How to Manage Ransomware Risk: (NIST Framework Part 3: DETECT)


July 2, 2021

Welcome to part three in a series of five blogs created to help you manage ransomware risk with the NIST framework.
NIST is short for National Institute of Standards and Technology. In a world of infinite hardware, software, and cloud options (and opinions), this non-regulatory agency and their Information Technology Laboratory (ITL) produce a never-ending and iterative catalog of compliance-friendly publications (blueprints) to guide your IT journey.
NIST’s technical leadership fuels the U.S. economy and public welfare with measurement and standards recommendations (based on extensive testing and analysis) to advance the development and productive use of information technology.
Why should this matter to you? NIST continuously develops management, administrative, technical, and physical standards, along with guidelines to inform and prioritize cost-effective security and privacy initiatives for your business.
They’re doing most of the heavy lifting, so you don’t have to! And your burden will be even lighter if you allow your MSP (and their vCIOs) to play a commanding role in guiding your journey.

The Ransomware Problem

As per NIST, “Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public.”
Learn More: NISTIR 8374 Draft
While managing risk always involves new budgetary considerations, your costs will be offset if your organization harnesses thoughtfully planned and architected technology to grow your business AND to avoid being torpedoed by ransomware attacks and legal episodes.
The outcomes you wish to avoid are almost always much more expensive than preventative measures!
Learn More: Ransomware Costs Besides the Ransom

NIST Framework Part 3: DETECT

Your vCIO can illuminate the business impact each of the following has on your organization.
Repetition alert: some of the processes and solutions mentioned below also appear in the two related predecessor articles.
Learn More: NIST Framework Part One and NIST Framework Part Two
There are two reasons for this: the NIST framework is part of a body of academic documents with excessive formality and legalese, and protective technology solutions typically serve multiple functions.

1 – Anomalies and Events

Does it take forever to send emails? Is your computer taking longer to boot up, then automatically shutting down out of the blue? Have you seen any random pop-up ads or new security warnings?
These are obvious signs of anomalous network activity triggered by malware.
Best-in-class security tools will catch and neutralize known threats before obvious symptoms appear, but new ones will slip under the radar.
Does your IT Steering Committee (with the help of your MSP) understand the potential impact of various ransomware events in order to prioritize the correct response and recovery steps?

2 – Security Continuous Monitoring

In 2021, monitoring solutions are light years ahead of their firewall predecessors. Firewalls are still an important part of the mix.
However, these devices are increasingly being combined with Security Information Event Management (SIEM) tools that employ more sophisticated advanced threat detection, forensics, and incident response capabilities.
While most small and mid-size businesses (SMBs) will not be a fit for Splunk (because it’s primarily focused on large enterprises), they have a concise overview that will get most non-technical types up to speed in rapid order.
Learn More: Splunk Recognized by Gartner Again
Continuous monitoring allows your MSP to help you by:

  • Verifying the effectiveness of protective measures
  • Detecting and preventing the introduction of malicious code into your network
  • Blocking the encryption and exfiltration of data
  • Identifying insider threats, risky employee practices on the network, and leaked credentials
  • Monitoring unusual activity from vendors and other service providers who regularly access your network
  • Taking actions based on internal and external system generated warnings BEFORE ransomware is executed

3 – Detection Processes

Maintaining and testing your detection program practices is an ongoing, evolving discipline. The same is true of consistently reporting new anomalies and communicating corrective measures in a timely fashion.
Nothing is static with today’s Internet of Things (IoT) infrastructure. Everything is connected and changing so your detection rating is likely to occupy a sliding scale of effectiveness.
Ransomware “professionals” continuously innovate their technology, strategy, and tactics which puts perpetual pressure on law-abiding businesses to evolve.
Most SMBs don’t have this expertise in-house nor do a majority of the MSPs. Choose your IT provider wisely.
Experienced MSPs can bring another advantage to the table beside consulting expertise and advanced technology: they can keep everyone accountable with a lot less political fallout.
On one hand, in-house IT may ruffle feathers with overly assertive enforcement efforts. On the other hand, they may be less forthcoming (and effective) if they feel intimidated approaching leadership.
Your MSP knows what they are contracted to do and will proceed without hesitation.

What’s Next?

Like I mentioned in my first and second installments, I hope you get more comfortable with the NIST ransomware management basics.
(If you read the other two blogs, I applaud your stamina. Some of this material is a little dry. Good news: I’m working diligently to change that!)
Related blogs covering the two other pillars of the NIST Framework (Respond and Recover) are on the way.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.

Keep reading

The Three Social Engineering Hacks your Company Should Prevent Now

The Three Social Engineering Hacks your Company Should Prevent Now

Since 2020, Google has identified and delisted 2 million websites for launching phishing attacks—an army of nefarious websites that CISCO says have hit 86 percent of all global companies. But it’s the social engineering behind those attacks that’s the scary part,...

5 Ways Cloud Communications Improve Corporate Culture

5 Ways Cloud Communications Improve Corporate Culture

There are five ways cloud communication tools improve your corporate culture. QVALON defines corporate culture as “…the values, behaviors, and habits reflected in interactions between management, employees, and customers. And it’s seen in how people act, dress, and...