Ransomware Awareness, Anxiety About Response Running High
Ransomware attackers are vultures, not eagles, said one expert.
Secureworks’ Maureen Perrelli said ransomware threat attackers have sophisticated technologies and techniques that help them, but at the end of the day, “they’re vultures, they’re not eagles.”
“They’re going after the lowest resistance,” she said. “So anything that you see in the environment, that’s what they do. If you look at what’s happened in the industry over the past year, you can see everything that’s happening, it’s really bubbled up to being one of the top topics that every company needs to talk about, even governments which don’t normally come out that forceful, you see that as well.”
And ransomware threat actors aren’t targeting any specific industry, Perrelli said. They’re going after “anything that’s low-hanging fruit.”
“When you look at it that way, you really need to make sure you’re partnered with the security provider that can help you through all of that,” she said. “When you look at Secureworks and what we do today, our pen testing or our Taegis platform, you also look at the 20-plus years of threat intelligence data that we’ve accumulated, and then you also look at the incident response capabilities that we have. We can put that in one framework for you to control and be able to go after those threat actors quickly and respond quickly before it gets too far is what we’re offering customers. We’re offering it through our partners. We’re inviting our partners to come in and we’re actually teaching them what we do today and turning those partners into MSPs for more secure business for their customers. So that’s how we’re attacking that ransomware space and some of the things I see at high level and what we’re doing.”
ThreatProtector’s Carl Katz said the end customer doesn’t understand that ransomware is the end result of a lot of the process that’s been happening in their system, likely more than four months prior to detection.
“So there’s the need for creating that holistic approach,” he said. “But what they don’t understand also is that these are countries with unlimited access to resources, including people, capital and technology, that can affect them. And the bottom line is that, whether it’s SMB or large enterprise, you need to focus on creating that layered approach to cybersecurity. The perception is difficult for a lot of businesses to understand the danger out there and how many times a day organizations are being hit with malware and the effect that it’s having in the world. They’re seeing it on the news with Colonial Pipeline and such, and even companies like Kaseya, they’re being hit. So the messaging is there and they understand the danger. The key is to make sure that we get that layered approach in place because we need to make it more difficult on these countries and these organizations, REvil, whoever it is, to hit your company and move on to somebody else who’s a little bit easier to access.”
Regardless of technology, it all starts with people, so solidifying the human element is critical in preventing intrusion and ultimately ransomware, Katz said.
Check Point’s Frank Rauch said ransomware is no doubt top of mind.
“We’re seeing the ransomware attacks up somewhere around 93% year over year,” he said. “We’re seeing probably about 1,200 organizations a week get hit. So whether it’s phishing or protecting against malware, we try to do it end to end. We have the mobility security. We have the endpoint security, and now with Avanan, that gives us a little edge on emails and responding to emails. We’re educating the partners and we’re educating the consumers. We have ThreatCloud, which is capturing a lot of the things that are happening around here. We’re really focused on Gen 5 and Gen 6 types of attacks, and they are very sophisticated right now. I think the good news, if there is good news, is SolarWinds, Kaseya and Colonial Pipeline have done the advertising for us. We’re not trying to capitalize on anything like that. But obviously when you’re looking for something end to end, that’s kind of where we’re focused.”
Cybereason’s Abigail Maines said double, triple and even quadruple extortion are common tactics.
“What Cybereason is good at is we come from what we call an operational-centric approach, which basically just means if you are there dormant, sort of moving laterally, doing things that double and triple extortion does, we see that,” she said. “And so we’re able to sort of aggregate that information and provide very early indicators. We’re very effective in sort of this concept of the subtle sort of sleuthy sort of behavior. So that’s what we’re doing on the technical side.”
On the marketing side, Cybereason is trying to make sophisticated technology consumable for everyone in the value chain, Maines said.
“If somebody chooses our product, they’re putting their career in our hands, so to speak, and so we try to educate our partners,” she said. “We try to educate the technical resource center partners of our partners. We have those resources and we provide those because I think ultimately it’s getting super noisy from a vendor landscape perspective, even more so than last year. And it’s a different environment with remote selling and big partners aren’t really necessary back in the office.”
Lumen’s Bryn Norton said it’s important to provide partners with the necessary resources to start that security narrative with their customers.
“I also think there’s a negative there where everybody feels bashed over the head,” he said. “You become desensitized to, ‘I’ve got ransomware or it’s going to happen.’ So it’s about how you begin to have more of a constructive conversation about the challenge. And for me, it’s about data. So it’s about helping customers understand what data is actually important to them. If they’ve got really important data, use that endpoint protection, use that premium service, but understand how and where their data lives, structured and unstructured.”
Norton also said it’s about an individual organization’s needs and not taking a “broad-brush approach” to security policy.
“The next part of a conversation is you understood where your data is, what’s actually really important to you,” he said. “How do you actually want to access or manipulate that data because you need to work that data to get value from it? So how do you move your investment cycles to different areas? When I look at my Forrester report, like 10% of IT budgets are spent on security. Are we spending that 10% in the right place? So again, it’s helping them with that conversation.”
The panelists also were asked whether ransomware victims should pay the ransom. Maines said it’s important to have a plan in advance of whether you’re going to pay or not pay the ransom.
“And then if the answer is yes, how and who is going to procure it because in the moment of attack, it’s not very easy to sort of work through those mechanisms,” she said. “So I think everybody is in their own unique set of circumstances, though, and they have to make their own decision on that.”
Katz said if an organization has cyber insurance, let the insurance company deal with it. However, it’s increasingly difficult to get cyber insurance.
“So you have to go through all these mechanisms and gain all the products, and create that layered solution in order just to even get cyber insurance,” he said. “I don’t think we should reward bad behavior. It’s kind of like hostage taking, right? So paying is probably not a good thing because it motivates them. But from an individual micro perspective, if I’m the business being hit and I know I have a 60% chance of going out of business and I have cyber insurance, I’m going to utilize it.”
Norton said insurance companies don’t always pay because the organization didn’t have the right security, controls and mechanisms in place that could have prevented the attack.
“I think you need to be pragmatic about whether or not you’re going to pay,” Rauch said. “The City of Baltimore, Colonial Pipeline, there was a lot more that was affected than just that organization. And the timing is another thing. If you can survive a week and you can try to figure it out, that’s one thing. If you can only survive three hours without that data or whatever, then you have a different problem on your end. If you’re a hospital, you know you have a really different problem. And so I think it goes case by case. I don’t want to pay. I don’t want to see people pay, but quite honestly, if other people’s lives or quality of life depend on it, maybe you do.”
Thanks to SolarWinds, Colonial Pipeline, Kaseya and other high-profile attacks, ransomware awareness is at an all-time high. But that leaves the question of how best to address it.
At our recent Channel Partners Conference & Expo, we conducted roundtables with channel experts addressing hot topics in areas such as cybersecurity, cloud and MSPs.
Ransomware awareness and prevention were among hot topics addressed during our roundtable with cybersecurity experts.
Panelists included:
Maureen Perrelli, Secureworks’ senior vice president and chief channel officer.
Carl Katz, ThreatProtector Cybersecurity Advisors’ senior vice president of worldwide partner sales.
Frank Rauch, Check Point Software Technologies’ head of worldwide channel sales.
Abigail Maines, Cybereason’s vice president of commercial and channel sales for North America.
Bryn Norton, Lumen Technologies’ vice president of platform and IT solutions.
Rauch said ransomware awareness is so high that security vendors no longer need to advertise. That’s because partners and their customers are well aware of the threat and are actively seeking protection.
Katz said educating the end customer is important, while Norton said partners need all the help they can get in initiating a security narrative.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.