RSAC 2024: Sophos Finds More Ransomware Victims Turning to Law Enforcement

New Sophos findings show that 97% of companies hit by ransomware last year engaged with law enforcement.

The Sophos findings, released at RSAC 2024, highlight a promising trend in an industry that so often induces panic and anxiety. The results are from Sophos’ most recent State of Ransomware Report.

We spoke with Chester Wisniewski, Sophos’ global field CTO and director, about the latest findings.

Also at RSAC, Sophos announced it’s signing the Cybersecurity and Infrastructure Security Agency (CISA)’s Secure by Design pledge.

Sophos' Chet Wisniewski

”In talking to victims over the last 10 years, it seemed to me, certainly five years ago anyway, it was 50%, a lot of [ransomware victims] wanted to keep their [victimhood] private; 'We don't want it to become public. We don't trust that it's not going to leak and we don't think they can do anything to help us, so we talked to our attorneys and we're just going to keep this close to the chest,'” Wisniewski said. “That was a general attitude. And then, of course, internationally, regulations started changing to require a lot of reporting, especially in Europe and Australia, and that kind of thing. So there was a little bit of a shift. And so this year, when we were formulating the questions for the survey, I said, let's get a bead on what's happening both in the United States and internationally now.”

Related:RSAC 2024: Secretary Blinken, AI Challenges, Opportunities

According to the latest Sophos findings:

Sophos Findings Show Victims Know Law Enforcement Can Help

“I think that anecdotally, the most important thing is helping through people, through a process of recovering more quickly by getting advice from people who've been through it,” Wisniewski said. “The police have helped other victims, and if nothing else, they may not be able to do anything about encryption keys, and in the end they may not be able to put anybody in jail necessarily, but gosh darn it, they've been through this ... Here are your best tactics for immediately evicting and locking the criminals out of your network to prevent any further damage. They can give expert advice, and when you combine that with the expert advice most of these victims are also getting from their cyber insurance providers and from incident response companies like ourselves, that's changing the amount of time from, 'I detected I have a problem,' to 'My business is now back to at least operating normally.' Every one of those days you take off of that is going to lower the amount of  cost.”

Related:The Gately Report: RSAC 2024 Kicks Off with Debut of AT&T's LevelBlue

As for CISA’s Secure by Design pledge, it shouldn’t require big changes for Sophos, he said.

“Certainly for us, some of these things we've already done because we recognize the same thing that CISA recognizes in the default posture of these products, it needs to be safe by default when you unbox them,” Wisniewski said. “So a lot of these things don't apply to us because we already don't have default passwords in our products. We don't have web portals facing the internet in our network products by default, unless the customer tries to turn them on, and then we warn them against it and tell them you shouldn't.”

If everybody else steps up, even if they hadn't been doing this, it “puts us on a level playing field of secure-by-default,” he said. And the channel has a role in this.

“I think it can be used as a tool by MSPs to compare a little bit better the base security stance of their offerings,” Wisniewski said. “There's no way for them to necessarily sign the pledge. There's no Good Housekeeping Seal of Approval for the channel, unfortunately. But I would be advertising to my prospective clients that compared to others, we implement all of the recommended guidelines from the U.S. Department of Homeland Security and CISA for safe computing on all of our offerings. And as a customer who doesn't know much about security, that's having to trust my partners, that means something to me.”

CrowdStrike’s Latest Offerings

Also during RSAC, Daniel Bernard, CrowdStrike’s chief business officer, was on hand to discuss the significance of AWS dropping other security products in favor of its cyber threat protection and response offerings.

“AWS certainly benefits from it, and all the customers that AWS services,” he said. “So AWS uses CrowdStrike for cloud security. They're dropping a variety of point products, cloud cyber products, and then they're also starting to use our next-gen security information and event management (SIEM) as well. So this is a really exciting announcement for us because there's no better validation than happy customers talking about how much they love technology. And that's exactly what we have with AWS.”

Furthermore at RSAC, CrowdStrike announced innovations to modernize security-operations-center (SOC) operations with a single, unified platform to deliver full visibility and protection across all workloads.

In addition, CrowdStrike announced the launch of Falcon for Defender augmenting Microsoft Defender deployments to stop missed attacks. As part of the AI-native Falcon Extended Detection and Response (XDR) platform, Falcon for Defender deploys alongside Microsoft, elevating the security posture of endpoints running Microsoft Defender.

Bernard said there's always more partners can do with CrowdStrike.

