Top Takeaways From Our Ransomware Detection Webinar

by Patrick Bedwell

Ransomware is one of the most pernicious types of attacks we see today. Why do we continue to see so much of it? Because, as the infamous bank robber Willie Sutton said, “That’s where the money is.”

With that, Netography CEO Martin Roesch and CPO David Meltzer kicked off a webinar on the challenges of detecting ransomware activity across multi-cloud and hybrid networks. They also highlighted the unique detection capabilities Netography offers to combat ransomware.

Some key takeaways from the webinar are:

  • Why ransomware attacks continue to persist, despite more than a decade of investing in prevention tools
  • The need for post-compromise detection
  • How Netography brings the fight to ransomware operators
  • The limitations of current cloud-native tools

For the complete discussion, watch the replay.

Why ransomware persists despite more than a decade of investing in prevention tools

Most enterprises have evolved to complex hybrid networks with multiple cloud providers as well as diverse IT, OT, and IoT operational environments. They deploy a variety of security technologies in each environment to try to understand what they’ve got, what it is doing, and what is happening to it, to detect and respond to attacks. 

The bulk of these security resources are allocated to discovering, configuring, and hardening the environment to make it difficult for threat actors to compromise the network in the first place, or knocking down threat actors at the point of attack. Unfortunately, the tools and processes to prevent ransomware cannot always stop the threat actors, or they aren’t in the right place to detect ransomware activity and avoid costly attacks.  

For example: 

  • New research shows that nearly one-third (32%) of ransomware attacks originate from unpatched vulnerabilities. Attacks that leverage this attack vector result in considerably more severe outcomes, including a greater risk of compromised backups and data encryption, higher ransomware costs, four times higher overall attack recovery costs, and slower recovery times. 
  • The poor ransomware detection rate of EPP is exacerbated by the fact that many endpoints remain unprotected because, for one reason or another, they don’t have an agent installed. 

When prevention mechanisms such as patching, configuration management, NGFWs, NDR, and EPP fail to detect ransomware attacks, many security teams are left uninformed.

The need for post-compromise detection

Once a ransomware actor gains access (often through remote access software vulnerabilities), they go through a period of operating in the environment before springing their trap. At this point in the attack, operations teams need to pivot from relying on pre-compromise approaches like content blocking, hardening, and configuration management to post-compromise detection. As threat actors move laterally, inventory data, establish command and control channels, jump to other cloud platforms via peering, and harvest and exfiltrate data, operations teams need immediate visibility into each stage of the attack chain.

Unfortunately, most organizations rely on a disparate collection of technologies spread across different operational environments not engineered to detect post-compromise activity. This mix of products creates silos of data that different operations teams using different languages try to stitch together to figure out what their users, applications, data, and devices are doing and what’s happening to them. 

Network observability gaps are prevalent across modern networks, creating a gray area between the point of initial access and when ransomware turns into a costly attack. In environments that lack instrumentation for holistic network observability, SecOps, CloudOps, and NetOps teams have no practical way to detect ransomware activity before damage is done.

Netography brings the fight to ransomware operators

The Netography Fusion® platform delivers post-compromise detection by leveraging VPC, VNet, and on-prem flow logs, as well as DNS logs, enriched with dozens of context attributes from applications and services in your tech stack. Fusion has 300+ detections and auto-thresholding capabilities to alert you to activities indicative of a ransomware attack, including remote access compromise, data exfiltration, lateral movement, and command and control activities. 
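As an added illustration (not Netography's code or detection logic), here is a small Python script that applies two heuristic post-compromise detections of the kind described above to constructed AWS VPC flow log records: lateral-movement fan-out over admin ports, and bulk outbound transfer to an external address. The 10.0.0.0/8 internal range, the thresholds, and the sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the default AWS VPC flow log (v2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.20 51000 445 6 40 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.21 51001 445 6 38 5100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.22 51002 3389 6 30 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.23 51003 445 6 41 5300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.24 51004 22 6 12 1900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.5 10.0.1.25 51005 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c2d 10.0.2.9 203.0.113.50 44000 443 6 21000 30000000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.9 203.0.113.50 44001 443 6 21000 30000000 1700000160 1700000220 ACCEPT OK
2 123456789012 eni-0e3f 10.0.2.7 198.51.100.10 44500 443 6 10 2000 1700000100 1700000160 ACCEPT OK
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed private range

def parse_flow_logs(text):
    """Return accepted flows as dicts; malformed and REJECT lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[12] != "ACCEPT":
            continue
        records.append({"src": f[3], "dst": f[4], "dport": int(f[6]), "bytes": int(f[9])})
    return records

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_lateral_movement(records, fanout_threshold=5, admin_ports=(22, 445, 3389, 5985)):
    """Flag internal sources reaching many distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for r in records:
        if is_internal(r["src"]) and is_internal(r["dst"]) and r["dport"] in admin_ports:
            targets[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= fanout_threshold}

def detect_exfiltration(records, byte_threshold=50_000_000):
    """Flag (internal src, external dst) pairs whose summed outbound bytes exceed a threshold."""
    outbound = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            outbound[(r["src"], r["dst"])] += r["bytes"]
    return {pair: total for pair, total in outbound.items() if total >= byte_threshold}
```

Real deployments would baseline these thresholds per host rather than hard-coding them, which is what the auto-thresholding mentioned above refers to.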

Our 100% SaaS architecture allows us to do this at scale across a hybrid or multi-cloud environment frictionlessly, with no appliances, agents, taps, or probes to deploy. Teams have a single platform and unified contextualized view to understand what they’ve got, what it’s doing, and what’s happening to it in real time. They can respond to ransomware before it disrupts operations.

A force multiplier compared to alternative cloud-native tools

When organizations survey the landscape of alternative cloud-native options, they find that Netography is significantly easier to deploy at a significantly lower cost and delivers more than 10X the detection capability. 

  • Cloud platform-native tools all have some capability to detect security events and can ingest the flow logs that they natively provide for their cloud environment. But they don’t provide capabilities that span other clouds, your data center, on-prem networks, traffic between clouds, and even between multi-tenant environments. Additionally, they offer less than 10% of the network detections that Netography provides, and it can be very expensive to use those detection tools.
  • NDR vendors offer expansive network detection capability but can only detect with full packet capture. Their approach requires virtual appliances and packet mirroring for every VPC in your cloud network, which becomes very costly and complex. Their ability to operate on cloud-native network flow logs is an afterthought and limited, so they only provide a handful of detections.
  • Cloud security platforms including CSPM, CNAPP, CWPP, and CDR provide important cloud security capability, but they don’t provide network observability, detection, and forensics. For example, in the case of Wiz, detection is application-focused, which is why we are a certified partner and integrate with Wiz to address that gap for a very powerful solution together.

Interested in learning more? Watch the webinar for more details on how Netography detects all stages of a ransomware attack to prevent costly disruptions to your operations.