Prevent Ransomware with Cybersecurity Monitoring
Misconfigured cloud and IT assets open the door to a wide range of cyber risks. Automated, continuous cybersecurity monitoring lets organisations watch accounts and systems for exposures in real time and maintain strong attack surface risk management.
Continue reading the Ransomware Spotlight series:
- Ransomware Recovery Plan for 2023
- Fight Ransomware with a Cybersecurity Audit
- Security Patch Management Strengthens Ransomware Defence
- To Fight Cyber Extortion and Ransomware, Shift Left
Ransomware and other cyberattacks routinely take advantage of misconfigurations in cloud and IT systems and accounts. Tools that enable continuous, automated cybersecurity monitoring help close those gaps and strengthen overall attack surface risk management
With authorities cracking down on cybercriminals, organisations refusing to pay cyber ransoms, and media stories touting ransomware’s decline, it could seem like the threat of ransomware is diminished. But the truth is these changing dynamics are simply driving bad actors to adopt new extortion models and lock onto new targets such as data and systems in the cloud.
As they do, they will continue to seek out and exploit misconfigurations in cloud and IT assets, making it ‘cyber essential’ for enterprises to ensure their systems are configured properly. Given the sheer number of configurations that need to be set and maintained across the average enterprise—both on-premises and off, in physical and virtual devices alike— organisations need automated, continuous cybersecurity monitoring tools to assess the status of their IT ecosystems in real time.
What requires cybersecurity monitoring?
Misconfigured cloud and IT assets are already a major source of enterprise cybersecurity risks—especially in the complex multivendor cloud environment, where misconfigurations account for up to 70% of all security challenges. Servers, operating systems, user devices, and applications all need to be configured carefully at setup and monitored over time to ensure their configurations don’t change as the technology environment evolves.
Account credentials also need proper configuration and monitoring, especially those that provide admin access, which could potentially give bad actors free rein. The LastPass hack in late 2022 was a stark example of the risks that compromised credentials can pose. As reported in The New York Times: “The company said intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee.”
How organisations can protect themselves with cybersecurity monitoring
Proper configuration and monitoring of cloud and IT assets is part of an overall approach to attack surface risk management based on a never-ending cycle of discovery, assessment, and mitigation.
Discovery and assessment demand a rigorous cybersecurity audit process that can map the entire IT environment and everything in it—all devices, services, ports, and accounts. Cybersecurity monitoring moves more into the mitigation stage of the cycle (along with diligent security patch management), by ensuring IT systems are configured to maximise defences against ransomware and other cyber threats at all times.
At the root, cloud and IT configurations should reflect zero-trust principles that treat every device, application, and user as potentially vulnerable and restrict their access to other resources accordingly. This prevents free roaming behaviours inside the enterprise environment and provides a foundation for monitoring legitimate use—that data, software, and account privileges are being used appropriately for a given task.
Many organisations also maintain lists of approved and prohibited software to limit the applications used by the enterprise. This can be effective where critical business systems are concerned: big, monolithic corporate enterprise resource planning or human resources applications, for example, that can be hardened without impacting other software.
Often, however, going too far with a ‘lockdown mentality’ can lead to Shadow IT. As well, new software or new versions of existing permitted software can get blocked by a list-based approach, creating issues IT teams then have to resolve.
While there is much that organisations’ internal IT teams can do themselves to shore up their cyber defences, they’re not in it alone. Working collaboratively with security solution vendors can provide extra reassurance that the environment is configured correctly and fully up to date.
Keep in touch with your security vendor
Security vendors are continually improving their solutions, but sometimes those enhancements don’t get enabled by organisations—often because they’re unaware of them, or because they are behind on software and operating system updates. At a minimum, this can leave a security-strengthening feature unused. In the worst case, it could actually lead to a misconfiguration that creates an opening for cyberattacks.
Establishing a regular practise of meeting with vendors to learn how they have improved their security controls can be valuable and help deepen internal understanding of security solutions and their capabilities. Enterprise IT teams can also use their in-house cybersecurity audit and cybersecurity monitoring tools to run attack surface discovery processes on vendors’ security solutions as well to identify any weak points that may need to be addressed.
Adopting software-as-a-service (SaaS) consumption models and managed security services both further help ensure solutions are configured properly. With SaaS, new features and all the associated settings are implemented automatically. In the case of managed services, providers themselves perform the continuous monitoring needed to keep the environment up to date.
Cybersecurity monitoring is part of good security posture management
To protect against IT misconfigurations, cybersecurity monitoring has to be continuous. Security posture management techniques such as endpoint detection and response (EDR) and extended detection and response (XDR) provide the necessary capabilities and can be incorporated into an overall attack surface risk management platform.
Depending on in-house resources, these kinds of tools can be self-deployed and managed or can be outsourced to third-party security providers. Smaller organisations that have limited IT teams may opt to invest in a managed service relationship. In that case, it is important to choose a provider who can offer managed EDR/XDR.
While misconfigurations—especially in the cloud—are a significant point of risk, the good news is they don’t have to be. With the right tools and processes in place, organisations can keep real-time watch over their IT environments and optimise their defences against ransomware and other cyberattacks.