’s time to assess the current risk level. This involves seeking out live issues. For example, based on recent Qualys research, there are 110 Common Vulnerabilities and Exposures (CVE) entries that have been associated with ransomware over the past five years. With this list, organizations can gain a full picture of these CVEs, whether they are present in the environment, and which of the CVEs must be prioritized when patching.

Organizations can enrich their asset and software data with contextual information to help the detection process. For example, they can identify and set alerts for assets that are running unauthorized software, or are not using antivirus or endpoint security tools. These issues can be examined and appropriate action taken to resolve them.

Priorities and the Bigger Picture

With so many potential risks in today’s security landscape, it is important to understand how to prioritize.

In practice, not all risks are equal. There may be thousands of issues discovered – some of which will need to be dealt with immediately, but others may be incredibly niche or hard to exploit. By adding business context to assets, organizations can focus on the most critical risks to their business, and allow those lower down on the list to be managed over time.
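The triage described above, sketched as an added example (not from the original article or from Qualys): inventory records are matched against a ransomware-associated CVE list, enriched with the context flags mentioned earlier, and ranked by business criticality. The field names, score weights, hostnames and CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder IDs; load the real ransomware-associated CVE list
# from your own threat-intelligence source.
RANSOMWARE_CVES = {"CVE-0000-0001", "CVE-0000-0002"}
# Assumed weighting, not a standard: tune it to your own risk model.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Asset:
    name: str
    criticality: str                 # business context: high / medium / low
    cves: set                        # open CVEs reported by the scanner
    has_endpoint_agent: bool = True  # antivirus / endpoint security present
    unauthorized_software: list = field(default_factory=list)
    managed: bool = True             # False = seen on the network, not in the CMDB

def triage(assets):
    """Return (score, asset name, reasons) rows, highest priority first."""
    rows = []
    for a in assets:
        hits = sorted(a.cves & RANSOMWARE_CVES)
        reasons = [f"ransomware-associated {c}" for c in hits]
        score = 10 * len(hits)
        if not a.has_endpoint_agent:
            score += 5
            reasons.append("no endpoint protection")
        if a.unauthorized_software:
            score += 3
            reasons.append("unauthorized software: " + ", ".join(a.unauthorized_software))
        if not a.managed:
            score += 4
            reasons.append("previously unknown asset")
        if score:  # assets with no ransomware-relevant finding stay in the normal patch cycle
            rows.append((score * CRITICALITY_WEIGHT[a.criticality], a.name, reasons))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory.
SAMPLE = [
    Asset("erp-db01", "high", {"CVE-0000-0001", "CVE-0000-0099"}),
    Asset("kiosk-17", "low", {"CVE-0000-0001", "CVE-0000-0002"}, has_endpoint_agent=False),
    Asset("dev-laptop-04", "medium", {"CVE-0000-0099"}, unauthorized_software=["remote-access-tool"]),
    Asset("unknown-host-23", "medium", set(), has_endpoint_agent=False, managed=False),
    Asset("file-srv02", "high", {"CVE-0000-0099"}),
]

if __name__ == "__main__":
    for score, name, reasons in triage(SAMPLE):
        print(f"{score:>3}  {name:<16} {'; '.join(reasons)}")
```

A single ransomware-associated CVE on a business-critical server outranks two on a low-value kiosk, which is the effect of adding business context to the raw finding count.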

Patching itself is often overlooked as an important part of this process, typically because it crosses team and department boundaries – ultimately leading to conflicts or delays. To address this, organizations must implement metrics that can track successful deployments, and make these a business responsibility rather than just that of IT teams.

Ransomware Isn’t a Security Issue, it’s a Business Issue

The costs and disruption to the business following a ransomware attack have resulted in better support and more budget for security teams. However, increasing the security budget or investing in additional tools is not enough. Gartner predicts that 40 percent of boards will appoint a dedicated cybersecurity committee by 2025 (up from 10 percent). As part of this, business teams will want to see significant improvements in securing company environments.

Some organizations are well into this journey already, but many are still lagging behind despite the increasing threats. Security professionals can enhance their efforts by learning from one another and keeping abreast of industry developments to hear best practices and understand the value of new technological advancements.

At this year’s annual Qualys Security Conference – November 15-18, in Las Vegas and online – attendees will hear from customers, industry practitioners and Qualys experts on how to build up their ransomware playbook to defend against today’s growing attack surface and sophisticated bad actors.

Alongside keynote sessions from Chris Krebs, former director of CISA, and Sumedh Thakar, CEO at Qualys, the event will be dedicated to exploring the role of security in digital projects and how to build in security automation from endpoints to the data center to the cloud.

Key sessions will cover asset inventory, remediation using threat context, detection and response using prevention context, and streamlining compliance management.

To register and learn more about the event, please visit the conference website

