Endpoint Detection and Response: The Best Way to Prevent Ransomware Attacks
Long-time colleagues Vinny Sakore, chief technology officer of NetDiligence, and Jim Jaeger, president of Arete Advisors, recently talked about endpoint detection and response (EDR) systems and how they have become the most potent weapon in the cybersecurity arsenal against ransomware, both before and after an attack.
Jaeger spent 25 years with the National Security Agency, where, he laughs, he learned to hack; today he and Arete are all about preventing hacks, which are happening at a greater rate than ever before. In fact, 65% of Arete’s cases last year were ransomware, and a recent NetDiligence claims study shows the explosive rise in the number and cost of ransomware attacks over the years.
Ransomware in The News
Last year’s SolarWinds attack continues to receive attention as perhaps the most impactful cyber event affecting the U.S. government in recent times. It is a prime example of attackers corrupting a patch update, a “supply chain attack.” But, as Jaeger reminded Sakore, these types of attacks are not new: “we should have had a wake-up call after the similar supply chain NotPetya attack in Ukraine in 2016.”
For those affected by SolarWinds, it may be years before the attackers use the information they’ve gathered. While over 18,000 patch updates were downloaded with a “backdoor” that beaconed out to the attackers to tell them where it was, the threat actors have connected back in only about 1,700 cases so far. As of this time, they seem to be concentrating on intelligence gathering, since they haven’t yet implanted destructive malware. But everyone will have to be hyper-vigilant, monitoring activity and impacts for years to come.
Going forward, says Jaeger, “We have to do a better job of verifying the patches we are deploying into our network. But even then, will we always be able to stay ahead of threat actors?”
Yes. These attacks and others can be avoided and the threat minimized or eliminated. Jaeger explains how.
EDR Systems Are The Key to Avoiding Ransomware Before—and Mitigating After—The Fact
Endpoints are the physical endpoints of a network, such as laptops, mobile phones, tablets, servers, and virtual environments. An Endpoint Detection and Response (EDR) system, or EDR software, monitors those endpoints for suspicious activity and alerts users when a threat occurs so they can respond more quickly.
Jaeger sees a subcategory of EDR called Behavioral-based EDR as the most successful deterrent to ransomware and the majority of other cybercrimes.
He explains why. “In the past, many security infrastructures relied on a signature-based antivirus looking for malicious strings of code that already exist,” says Jaeger. “The problem with that approach is that all a threat actor has to do is change one character, one period, and the typical signature-based systems won’t detect it. Behavioral-based EDR systems have a completely different approach.”
Behavioral-based EDR systems aren’t looking for code that matches stored lists of known threats the way antivirus does. Instead, they look for behavior, the activity triggered by the code, that is out of the ordinary for the user.
“If you think of EDR vs. antivirus, all ransomware cases I’ve seen had an antivirus as part of their defenses,” says Jaeger, “and the antivirus didn’t give an overwhelming alert that something needed to be done. But, EDR does. And it costs less than antivirus.”
Jaeger notes that to keep an EDR system from conflicting with other security and network tools, they put in exclusions that tell the EDR a given tool is safe and should be allowed to operate. “We basically use the EDR system in an alerting mode that says as soon as you detect the behavior, let us know and we’ll take a look at it and stop it. Once an EDR system is really tuned to the client’s unique network, then it can go into an automatic blocking and detection mode,” he says.
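The contrast Jaeger draws (a signature check that a one-character change defeats, versus a check on what a process actually does, plus exclusions for trusted tools and an alert-only mode before blocking is switched on) can be shown in miniature. The following is an added, constructed example and not code from the article, from NetDiligence, from Arete, or from any EDR vendor: the signature string, the sensor event schema, the process names (including the lookalike `svch0st.exe`), the entropy cut-off, the burst window and the threshold are all assumptions made for illustration.

```python
"""Signature matching vs behavior-based detection, as a constructed demo.
Not any vendor's EDR logic: the signature, event schema, process names,
thresholds and window below are made up for illustration."""
from collections import defaultdict

# Constructed "known bad" byte string; real AV signatures are far richer.
KNOWN_BAD_SIGNATURES = [b"ENCRYPT_ALL_FILES_v1"]

ORIGINAL_SAMPLE = b"...header...ENCRYPT_ALL_FILES_v1...body..."
# The same sample with one character changed (an underscore to a period).
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"_v1", b".v1")


def signature_match(sample: bytes) -> bool:
    """True if any stored signature appears verbatim in the sample."""
    return any(sig in sample for sig in KNOWN_BAD_SIGNATURES)


# Constructed sensor events: (timestamp_s, process, action, path, entropy).
# 'entropy' is bits per byte of the data written, as a file-system sensor
# might report it; encrypted or compressed output sits close to 8.0.
EVENTS = [
    (0.0, "winword.exe", "write", r"C:\Users\a\report.docx", 4.1),
    (0.2, "winword.exe", "write", r"C:\Users\a\notes.docx", 3.9),
    # Legitimate backup tool: many high-entropy writes in a short burst.
    (1.0, "backup.exe", "write", r"D:\bak\part1.bak", 7.9),
    (1.5, "backup.exe", "write", r"D:\bak\part2.bak", 7.9),
    (2.0, "backup.exe", "write", r"D:\bak\part3.bak", 7.9),
    (2.5, "backup.exe", "write", r"D:\bak\part4.bak", 7.9),
    (3.0, "backup.exe", "write", r"D:\bak\part5.bak", 7.9),
    # Archiver writing high-entropy files slowly: never fills the window.
    (100.0, "7z.exe", "write", r"C:\tmp\a.7z", 7.9),
    (115.0, "7z.exe", "write", r"C:\tmp\b.7z", 7.9),
    (130.0, "7z.exe", "write", r"C:\tmp\c.7z", 7.9),
    (145.0, "7z.exe", "write", r"C:\tmp\d.7z", 7.9),
    (160.0, "7z.exe", "write", r"C:\tmp\e.7z", 7.9),
    # Constructed lookalike process name, rewriting user documents in bulk.
    (300.0, "svch0st.exe", "write", r"C:\Users\a\doc1.docx.locked", 7.95),
    (300.1, "svch0st.exe", "write", r"C:\Users\a\doc2.docx.locked", 7.95),
    (300.2, "svch0st.exe", "write", r"C:\Users\a\doc3.docx.locked", 7.95),
    (300.3, "svch0st.exe", "write", r"C:\Users\a\doc4.docx.locked", 7.95),
    (300.4, "svch0st.exe", "write", r"C:\Users\a\doc5.docx.locked", 7.95),
    (300.5, "svch0st.exe", "write", r"C:\Users\a\doc6.docx.locked", 7.95),
]

HIGH_ENTROPY = 7.5      # bits per byte; assumed cut-off for "looks encrypted"
WINDOW_SECONDS = 10.0   # assumed burst window
BURST_THRESHOLD = 5     # assumed number of writes that counts as a burst


def behavioral_flags(events, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Map process -> write count for processes that made at least
    `threshold` high-entropy writes inside any `window`-second span.
    No byte pattern is consulted; only what the process did and how fast."""
    stamps_by_proc = defaultdict(list)
    for ts, proc, action, _path, entropy in events:
        if action == "write" and entropy >= HIGH_ENTROPY:
            stamps_by_proc[proc].append(ts)
    flagged = {}
    for proc, stamps in stamps_by_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits in `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[proc] = end - start + 1
                break
    return flagged


class EdrPolicy:
    """Exclusions for trusted tools plus an alert-only or blocking mode,
    mirroring the tuning sequence the article describes."""

    def __init__(self, mode="alert", exclusions=()):
        if mode not in ("alert", "block"):
            raise ValueError("mode must be 'alert' or 'block'")
        self.mode = mode
        self.exclusions = set(exclusions)

    def evaluate(self, events):
        """Map each flagged process to 'excluded', 'alert' or 'block'."""
        return {proc: ("excluded" if proc in self.exclusions else self.mode)
                for proc in behavioral_flags(events)}


if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL_SAMPLE))
    print("signature hits variant: ", signature_match(VARIANT_SAMPLE))
    print("alert mode:", EdrPolicy("alert", ["backup.exe"]).evaluate(EVENTS))
    print("block mode:", EdrPolicy("block", ["backup.exe"]).evaluate(EVENTS))
```

Run as a script, the signature check matches the original sample and misses the one-character variant, while the behavioral check flags both `backup.exe` and `svch0st.exe` for the same burst pattern and ignores the slow archiver and the word processor. The policy layer is where the tuning Jaeger describes happens: `backup.exe` is excluded as a known-safe tool, and the remaining hit is reported as an alert until the policy is switched to block mode.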
Is An Organization Out Of Luck If They Are Caught Unprepared?
Fortunately, no. There is a growing recognition that behavioral-based EDR is just as valuable afterward.
“The first thing we do is deploy a behavioral-based EDR system across every endpoint, every desktop server device in the network. We do that for a couple of reasons. Obviously, we want to kill the spread within the network if it hasn’t already been killed,” says Jaeger. “But more importantly, it’s to help the victim recover from the attack by installing backup files or using a decryption key supplied after ransom is paid. But, you need a clean environment to restore files into. Otherwise, it’s going to happen all over again. We essentially lock down the client’s network with the system and avert threats.”
Sakore and Jaeger stressed that the more behavioral-based EDR systems are put in place, the fewer incidents will happen. They are committed to getting the word out that ransomware is preventable with EDR tools, and added that neither NetDiligence nor Arete is involved in an EDR system; it’s just that important to them. They agree it is one of the quickest and easiest ways to make a significant change in a company’s security posture, and that an EDR system’s results speak for themselves.
Watch the full discussion for more information about ransomware and cyber breaches, and to find out what Sakore and Jaeger strongly believe is a wake-up call to the cyber insurance industry that companies will need to know about. We thank Jim for his time and for sharing his thoughts on this game-changing endpoint detection and response architecture and its operational practices.