WHITEPAPER

RANSOMWARE: HOW A LAYERED APPROACH PROTECTS AGAINST CYBERCRIMINAL EXTORTION

Implement an end-to-end strategy to protect your network from these increasingly nefarious threats.


RANSOMWARE: HOW A LAYERED APPROACH PROTECTS AGAINST CYBERCRIMINAL EXTORTION

Ransomware is one of the biggest and most nefarious threats to networks today.

Think it can’t happen to you? Then you’ve probably been lucky so far. Ransomware is increasingly prevalent, and it’s not going away anytime soon.

Consider the following recent events:

• Between 2016 and 2017, over 2.5 million users were affected by ransomware.

• In the summer of 2017, an e-mail campaign spreading a new strain of Locky ransomware sent 23 million malicious messages in only 24 hours.

• In May 2017, WannaCry infected hundreds of thousands of systems in a matter of days.

• Petya followed WannaCry within a month and infected pharmaceutical giant Merck and a number of Russian banks; then variants like NotPetya and GoldenEye emerged, demonstrating the global scale and speed of current ransomware exploits.

This trend shows no sign of abating, and the consequences of a successful attack are truly devastating, usually resulting in loss of data, the ensuing liability for that loss, and the extortion of even more financial resources in an attempt to get the data back. While some organizations have recovered data by paying a ransom, usually in Bitcoin, in other cases not even that payoff got the information back.

Even worse for an MSP, a successful ransomware attack against your infrastructure can be a hit to your trust-based reputation, irreparably damage your credibility, and cost you your business.

Moreover, each time a new ransomware attack is unleashed, it is more clever than its predecessor. While each variant essentially does the same thing — encrypt drives — it does so in ways that are different and more difficult to detect than the prior versions. That is because hackers simply take the previous code, rework it to wreak more havoc, and (re)release it, oftentimes exploiting another vulnerability.

Despite all of the evidence, many IT pros still think it cannot happen to their shop since they have an antivirus/antimalware (AV/AM) solution in place and regularly perform data backups. They are wrong.

While critical, AV/AM and backup are only part of the solution. They are mainly about blocking ransomware on the machine, reacting only after it has entered the network.

Most layered security models take a network diagram approach, thinking from the endpoint to the core. But a better framework for cyber-defense is based on a layered model that begins with preventing ransomware from entering the network in the first place, then uses automated ways to keep the network hardened, and tops the model with advanced features to facilitate a quick recovery should an attack occur.


LAYER 1: PREVENT USING CONTINUOUS DISCOVERY

The old adage rings true today: “you cannot secure what you cannot see.” For a variety of reasons, IT organizations have tough challenges confidently knowing which machines are on the network and under their management in the first place.

In addition, even if the inventory of machines under management seems complete today, the network landscape is dynamic and can change quickly. Machines can be quickly and easily provisioned or deprovisioned, and endpoints accessing the network can change on the fly. Visibility remains a fundamental challenge for administrators.

Petya is a unique form of ransomware because it needs to infect only one machine and can then spread maliciously to others on the network. Hence, a machine that you are unaware exists can expose your entire network to an attack.

Network discovery is essential to a healthy network. It allows the IT organization to understand all of its assets and know which ones are actively being managed. Thus, the first part of building a preventative layered security model lies with your ability to clearly identify the components and machines on your network that are either under your control or that could affect what you are responsible for.

In addition to having a deep knowledge of your IT assets, you must be in a position to assess the risk of vulnerability at any point in time. Constant network changes mean discovery must be done on a scheduled, automated, and ongoing basis.

Further, many management systems use a LAN-based architecture, and they lose visibility when a machine goes off-network. The right system must be elastic and have both on- and off-network visibility for the machines it manages. Additionally, the system must auto-discover in scenarios where the environment changes quickly, like on- and off-boarding employees or when the company acquires another organization.

The key to Layer 1 is creating full 360-degree visibility. You need a solution that easily and continually discovers all devices on your network and your customers’ networks, including servers, laptops, kiosks, mobile devices, scanners, and peripherals. It also must constantly collect real-time status on all operating details for these devices to keep systems up to date and have consistent protection in place. Once all devices are visible, you can devise an effective approach to guard against threats of all kinds.


LAYER 2: SECURE BY COMPREHENSIVELY UPDATING SOFTWARE

Ransomware should be a wakeup call for those who have not taken a thorough and automated approach to patching. Recent exploits have targeted very old and often forgotten vulnerabilities. Machines that failed to patch remain ever exposed. Ovum, an independent analyst and consultancy firm specializing in global coverage of IT, has been sounding the patch alarm for some time. Ovum analyst John Madden notes in a recent report:

“Customers may shy away from addressing regular patching or overdue software upgrades because they have concerns about price, time, or complexity. However, based on our conversations with customers, an ‘only as-needed’ approach to software support is short-sighted, and could expose customers to security and compliance risks, not to mention losses in employee productivity and business revenue.”1

Most IT professionals inherently understand the importance of patching. However, there are some pragmatic realities of patching that often result in administrators having to “cut their losses” and leave things undone or in a less-than-ideal state. Much work goes into understanding the latest updates that are available for the machines you manage, then deciding whether to accept and apply each update to some or all of the machines, and then creating reports that explain the current state of the network. The complexity of this work only goes up further if the admin is managing multiple operating systems using multiple tools or has non-integrated solutions to manage third-party applications.

There are myriad moving parts and competing priorities, and in the middle of this, sometimes mistakes get made and not everything gets done, leaving the organization more exposed than it should be.

Unfortunately, as cybersecurity threats continue to rise, so too does the pressure to have a thorough, well-thought-out, and automated system.

The solution is to unify and automate patch and software management. Ovum’s John Madden said he believes automation is the way customers want to go. “Once a customer has made a decision to initiate a regular software patching and maintenance program, what they want most is automated tools and support from their vendors to make such a program run as seamless as possible,” he writes.2

Hence, you want an endpoint management solution that can help you install, deploy, and update all software, including Windows, Mac, and third-party applications. Better yet, you need the solution to use one unified approach. Giving the administrator the capability to comprehensively see all vulnerabilities in real time improves decisions and insights instantly. Additionally, by grouping the treatment of software patches and governing by policy, the administrator will have confidence that the network is consistently updated.

Now, the administrator can routinely schedule patch scans and updates to automate the entire process. In the end, the workload reduces considerably, and less wasted effort means the administrator can focus time where it matters most — on the exceptions.

It is also important not to overlook the other way ransomware finds its way into your network: users. Users can at times be naïve or gullible, or do silly or unpredictable things and fall prey to bait set by a hacker, for example through careless storage of passwords. A strong endpoint management system must integrate a mechanism to prevent users from becoming their own worst enemy, with features like multifactor authentication and single sign-on. Interestingly, the very use of two-factor authentication (2FA) makes users more aware and conscious of their password usage and less prone to falling victim to ransomware schemes or clicking on malicious links.

1 John Madden, Principal Analyst, Ovum IT Services; Avoiding Security Risks with Regular Patching and Support Services
2 Ibid.

LAYER 3: HARDEN THROUGH AUTOMATING THE MANAGEMENT SYSTEM

“Too much to do” is simply the nature of the IT beast. Administrators constantly struggle to do more with less, which means efficiency is constantly top of mind. The benefits of automating discovery, audit, software deployment, patching and updates, antivirus, and backups should be apparent. But when it comes to cybersecurity, failure to intelligently automate actually puts your IT operation at risk. Why?

Alert fatigue. The more sophisticated your environment, the less linear the rules become, and alarms start firing. When alarms become noisy, they are no longer useful. IT administrators either assume an alarm is a false positive and ignore it, or do not bother to determine whether it represents an actual threat.

The right automation includes the ability to govern by policies and set auto-remediation rules so that only meaningful alarms get through.

MSPs and IT pros should look for solutions that enable multiple sets of policies to be applied based on any grouping you want ― by customer, device type, user role, or even location type ― and that can check that each device complies with its assigned policies. This deep capability gives the administrator the flexibility to apply automation settings in a way that makes sense.

Further, the best solutions are also highly capable with respect to custom, scripted procedures that can be used to intelligently remediate alarms. For example, if a patch fails to install, an auto-remediation procedure could instruct the system: “if the patch fails, then reboot the target machine, re-install the patch, and only if it fails again sound the alarm.”

Once the IT organization is operating efficiently and the network is hardened, intelligent monitoring becomes useful. When it comes to ransomware, unfortunately, there is always a risk. So even if you do all you can to prevent ransomware from impacting your network, you must also do all you can to know when the layers have been penetrated. Sophisticated network monitoring solutions that can monitor network traffic and use a heuristic approach to identify unusual activity can become the alarm that matters in your organization, giving you the advantage needed to stop an attack. Even better is a solution that helps you understand the business impact because it can illuminate the entire service delivery model needed for mission-critical business applications.
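The policy grouping and the reboot-then-retry remediation rule described in Layer 3, worked through as an added Python illustration that is not Kaseya's code or part of the original paper; the device attributes, the policy selectors, the install/reboot hooks and the patch name KB-PLACEHOLDER are all constructed stand-ins for what an endpoint management system would supply.

```python
from dataclasses import dataclass, field

# Added illustration, not Kaseya's code; devices, policies and hooks are constructed.

@dataclass
class Device:
    attrs: dict                      # grouping keys: customer, device_type, role, site
    missing_patches: list = field(default_factory=list)
    av_running: bool = True
    backup_age_days: int = 0

@dataclass
class Policy:
    name: str
    selector: dict                   # a device must match every key to be in scope
    av_required: bool = True
    max_backup_age_days: int = 1

def applicable_policies(device, policies):
    """Every policy whose selector matches the device; matching policies stack."""
    return [p for p in policies
            if all(device.attrs.get(k) == v for k, v in p.selector.items())]

def compliance_findings(device, policies):
    """One finding per violated rule; an empty list means the device is compliant."""
    findings = []
    for p in applicable_policies(device, policies):
        if p.av_required and not device.av_running:
            findings.append(f"{p.name}: antivirus not running")
        if device.backup_age_days > p.max_backup_age_days:
            findings.append(f"{p.name}: last backup {device.backup_age_days}d old")
    if device.missing_patches:
        findings.append("patches missing: " + ", ".join(device.missing_patches))
    return findings

def remediate_patch(device, patch, install, reboot):
    """The quoted rule: if the patch fails, reboot and re-install; alarm only if it fails again."""
    if install(device, patch):
        return "installed"
    reboot(device)
    if install(device, patch):
        return "installed after reboot"
    return "ALARM: patch failed twice"

def demo():
    """Constructed scenario: a customer baseline plus a kiosk policy; the patch needs a reboot."""
    policies = [Policy("acme-baseline", {"customer": "acme"}),
                Policy("kiosk-hardening", {"device_type": "kiosk"}, max_backup_age_days=7)]
    kiosk = Device({"customer": "acme", "device_type": "kiosk"},
                   missing_patches=["KB-PLACEHOLDER"], backup_age_days=3)
    state = {"rebooted": False}
    def install(dev, patch):         # stand-in installer: fails until the machine has rebooted
        return state["rebooted"]
    def reboot(dev):
        state["rebooted"] = True
    before = compliance_findings(kiosk, policies)
    outcome = remediate_patch(kiosk, "KB-PLACEHOLDER", install, reboot)
    if outcome.startswith("installed"):
        kiosk.missing_patches.remove("KB-PLACEHOLDER")
    return {"before": before, "outcome": outcome,
            "after": compliance_findings(kiosk, policies)}
```

Note that the stricter customer-wide backup rule still applies to the kiosk even though the kiosk policy is more lenient: stacked policies are each checked, so the remaining finding after remediation is the one the administrator actually needs to see.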

HOW REGULATORY COMPLIANCE DRIVES SECURITY

Many IT organizations spend numerous cycles working to comply with HIPAA, FERPA, and PCI. In many cases, failure to clearly demonstrate IT’s actions, or simple inaction or neglect, brings significant fines and penalties. Starting in 2018, service providers and businesses must adhere to additional general compliance rules if they have customers in the European Union. The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which takes effect in May 2018, says that any company or individual that processes data is responsible for its safety. This same rule applies across multiple countries.

If your organization or a client’s organization falls under one of the many compliance requirements, there are additional benefits to being able to demonstrate the specific approach and actions you have taken to secure the machines.


LAYER 4: CURE THROUGH INTEGRATION OF AV, AM, AND BACKUP

Interestingly, most IT pros begin their cybersecurity plan with a discussion of antivirus, antimalware, and backup solutions. To be sure, these are the weapons of choice for doing battle should a ransomware attack actually happen. However, unlike the prior three layers outlined in this paper, they are not preventative.

Rather, they are curative and do not come into play until after you have fallen prey to an attack. That said, even the most proactive layered security model can only reduce the threat. There are no guarantees.

If a hacker is strong enough to find a vulnerability and manages to get ransomware onto your very secure network, wouldn’t logic suggest that you actually need to supercharge your mechanisms to contain, cure, and recover? But to recover, you must back up, and you must do so in a way that your data can be accessed and restored.

This final layer in the security model is integration of your ransomware arsenal of antivirus, antimalware, and backup solutions. Antivirus, antimalware, and backup providers are all specialists with deep experience. Only the best endpoint management solutions actually partner with and integrate best-of-breed antivirus, antimalware, and backup tools into a single pane of glass.

The advantages of integration are tremendous. First, all the automation discussed above becomes accessible, so you can synchronize your routines and create a holistic methodology for your operation. Further, you can govern by policy or fuse with scripts as you believe is helpful. These may be critical for your response time in the event of an infection and provide copious restore capabilities.

FINALLY, BY INTEGRATING ALL COMPONENTS OF THE LAYERED MODEL, YOU CAN SEAMLESSLY AND COLLECTIVELY AUDIT AND REPORT IN REAL TIME.

CONCLUSION – THERE IS NO GUARANTEE

The world is not about guarantees, but those who layer their approach are well ahead of the game! Most IT professionals make antivirus and backup the backbone of their cybersecurity model. As shown here, these important elements are only part of the solution. Other layered security models work from the end user to the network infrastructure, but often miss critical components, like automation, that are needed to keep the network hardened. It turns out your grandmother was right — “an ounce of prevention is worth a pound of cure!” The best methodology for building your security model is to think from discovery to prevention to automated hardening to cure to recovery.

Contact Kaseya to discover how we can help every step of the way!


ABOUT KASEYA

Kaseya is the leading provider of cloud-based IT management software. Kaseya solutions allow Managed Service Providers (MSPs) and IT organizations to efficiently manage IT in order to drive IT service and business success. Offered as both an industry-leading cloud solution and on-premise software, Kaseya solutions empower MSPs and mid-sized enterprises to command all of IT centrally, manage remote and distributed environments with ease, and automate across IT management functions. Kaseya solutions are in use by more than 10,000 customers worldwide in a wide variety of industries, including retail, manufacturing, healthcare, education, government, media, technology, finance, and more. Kaseya is privately held with a presence in over 20 countries. To learn more, please visit www.kaseya.com

©2017 Kaseya Limited. All rights reserved. Kaseya and the Kaseya logo are among the trademarks or registered trademarks owned by or licensed to Kaseya Limited. All other marks are the property of their respective owners.

11172017
