COMBATTING RANSOMWARE (continued)
investigating the blast radius, identifying persistence, determining whether you are dealing with an isolated incident or a broader campaign. Automation handles the first seconds. Analysts handle the next hours. Get that layering wrong and you are rebuilding an entire estate instead of reimaging one endpoint.”

Phil adds that customers need help with hardening their systems and preventing attacks against their hardware, software and IT assets. “Continuous Threat Exposure Management (CTEM) can provide that insight and keep customers up to date with potential gaps in their security,” he says. “Selling CTEM should be about providing that proactive approach to preventing attacks, letting customers get on and run their businesses successfully.”

But Phil warns that CTEM on its own is not enough. “For smaller companies, running their own security operations can be cost-prohibitive, so they may want to outsource that to a service provider,” he explains. “MSPs can either build their own SOC to offer these processes, or partner with a SOC provider to deliver that level of coverage. This is particularly important when you consider how fast threat actors move today: our Threat Research Unit’s analysis of the Tycoon2FA threat actor revealed an average of just 14 minutes between user credentials being captured and active exploitation on that company’s network. Many firms can’t run their own SOC, but they need that fast response in case something does go wrong. Putting it into business terms can help in that decision process.”

Stemming the breach

If ransomware does breach defences, there are ways MSPs can minimise the effect of an attack. “Impact is determined by spread,” says Charlotte Pickering, EMEA channel director at Zero Networks. “If an attacker can only access a small number of systems, recovery is fast and disruption is limited. If they can move freely, you’re looking at outages, missed SLAs and potentially existential business impact.

“MSPs should focus on reducing the blast radius in advance. That means segmenting critical systems, isolating high-value assets and ensuring that access paths are tightly controlled. When containment is built into the environment, response becomes faster and far less dependent on human intervention during a crisis.”

Richard Francis, SE director EMEA at CTERA, says that when an attack bypasses preventative measures, the speed of recovery determines the outcome. “Waiting days to restore from traditional cloud or tape backups can be a death sentence for a modern business,” he says. “This is where the conversation must pivot to recovery time objectives. With an immutable snapshotting system, the recovery process is transformed. Instead of a painstaking, multi-day restoration project, an MSP can roll back an entire file system to its pre-attack state in a matter of minutes.”

Security discussions

When discussing ransomware with customers, MSPs and resellers should take various things into consideration. Charlotte says resellers should reframe the conversation. “Most customers are still being sold detection and response, but those approaches assume everything works perfectly under pressure,” she says. “In real-world scenarios, security is a chain

Contributors
Charlotte Pickering (zeronetworks.com)
Richard Francis (ctera.com)
Danny Hemminga (tanium.com)