Visibility: What Will Save Us From Being Next Month’s Ransomware Attack

I can probably tell you right now whether or not you’re very likely to suffer a ransomware attack this year, just by taking a peek at the current tools in your stack. You know what I’m looking for? The same thing as the baddies – blind spots. Visibility is at a premium, and always has been, so why are we making such a big deal about it now? Because for the first time in a long time, there is a wide discrepancy between what most tools can see and where most ransomware is now able to hide.

An unprecedented number of hiding spots

Today’s networks are complex, perimeter-less and often a challenge to us as practitioners. Do you trust your third-party cloud provider to protect your hosted data? Do you go with another cloud security provider on top of that? Do you make an in-house strategy and hire out a SOC – or do you build your own? What tools is everyone using – and how can I get those for my small business, but within budget? I have EDR, and antivirus, but what’s the equivalent of a fancy SIEM? And how can I scan for all my IoT devices, remote connections, cloud applications (and Shadow IT that I know is out there)? Any blind spot of ours can be a green light for attackers, a hole in the net where they can slip through.

Security in today’s network environment is just harder than it used to be. The modern network is complex, and often hybrid; you have containers, VMs, cloud software, public clouds, and remote workers (with all their BYODs). You have APIs, more VPNs than ever before, and a constant barrage of the same old email phishing threats and the like. There are all the old, and all the new, problems. Security is at a point right now where we’re trying to catch up.

Most organizations have at least some presence in the cloud, and containers and VMs are becoming the norm. Oh, and don’t forget all those devices you probably can’t control: IoT and mobile, for example.

And the uptick in dangerous ransomware trends isn’t making it any easier. Over half of the organizations out there have been touched by ransomware, and it’s now considered one of the top business … an amazing feat considering security was still largely fighting for C-level recognition, much less buy-in, just a few years ago. Times have changed, as ransomware solutions outpace interest in other critical pieces of the puzzle like data recovery solutions, cyber insurance, or even a formal incident response plan. So why are the tools we have not enough?

For one reason or another, they each come down to a lack of visibility.

Why the tools we have fall short

As we build up new avenues or take down old walls, we build compensating security tools to bear the load. However, with so many data streams coming in from so many disparate tools, I find a lot of organizations are creating even more blind spots for themselves by giving themselves more alerts than they can handle – meaning they have to just prioritize some, triage others, and ignore the rest. Here’s a general sampling of the most common tools in our stacks today, and where they’re coming up short:

  • EDR. Endpoint Detection and Response is a must – for your endpoints. Unfortunately, the modern network, as we’ve seen above, is now made up of much, much more than that. You have legacy equipment that doesn’t fall under EDR influence – VoIP phones, for example (you’d be surprised how many companies still have those), printers, third-party devices like security cameras, and more – and then there is all the space in between. So much goes on internally that is not an “endpoint” issue, and that’s where a lot of the lateral movement that leads to ransomware attacks takes place.
  • SIEM. If you’re lucky enough to have one of these, then you’re familiar with the cost, complexity and effectiveness problems. SIEMs can be effective tools for threat detection, investigation and hunting, but can run into issues when there’s too much log information, as there often is. That can render the security teams (assuming you have a security team) overwhelmed and ineffective, and the complexity of the tool alone makes it better suited for experts. Plus, logs lack context like threat intelligence so they’re unable to catch never-before-seen exploits, which is what more and more ransomware attacks are these days. Lastly, if an attacker wanted to, they could disable log collection during an attack and your expensive SIEM would be rendered useless.
  • Cloud service provider tools. CSP security tools are good at offering threat detection, response and compliance within their own platform, but they often don’t integrate beyond that to other CSPs or on-premises environments. This siloes your work, creating more of it and contributing to the overall security overwhelm that comes from too many data streams, too much tooling, and not enough integration. If you can’t make sense of the puzzle, 1000 more pieces aren’t necessarily going to help.
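The SIEM item above notes that an attacker can disable log collection mid-attack. One way to watch for that blind spot is to alert when a source goes quiet for far longer than its own normal rhythm. This is an added example, not code from the original article; the host names, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def silent_sources(events, now, factor=5.0, floor=timedelta(minutes=5)):
    """Return {source: silence} for sources quiet far longer than their norm.

    events: iterable of (source, timestamp). A source's norm is the median gap
    between its consecutive events; it is flagged when the time since its last
    event exceeds max(factor * median_gap, floor).
    """
    by_source = defaultdict(list)
    for source, ts in events:
        by_source[source].append(ts)

    flagged = {}
    for source, stamps in by_source.items():
        stamps.sort()
        if len(stamps) < 3:
            continue  # too little history to know what normal looks like
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        threshold = max(timedelta(seconds=factor * median(gaps)), floor)
        silence = now - stamps[-1]
        if silence > threshold:
            flagged[source] = silence
    return flagged


# Constructed sample data (hypothetical hosts, not from the article).
NOW = datetime(2024, 1, 15, 12, 0)


def _every(source, step_min, last_min_ago, count=6):
    """Build `count` events spaced step_min apart, the latest last_min_ago old."""
    last = NOW - timedelta(minutes=last_min_ago)
    return [(source, last - timedelta(minutes=step_min * i)) for i in range(count)]


SAMPLE = (
    _every("dc01", 1, 0)             # chatty and still reporting
    + _every("fileserver01", 1, 45)  # chatty, then nothing for 45 minutes
    + _every("printer-3f", 60, 90)   # naturally quiet: hourly events
)

if __name__ == "__main__":
    for src, silence in silent_sources(SAMPLE, NOW).items():
        print(f"{src}: no events for {silence}")
```

Comparing each source against its own cadence keeps naturally quiet devices such as the printer from adding to the alert overload described earlier.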

And that’s where I see traditional tooling falling short. We need to look ahead to technologies that can handle massive amounts of data, sift through them and provide clues in context, and catch signs of bad behavior, not just dredge up flat logs that don’t always tell us much. We need technology that can tell us the whole story, and full visibility is the key.

Look for bad behavior, not bad guys

In a recent post I noted how a lot of these advancements can be found in Network Detection and Response (NDR). And it’s true. NDR looks for indicators of behavior (IOBs), which is a buzzword for suspicious activity without a threat-ID. It’s the activity of never-before-seen threats, which is what so much of ransomware today is. They’re getting sneakier. They’re evading normal detections. They’re literally morphing to hide their previous identifying pieces of code, or what an antivirus or EDR solution will typically search out, so they can slip by undetected and still wreak the same amount of havoc. With this one move alone, they can bring our current security solutions to their knees as they no longer know what to look for.

However, every criminal leaves a trace, and we just need to find the technology that can track it – even without a calling card. For this, it takes automation and machine learning to scrutinize every piece of telemetry from across disparate tools, bring them all together, piece together anomalies, and find out what’s really going on. Because visibility doesn’t mean just more data; it means more data that makes sense. As one security expert noted in Forbes, “The time has come to instead look for behaviors that are independent of the specific tools or artifacts from old crime scenes and to look for the real indications of malice: what the bad guys really do.”
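A small illustration of an indicator of behavior as described above: flagging a host whose number of distinct internal peers suddenly far exceeds its own history, with no signature or threat-ID involved. This is an added example, not code from the article or from any NDR product; the flow records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict


def fanout_anomalies(flows, current_window, min_peers=5, factor=3.0):
    """Flag hosts whose distinct-peer count in current_window far exceeds
    their own earlier maximum.

    flows: iterable of (window, src, dst, dst_port). Returns
    {src: (baseline_peers, current_peers)}.
    """
    peers = defaultdict(set)  # (src, window) -> distinct destinations
    for window, src, dst, _port in flows:
        peers[(src, window)].add(dst)

    baseline = defaultdict(int)  # src -> most peers seen in any earlier window
    for (src, window), dsts in peers.items():
        if window < current_window:
            baseline[src] = max(baseline[src], len(dsts))

    flagged = {}
    for (src, window), dsts in peers.items():
        if window != current_window:
            continue
        seen = len(dsts)
        # Judge each host against its own past, not a global signature.
        if seen >= min_peers and seen > factor * max(baseline[src], 1):
            flagged[src] = (baseline[src], seen)
    return flagged


# Constructed sample: four time windows of internal flows (made-up addresses).
SAMPLE_FLOWS = []
for w in range(4):
    # A workstation that normally talks to two servers.
    SAMPLE_FLOWS += [(w, "10.0.0.14", d, 445) for d in ("10.0.0.2", "10.0.0.3")]
    # A backup server that legitimately touches ten hosts every window.
    SAMPLE_FLOWS += [(w, "10.0.0.50", f"10.0.1.{i}", 445) for i in range(10)]
# In the latest window the workstation suddenly reaches twelve new peers.
SAMPLE_FLOWS += [(3, "10.0.0.14", f"10.0.1.{i}", 445) for i in range(12)]

if __name__ == "__main__":
    for host, (before, now) in fanout_anomalies(SAMPLE_FLOWS, 3).items():
        print(f"{host}: {before} -> {now} distinct internal peers")
```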
