Every quarter, we interview CISOs and ask them what is top of mind and what trends or challenges they are experiencing in the threat landscape. From this, we create the CISO Insider — an actionable report that explores the top three issues that are most relevant in today’s threat landscape. This quarter, we’re exploring rising ransomware rates, the need for increased automation and better tools to empower security teams to do more with limited resources, and the opportunity for extended detection and response (XDR) to help rapidly address emergent threats.
Keep reading to learn what steps CISOs are taking to protect against these threats and how you can apply that guidance to your own operations. For even more information, download the full CISO Insider report.
How extortion is leading to a rise in ransomware
The risk profile of ransomware is changing, in part because the cybercrime economy has given average cybercriminals easier access to better tools and automation that enable scale and drive down costs. Combined with the economics of successful attacks, this has put ransomware on a rapid growth trajectory. Currently, Microsoft Security is tracking more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.
We’ve seen attackers raise the stakes by adopting new tactics. One is the double-extortion model, in which a victim is first extorted for a ransom to recover their data and then extorted again under the threat of having the stolen data published. Another is the rise in attacks that target operational technology assets to disrupt critical infrastructure. Each of these tactics can affect organizations in different ways, and together they point to threat actors’ creativity when it comes to monetizing cybercrime.
CISOs differ on which is the more catastrophic cost to the business: business disruption or data exposure. But regardless, preparation is key. Beyond mitigation tactics, stronger endpoint security, identity protection, and encryption are essential given attack frequency and severity. The following are some of the top ways that CISOs can build more comprehensive, end-to-end strategies that help put these best practices into action. All insights are taken from the Microsoft CISO Insider report, a public briefing of Microsoft threat intelligence based on feedback we’ve heard from security leaders across industries.
Help protect your organization from ransomware with these three steps
Industry is one key determinant that organizations can use when evaluating their ransomware risk. When we interviewed CISOs for our CISO Insider report, manufacturing leaders cited business disruption as the top concern while retail and financial services CISOs prioritized protecting sensitive personally identifiable information. Healthcare organizations are equally vulnerable on both fronts.
However, there are steps that organizations can take to help reduce their risk profile, regardless of their industry.
1. First, security teams should prepare to defend and recover. By adopting an internal culture of Zero Trust with assumed breach while also deploying a system of data recovery, backup, and secure access, organizations can contain attacks and make it much harder for threat actors to move laterally across the network. This strategy has the added benefit of minimizing an attack’s impact: backups that attackers cannot reach and delete along with the primary data help defend against data loss, and encryption of sensitive data helps defend against exposure.
2. Next, organizations should use a privileged access strategy to minimize the potential for credential theft and lateral movement. Privileged credentials are foundational: an attacker who controls your privileged accounts can undermine every other security assurance. We recommend teams focus on building a “closed loop” system for privileged access that ensures only trustworthy “clean” devices, accounts, and intermediary systems can be used for privileged access to business-sensitive systems.
3. Finally, businesses can help defend against threats across all workloads by leveraging comprehensive, integrated threat detection and response capabilities. Siloed point solutions often result in preventative gaps and slow down the detection and response to pre-ransom activities. Microsoft offers integrated security information and event management (SIEM) and XDR to provide a comprehensive threat protection solution that delivers best-in-class prevention, detection, and response across your entire multi-cloud, multi-platform digital estate.
XDR can help accelerate threat detection and response
Beyond prevention, how should enterprises respond in the event of an attack? Many security leaders are turning to XDR for a cross-platform vantage point. XDR helps coordinate signals across the entire ecosystem — not just endpoints — to facilitate faster threat detection and response. It is important to note that many CISOs we talk to have implemented a powerful starting point in endpoint detection and response (EDR). And while EDR is a proven asset, XDR is the next evolution.
XDR’s expansive scope is critical given the sophistication of modern attacks that take advantage of today’s complex, distributed environment. Attacks are increasingly proceeding in a non-linear fashion, moving laterally across different clouds, email, SaaS applications, and more.
XDR helps bring together data from disparate systems, allowing security teams to visualize the entire incident from end to end. Point solutions can make this comprehensive visibility difficult because they only show part of the attack and rely on an often-overwhelmed security team to manually correlate multiple threat signals from different portals. When we think about today’s dynamic threat landscape, XDR is particularly compelling because of its coverage and speed in helping detect and contain threats. However, it’s not the only way for security teams to increase their response speed. As ransomware and other malicious attacks become more common, security leaders are also adopting automation to allow for 24/7 monitoring and near real-time response.
While some CISOs remain skeptical about XDR’s utility, it’s worth exploring how a dedicated XDR platform can deliver out-of-box integration and capabilities centered around the needs of the security analyst, leaving fewer gaps for your team to fill in manually.
Automate to elevate the security team
Security leaders are faced with a security talent shortage. Automation is one way for them to help free up their existing workforce from mundane tasks so they can focus on defending against threats.
Automation covers a range of capabilities, from basic automated administrative tasks to machine learning-enabled risk assessment. Most CISOs report adopting event-triggered or rule-based automation, but there’s a greater untapped opportunity to capitalize on built-in artificial intelligence and machine learning capabilities that enable real-time, risk-based access decisions. Automating routine tasks improves efficiency, but automation has the most potential to drive impact when applied to strategic work. For example, AI and automation are well suited to correlating security signals in support of comprehensive detection and response to a breach, yet in a 2021 Microsoft research study of CISOs and security practitioners, roughly half of the practitioners surveyed reported still doing this correlation manually.
CISOs who choose to forgo automation opportunities often do so out of distrust, citing concerns about the automation system making irrecoverable errors while operating without human oversight. Some of the potential scenarios include a system inappropriately deleting user data, inconveniencing an executive who needs access to the system, or worse, creating a loss of control or visibility about a vulnerability that has been exploited.
However, it’s important to remember that security is a balance between daily small inconveniences weighed against the ongoing potential for devastating attacks. Automation has the potential to serve as an early warning system for such an attack, and its inconveniences can be mitigated or eliminated. The most effective automation runs alongside human operators so that its artificial intelligence can both inform and be checked by human intelligence.
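The two ideas above, joining signals from email, identity, and endpoint sources into one incident so that pre-ransom activity is recognized as a chain rather than as isolated alerts (the point of the XDR section), and letting automation act only within limits a person has set in advance (the point of this section), are illustrated in the added example below. This is illustrative code written for this page, not code from the CISO Insider report or from any Microsoft product; the event records, stage names, weights, thresholds, and action names are all constructed assumptions.

```python
"""Cross-source signal correlation with a human-in-the-loop automation gate.
Added example for this page, not code from the CISO Insider report or any
Microsoft product; events, stages, weights, thresholds and actions are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry from three silos, sharing user/host entity keys.
EVENTS = [
    {"ts": "2024-03-04T09:02:11", "source": "email", "user": "alice", "host": None,
     "type": "url_click", "detail": "click on link in a message later quarantined"},
    {"ts": "2024-03-04T09:05:40", "source": "identity", "user": "alice", "host": "WS-ALICE",
     "type": "new_device_signin", "detail": "interactive sign-in from unregistered device"},
    {"ts": "2024-03-04T09:31:05", "source": "endpoint", "user": "alice", "host": "WS-ALICE",
     "type": "process", "detail": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-04T09:33:12", "source": "endpoint", "user": "alice", "host": "FS-01",
     "type": "smb_lateral", "detail": "admin share write originating from WS-ALICE"},
    {"ts": "2024-03-04T10:10:00", "source": "endpoint", "user": "bob", "host": "WS-BOB",
     "type": "process", "detail": "vssadmin.exe list shadows"},
]

WINDOW = timedelta(minutes=60)  # events for one user closer than this form one incident
ANALYST_REVIEW = 30             # queue for a person at or above this score
AUTO_CONTAIN = 80               # run reversible containment unattended at or above this


def classify(ev):
    """Map a raw event to (attack stage, weight); None if not suspicious on its own."""
    src, typ, detail = ev["source"], ev["type"], ev["detail"]
    if src == "email" and typ == "url_click":
        return "initial_access", 10
    if src == "identity" and typ == "new_device_signin":
        return "credential_use", 20
    if src == "endpoint" and typ == "process" and "delete shadows" in detail:
        return "pre_ransom", 40          # backup destruction typically precedes encryption
    if src == "endpoint" and typ == "smb_lateral":
        return "lateral_movement", 30
    return None


@dataclass
class Incident:
    user: str
    events: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    stages: set = field(default_factory=set)
    score: int = 0
    last_ts: Optional[datetime] = None


def correlate(events):
    """Join suspicious events across sources on the user entity, within WINDOW."""
    incidents, open_by_user = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        stage, weight = hit
        ts = datetime.fromisoformat(ev["ts"])
        inc = open_by_user.get(ev["user"])
        if inc is None or ts - inc.last_ts > WINDOW:
            inc = Incident(user=ev["user"])
            open_by_user[ev["user"]] = inc
            incidents.append(inc)
        inc.events.append(ev)
        inc.stages.add(stage)
        inc.score += weight
        inc.last_ts = ts
        if ev["host"]:
            inc.hosts.add(ev["host"])
    # Chain bonus: an entry signal followed by pre-ransom activity for the same user.
    for inc in incidents:
        if inc.stages & {"initial_access", "credential_use"} and "pre_ransom" in inc.stages:
            inc.score += 25
    return incidents


def siloed_scores(events):
    """What each tool sees alone: the same events scored without the cross-source join."""
    scores = defaultdict(int)
    for ev in events:
        hit = classify(ev)
        if hit:
            scores[(ev["source"], ev["user"])] += hit[1]
    return dict(scores)


def decide(inc):
    """Return (severity, actions). Only reversible steps run unattended; destructive ones never do."""
    if inc.score >= AUTO_CONTAIN:
        actions = [f"isolate_host:{h}" for h in sorted(inc.hosts)]
        actions.append(f"revoke_sessions:{inc.user}")
        return "high", actions
    if inc.score >= ANALYST_REVIEW:
        return "medium", ["queue_for_analyst"]
    return "low", []


if __name__ == "__main__":
    print("siloed view:", siloed_scores(EVENTS))
    for inc in correlate(EVENTS):
        sev, actions = decide(inc)
        print(f"{inc.user}: score={inc.score} stages={sorted(inc.stages)} "
              f"hosts={sorted(inc.hosts)} -> {sev} {actions}")
```

Run stand-alone, the script shows the contrast the XDR section describes: seen through any single silo, alice’s activity scores at most 70 (the endpoint tool alone), which would warrant a ticket but not containment, and no single tool sees the full chain from phishing click to shadow copy deletion to lateral movement. Joined on the shared user entity the same events score 125 and trigger containment. The automation gate addresses the distrust described above in two ways: the only unattended actions are reversible (host isolation, session revocation), and anything below the auto-contain threshold is queued for an analyst rather than acted on, so a person remains in the loop for the uncertain cases.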
Customize cybersecurity to meet your team’s unique needs
Ultimately, while cyber threats continue to grow and evolve alongside the internet, there are still preventative measures that security teams can take to help safeguard their operations. Some are more prescriptive than others, like leveraging Zero Trust, privileged access, and integrated threat detection and response. But it’s also important that organizations leverage their existing toolset to its fullest capacity through automation features and built-in security detections.
Want to learn more about how your business can help guard against emerging cybersecurity threats? Download the full CISO Insider report and get more cyberthreat insights at Microsoft Security Insider.