
Getting Ahead of Ransomware With Anomaly Detection

By Swapna Jayachandran

Using inSync to identify unusual data activities

More organizations are seeking proactive approaches to data loss and intrusion, so that they can get ahead of the damage such events cause. Chief information officers (CIOs) continue to be challenged by intellectual property (IP) and revenue losses resulting from departing staff members with malicious intent, employees going rogue, and ransomware attacks. Traditional security controls such as firewalls, intrusion detection/prevention systems (IDS/IPS), and data loss prevention (DLP) are constrained by their inability both to prevent these threats and to recover the affected data once an incident has occurred.

The Challenges

CIOs need a solution that can identify data points, events, and actions that do not conform to the expected pattern for a given set of users. Early insight into such abnormal activity can be a significant indicator of cyber intrusion, employee fraud, or rogue behavior. Such a solution, commonly referred to as an anomaly detection system, serves as an early, proactive indicator of infrequent but suspicious activity and can complement legacy security products to address the use cases mentioned above.

Our customers today are challenged with these key problems:

  1. Lack of insight into departing/departed employee activity to uncover malicious patterns
  2. Unreliable ransomware detection, and no effective, automated recovery capability
  3. No way to detect mass deletion of files across data sources by rogue end-users
  4. Complex methods to ingest anomalous activities into a centralized security information and event management (SIEM) platform

According to a study by Symantec and the Ponemon Institute, more than half of employees who left a company took corporate data with them and planned to use it at their new job. Think of a software engineer deleting crucial source code, or a sales executive copying and then deleting account history, and the security horror such incidents pose. Enterprise IT and information security teams rarely have full visibility into the activities a departing or departed employee was engaged in during their last three months of employment. Gaining these insights helps security teams manage their access policies and take preventive steps before crucial data is lost or leaked.

Ransomware attacks continue to be a leading threat to organizations, contributing to revenue loss, end-user downtime, and threats to intellectual property (IP). Ransomware prevents users from accessing their data and demands payment to restore access. There are enough horror stories out there, such as the attack that affected some 7,000 Mac endpoints, or the one that used a cloud app (Google Drive) as the platform for its command-and-control traffic. Gartner's June 2016 article, Use these five backup and recovery best policies to protect against Ransomware, emphasized the importance of a data protection platform that backs up end-user data so that an organization can recover securely and efficiently from such an event. User data is most at risk, and endpoints and cloud applications are the primary entry points for ransomware.

There are plenty of publicly available best practices on ransomware protection and recovery. Our prospects and customers have traditionally relied on incumbent anti-virus solutions, or on manually developed scripts, to detect ransomware attacks. The recovery workflows in such cases are fraught with error-prone and tedious steps, such as copying data from network shares onto a patched endpoint, which leads to significant end-user downtime. IT teams benefit from a product that can clearly pinpoint the safest dataset to recover from, and do so at scale, while keeping end-users productive.

Enterprise IT teams also lack automated capabilities to identify data growth and reduction patterns across endpoints and cloud apps, which makes it harder to manage the lifecycle of data in an organization. IT administrators often collaborate with their peers in information security to ingest such information into a centralized SIEM platform, derive insights, and proactively take remediation measures to prevent security breaches and data loss. These insights also help IT departments evaluate the potential business impact of such problems and adjust their recovery time objectives (RTOs) and recovery point objectives (RPOs) so that end-user data on endpoints and cloud applications is protected more frequently.

Anomaly Detection in Action

Today, Druva announced advanced anomaly detection capabilities that help enterprises gain an edge on ransomware and address the challenges highlighted above. With them, Druva inSync is the only solution in its space that lets customers easily detect, understand, and act on suspicious data activity.

With the new capabilities, inSync monitors and provides visibility into anomalies in:

    • File deletes
    • File modifications
    • File encryptions and header changes

Druva's inSync will also provide a per-device/per-user unusual-data-activity log file in a format that can be ingested by a SIEM tool for further processing and review. An unusual data activity report, an alert, and an intuitive icon on the affected snapshot let enterprise IT and end-users take immediate remediation action and recover from a ransomware attack by restoring from the last safe snapshot, the most recent one taken before the unusual activity began. Together with the underlying reasons for the unusual activity described in the report, the visual indicators on affected snapshots lead enterprise IT teams to the Unusual Data Activities dashboard, which by default gives complete visibility of unusual activity across the last hundred snapshots. The granular activities and insights on the dashboard can be used to address the pain points highlighted above.
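To make the three signals above and the "last safe snapshot" idea concrete, here is an added illustrative example in Python. It is not Druva's code and does not reproduce inSync's algorithm: it diffs consecutive backup snapshots of one user's files, counts deletes, modifications and encryption-like changes (a file whose leading bytes no longer match its extension, or whose content has near-random entropy), compares each count against that user's own recent baseline with a median/MAD outlier rule, emits one JSON line per snapshot for SIEM ingestion, and reports the newest snapshot taken before the first flagged one. The file names, file contents, snapshot history, magic-byte table, entropy threshold and outlier rule are all assumptions constructed for the example.

```python
"""Added illustration (not Druva inSync code): flag ransomware-like activity by
diffing consecutive backup snapshots of one user's files and comparing each
snapshot's change counts with that user's own recent baseline. Data is constructed."""
import hashlib
import json
import math
import statistics
from collections import Counter

# Expected leading bytes for a few types (assumption; a real deployment would use a far larger table).
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext and compressed data sit near 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, data: bytes) -> bool:
    """Header no longer matches the extension, or the body is near-random."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    header_bad = magic is not None and not data.startswith(magic)
    return header_bad or shannon_entropy(data) >= ENTROPY_THRESHOLD

def diff_snapshots(prev: dict, cur: dict) -> dict:
    """Change counts between two snapshots ({path: content}); encryption shows up as an in-place rewrite or as delete + create of a scrambled copy."""
    deletes = [p for p in prev if p not in cur]
    modifications = [p for p in cur if p in prev and prev[p] != cur[p]]
    encryptions = [p for p in cur if (p not in prev or prev[p] != cur[p]) and looks_encrypted(p, cur[p])]
    return {"deletes": len(deletes), "modifications": len(modifications),
            "encryptions": len(encryptions), "encrypted_paths": sorted(encryptions)}

def is_anomalous(history: list, value: int, k: float = 3.0, floor: int = 5) -> bool:
    """Robust outlier test: above an absolute floor and more than k MADs over the baseline median (MAD floored at 1)."""
    if value < floor:
        return False
    if not history:
        return True
    med = statistics.median(history)
    mad = max(statistics.median(abs(h - med) for h in history), 1)
    return value > med + k * mad

def analyze(snapshots: list, user: str, baseline_len: int = 5) -> list:
    """One record per snapshot; flagged snapshots stay out of the baseline so a multi-day attack cannot normalise itself."""
    records, history = [], {"deletes": [], "modifications": [], "encryptions": []}
    for i in range(1, len(snapshots)):
        d = diff_snapshots(snapshots[i - 1], snapshots[i])
        reasons = [m for m in history if is_anomalous(history[m][-baseline_len:], d[m])]
        records.append({"user": user, "snapshot": i, **d,
                        "anomalous": bool(reasons), "reasons": reasons})
        if not reasons:
            for m in history:
                history[m].append(d[m])
    return records

def last_safe_snapshot(records: list) -> int:
    """Newest snapshot taken before the first anomalous one: the restore point."""
    for r in records:
        if r["anomalous"]:
            return r["snapshot"] - 1
    return records[-1]["snapshot"] if records else 0

def siem_log(records: list) -> str:
    """Newline-delimited JSON, one event per snapshot, for SIEM ingestion."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

def _ciphertext(seed: str, nbytes: int = 1024) -> bytes:
    # deterministic high-entropy bytes standing in for encrypted content (constructed)
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(nbytes // 32))[:nbytes]

PDF = b"%PDF-1.7\n" + b"Quarterly revenue notes and account history. " * 20
DOCX = b"PK\x03\x04" + b"word/document.xml plain text body " * 20

def build_snapshots() -> list:
    """Constructed history: a base, five quiet days, then a snapshot taken after ransomware ran."""
    base = {f"docs/report{n}.pdf": PDF + bytes([n]) for n in range(10)}
    base.update({f"docs/memo{n}.docx": DOCX + bytes([n]) for n in range(10)})
    snaps = [base]
    for day in range(1, 6):  # normal churn: one edit, one delete, one new file per day
        s = dict(snaps[-1])
        s[f"docs/report{day}.pdf"] = PDF + b"edit" + bytes([day])
        s.pop(f"docs/memo{day - 1}.docx")
        s[f"docs/new{day}.docx"] = DOCX + bytes([day])
        snaps.append(s)
    attack = dict(snaps[-1])  # PDFs rewritten in place, DOCX deleted and replaced by *.locked copies
    for p in list(attack):
        if p.endswith(".pdf"):
            attack[p] = _ciphertext(p)
        elif p.endswith(".docx"):
            attack.pop(p)
            attack[p + ".locked"] = _ciphertext(p)
    snaps.append(attack)
    return snaps

if __name__ == "__main__":
    recs = analyze(build_snapshots(), "alice")
    print(siem_log(recs), "\nrestore from snapshot", last_safe_snapshot(recs))
```

Two design points matter in practice. First, the baseline is per user and excludes snapshots already flagged, otherwise a slow attack that spans several backups would raise its own threshold. Second, the entropy check alone is not enough: legitimately compressed files (archives, images) are also high-entropy, which is why the magic-byte mismatch is checked as well and why the counts, not single files, are what get compared against the baseline.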

inSync's unusual data activities capability is just one of the many steps we are taking to make Druva's features compelling for information security teams. Along with proactive compliance, unusual data activities will further enhance visibility into end-user data and provide an automated system to proactively track, monitor, and notify of potential data risks.

Recommendations to Move Forward:

Register for our webinar How to Protect and Recover from Ransomware

Visit the Anomaly Detection Solutions Page

The post Getting Ahead of Ransomware With Anomaly Detection appeared first on Druva.
