Tanium expert on how organisations can build an effective defence against ransomware

Tanium expert on how organisations can build an effective defence against ransomware

As instances of ransomware increase across EMEA, organisations must adopt a robust approach to cyber defence by prioritising prevention measures. Zac Warren, Chief Security Advisor, EMEA at Tanium, tells Jess Abell, Director of Strategic Content at Lynchpin Media, how organisations can strengthen their defences by enhancing endpoint visibility and reinventing their approach to patching.

Zac Warren, Chief Security Advisor, EMEA, Tanium

Despite increased investment in cyber defence, why is the problem of ransomware only getting worse?

Simply, ransomware is quite easy to do. In the past few years, attackers have realised that they no longer have to code malware themselves; they can rent it as a service. As a result, many criminal organisations have found it easy to launch these types of attacks. There have also been several big ransomware payouts which encourage attackers to carry out more attacks.

What does a typical ransomware attack look like and how does it progress?

Typically, an attack starts with the reconnaissance of an environment. The bad actor will scan environments to look for vulnerabilities while simultaneously looking at individuals. Then, they often start doing social engineering and gathering data on individuals. Once they’ve gathered the necessary information, they begin weaponising it, which usually involves launching a phishing attack via email. If people click on these links and enter their credentials or other sensitive information, such as a username and password, then the attacker has an opportunity to compromise the network.

They’ll also look for vulnerabilities in the Internet-facing software and devices or unpatched systems. Attackers use these potential entry points to gain access and typically find an existing piece of malware in the environment, so they can re-enter the environment anytime they want.

Sometimes we see organisations that have had a bad actor in their environment for over 300 days and didn’t know about it, clearly depicting a lack of visibility. Ultimately, once the attackers understand which servers hold data critical to the business, they begin encrypting the data so that it is no longer accessible. However, before they encrypt it, they will likely steal the data and look for connections to any backup systems before destroying them. This can be a challenging situation to get out of because I have seen multiple organisations pay the ransom and get the keys to decrypt the data but it didn’t lead to them restoring access quickly and easily. Despite getting their data decrypted, there were still problems getting it to work.

What tactics should an organisation use to resolve ransomware without paying hefty amounts?

It is all about preparation; I constantly speak about preventative cybersecurity. For me, good cybersecurity is cyber hygiene done well, which means understanding your vulnerabilities, finding the updates or patches for those vulnerabilities, and making sure that they’re rolled out. I always recommend two main things – patching and multi-factor authentication; if organisations followed these two things, close to 80% of all attacks would be prevented.

Backups are also vital but organisations must treat them as critical infrastructure and build security policies and procedures around them. The FBI, Interpol and Europol all suggest informing the authorities for help and not paying the ransom straightaway.

If you choose not to pay the ransom, as advised, you need to have access to secure and off-the-grid backups so they cannot be attacked. It is all about the preventative work because once you’ve been hit by ransomware, all you can do is clean up.

How can organisations build an effective defence against ransomware?

The first thing is education, which I push for as we need to ensure employees are up to speed on what these attacks look like and what ransomware really means. It is essential to be cautious – we need to be testing and measuring our organisations. At Tanium, we regularly test the security awareness of our employees. Recently, I got a suspicious-looking email and flagged it to our internal security team. They assured me that it was a phishing test and was a way for the organisation to assess how many employees were falling for such attacks. Organisations should do something similar to this and ensure that devices are up to date with patching and vulnerability management.

Tanium asserts that converged platforms that unite tools and data into one unified solution are the way to go in terms of combating ransomware. Why is that?

The problem is the visibility of your ecosystem; it is a significant issue in every organisation I visit. Through Tanium’s Converged Endpoint Management (XEM), a single platform that can identify where all your data is, patch every device you own in seconds and implement critical security control tools, all within a single pane of glass, we can help obtain that much sought after visibility.

Some organisations have over a million endpoints, but we can still get the info from all of them within 15 seconds. This knowledge of your environment provides the tools needed to obtain business insights quickly, reduce time to incident resolution and lower IT cost and complexity.

Regarding cyber hygiene, organisations have many issues allowing actors to access their environments easily. With the visibility that Tanium provides, on top of the fact that we enable you to use the same single agent to enforce things, we help gain visibility and identify problems with vulnerabilities and issues with different patches that aren’t up to date. Tanium can then enforce and push those updates, patches and policies up to the endpoints, thus being able to not only find the problem but also solve the problem. This converged endpoint management is crucial as we also reduce the number of agents and overheads you need to support all those devices.

How does Tanium address ransomware at every different stage of the attack?

At the different stages, Tanium provides visibility to make decisions and break the kill chain before the cyberattack. There are six steps in the cyberattack chain with opportunities in every single step to disrupt a bad actor. However, if you have no visibility of your environment, you’re flying blind. As an organisation, if you have vulnerabilities, bad patching, no multi-factor authentication and no visibility, anyone can come in and walk out and you wouldn’t be able to ascertain whether they are still there.

Another area that Tanium addresses is that many organisations don’t know where their important information is stored. Furthermore, Tanium shows you your vulnerabilities and how you can fix them to the point where they are no longer a weakness. Hence, you can make better decisions on where and how to protect your valuable information.

How can organisations select appropriate security tools to defend against ransomware?

My two recommendations again would be cyber hygiene and prevention. We need to ensure that our basics are taken care of first. If you’re looking at new tool sets, EDR, firewalls or security tool sets, first look inward before purchasing anything new. Look at your existing tools, patches, patching cycles and processes. Evaluate how long it takes to roll out a new patch in the environment. Every time a new patch is rolled out, does it work 100%? Look at these basics before you go out and look to buy anything new.

I worked with a CISO that had 72 security tools, but as we analysed them, we realised that 50% were being utilised and some were even overlapping in capabilities and not being fully utilised. By getting rid of half of the overlapping tools and using the tools in place to their full potential, the organisation is now in a much better place today. Tanium simplifies what they have and gets rid of a bunch of agents on the endpoint to start looking at how the CISO can integrate more tools and eliminate the excess. Once this is done, it is all about visibility. Understand what your environment looks like, your inventory and the assets you have on your devices, such as the software and the applications running and then you can better protect your organisation.

Browse our latest issue

Intelligent CISO

View Magazine Archive