John Dunn, Author at IT Security Guru
https://www.itsecurityguru.org/author/john-dunn/
Tue, 16 Nov 2021 16:35:26 +0000

Managing chaos: How 9/11 and the pandemic changed the way organisations understand critical events
https://www.itsecurityguru.org/2021/11/16/managing-chaos-how-9-11-and-the-pandemic-changed-the-way-organisations-understand-critical-events/
Tue, 16 Nov 2021 16:02:03 +0000

Most careers might take an unexpected turn from time to time but very few people see the path of their entire professional existence re-wired, without warning, in a single morning.  

One who did is Tracy Reinhold, now the chief security officer at critical event management company Everbridge, which has been described as the most successful security company nobody has heard of.  

The morning was September 11, 2001, probably the first time in world history when a billion human beings alive at the time will be able to say without hesitation what they were doing on a single day. Most of us remember very little but this was an unwanted reminder that there are a few things about which we will remember a lot.  

At the time, Reinhold was working at the FBI, a crime investigator with 11 years of experience chasing criminals after a five-year stint in the Marine Corps. It was precisely the halfway point of a law-enforcement career that lasted until 2012, and the second half was very different from the first as he rose to the position of assistant director for national security.

It was the start of a journey that saw him later work at loans provider Fannie Mae in compliance and ethics, at Walmart as president of global investigations, and finally, in 2018, take up the full-blown cybersecurity role of CSO at Everbridge.

Reinhold first encountered Everbridge’s critical event management as a customer while working at Fannie Mae, the first time he’d heard of the Everbridge name, he admits. It was this first-hand experience that set him on the path to joining the company six years later.  

“By using the Everbridge platform I was able to geo-map all of the potential losses for the organisation faster than the core business teams could. That changed the way the organisation looked at the security function and technology.” 

Critical events 

With curious symmetry, the themes of Reinhold’s career mirror the journey taken by the cybersecurity industry over the last two decades, from being a specialised department to front and centre of everything.

“9/11 transitioned me to national security, but it also changed the FBI itself, which for perhaps the first time ever suddenly had to be more proactive,” says Reinhold. Being proactive sounds obvious now but the model of policing the world over was based on reacting to wrongdoing rather than anticipating it.  

In 2001, it was clear this approach had failed national security. This realisation had profound consequences for the US Government, for the FBI, and eventually for organisations across the entire economy. This was the moment risk management, and the costs of forgetting to take it seriously, stepped into the mainstream.  

“It was a sea change for the organisation which traditionally had always been reactive. Now the FBI was coordinating investigations across multiple global jurisdictions to make sure citizens were secure.” 

In retrospect, perhaps the biggest discovery of all for Reinhold was the concept of the critical event and how it might be managed and contained using technology. The events of 9/11 were the most extreme example of a critical event with the Coronavirus pandemic a nudge that these can take novel forms. Both events encapsulate the problem of how organisations adapt to sudden, unexpected change that throws up huge numbers of logistical problems at once.  

Threat agnostic 

Everbridge’s platform forms the basis for a range of systems that help companies cope with these situations, both large and small. This includes mass notification of entire populations, crisis management coordination, IT alerting/incident response, and even a mobile app, Safety Connection, that lets organisations know the precise location of employees.  

There’s also a single management system for analysing numerous more general risks using threat intelligence sources, for example weather events, wildfires, terrorism, cyberattacks, travel incidents, and, of course, pandemics.  Some customers use it as part of executive protection, others to ensure their supply chain is resilient against weather or political events.  

“If we had not had the pandemic, the acceptance of new technology would be much slower to take root,” suggests Reinhold.  “It has opened people’s eyes to different ways of doing things. Organisations that can embrace this new way of doing things will be more successful.” 

For example, risk assessment should be threat agnostic, he says. “It doesn’t matter whether it’s a cyberattack, a weather issue, or terrorism – if you have a platform that allows you to recover from it faster, then you are better positioned to protect your organisation.”  

Equally, not all critical events are equal. Even if their timing is unknown, cyberattacks are high likelihood events, which changes their potential impact. “The biggest effect of cyberattacks isn’t the event but the response, or rather the act of a coordinated response.” 

Ransomware, Reinhold says, is a case in point. “If you have a ransomware attack, you must have the ability to communicate with your employees. It sounds simple but too many organisations are not prepared for the unexpected and don’t have critical event management in place.” 

As with the FBI after 9/11, it’s about being prepared for a critical event rather than waiting for it to happen and then reacting. Having worked in both the public and private sectors, Reinhold makes the interesting observation that while the public sector lags in the use of technology generally thanks to constrained budgets, it’s often ahead of the curve when it comes to understanding this approach to risk management.  

“In the private sector, operational concerns trump risk and vulnerability concerns,” he says. “But in the last decade there’s been a transition. In the last 20 months the corporate world has realised that it can’t rely on what it’s traditionally been doing.”  

What’s changed is technology now connects people to risk events they might have ignored or discounted in the past. “The speed at which information moved was much slower but it didn’t mean it wasn’t happening. We just weren’t situationally aware. But if the flow of information isn’t de-conflicted, it just becomes white noise.” 

From being blissfully unaware of threats because you had no information on them, now it’s a case of almost being overloaded with information. That is why, Reinhold believes, AI and the automation it makes possible, should be viewed as an essential coping tool.  

The 9/12 enterprise 

Over the 20 years of Everbridge’s life, the scope of what counts as a critical event has widened from mass communication at specific moments of crisis to something that can be used every day in many situations. This seems like an important point – critical events are not always critical simply because they’re emergencies. The applications of this in business turn out to be limited only by one’s imagination.  

“If you’re a hammer maker and there’s a steel shortage in China which means you can’t get material, the earlier you know about that the faster you can find an alternative.” Everbridge’s supply chain risk intelligence will tell you about that before a conventional source reports it. “It’s not just about emergency events.” 

Organisations who possess the tools to cope with the unexpected are like cats who fall off a wall but still somehow land on their feet. “With us you’re buying a subscription for a SaaS service that provides you with notice of critical events along with a platform that lets you address them in real time.” 

Behind the scenes, curating these information flows is a complex task, a mix of technology used to sift huge amounts of raw data and a team of 80 analysts to shape and amplify what it uncovers.  

“We take massive volumes of intelligence from which the customer determines what kind of information they are interested in. But before we send it to the customer, we have it reviewed by a human because we find this final check is important. Sometimes it’s not what you say but how you say it, including in different languages.”

If 9/11 established the idea of critical event management, the pandemic has made it mainstream. People have gone from seeing these events as outliers to understanding that over time they are inevitable.   

“Since the pandemic, we’ve got boards talking about the issue of resilience. The answer is to anticipate problems using good intelligence. It’s about pivoting to address a new reality.” 

For Reinhold, his public service mentality dovetails perfectly with his current role, a rarity in the private sector.  

“My biggest takeaway from the FBI was that mission matters.  Then it becomes more than the individual. At Everbridge I rediscovered a sense of purpose that had been lacking since I left public service. It’s always about what keeps you up at night and how we help you resolve that faster.” 

The top 5 cybersecurity threats to OT security
https://www.itsecurityguru.org/2021/11/11/the-top-5-cybersecurity-threats-to-ot-security/
Thu, 11 Nov 2021 09:26:10 +0000

What keeps OT security specialists up at night? It’s mostly problems from the IT world, says Andy Norton, European Cyber Risk Officer at Armis.

Operational technology (OT) used to be the specialist networks nobody in IT bothered with, or perhaps thought they didn’t need to. For a while, that seemed reasonable; OT networks were usually isolated from IT operations, sat behind air gaps, and ran on obscure operating systems.

Then organisations across every sector of energy and critical infrastructure started connecting OT to IT networks for performance efficiencies, a production boost and, ultimately, monetary gain. Networking, remote management and wireless connectivity were all the rage, and from an admin point of view it made sense for IT and OT to be one. Pretty soon OT stopped being the safe backwater everybody had assumed it was.

Organisations, and increasingly regulators, must now live with the implications of this for cybersecurity. Although examples of severe compromise remain largely hypothetical, there have been several real-world attacks, from energy infrastructure in Ukraine to water plants in Florida, to underline that if things went south, it could happen very suddenly.

At the same time, the number of OT-connected systems and devices is surging, covering everything from supervisory control and data acquisition (SCADA), manufacturing execution systems (MES), discrete process control (DPS), programmable logic controllers (PLCs), telematics and robotics to personal technologies such as the Internet of Medical Things (IoMT).

With isolation disappearing as these systems are connected to mainstream IT networks, the question is how organisations should approach the security problem anew when doing nothing is not an option. Established security vendors have added extra layers to their platforms to fill the gap but there has also been a smattering of specialists entering the market, including Armis.

So how should organisations break down the OT security problem in order to better manage it? The Guru decided to ask Armis’ European cyber risk officer, Andy Norton, for his thoughts.

Vulnerabilities, especially in IT

If attackers want to exploit software vulnerabilities in OT, they now have plenty to aim at. This class of weaknesses has grown rapidly in the last decade from almost nothing to a list that’s no longer compact enough to reel off from memory. Armis’ own white paper on the topic mentions these for starters:

  • July 2019: URGENT/11 affects billions of industrial and medical devices
  • June 2020: Ripple20 TCP/IP vulnerabilities affect more industrial devices
  • July 2020: NSA and CISA warn of the OT/ICS “Perfect Storm”
  • January 2021: Westrock core OT systems attacked
  • February 2021: Oldsmar Water Treatment facility control systems breached
  • April 2021: NAME:WRECK vulnerabilities discovered affecting OT devices
  • April 2021: MSFT discloses Bad:Alloc vulnerabilities affecting OT devices
  • May 2021: Colonial Pipeline infrastructure shutdown

In July 2021, Armis disclosed a new vulnerability the company discovered in Schneider Electric Modicon PLCs, which could allow an authentication bypass leading to remote code execution on unpatched equipment. So far, the most significant real-world attacks on SCADA and ICS OT have all been reliably connected to nation-state espionage; for example, Stuxnet and Triton.

However, the last on this list, Colonial Pipeline, is revealing because what disrupted the company’s operation was an everyday ransomware attack on the IT system that affected its billing capability, not the OT network itself.

So, there are really two problems here, the biggest of which is the interconnectedness of IT and OT – to the latter’s detriment. Vulnerabilities in OT equipment are a second layer of weakness which can only be exploited in specific circumstances.

The risk posed by common IT problems such as theft of credentials varies a lot depending on the OT environment. Norton gives the example of oil and gas.

“A compromised credential or RDP will not be a risk to the ICS environment because they’ve implemented so many layers of segmentation – just because you get into the IT environment, doesn’t mean you are necessarily going to get into ICS. But just by visualising someone’s network, we can see who’s thought about this issue and who hasn’t.”

Equally, he admits in the few cases segmentation has not been implemented properly, “programmable logic controllers (PLC) can talk to printers and there is no role-based access control. If someone compromised a VPN, they could basically go anywhere on that network.”

What are the top routes to infection from IT to OT? Norton cites “Infected laptops belonging to maintenance engineers, USB sticks, an unauthorised wireless device, or even a malicious insider.”

OT devices don’t run antivirus

It sounds like an obvious point, but for a variety of reasons to do with their design and history, OT devices can’t run a conventional security client. Consequently, gathering visibility on what is happening on an OT device must be done by alternative means using an agentless approach. Armis’ approach sounds simple enough – monitor network traffic passively without affecting production.

“In OT environments, it’s basically a network TAP. It passively listens to all the traffic on that network and builds an inventory based on that. Not only do we have the assets, but we look at the activity of those assets as well to build a profile of behaviours,” says Norton.

Ironically, where malware is discovered running on an OT device, the OT team might not let the IT department clean it up because they’re worried about a service outage. “We routinely see old infections in OT environments.”

Asset blindness

This agentless approach has the added benefit that it gives organisations full visibility on what devices are connected to their networks, often for the first time. It’s an extraordinary discovery; despite the controlled nature of OT environments, some organisations have no way of knowing with any certainty that rogue devices aren’t out there.

“Once this asset database has been created, organisations can ask important questions, such as why have we got two of these devices when we have no record of purchasing them? Or why are these devices trying to talk to a website?” said Norton.

The catch is that identifying devices is not as easy as it sounds. “Often it takes multiple types of traffic to build a decision about what a device is. Because we’re continuously listening when that device sends out a beacon of some sort, we will capture it at that point.”

One complication with this is that some PLCs are less ‘chatty’ than others, which makes identification harder. For example, Rockwell PLCs communicate more frequently than Siemens PLCs, says Norton. “Making sure you’re listening 24×7 is a good way of finding those.”

A particular challenge is ‘sporadic’ devices, which only activate at specific times and might be missed by a periodic asset inventory. That is why the Armis network TAP must remain turned on around the clock, he adds.
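The passive, agentless inventory Norton describes above, as an added example that is not Armis’ or the article’s code: it builds an asset list from flow records a network TAP collector might emit, shows why a device that beacons once outside a scheduled scan window is missed by periodic discovery but not by continuous listening, and then asks the asset-database questions from the interview (no purchase record, a PLC talking to a web host, a PLC talking to a printer outside the OT zone). The flow records, MAC addresses, zoning, purchase register and protocol labels are all constructed; the labels are assumed to come from an upstream port/DPI classifier.

```python
"""Passive (agentless) OT asset inventory built from traffic seen on a TAP.

Added example for this article, not Armis' code. Assumes flow records that
carry a protocol label from an upstream classifier; all data is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed flows: (seconds since capture start, src MAC, src IP, dst IP, dst port, protocol label)
FLOWS = [
    (10,   "aa:00:00:00:00:01", "10.10.1.10", "10.10.1.2",    502,   "modbus"),    # chatty PLC, polled every minute
    (70,   "aa:00:00:00:00:01", "10.10.1.10", "10.10.1.2",    502,   "modbus"),
    (130,  "aa:00:00:00:00:01", "10.10.1.10", "10.10.1.2",    502,   "modbus"),
    (15,   "aa:00:00:00:00:02", "10.10.1.11", "10.10.1.2",    102,   "s7comm"),    # quieter PLC
    (1215, "aa:00:00:00:00:02", "10.10.1.11", "10.10.1.2",    102,   "s7comm"),
    (1900, "aa:00:00:00:00:03", "10.10.1.12", "10.10.1.2",    44818, "enip"),      # sporadic PLC: a single beacon
    (20,   "aa:00:00:00:00:04", "10.10.1.13", "10.10.1.2",    502,   "modbus"),
    (40,   "aa:00:00:00:00:04", "10.10.1.13", "10.10.5.20",   9100,  "jetdirect"), # PLC reaching an office printer
    (25,   "aa:00:00:00:00:05", "10.10.1.14", "10.10.1.2",    502,   "modbus"),
    (45,   "aa:00:00:00:00:05", "10.10.1.14", "203.0.113.10", 443,   "tls"),       # PLC reaching a host outside the plant
]

# Constructed asset register and zoning (what the OT team's spreadsheet would hold).
PURCHASE_RECORDS = {"aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:04", "aa:00:00:00:00:05"}
OT_ZONE = ip_network("10.10.1.0/24")
INTERNAL = [ip_network("10.0.0.0/8")]
OT_PROTOCOLS = {"modbus", "s7comm", "enip"}  # assumed labels from the classifier


@dataclass
class Asset:
    mac: str
    ip: str
    first_seen: int
    last_seen: int
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)


def build_inventory(flows):
    """Continuous listening: every observed flow creates or updates an asset record."""
    inventory = {}
    for t, mac, src, dst, _port, proto in sorted(flows):
        asset = inventory.get(mac)
        if asset is None:
            asset = inventory[mac] = Asset(mac, src, t, t)
        asset.last_seen = max(asset.last_seen, t)
        asset.protocols.add(proto)
        asset.peers.add(dst)
    return inventory


def classify(asset):
    """Crude role inference: a device speaking an industrial protocol is treated as a PLC."""
    return "plc" if asset.protocols & OT_PROTOCOLS else "unknown"


def periodic_snapshot(flows, period, window):
    """What a scheduled discovery run sees: only flows inside its capture window each period."""
    return {mac for t, mac, *_ in flows if t % period < window}


def missed_by_snapshot(flows, period, window):
    """Assets that continuous listening finds but the periodic scan never does."""
    return set(build_inventory(flows)) - periodic_snapshot(flows, period, window)


def review_inventory(inventory, purchase_records=PURCHASE_RECORDS, ot_zone=OT_ZONE, internal=INTERNAL):
    """The questions an asset database lets you ask: unrecorded devices and odd conversations."""
    findings = []
    for asset in inventory.values():
        if asset.mac not in purchase_records:
            findings.append((asset.mac, "no purchase record"))
        for peer in sorted(asset.peers):
            ip = ip_address(peer)
            if not any(ip in net for net in internal):
                findings.append((asset.mac, f"talks to external host {peer}"))
            elif classify(asset) == "plc" and ip not in ot_zone:
                findings.append((asset.mac, f"PLC talks outside the OT zone to {peer}"))
    return sorted(findings)


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for mac, a in sorted(inv.items()):
        print(mac, a.ip, classify(a), f"seen {a.first_seen}-{a.last_seen}s", sorted(a.protocols))
    print("missed by a 10-minute scan with a 60 s window:", missed_by_snapshot(FLOWS, 600, 60))
    for finding in review_inventory(inv):
        print("finding:", *finding)
```

Run as-is, the 10-minute scan with a 60-second capture window never sees the device that beacons once at 1900 s, while the continuous inventory does; the review then flags that same device as having no purchase record, one PLC for talking to a printer outside the OT zone, and another for talking to a host outside the plant’s address space. Zoning and the classifier labels are deliberately explicit constants so a reader can see which policy decisions, not which packets, drive each finding.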

SOC team, what SOC team?

“There is a governance requirement to make sure that the adequacy of security is equivalent to that of IT, but you have to do that without the same resources,” he says, citing the growing influence of NIST’s Cybersecurity Framework as well as the UK National Cyber Security Centre’s Cyber Assessment Framework (CAF).

Then we reach the punchline: “In IT, there is always a tier one security team, SOC analysts who look at all the alerts. That doesn’t exist in OT. Very often, it is the IT people who contact the OT people.”

This has led to a convergence in which IT operations take over OT security because that outcome seems logical. The problem is that IT people don’t understand OT security issues. Underlying this is the issue of what a security event looks like in OT networks which are connected to IT but not to the Internet itself.

Nobody listens to OT people

The issue of not being listened to is one you hear across almost every technology specialism. OT is no different, although the consequences might be more serious, according to Norton.

Often, the OT people will only know which devices are on their network because their Excel spreadsheet tells them this much. However, what they do have a better understanding of is how to keep these networks running, and the operational risks that come with other departments poking around. Ultimately, ignoring their expertise isn’t going to be the best security policy.

“The OT team is not typically part of what the overall IT governance looks like, so it is likely to be viewed as an outlier in terms of risk management and framework adoption. If you are an OT person, the issue is less about convergence with IT than being completely consumed by it. Communication can help a lot in these instances. IT and OT teams need to work together – and technology can help bridge this gap,” he concluded.

Synopsys’ BSIMM12 reveals 61% Increase in Open Source Identification and Management
https://www.itsecurityguru.org/2021/10/06/synopsys-bsimm12-reveals-61-increase-in-open-source-identification-and-management/
Wed, 06 Oct 2021 09:35:33 +0000

Last week, Synopsys released the latest version of its Building Security In Maturity Model (BSIMM) report, entitled BSIMM12. Created to help organisations plan, execute, measure, and improve their software security initiatives, BSIMM12 reflects the software security practices observed across 128 firms from multiple industry verticals. This latest study encompasses data from financial services, FinTech, independent software vendors, cloud, healthcare, and Internet of Things and highlights the work of nearly 3,000 software security group members and over 6,000 satellite members. For several years now, BSIMM has been a standard used by organisations around the globe as a measuring stick to compare and contrast their own initiatives with the data from the broader BSIMM community.

Overall, the data presented in the report demonstrates growth in open source, cloud and container security efforts. More specifically, it indicates a 61% increase in software security groups’ identification and management of open source over the past two years, which can almost certainly be attributed to the prevalence of open-source components in modern software and the rise of attacks using popular open source projects as vectors. In addition, the rise in activities related to cloud platforms and container technologies shows the dramatic impact these technologies have had on how organisations use and secure software. For example, observations of “use orchestration for containers and virtualised environments” increased 560% over the past two years.

Mike Ware, Information Security Principal at Navy Federal Credit Union and a member of the BSIMM community points out that “over the last 18 months, organisations experienced a massive acceleration of digital transformation initiatives. This has resulted in increased adoption of software-defined approaches for deploying and managing software environments and cloud technology stacks.” He continues, “given the complexity and pace of these changes, it’s never been more important for security teams to have the tools which allow them to understand where they stand and have a reference for where they should pivot next. The BSIMM is a management tool for serving such a purpose. The BSIMM provides a unique lens into how organisations are shifting strategies for implementing software-defined security features like policy as code to align with modern software development principles and practices.”

Mathieu Chevalier, Lead Security Architect, Genetec Inc., a member organisation of the BSIMM community, elaborates on how “the BSIMM study allows organisations to benchmark their current security practices so that they may establish priorities and maintain perspective in response to the emerging trends in the security landscape. The descriptive model of the BSIMM helps organisations to determine how to get started building a software security initiative and to mature it effectively. BSIMM12’s observations concerning shared responsibility models in particular should encourage security leaders to consider how they’re evolving to meet and mitigate any potential gaps in their security strategy.”

What trends have emerged in BSIMM12?

The study reveals how the following trends have emerged in the past year:

High-profile ransomware and software supply chain disruptions are driving increased attention on software security: Over the past two years, BSIMM data shows a 61% increase in the “identify open source” activity and a 57% increase in the “create SLA boilerplates” activity among participant organizations.

Businesses are learning how to translate risk into numbers: Organisations are exerting more effort to collect and publish their software security initiative data, demonstrated by a 30% increase of the “publish data about software security internally” activity over the past 24 months.

Increased capabilities for cloud security: Increased executive attention, likely combined with engineering-driven efforts, has also resulted in organisations developing their own capabilities for managing cloud security and evaluating their shared responsibility models. There was an average of 36 new observations over the past two years across activities typically related to cloud security.

Security teams are lending resources, staff, and knowledge to DevOps practices: BSIMM data shows a shift by software security groups away from mandating software security behaviours and toward a partnership role—providing resources, staff, and knowledge to DevOps practices with an objective to include security efforts in the critical path for software delivery.

Software Bill of Materials activities increased by 367%: BSIMM data shows an increase in capabilities focused on inventorying software; creating a software Bill of Materials (BOM); understanding how the software was built, configured, and deployed; and increasing the organization’s ability to re-deploy based on security telemetry. Demonstrating that many organisations have taken to heart the need for a comprehensive, up-to-date software BOM, the BSIMM activity related to those capabilities (“enhance application inventory with operations Bill of Materials”) grew from 3 to 14 observations over the past two years—a 367% increase.

“Shift left” progresses to “shift everywhere.”: The concept of “shift left” focuses on moving security testing earlier in the development process. “Shift everywhere” extends the idea to making security testing continuous throughout the software lifecycle, including smaller, faster, pipeline-driven security tests conducted at the earliest opportunity, which might be during design or even all the way over in production.

This move away from maintaining traditional operational inventories and toward automated asset discovery and creating Bills of Material includes adding “shift everywhere” activities such as using containers to enforce security controls, orchestration, and scanning infrastructure as code. Additionally, increased BSIMM observation rates of activities such as “enhance application inventory with operations Bill of Materials,” “use orchestration for containers and virtualised environments,” and “monitor automated asset creation” all demonstrate this trend.

“Since 2008, BSIMM consulting, research, and data experts have been gathering data on the different paths that organisations take to address the challenges of securing software,” commented Jason Schmitt, general manager of the Synopsys Software Integrity Group. “With an average age of 4.4 years, BSIMM participating organisations’ software security initiatives reflect how organisations are adapting their approaches to address the new dynamics of modern development and deployment practices. With this information, organisations can then adapt their own strategies to protect their organisation and customers without dampening innovation.”

“The BSIMM study is very aligned in terms of accessing industry best practices. It can be used to understand the level of maturity in a variety of development security activities as observed across multiple development teams,” said Todd Wiedman, CISO at Landis+Gyr, a member organisation of the BSIMM community. “With rapidly accelerating software development practices, BSIMM12 data illustrates the actual shifts taking place in security development programs. With this information, organizations can adapt their own strategies to protect their organisation and customers without dampening innovation.”

Vinod Raghavan, Director, Product & Data Security Program at Finastra, a member organisation of the BSIMM community, mentions that Finastra has been using the BSIMM framework “as part of [their] Product and Data Security Program to help [them] in advancing [their] security strategy.” He adds that “it has been instrumental in helping us to benchmark against other organisations in both financial services and other industries, supporting security maturity.”

Red Canary Releases New Security Operations Platform
https://www.itsecurityguru.org/2021/09/10/red-canary-releases-new-security-operations-platform/
Fri, 10 Sep 2021 14:00:20 +0000

Red Canary, a security ally for businesses, has recently announced a number of significant updates to its SaaS (Software-as-a-Service)-based Security Operations Platform. Companies of all sizes around the world already use the Red Canary solution to detect threats, respond to incidents and improve their security operations. The original platform offers customers effective MDR (Managed Detection and Response), which has the ability to run alongside other leading XDR platforms, creating a multi-layered security defence. The new expanded changes, however, will drastically improve the vendor’s capabilities for identity-based threat detection, alert management, automation and managed response, providing customers with more security and a better user-experience.

Why use a SaaS-based Security Operations platform?

With the surge in attacks and potential threats, security teams find themselves stretched thin, failing to keep up with the number of alerts coming in. MDR provides more than just security alert notifications, but also supports companies in their response and remediation process. This solution goes beyond solely pointing out a security issue and works toward creating a fix. Put simply: “Don’t you want someone who will solve the problem instead of just telling you there is one? It’s a more mature approach…”

In fact, the latest version of Red Canary’s new Security Operations Platform provides customers with:

  • Vendor-neutral MDR for endpoints: Managed Detection and Response across all leading EDR products, including Microsoft Defender for Endpoint.
  • EDR migration tools: tooling to move between EDR products without disrupting security operations or causing downtime.
  • Platform-neutral MDR for infrastructure: a new threat detection service optimised for Linux production systems, wherever they are deployed. Customers who cannot deploy third-party EDR agents on Linux can still use an MDR service, and it raises the standard of security when moving workloads to the cloud.
  • Account compromise detection: new capabilities that take data from a customer’s Microsoft Defender for Identity instance and apply behavioural analytics to detect suspicious or unusual patterns in account access.
  • Integrated alert management and triage: built-in workflow automation playbooks help customers respond to potential threats consistently and efficiently.
  • Risk reporting and benchmarking: regular analyses and reports that compare results with earlier periods, with other companies in the same industry and with organisations of similar size, so security leaders can report to executive teams and boards on the effectiveness of their controls and their impact on business risk.
  • Managed remediation of incidents: trained response engineers provide guidance, set up workflows and perform response tasks to contain threats that have been found.

Chris Rothe, CPO and co-founder of Red Canary is proud to say that “[their] platform protected [their] customers from the biggest attacks in recent months,” especially “while organizations [were] increasingly under attack from ransomware and other threats. [Red Canary’s] people have extracted and curated new behaviour and attack patterns from thousands of engagements, and [have] embedded those in the expanded platform to better protect customers from harm.”

In addition, Red Canary announced new packages for consulting firms and service providers. Companies that suffer a breach tend to call in incident response consulting firms, which now struggle to support a growing number of clients. The new packages are designed to support those firms during the incident response process rather than after it is complete, taking pressure off the consultants and smoothing the overall flow of the response.

Mandana Javaheri, global head of security, compliance, and identity business development at Microsoft believes that: “Red Canary’s platform, providing MDR for endpoints and infrastructure, aligns to Microsoft’s security strategy. Customers who are investing in Microsoft 365 Defender and XDR platform can benefit from Red Canary’s MDR platform to increase effectiveness of their security operations.”

A solution of this type lets companies run their security operations with more confidence and takes pressure off their security teams by reducing alert volume and response time, with the aim of preventing data breaches and other large-scale attacks.

Beating ransomware – 6 issues to solve before it strikes
https://www.itsecurityguru.org/2021/09/08/beating-ransomware-6-issues-to-solve-before-it-strikes/
Wed, 08 Sep 2021 10:12:09 +0000

The post Beating ransomware – 6 issues to solve before it strikes appeared first on IT Security Guru.

Being struck by ransomware has been compared to having a heart attack. It’s something that stalks everyone in theory and yet when it happens the shock of the experience is always a surprise. For the first seconds, minutes – and sometimes hours – organisations are on their own.

It’s a moment of unexpected trauma which many organisations find paralysing, something attackers plan for. This makes the attack’s effects even worse. Eventually a growing number call for help, valuing the experience of a service provider that’s seen others go through the same mill many times before.

One company on the end of some of those calls is AT&T and its Managed Security Services business unit. Director Bindu Sundaresan has first-hand experience of helping victims through the difficult day one. What advice would she give to anyone worried about this threat?

1. You tested the incident response plan, right?

“When a customer engages with us during a ransomware attack, it’s always a chaotic situation where the client’s ability to conduct business has completely stopped. This is typically the first time they’ve ever suffered an outage of such magnitude,” she says.

The first hit is to the IT team itself as a functioning unit. “Many times, the IT team feels it’s at fault for having had this happen to them, and that fear propagates across the team.” In her experience, the most important oversight is not the absence of an incident response plan but the fact that it has never been properly stress tested, starting with the communication and decision-making chain of command. So you need to test your cybersecurity incident response plan regularly, along with the people and technology that will carry it out. Testing that consists only of conversations in a meeting room, with no pressure bearing down as the organisation goes dark, gives a false sense of security.

“Who is the ultimate decision maker for this incident? Often you see a bunch of people raise their hands, which is not ideal. My advice is that you can only have one person in charge of decision making.”

Just assembling some people from a third-party MSSP doesn’t cut it. That company can’t make decisions for you: a company official must be in charge, ideally someone who has seen a ransomware attack from the inside. Communication isn’t only about the internal chain of command but also about who talks to external providers, partners and law enforcement.

2. Thirty days of logging isn’t enough

The first question every victim wants answered when an attack happens is whether the attackers are still on the network and, if so, where they have hidden themselves. The first thing the IT team will reach for is the logs, which will hopefully betray fragments of the attackers’ movement and their tactics, techniques and procedures (TTPs).

The flaw in this is that logging on default settings rarely retains enough history; on an Active Directory (AD) domain controller, for example, it may amount to roughly the last 30 days, because Windows event logs are capped by size and overwrite their oldest entries. Sundaresan’s advice is to go beyond what basic compliance requires and extend retention on important servers to several months at least. Only then will it be possible to find the root of a compromise, which is essential to avoiding a repeat incident.

“Attackers can be on your network for 230 days in some cases and the company’s logs only go back 30 days. That doesn’t work anymore.”
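The retention check implied by that quote, as an added example that is not the article’s or AT&T’s code: given each log source’s size cap and observed event rate, work out how many days the live log actually holds, fold in any off-box archive, and flag every source that cannot reach back as far as a realistic dwell time. The sources, sizes and rates are constructed, illustrative figures, not vendor defaults or measured values.

```python
"""Log retention vs. attacker dwell time (added example, constructed figures)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class LogSource:
    name: str
    max_bytes: int          # size cap at which the live log overwrites its oldest events
    avg_event_bytes: int    # observed average size of one event
    events_per_day: int     # observed daily event volume
    archived_days: int = 0  # extra days kept off-box (SIEM / cold storage); 0 if not forwarded


def rollover_days(src: LogSource) -> float:
    """Days of history the live log can hold before it starts overwriting itself."""
    daily_bytes = src.avg_event_bytes * src.events_per_day
    if daily_bytes == 0:
        return float("inf")
    return src.max_bytes / daily_bytes


def effective_retention_days(src: LogSource) -> float:
    """Live-log rollover or the off-box archive, whichever reaches further back."""
    return max(rollover_days(src), float(src.archived_days))


def coverage_gaps(sources: List[LogSource], required_days: int) -> List[Tuple[str, float, float]]:
    """(name, days retained, days short) for every source that could not
    reconstruct an intrusion that began `required_days` ago."""
    gaps = []
    for src in sources:
        kept = effective_retention_days(src)
        if kept < required_days:
            gaps.append((src.name, round(kept, 1), round(required_days - kept, 1)))
    return gaps


def investigation_horizon_days(sources: List[LogSource]) -> float:
    """How far back an investigation can see with *every* source still present;
    the weakest source sets the limit."""
    return min(effective_retention_days(s) for s in sources)


def earliest_reconstructable(sources: List[LogSource], now: Optional[datetime] = None) -> datetime:
    now = now or datetime.now(timezone.utc)
    return now - timedelta(days=investigation_horizon_days(sources))


# Constructed inventory (assumed figures, not real defaults).
SAMPLE_SOURCES = [
    # 128 MiB Security log, ~700 bytes/event, ~6,000 events/day -> roughly 32 days live
    LogSource("DC01 Security log", 128 * 1024 * 1024, 700, 6_000),
    # Same log on a second DC, but forwarded to a SIEM that keeps a year
    LogSource("DC02 Security log (forwarded)", 128 * 1024 * 1024, 700, 6_000, archived_days=365),
    # Busy VPN appliance with a 50 MiB on-box ring buffer and nothing shipped off it
    LogSource("VPN syslog", 50 * 1024 * 1024, 300, 40_000),
]

# Dwell time the article cites: attackers present for 230 days in some cases.
REQUIRED_LOOKBACK_DAYS = 230

if __name__ == "__main__":
    for name, kept, short in coverage_gaps(SAMPLE_SOURCES, REQUIRED_LOOKBACK_DAYS):
        print(f"{name}: {kept} days retained, {short} days short of {REQUIRED_LOOKBACK_DAYS}")
    print("Earliest point every source can still reconstruct:",
          earliest_reconstructable(SAMPLE_SOURCES).date())
```

The point the numbers make is that the investigation horizon is set by the worst source, not the best: forwarding one domain controller’s log to a SIEM does nothing for the VPN appliance whose ring buffer turns over in days, and that is usually the device whose history you need first.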

3. Where are the assets?

The next remediation task is patching, which turns out to be harder than it sounds. “More often than not, people don’t have an accurate asset inventory. If you don’t know what’s on your network there’s only so much we can do in terms of stopping propagation,” she says. “The moment you ask them whether it’s up to date, there’s often a silence.”

For attack recovery, the only meaningful asset inventory is one that works in real time, recording an asset the moment it is first seen. Organisations can’t secure what they can’t see or don’t know about, and that covers not only physical devices but cloud repositories, storage, applications and every kind of server.

Real-time asset discovery has been possible for years; asset inventory engines offered as a service, which can sync with an organisation’s ServiceNow configuration management database (CMDB), are one example of how this need not be an onerous undertaking.
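What that sync has to catch, as an added example (not the article’s, AT&T’s or ServiceNow’s code): reconcile the assets actually seen on the network against the CMDB, so that the questions Sundaresan says go unanswered during an incident (what is on the network, and is it up to date) have answers before one. The records are constructed, and the field names (`hostname`, `mac`, `last_seen`, `patch_status`) are assumptions, not a real CMDB schema. The identity key prefers the MAC address and falls back to a normalised short hostname, which is what makes a cloud bucket with no MAC and a host recorded as `SRV01.corp.example` still match.

```python
"""Discovered-vs-CMDB reconciliation (added example, constructed records)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def norm_host(name: str) -> str:
    """'SRV01.corp.example', ' srv01 ' and 'srv01' all become 'srv01'."""
    return name.strip().lower().split(".")[0]


def norm_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def asset_key(record: Dict) -> str:
    """Stable identity: MAC where there is one, otherwise the short hostname."""
    mac: Optional[str] = record.get("mac")
    if mac:
        return "mac:" + norm_mac(mac)
    return "host:" + norm_host(record["hostname"])


def reconcile(discovered: List[Dict], cmdb: List[Dict], now: datetime,
              stale_after: timedelta = timedelta(days=7)) -> Tuple[List[str], List[str], List[str]]:
    """Return (unknown, stale, unpatched):
    unknown   - seen on the network but absent from the CMDB
    stale     - in the CMDB but not seen within `stale_after` (decommissioned, or hiding)
    unpatched - seen and known, but the CMDB cannot say the host is current"""
    seen = {asset_key(r): r for r in discovered}
    known = {asset_key(r): r for r in cmdb}

    unknown = [seen[k]["hostname"] for k in seen if k not in known]
    stale = [known[k]["hostname"] for k in known
             if k not in seen or now - seen[k]["last_seen"] > stale_after]
    unpatched = [seen[k]["hostname"] for k in seen
                 if k in known and known[k].get("patch_status") != "current"]
    return sorted(unknown), sorted(stale), sorted(unpatched)


# Constructed sample data (assumed fields, not a real schema).
NOW = datetime(2021, 9, 8, tzinfo=timezone.utc)

DISCOVERED = [
    {"hostname": "SRV01.corp.example", "mac": "00-11-22-33-44-55", "last_seen": NOW},
    {"hostname": "srv02", "mac": "00:11:22:33:44:66", "last_seen": NOW - timedelta(days=10)},
    {"hostname": "printer-3f", "mac": "aa:bb:cc:dd:ee:ff", "last_seen": NOW},   # nobody recorded it
    {"hostname": "s3-backups", "mac": None, "last_seen": NOW},                   # cloud bucket, no MAC
]

CMDB = [
    {"hostname": "srv01", "mac": "001122334455", "patch_status": "current"},
    {"hostname": "srv02", "mac": "00:11:22:33:44:66", "patch_status": "overdue"},
    {"hostname": "srv03", "mac": "00:11:22:33:44:77", "patch_status": "current"},  # never seen
    {"hostname": "S3-BACKUPS", "mac": None, "patch_status": "current"},
]

if __name__ == "__main__":
    unknown, stale, unpatched = reconcile(DISCOVERED, CMDB, NOW)
    print("unknown to CMDB:", unknown)
    print("stale in CMDB:", stale)
    print("known but not current:", unpatched)
```

Each of the three lists maps to a question from the article: the unknown list is what “there’s only so much we can do in terms of stopping propagation” is about, the stale list is where an attacker’s quiet box or a forgotten server shows up, and the unpatched list is the silence that follows “is it up to date?”.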

4. Backup is great – if it’s been tested

Every organisation mandates backups, but not all backups are equally useful when ransomware strikes. According to Sundaresan, the first problem is that organisations don’t always test them, and testing properly means making pessimistic assumptions about the state of the network itself.

“Backup is a no-brainer, but you have to test it from the point of view of being able to bring the systems back up without access to certain resources.”

The traditional core of backup is the 3-2-1 rule: three copies of the data, on two different types of media, with one copy off-site and, ideally, offline. But if one or more of those copies is in some way disrupted, say by a connectivity issue caused by the attack, that strategy starts to show its frailty.

“Time and again organisations think they have tested the backup, but they haven’t tested it often enough under realistic conditions. Additionally, practicing recovery leads to discoveries of other weaknesses in your preparations. Usually these are discovered in the quality of the backups, which in turn will lead to better backups for when you really need them.” The simplest way to embed more thorough testing is, Sundaresan says, to make it someone’s responsibility.
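Two of the checks that responsibility would cover, as an added example that is not the article’s or AT&T’s code: a policy check of a backup set against the 3-2-1 rule (with the offline copy treated as a requirement, since a backup that ransomware can reach over the network is one it can also encrypt), and a restore drill that records a content hash of every file at backup time and compares the restored tree against it, so a lost or silently damaged file is found in the drill rather than on the day. The backup-copy records and the drill files are constructed, and the record fields (`media`, `location`, `offline`) are assumptions about how an inventory might be described, not any product’s schema.

```python
"""3-2-1 policy check and a hash-verified restore drill (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def check_321(copies: List[dict]) -> List[str]:
    """Return the failed requirements for a backup set; empty means it passes."""
    failures = []
    if len(copies) < 3:
        failures.append("fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:
        failures.append("all copies on one media type")
    if not any(c["location"] == "offsite" for c in copies):
        failures.append("no off-site copy")
    if not any(c["offline"] for c in copies):          # unreachable from the production network
        failures.append("no offline copy")
    return failures


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """'/'-separated relative path -> sha256 of every file, recorded at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_restore(manifest: Dict[str, str], restored_root: str) -> Tuple[List[str], List[str]]:
    """Compare a restored tree against the manifest: (missing, corrupted)."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def restore_drill() -> Tuple[List[str], List[str]]:
    """Constructed drill: manifest a small tree, 'restore' it with one file lost
    and one damaged, and return what the manifest check catches."""
    files = {
        "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
        "config/app.ini": b"[app]\nkey=1\n",
        "docs/readme.txt": b"keep me\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            _write(src, rel, data)
        manifest = build_manifest(src)
        for rel, data in files.items():
            if rel == "docs/readme.txt":
                continue                      # lost in the restore
            if rel == "config/app.ini":
                data = b"\x00" * len(data)    # silently damaged, same size
            _write(dst, rel, data)
        return verify_restore(manifest, dst)


# Constructed backup inventories.
GOOD_SET = [
    {"media": "disk", "location": "onsite", "offline": False},
    {"media": "object-storage", "location": "offsite", "offline": False},
    {"media": "tape", "location": "offsite", "offline": True},
]
WEAK_SET = [  # three copies, but all online disk in the same building
    {"media": "disk", "location": "onsite", "offline": False},
    {"media": "disk", "location": "onsite", "offline": False},
    {"media": "disk", "location": "onsite", "offline": False},
]

if __name__ == "__main__":
    print("good set:", check_321(GOOD_SET) or "passes")
    print("weak set:", check_321(WEAK_SET))
    print("drill (missing, corrupted):", restore_drill())
```

The manifest has to be produced at backup time and stored with the offline copy; a manifest regenerated from the restore itself would only prove the restore matches itself. The size-preserving corruption in the drill is deliberate: a check that compares file sizes or counts, which is what many “we tested it” claims amount to, would pass it.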

5. Paying up isn’t an easy way out

Whether to pay a ransom has been a contentious issue from the earliest attacks a decade ago, and the issue seems no nearer being settled. Could paying a ransom simply invite future trouble?

“Our recommendation is not to pay because your chances of getting your data back are partial at best. More importantly, you’re giving them more ammunition to go after you.” Sundaresan’s other concern is that making payment part of the cybersecurity strategy risks undermining the sort of controls which might make this unnecessary in the first place.

“You might as well take that money and invest it in cybersecurity and reduce your risk exposure.”

6. DIY defence is obsolete

A major block for many smaller organisations has been marshalling the necessary investment and skills to defend themselves. But the DIY approach isn’t necessary in an era of MSSP services, argues Sundaresan. “When you need surgery, you go to a surgeon. You are doing yourself harm by thinking you have to do it all by yourself.”

Equally, she concedes, choosing an MSSP isn’t easy in a crowded market. Her advice is to look for a partner that can not only tell you what the problem is but fix it, too. And because the threat changes quickly as new attacks appear, that demands a provider able to show it can keep investing and innovating over time.
