Perimeter vs Containment – why you need to be proactive in the fight against ransomware  


Business transformation and agile ways of working create more openings for malicious activity to assault your company. Ransomware attacks are getting smarter; it’s time to take the upper hand.

For years, the defence against cyber-attacks has been to enclose all your data and devices within an impenetrable wall. When all your online activity took place in one central location, this was an effective practice.

However, the digital estate of the modern business is no longer centralised. Your employees and partners expect to be able to access your organisation from anywhere, without affecting productivity, while your customers expect personalised experiences that show you understand them.

Companies that are adapting and embracing this new market are thriving. But, if there is no longer an ‘outside’ and an ‘inside’ to your business, how can you remain protected by one line of defence?

In this article, we learn how to take the fight to your would-be attackers. 


What is a perimeter-based defence?

Businesses traditionally enclose all of their data and devices within a perimeter, comprised of a combination of firewall, email scanners, web filtering solutions and endpoint security agents. This attempts to screen everything that comes into the network then blocks or removes anything that is flagged as malicious. The business should then be able to trust that it will keep out invaders and that all activity within it is safe.

But following digital transformation, this is no longer the case.

Why is it no longer enough?

Despite UK businesses spending £4bn on cybersecurity last year, 63% of disruptive breaches were reported by staff – not technology.

2019 Cyber Security Breach Survey

Digital transformation, for all its fantastic benefits, requires a major shift in multiple areas of an organisation’s infrastructure. Not least security.

A modern business consists of multiple endpoints, often managed by public cloud providers, and employees accessing their organisation off-site. It also incorporates countless new devices and technologies that were never taken into consideration when perimeter-based defences were first designed.

This means that malicious activity has more chances than ever to break in. If something fools your firewall, or finds a way to escape detection on the endpoints, then it has breached your defences and infiltrated your system. And, with many leading antivirus software solutions unable to detect new variants of ransomware for sometimes as long as 4 weeks – with attacks corrupting up to 7000 files per minute – the consequences could be disastrous.

What is a ransomware attack?

Financially motivated criminals use ransomware to attack your data.

If they successfully infiltrate your system, the ransomware begins to encrypt files so you can no longer access them. This process doesn’t alter the file names, so it is hard to see which files have been corrupted and which haven’t.

They then hold this information hostage, demanding payment for its return.

What are the potential consequences?

Typically, it can take hours or even days for an organisation to realise it has been subject to a ransomware attack – by which time much of the network may have been compromised. Criminals also often choose to attack on weekends when staff are not around to react.

The attackers would also have had enough time to access your datacentre and steal private intellectual property. And this is exactly what they would use to negotiate payment for release.

The attack will cause massive disruption to your services and people’s productivity, as necessary files become lost. You may also become subject to legal difficulties if the attackers access your customers’ personal data, as well as suffering a loss of revenue and reputational damage.

However, submitting to the attackers is an unwise end. This encourages them and funds future attacks.

Can you cite any examples?

There have been a few high-profile cases in recent years:

NHS.

2017 saw an attack on a governmental scale, including 40 UK NHS hospitals. Yet, despite this happening almost 3 years ago, the ransomware strain is still at large, with traditional defences unable to prevent or patch against it.

Eurofins.
Eurofins Scientific – the UK’s biggest forensic services provider – was also hit by an attack in 2019. This highly sophisticated strain of malicious software led British police to suspend work with the company, as a massive backlog of 20,000 samples built up.

Travelex.
More recent was the cyber-attack on Travelex. The attack is now estimated to have cost over $200 million and shut the entire network down for over 30 days before they could get their systems back online. They further went on to lose over $85 million in revenue, took a huge hit to their reputation and in turn affected their global partners such as HSBC.

The solution? Containment.

If your system is infiltrated, you need a proactive solution to defend it. Our human immune system is a great metaphor for this: if we’re unlucky enough to fall ill, our white blood cells rush to the rescue and fight off the infection. 

This, broadly speaking, is how a containment-based defence system works for your business. It supplements your firewall, network and endpoint security by quickly identifying and containing ransomware outbreaks that have passed all other security tools undetected, stopping it from spreading and highlighting affected files for easy recovery.

With ransomware attacks increasing by 195% year on year, it’s getting ever more important for public and private organisations to prepare themselves for tomorrow, not for yesterday.

How Containment works.

Containment solutions are designed to put you on the front foot, stopping head-on any ransomware that manages to break through your perimeter and endpoint defences, before it takes hold in your system.

Using built-in scripts, they shut down compromised devices and disable the user in Active Directory to contain any intrusion, locking down any devices that have been infected.
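
As an added illustration (not part of the original article and not any vendor's product code), the sketch below shows one generic way to spot an outbreak when file names stay unchanged: flag a user and device that overwrite many files with high-entropy content in a short window, and list the affected files. The thresholds, event format, user names and paths are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict, deque

ENTROPY_LIMIT = 7.5    # bits per byte; assumed cut-off (ciphertext approaches 8.0)
BURST_FILES = 10       # assumed: distinct files rewritten by one user/device...
WINDOW_SECONDS = 60    # ...within this many seconds

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_outbreaks(events):
    """events: time-ordered (ts, user, device, path, written_bytes) tuples.
    Returns {(user, device): {"detected_at": ts, "files": [paths]}}."""
    recent = defaultdict(deque)    # (user, device) -> (ts, path) inside the window
    outbreaks = {}
    for ts, user, device, path, data in events:
        if shannon_entropy(data) < ENTROPY_LIMIT:
            continue               # ordinary document save
        key = (user, device)
        if key in outbreaks:       # already flagged: keep listing files for recovery
            if path not in outbreaks[key]["files"]:
                outbreaks[key]["files"].append(path)
            continue
        window = recent[key]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        paths = sorted({p for _, p in window})
        if len(paths) >= BURST_FILES:
            # Response point: this user and device are the ones to disable and isolate.
            outbreaks[key] = {"detected_at": ts, "files": paths}
    return outbreaks

def sample_events():
    """Constructed file-server write events, not real telemetry."""
    cipher_like = bytes(range(256)) * 16           # uniform bytes stand in for ciphertext
    text = b"Quarterly report draft, revision 3. " * 100
    events = [(990, "bob", "WS-020", r"\\fs1\hr\policy.docx", text),
              (995, "bob", "WS-020", r"\\fs1\hr\archive.zip", cipher_like)]
    events += [(1000 + 2 * i, "alice", "WS-014", rf"\\fs1\finance\report_{i:02}.xlsx",
                cipher_like) for i in range(12)]
    return events

if __name__ == "__main__":
    for (user, device), hit in find_outbreaks(sample_events()).items():
        print(user, device, hit["detected_at"], len(hit["files"]), "files to restore")
```

Compressed archives are also high-entropy, which is why the check requires a burst of distinct files from one user and device rather than reacting to a single write.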

The most effective products currently on the market are military-grade – such as Ricoh’s Cyber Security Practice, currently used by both the US and UK governments – which offer both managers and IT teams the very highest level of confidence against ransomware and cybercrime.

Taking the proactive approach.

Not only is taking the proactive approach the best way to defend against ransomware attacks, it’s easy to implement too. Containment solutions can take as little as four hours to be installed, and it can be done either on-site or remotely in a non-intrusive fashion – meaning minimal disruption to your teams and business.

Protect your business and your people from ransomware attacks.

Current responses by perimeter and endpoint-based solutions are confused and limited. Victimised businesses can’t trace the source of the damage, and infection is most often eventually identified by an employee, but far too late.

A containment solution provides an automated technology that reacts instantly, as soon as a ransomware outbreak is activated in your environment, so only a single device and as few as 10–15 files are affected before the outbreak is fully contained.

Ensure continuity. 

When perimeter or endpoint-based protections fail, containment won’t. Containment solutions enable your IT team to offer an immediate, fully-automated response to any attack.

Not only does this give your perimeter and endpoint defences the support they need, it means that uptime on your network can be maintained, with all business processes working as usual.

And you can also rest assured that you won’t get caught up in the media storm caused by the negative press that surrounds these attacks.

Can you answer these questions?

How do you see which files are encrypted and where they reside?

How do you identify which user and which device initiated the attack?

How do you stop the ongoing encryption immediately before significant damage occurs?

How long will it take to restore files and at what cost?

Can you accurately do GDPR reporting if thousands of files have been lost to illegitimate encryption, but you don’t know which ones?

If you have any questions or would like to know more about proactive ransomware defence, get in touch with Steve Timothy.


Morton Gammelgard
morton@ricoh.co.uk

Cyber Security Expert
