Endpoint Detection and Response is a Key Weapon in the Battle Against Ransomware


It’s well known by now that the consequences of a successful ransomware attack go well beyond the financial loss of paying a ransom. Damage to brand and reputation, lost productivity, and compromised data—even if the ransom is paid—are common results. Current news of the gasoline shortage on the U.S. East Coast after a ransomware attack reminds us that consequences can be far-reaching. And the first death known to be associated with a ransomware attack, in 2020, proved they can be deadly.

Behind the Ransomware Explosion

It does not bode well that ransomware activity increased sevenfold just during the second half of 2020 (compared to the first half). Ransomware was already popular with cyber criminals, given its low barrier to entry and the high potential for financial gain. But massive growth ensued when it evolved in three main ways.

  • Ransomware-as-a-Service (RaaS) continued to expand rapidly.
  • The art of targeting organizations based on their ability to pay (“Big Game Hunting”) was perfected.
  • Threats to disclose compromised data if demands weren’t met found great success.

Given the rapidly increasing volume and sophistication of ransomware attacks, it’s generally accepted that being the target of an attack is just a matter of time. While the healthcare industry tends to be attacked most often, ransomware targets every industry and organizations of every size around the globe.

Further, the sudden widespread shift to telework means enterprise security controls established to protect employees in the corporate office offer less protection. At the same time, home offices do not have the same level of security, and bad actors are aggressively exploiting that.

Can Ransomware Be Stopped?

With ransomware continuing to enjoy great success, employees struggling to recognize malicious emails, and the cyber skills gap persisting, it may seem like ransomware is unstoppable.

But the good news is that you don’t have to be a victim. You may not be able to avoid becoming a target, but you don’t have to let ransomware succeed. With the right preparation and technology, these attacks can be stopped from achieving their goals.

A comprehensive overall security strategy that includes processes and security controls at each stage of the kill chain is recommended. But arguably, the most important technology for preventing ransomware damage is advanced endpoint security that unifies the prevention, detection and response functions so that they operate in real time. Modern approaches in particular, built on behavioral analysis rather than matching against known threat intelligence, and able to cover targeted endpoint devices both old and new, have proven very effective.

What is Endpoint Security?

The purpose of an endpoint protection platform (EPP) is to stop threats before they can install on your devices and start to run. The purpose of an EDR, on the other hand, is to detect threats that have installed and started to run on a device in your network and automatically respond to them. It can analyze the nature of the threat and give your team information regarding how it was initiated, which parts of your network it has attacked, what it is currently doing, and how to stop the attack altogether. An EDR solution further protects your network by containing the threat and keeping it from spreading.

Ideally, an EDR solution not only detects potentially malicious processes, but also defuses them in real time by blocking the potential malicious action automatically. This effectively pauses the attack and stops ransomware encryption, lateral movement, credential theft, and data exfiltration, buying time for security professionals to thoroughly investigate and remediate.

Both EPP and EDR are required, and ideally are integrated into one solution for unified protection. Some advanced threats will most likely get through the EPP, which is why EDR is so important.

What to Look for in Modern Endpoint Security

Endpoint security solutions vary widely, so it’s important to make sure the solution is effective in stopping ransomware. Some started out as EPP and added EDR later. Others started as EDR and added EPP after the fact. To effectively thwart modern cyberattacks, a modern endpoint security solution must take a behavior-based approach from start to finish. In this way it can prevent many new campaigns even before they become known and threat intelligence is available. Further, even if an attack does slip through, a solution that can protect systems and files after an endpoint has been compromised will be able to reliably protect against ransomware attacks. It’s also important for the solution to be able to restore encrypted files in real time across Windows, Mac, and Linux systems.

Finally, the solution should include automation features to speed containment and remediation. These actions include terminating processes, removing malicious or infected files, cleaning up persistence, notifying users, opening tickets and more. With a combined, behavior-based EPP/EDR solution, endpoints can be secured in real time, both pre- and post-infection, to reduce cyber risk, standardize incident response procedures and optimize security and operations resources.
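To make the behavior-based idea above concrete, here is a small added example (not code from the article or from any vendor product) that scores a process on ransomware-like file activity, with no signature involved, and maps a high score to the automated containment steps the article lists. The event format, entropy floor, weights and threshold are all assumptions for illustration, and the events are constructed sample data.

```python
import math
import os
from collections import Counter
from dataclasses import dataclass

@dataclass
class FileEvent:                 # hypothetical telemetry record from an endpoint sensor
    pid: int
    op: str                      # "write" or "rename"
    path: str
    new_path: str = ""           # destination for renames
    data: bytes = b""            # bytes written, for writes

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; encrypted or compressed output sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_process(events, pid, entropy_floor=6.0):
    """Heuristic: many high-entropy writes spread over several directories, plus
    renames that change the file extension, is what bulk encryption looks like."""
    high_entropy_files, dirs, ext_renames = set(), set(), 0
    for ev in (e for e in events if e.pid == pid):
        if ev.op == "write" and entropy_bits(ev.data) >= entropy_floor:
            high_entropy_files.add(ev.path)
            dirs.add(os.path.dirname(ev.path))
        elif ev.op == "rename" and os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
            ext_renames += 1
    return len(high_entropy_files) + ext_renames + 2 * max(len(dirs) - 1, 0)

def decide(events, pid, threshold=8):
    """Return the automated response plan for pid, or an empty list if benign."""
    if score_process(events, pid) < threshold:
        return []
    return ["terminate_process", "quarantine_files", "remove_persistence",
            "notify_user", "open_ticket"]   # the containment steps the article names

# Constructed sample telemetry: one benign editor process and one process that
# overwrites files in two directories with high-entropy data and renames them.
ENCRYPTED = bytes(range(256)) * 2             # every byte value equally likely: 8.0 bits/byte
TEXT = b"quarterly report draft\n" * 20       # plain text: low entropy
SAMPLE_EVENTS = [FileEvent(1001, "write", "/home/ann/docs/report.txt", data=TEXT)]
for d in ("/home/ann/docs", "/home/ann/photos"):
    for i in range(3):
        p = f"{d}/file{i}.dat"
        SAMPLE_EVENTS.append(FileEvent(4242, "write", p, data=ENCRYPTED))
        SAMPLE_EVENTS.append(FileEvent(4242, "rename", p, new_path=p + ".locked"))
```

A real EDR sensor would evaluate this over a sliding time window and weigh process lineage as well; the point here is that nothing in the decision depends on knowing the malware in advance.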

A Unified, Automated Approach is Key

As the threat landscape continues to grow more sophisticated, a real-time approach is critical to addressing the advanced threats targeting endpoints while coping with the cyber skills shortage. The ability not only to prevent, but also to detect and defuse threats in real time, with customizable automated response to contain breaches, ensures high availability even in the midst of a ransomware attack.

Learn more about Fortinet’s FortiEDR solution and how it has the unique ability to defuse and disarm a threat in real time, even after an endpoint is already infected.

Copyright © 2021 IDG Communications, Inc.