Recently I’ve been reading numerous articles and hearing about ransomware attacks from my technical colleagues. Ransomware basically locks users out of their devices until companies pay a given amount of money, which is a serious problem. While it is not a new attack, the methods continue to change. The common question I’m asked by the companies I talk with is, “What are the best practices for dealing with ransomware, and how can we stop it from hitting our company?”
In order to find a solution for stopping ransomware, we first have to understand the methods used to gain access to your company computers/users. The most popular ones are:
Best practice security principles
Now that you understand a bit more on how ransomware is initiated, let’s look at how we can stop it from hitting our companies, and the best practices for doing so.
This is not something where you buy a given solution off the shelf and all your worries are over. This is about adopting a true defense-in-depth methodology and using solutions that work in tandem with one another. I believe that you should never put all your eggs in one basket. The best practice should be building a network of products that work together to offer automated intelligence and are able to react quickly to whatever is playing out on the company networks. You need a combination of EDR, IDS/IPS, SIEM, SOAR, and our ASMS to have a well-defined solution. They all have a unique role in helping security engineers to make the right choice at the right time with the right information. This really allows your SOC team to have visibility and react accordingly.
When you utilize multiple solutions, you gain the benefit of knowing that you are covered from multiple angles, and you have more confidence that the data is accurate and that you can act upon it. Without this approach you are basically watching the front door of your house, believing it to be the only way anybody can get in, and forgetting to check the windows and the back door. So why would you do so on the company network?
This is all relevant for overall security, but when people ask me about best practices, they are usually referring to their firewalls. So, how do you set up your firewalls to protect your environment? It really comes down to the basics.
Firewalls are designed to block all traffic except for traffic that has been explicitly allowed by the firewall rules. But over time, they get bloated with extra “stuff” that has been placed in there over years. So, here are my recommendations for managing your firewalls:
I have to say, though, there is one phrase that I learned long ago that has stuck with me. That is, “more than half the time, attackers are insiders” and this seems to still hold true today.
The basic recommendations I’ve shared are a minimum of what needs to happen in an organization. Is this a complete list? Absolutely not. But it is at the core of what every company should adopt and add their business practices to.
Once you have the basic principles in place, you can further tighten your security posture by introducing micro-segmentation. This allows you to reduce the attack surface and stop lateral movement across your network to minimize any damage caused by ransomware attacks and insider threats. Read more about the benefits of thinking small in network security here.
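The two ideas above, firewall rule sets that should be default-deny with explicit allows but accumulate “stuff” over the years, and segmentation that limits lateral movement between internal segments, can both be checked mechanically against a rule base. The following Python script is an added example and is not code from the post or from any vendor product such as the ASMS mentioned above. It assumes a simplified rule model (action, source CIDR, destination CIDR, protocol, destination port, first match wins), treats the RFC 1918 ranges as “internal”, and runs over a small constructed rule set; the rule names and addresses are made up for illustration.

```python
"""Audit a simplified firewall rule set for three hygiene problems:

1. broad permits      - "allow any -> any" rules that defeat default-deny
2. shadowed rules     - rules fully covered by an earlier rule (dead bloat,
                        or a deny that can never be reached)
3. lateral permits    - allow rules between two internal segments with no
                        port restriction, i.e. weak segmentation

Rule model (an assumption of this example, not a real firewall syntax):
action is "allow" or "deny"; src/dst are CIDRs or "any"; proto is "tcp",
"udp" or "any"; dport is an int or None (any port). First match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Treat the RFC 1918 ranges as the organisation's internal segments (assumption).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        _net(inner.src).subnet_of(_net(outer.src))
        and _net(inner.dst).subnet_of(_net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.dport in (None, inner.dport)
    )


def _is_internal(cidr: str) -> bool:
    net = _net(cidr)
    return any(net.subnet_of(seg) for seg in INTERNAL)


def audit(rules: List[Rule]) -> Dict[str, object]:
    """Return the names of rules that violate each of the three checks."""
    broad: List[str] = []
    shadowed: Dict[str, str] = {}   # shadowed rule -> rule that shadows it
    lateral: List[str] = []
    for j, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dst == "any":
            broad.append(rule.name)
        # First-match semantics: any earlier rule that covers this one makes
        # it unreachable, whatever its action.
        for earlier in rules[:j]:
            if _covers(earlier, rule):
                shadowed[rule.name] = earlier.name
                break
        if (rule.action == "allow" and rule.dport is None
                and _is_internal(rule.src) and _is_internal(rule.dst)):
            lateral.append(rule.name)
    return {"broad_permits": broad, "shadowed": shadowed,
            "lateral_permits": lateral}


# Constructed sample rule base, in evaluation order (not real policy).
SAMPLE_RULES = [
    Rule("web-to-app", "allow", "10.10.0.0/16", "10.20.5.10/32", "tcp", 443),
    Rule("flat-internal", "allow", "10.10.0.0/16", "10.20.0.0/16", "any", None),
    Rule("web-to-app-dup", "allow", "10.10.1.0/24", "10.20.5.10/32", "tcp", 443),
    Rule("temp-troubleshooting", "allow", "any", "any", "any", None),
    Rule("cleanup-deny", "deny", "any", "any", "any", None),
]

if __name__ == "__main__":
    for check, result in audit(SAMPLE_RULES).items():
        print(f"{check}: {result}")
```

Run against the sample, the audit flags the forgotten “temp-troubleshooting” any/any permit, shows that it shadows the final cleanup deny (so the policy is no longer default-deny), flags the duplicate rule as dead bloat, and flags “flat-internal” as a port-unrestricted permit between two internal segments, the kind of rule micro-segmentation is meant to remove.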