“All of our partners know they only need to deploy once, and that's the beauty of our single platform approach versus a platformization approach that requires manual stitching and manual integrating, and all sorts of consoles and agents, and confusion,” he said. “Our approach is to deploy once, have one console and produce a number of outcomes. Now which modules the partners are comfortable with and understand, and know how to sell, that's always the journey that we're helping take them on. So in our innovation areas like cloud security, where the product portfolio has evolved substantially over the last 12 months, these are areas where we put a lot of resources on the table to ensure that they're properly enabled. There's also scaled training. So our major focus is the quicker and the more efficient, and the better we're able to enable these partners to understand our technology and know how to sell it, and know how to demonstrate the value: The more they sell, the better the result for everyone.”

NinjaOne

Also during RSAC, CrowdStrike and NinjaOne announced a strategic partnership to provide full-spectrum endpoint protection against cyberattacks. By unifying endpoint management from the NinjaOne platform with endpoint protection from the AI-native CrowdStrike Falcon XDR platform, organizations can detect, investigate and stop attacks targeting endpoints while bridging gaps between IT and security teams.

Mike Arrowsmith, NinjaOne’s chief trust officer, said his company is “bridging the gap between two teams that need to work very closely together with respect to cybersecurity events.”

NinjaOne's Mike Arrowsmith

“So when we think about our product, we typically have been traditionally in that MSP IT- enterprise-endpoint device space,” he said. “With this integration, it allows a single view within a single console of all of the things that may be triggered within CrowdStrike. We also do it for

SentinelOne and Bitdefender. It allows our single pane of glass, the same console that everybody loves and respects, and wants more of, to be able to now have security incidents come through the dashboard. And through that dashboard and that integration, we're allowing those technicians that maybe need to go pursue cybersecurity events a one-button click integration. So as that event hits against the systems-specific endpoint, they can see the alert, click on the alert and immediately will pop up within CrowdStrike.”

In addition, NinjaOne announced it has expanded its platform offerings with endpoint management, patch management and backup capabilities. Now, organizations can access the visibility and control needed to ensure confidence in the face of mounting security concerns.

“When we think about the channel, we really are trying to enable that group to grow closer to their customer base,” Arrowsmith said. “We really want to be able to offer a plethora of solutions. And so the more that we can continue to expand within traditional IT and continue to expand within the cybersecurity space, like our partnership with CrowdStrike today, we're really setting up those partners with ... a buffet of items that they can better cater to their specific customers to increase that collaboration, increase that partnership. What we hear within our signals and customer channels the most is being able to enable these channel partners to offer very tailored solutions that can meet the needs of their myriad different types of customers very effectively, very quickly, but also cost-effectively.”

Salt Security

Also during RSAC, Salt Security announced the debut of its AI-infused API Security Protection Platform powered by Pepper, the company’s large language model (LLM) AI. The launch of the platform marks the next generation of API security, leveraging AI throughout every aspect of the API life cycle, to streamline and bolster API discovery, posture assurance and threat detection, to mitigate risks faster.

Michael Callahan, Salt Security’s chief marketing officer, said AI is being heavily leveraged in the application development process, which helps increase productivity and deliver customer experiences.

“The other side of that is it creates chaos on the app security side because you're creating apps and APIs at a speed and volume that you've never seen before,” he said. “So our belief is in order to benefit from what you get out of AI, you need to use AI to reduce the risks. And we've looked at the application area and said there are really these three parts of the journey. There's a discovery phase, which says, what do I have? Then there's a piece where once they have a sense of what they have, they want to put some sort of governance in place that says are we documenting this? And then the last bucket is threat protection. So there are these APIs that are maybe coming in, are they malicious and how do you figure out if they're malicious or not? What we've done is we took our LLM called Pepper and we infused it in that whole process. So when you're doing discovery, we use AI to make sure that not only are you discovering what's out there, but as these new ones get created, that you're constantly updated. It's impossible to keep up with it unless you're using something like AI to keep up with what's happening. It’s the same thing on the posture side where you're able to say, 'We have all these new APIs coming in; sometimes they're being updated daily or weekly, or I guess in some cases, even hourly. How do you know that they're under policy? You've got to use AI to do that. And the same thing on the threat side. You have to look at billions and billions of API transactions to make sure that you're finding the ones that are malicious.”

No one else has infused AI through its whole system like Salt Security has, Callahan said.

“There are some solutions that will find pieces of it,” he said. “Maybe they do the discovery and leverage some AI, or maybe they do some threat protection. They're trying to catch up really where we originated in the market, but no one does it for the whole life cycle. For partners, it's particularly advantageous because in all of that volume of APIs and the speed it creates a little bit of chaos, and customers will often say, 'I just can't do it, help me,' which is perfect for partners. So partners can come in and say, 'We'll offer you this; we'll leverage all this technology and we'll provide it for you as a service.' We've talked with our partners about it, they're very high on it.”

Palo Alto Networks, More at RSAC

Other announcements at RSAC include: