
Getting Ahead of Ransomware with Anomaly Detection

Anant Mahajan

More organizations are now seeking proactive approaches to solving major issues involving data loss and intrusion, in order to get ahead of the damage that can be caused. Chief information officers (CIOs) continue to be challenged by intellectual property (IP) and revenue losses resulting from departing staff members with malicious intent, employees going rogue, and ransomware attacks. Traditional security solutions like firewalls, intrusion detection/prevention systems (IDS/IPS), and data loss prevention (DLP) solutions are constrained by their inability to fully prevent and recover from these threats.

The Challenges

Organizations need a solution that can identify data points, events, and actions that fall outside the expected data-behavior patterns of a given set of users. These early insights into abnormal activity can be significant indicators of cyber intrusion, employee fraud, or rogue behavior. Such a solution, commonly referred to as an anomaly detection system, serves as an early, proactive indicator of infrequent but anomalous activity and can complement legacy security products to address these issues.

Our customers today are faced with these key challenges:

  1. Poor insights into departing/departed employee activity to uncover malicious patterns
  2. Unreliable ransomware detection and ineffective automated recovery capabilities
  3. No options to detect mass deletion of files across data sources by rogue end-users
  4. Complex methods to ingest and evaluate anomalous activities in a centralized security information and event management (SIEM) platform

As per a study by Symantec and the Ponemon Institute, more than half of employees who left a company took corporate data with them and planned to use it at their new job. Think of a software engineer deleting crucial source code or a sales executive copying and deleting account history, and the security horror such incidents pose. Enterprise IT and information security teams do not have full visibility into activities that a departing or departed employee was engaged in during their last three months of employment. Gaining access to these insights can help security teams better manage their access policies and take preventive steps before crucial data is lost or leaked.

Ransomware attacks continue to be a leading threat to organizations, contributing to revenue loss, end-user downtime, and intellectual property (IP) risk. Ransomware prevents users from accessing their data and demands payment to regain access to the affected data. There are enough horror stories out there on ransomware attacks, such as the one uncovered by Apple which affected 7,000 Mac endpoints, or this one that used a cloud app like Google Drive as its launch platform for command-and-control behavior. Gartner’s June 2016 ransomware research emphasized the importance of a data protection platform that backs up end-user data so that an organization can securely and efficiently recover from such an event. User data is most vulnerable to security risks, with the primary sources of ransomware attacks infiltrating endpoints and cloud applications. Our prospects and customers have traditionally used incumbent anti-virus solutions, or have developed scripts manually, to detect ransomware attacks. However, the recovery workflows in such cases are fraught with error-prone and tedious steps of copying data from network shares onto a patched endpoint, leading to significant end-user downtime. IT teams can benefit from a product that clearly pinpoints the safest dataset that can be used to recover from an attack, and does so at scale while increasing end-user productivity.

Enterprise IT teams also do not have any automated capabilities to identify data growth and reduction patterns across endpoints and cloud apps, which in turn makes it harder to manage the lifecycle of data in an organization. IT administrators often collaborate with their peers on information security teams to ingest such information within a centralized SIEM platform, derive unique insights, and proactively take remediation measures to prevent security breaches and data loss. These insights also help IT departments evaluate the potential business impact of such problems and adjust their recovery time objectives (RTOs) and recovery point objectives (RPOs) to better protect end-user data on endpoints and cloud applications.

Anomaly Detection in Action

Druva has added advanced anomaly detection capabilities to enable enterprises to gain an edge on ransomware threats and to address the challenges highlighted above. In doing so, Druva inSync is the only solution in its space that will help customers easily detect, understand, and act on any suspicious data activity.

inSync is able to monitor activity anomalies for the following:

    • File deletions
    • File modifications
    • File encryptions and header changes

Druva inSync also provides access to an unusual-data-activity log file for every user and every device, in a format that can be easily ingested by a SIEM tool for further processing and review. An anomalous data activity report, alerts, and an intuitive visual representation of the affected data will empower enterprise IT and end-users to take immediate remediation action to recover from a ransomware attack by restoring from the last uninfected snapshot. Coupled with the underlying reasons for the unusual activity described in the report, enterprise IT teams can use the visual indicators on affected snapshots to navigate to the Unusual Data Activities dashboard, which provides complete visibility of unusual activity across the last hundred snapshots by default. The granular activities and insights on the dashboard can be used to address the pain points highlighted above.
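As an added illustration of the kind of monitoring described above (this is example code written for this article, not Druva's code, and not how inSync implements its detection), the following Python script walks a series of constructed backup-snapshot manifests, classifies the changes between consecutive snapshots into deletions, modifications, and encryption-looking rewrites (ciphertext-level entropy or a broken magic header), flags a snapshot whose counts exceed a baseline built from the earlier snapshots, emits one JSON line per unusual activity in a form a SIEM could ingest, and names the last snapshot taken before the anomaly as the restore point. The manifests, thresholds, user and device names, and the magic-byte table are all assumptions made for the example.

```python
import json
import math
import random
import statistics
from collections import Counter

# Assumed magic bytes for a few file types; a file whose extension promises one of
# these but whose first bytes no longer match has had its header changed.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits around 3-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_mismatch(path: str, data: bytes) -> bool:
    """True when the extension has a known magic header and the content lacks it."""
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    magic = MAGIC.get(ext)
    return magic is not None and not data.startswith(magic)


def diff_snapshots(prev: dict, curr: dict) -> dict:
    """Classify changes between two consecutive snapshot manifests (path -> bytes)."""
    deleted = sorted(set(prev) - set(curr))
    modified, encrypted = [], []
    for path in sorted(set(prev) & set(curr)):
        if prev[path] == curr[path]:
            continue
        modified.append(path)
        new_ent, old_ent = shannon_entropy(curr[path]), shannon_entropy(prev[path])
        # A jump to ciphertext-level entropy, or a broken magic header, looks like encryption.
        if header_mismatch(path, curr[path]) or (new_ent >= 7.0 and new_ent - old_ent >= 2.0):
            encrypted.append(path)
    return {"deleted": deleted, "modified": modified, "encrypted": encrypted}


def exceeds_baseline(history, current, k=3.0, floor=3):
    """True when `current` is above an absolute floor and above mean + k*stdev of history."""
    if current < floor:
        return False
    if len(history) < 2:  # too little history for a statistical baseline; rely on the floor
        return True
    return current > statistics.mean(history) + k * statistics.pstdev(history)


def analyze(snapshots, user, device):
    """Walk snapshots oldest->newest; return (JSON log lines, index of last clean snapshot)."""
    diffs = [diff_snapshots(snapshots[i - 1], snapshots[i]) for i in range(1, len(snapshots))]
    events, first_bad = [], None
    for i, d in enumerate(diffs):  # diff i describes the change from snapshot i to i+1
        for kind in ("deleted", "modified", "encrypted"):
            history = [len(x[kind]) for x in diffs[:i]]
            if exceeds_baseline(history, len(d[kind])):
                first_bad = i if first_bad is None else first_bad
                events.append(json.dumps({
                    "user": user, "device": device, "snapshot": i + 1,
                    "activity": f"unusual_{kind}", "count": len(d[kind]),
                    "samples": d[kind][:5]}, sort_keys=True))
    last_clean = len(snapshots) - 1 if first_bad is None else first_bad
    return events, last_clean


def build_sample_snapshots():
    """Constructed data: four ordinary snapshots, then one in which ransomware struck."""
    def text(s):
        return (s * 40).encode()
    base = {
        "docs/report.docx": b"PK\x03\x04" + text("Q3 revenue summary. "),
        "docs/design.pdf": b"%PDF-1.4 " + text("architecture notes "),
        "img/logo.png": b"\x89PNG\r\n\x1a\n" + text("pixels "),
        "notes.txt": text("meeting notes "), "todo.txt": text("todo items "),
        "budget.csv": text("item,cost\n"), "plan.txt": text("roadmap "), "memo.txt": text("memo "),
    }
    snaps = [dict(base)]
    s1 = dict(snaps[-1]); s1["notes.txt"] += b"\nfollow-up"; snaps.append(s1)
    s2 = dict(snaps[-1]); s2["todo.txt"] += b"\ndone"; del s2["memo.txt"]; snaps.append(s2)
    s3 = dict(snaps[-1]); s3["draft.txt"] = text("draft "); snaps.append(s3)
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    s4 = dict(snaps[-1])
    for path in ["docs/report.docx", "docs/design.pdf", "img/logo.png", "notes.txt", "budget.csv"]:
        s4[path] = bytes(rng.getrandbits(8) for _ in range(1024))  # overwritten in place
    for path in ["todo.txt", "plan.txt", "draft.txt"]:
        s4[path + ".locked"] = bytes(rng.getrandbits(8) for _ in range(1024))
        del s4[path]  # original gone, encrypted copy written under a new name
    snaps.append(s4)
    return snaps


if __name__ == "__main__":
    events, clean = analyze(build_sample_snapshots(), "alice", "LAPTOP-01")
    print("\n".join(events))
    print(f"restore from snapshot #{clean}")
```

The baseline is deliberately per-user and per-device: a developer who routinely deletes build output should not trip the same absolute threshold as a sales user, which is why the history of earlier snapshots, not a fixed count, drives the decision once enough snapshots exist.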

inSync’s anomaly detection capabilities are just one of the many steps we are taking to make Druva’s product offerings more valuable for information security teams. Along with proactive compliance, anomaly detection will further enhance visibility into end-user data and provide an automated system to proactively track, monitor, and notify IT administrators of potential data risks.

Recommendations to Move Forward:

Register for our webinar How to Protect and Recover from Ransomware

Visit the Anomaly Detection Solutions Page