The massive data breach of US retailer Target was a wakeup call for senior business executives too often disengaged with cybersecurity issues, but surging ransomware attacks are honing CxOs' attention on the need for automated analytics tools to detect security breaches as they happen – rather than months later, or not at all.
Forensic examinations of major data breaches invariably show a string of telltale signs that might have triggered alarms, and the suspicions of security specialists, had they not been buried in an avalanche of security logging information that is overwhelming even the most determined security staff.
One large US customer, for example, relies on security vendor LogRhythm to collect and sift through what amounts to around 4 billion security logs and other information every day. Even with aggressive filtering of information in near real-time, however, this volume of information still produces 10,000 to 20,000 action items that need investigation.
For even moderately sized businesses, this is the reality of security monitoring tools that have gotten better at collecting data but are still struggling to reduce it to a manageable size. This has fueled a stubborn gap between the time a security incident occurs and the time it is detected – often many months later, after mountains of sensitive data have been surreptitiously stolen.
It is in filtering these 10,000 to 20,000 items down to a manageable size that threat-analytics firms like LogRhythm have emerged as lifesavers for corporate IT-security teams that have been struggling to keep up. By applying intelligent algorithms that cross-correlate collected data logs, the company's tools help filter that volume of alerts down to a manageable number.
“By corroborating those alarms with additional algorithms that take multiple dimensions into consideration and risk-score them, we produce about 50 actionable alerts every day,” explains Bill Smith, senior vice president of worldwide field operations with LogRhythm.
“Because we're able to bounce it against more things, we can bring it down to a reasonable level. Fifty alerts a day is no problem to handle when you're a Fortune 500 company.”
Breaking the ransomware attack chain
Such detection mechanisms have become a front-line defence in the fight against advanced persistent threats (APTs) – which quietly infiltrate a company network and may download the actual malware payload later, once they have run extensive reconnaissance on the network and established a beachhead from which to exploit it.
Yet with the right processes, real-time analysis is also proving promising against the malware threat that has emerged as the most insidious problem facing corporate networks today: ransomware.
Due both to the success its purveyors have enjoyed and the availability of increasingly-effective ransomware kits, this type of attack – which encrypts a victim's files until a fee is paid to unlock them – has become far and away the most common threat facing businesses this year.
A recent analysis from email-filtering vendor PhishMe found that by the end of March, 93 percent of all phishing emails contained ransomware payloads, up from 56 percent in December and just 10 percent during the rest of 2015. Vendors like FireEye and Symantec have joined the chorus of security specialists that have noted an explosion in ransomware this year, making Australia the top ransomware target in the APAC region and, indeed, among the top targets in the world.
While there's no guarantee that a specific company will be targeted with a specific APT, the sheer volume of ransomware – and its tendency to be spread via social-engineering strategies that continue to be frighteningly effective at tricking employees into running malicious attachments – makes it inevitable that businesses will eventually face this threat. Business and IT executives must be prepared with a policy about how they would deal with a ransomware attack, which can sometimes be circumvented using fastidious backup procedures that many businesses still lack.
However, says Smith, the right monitoring infrastructure can pick out the telltale signs of ransomware as it's executed for the first time – and stop it dead in its tracks. This becomes possible when a security-analytics tool has had a chance to establish itself long enough to determine a range of baseline characteristics over time.
When the baselining is done correctly, the telltale signs of new ransomware executing stand out like a sore thumb: new system processes will be launched; a surge in disk activity will be obvious as the ransomware looks for files to encrypt; the ransomware may 'phone home' to get an encryption key for its work; new libraries will be run to handle the actual encryption of the files.
Each of these activities has telltale signs that can be picked out of a stream of network traffic by a security-analytics platform with sensitive enough algorithms. By combining detection with policies to control what is and isn't allowable, it's possible to pick up on the activity of even previously unknown ransomware.
“There are many places along the chain of activities – some at the network level, some at the server level, some at the user end – where ransomware can be interrupted,” says Smith. “It's really important to look at all the attack surfaces. And we find more bad things happening by looking at network behaviour anomalies than anything else.”
Network anomalies are only one of several telltale signs of ransomware activity, however: even user behaviour can become a key indicator of attack if monitoring systems detect activity that doesn't fit in with previously observed behaviour – for example, if a user's account is suddenly trying repeatedly to access a server that the user is not authorised to access.
Similar monitoring of cloud applications can provide additional insight if, for example, a user account is seen to be rapidly creating new users or downloading large volumes of data. The more varied the types of data that can be fed into a security-analytics system, the better the potential results, because the system can more effectively cross-correlate suspicious activities and prioritise the most potentially problematic issues.
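The baseline-then-corroborate approach described in the preceding paragraphs, as an added example that is not LogRhythm's code: it learns each host's normal file-write rate, processes and DNS lookups from an hour of constructed events, then flags the four signals the text names (disk surge, new process, phone-home, repeated denied access) and only alerts once several of them corroborate each other. The event format, signal weights and alert threshold are assumptions for illustration.

```python
import statistics
from collections import Counter, defaultdict

# Assumed weights: no single signal reaches the threshold, so a host only alerts
# when several dimensions corroborate each other.
WEIGHTS = {"disk_surge": 40, "phone_home": 30, "auth_failures": 25, "new_process": 20}
ALERT_THRESHOLD = 60

def build_baseline(events):
    """Learn each host's normal writes/minute plus its known processes and domains."""
    writes, seen = defaultdict(Counter), defaultdict(set)
    for e in events:
        if e["kind"] == "file_write":
            writes[e["host"]][e["minute"]] += 1
        else:
            seen[e["host"]].add((e["kind"], e["detail"]))
    rates = {h: (statistics.mean(c.values()), statistics.pstdev(c.values()))
             for h, c in writes.items()}
    return {"rates": rates, "seen": seen}

def score_window(baseline, events):
    """Flag per-host signals in a new window, then corroborate and risk-score them."""
    signals, writes, fails = defaultdict(set), defaultdict(Counter), Counter()
    for e in events:
        h, k, d = e["host"], e["kind"], e["detail"]
        if k == "file_write":
            writes[h][e["minute"]] += 1
        elif k in ("proc_start", "dns") and (k, d) not in baseline["seen"][h]:
            signals[h].add("new_process" if k == "proc_start" else "phone_home")
        elif k == "auth_fail":
            fails[h] += 1
            if fails[h] >= 3:                        # repeated denied server access
                signals[h].add("auth_failures")
    for h, per_min in writes.items():
        mean, std = baseline["rates"].get(h, (0.0, 0.0))
        if max(per_min.values()) > mean + 3 * std + 5:   # +5 floor for quiet hosts
            signals[h].add("disk_surge")             # mass file modification
    alerts = [(h, sum(WEIGHTS[s] for s in sig), sorted(sig)) for h, sig in signals.items()]
    return sorted((a for a in alerts if a[1] >= ALERT_THRESHOLD), key=lambda a: -a[1])

def sample_events():
    """Constructed data: an hour of normal activity, then a two-minute window."""
    ev = lambda m, h, k, d, n=1: [{"minute": m, "host": h, "kind": k, "detail": d}] * n
    base = [e for m in range(60) for h in ("ws-01", "ws-02")
            for e in ev(m, h, "file_write", "doc", 2 + m % 3) + ev(m, h, "proc_start", "outlook.exe")
            + ev(m, h, "dns", "mail.corp.example")]
    window = (ev(61, "ws-02", "proc_start", "chrome.exe")  # one oddity alone: no alert
              + ev(61, "ws-01", "proc_start", "unknown-tmp.exe") + ev(61, "ws-01", "dns", "key-srv.invalid")
              + ev(62, "ws-01", "file_write", "doc", 400) + ev(62, "ws-01", "auth_fail", "fileserver", 4))
    return base, window
```

Running `score_window(build_baseline(base), window)` on the sample data alerts only on ws-01 with all four signals, while ws-02's single unfamiliar process stays below the threshold.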
By prioritising the collection and analysis of such data – along with the improvement of backup regimes that can help recover from ransomware and other attacks – CEOs can leverage innovation in security analytics solutions to build the kind of security defence that gives them a fighting chance to avoid becoming the next Target.
“We're a big-data solution so we can track many different dimensions of a person's behaviour,” Smith explains, noting that the business world is “in a transitional state” as growing executive concern promotes the adoption of new, more-effective technologies.
“We can pull together lots of not-normal things and correlate them with other potentially-risky things,” he says. “It's not that detecting this stuff is impossible; we see it every day where ransomware and other malware gets stopped. It just takes a slightly different thought process.”