RadarFirst Blog

Building a Ransomware Response Machine

Highlights:

  • When threats occur, when is it too late for an organization to identify risk as ransomware?
  • The importance of building a ransomware response machine
  • Privacy efficiency checklist: how does your program stack up?

Read more below.

ransomware identification | radarfirst

A Discussion of Ransomware Identification, Response Automation, and Recovery Planning.

This month, security and privacy experts from RadarFirst, ServiceNow, Rubrik, ConfigureTek, and CrowdStrike met in part of an ongoing series to discuss the vital organizational components to timely crisis response. View the full series here.

In the face of increasing risks associated with ransomware, responding to threats with machine speed may spell the difference between costly downtime and ransom payments or a manageable recovery. Expertise in this area comes from a combination of precise, continuous, and purpose-built process automation tools, and a thoroughly practiced crisis management plan.

“Whether you get hit with ransomware or a tornado, you have to be able to recover as quickly as possible. This is where business continuity plans come into play. If we can make the decision fast enough we can take action to stop the propagation of ransomware across the organization.” -Shannon Lake, President ConfigureTek

To best equip your organization for mitigating risk through human error, your crisis playbook has to be prescriptive and tested so teams are ready to respond when security events occur.

Machine-Speed to Crisis Decisioning

When a threat occurs, when is it too late for an organization to identify risk as ransomware?

Per panel experts, the timeline to identify the risks of specific ransomware may be as high as 12-24 hours post-attack in order to avoid risk.

In that short window, your organization must have the tools and automation processes in place to assess the scope of the attack and to signal the necessary responses. So, before disaster strikes, organizations need to secure stakeholder buy-in to ensure all necessary parties know who is responsible to take action when the clock is ticking.

Executive Keys and Privacy Ignition

As reported earlier this year, ransomware events are executive-level issues that are commonly included in investor 10K annual reports. When attacks occur, employees, customers, and even supply chains are affected and each creates a compounding force of legal requirements surrounding disclosure.

Of course, it’s easy to see once you get hit by a ransomware threat that investment into incident response prevention is cheaper than the resulting damage. So before such events occur, ask what conversations are happening in the boardroom?

“There’s not a CEO or board you’re going to go to today who aren’t incredibly concerned about data being breached and what the ramifications are. This is board-level, no one wants to suffer a data breach from a ransomware attack. Reputation risk is extremely hard to quantify and really hits the bottom line.” -Doug Kruger, Vice President of Business Development at RadarFirst

With executive sponsorship paired with prepared Security and Privacy teams, you can kick off your threat mitigation and data recovery workflow. With various systems operating, the importance of bilateral communication between tools is paramount.

Your goal is for your platform to communicate a single source of truth. The sooner your tools align, the faster your time to resolution and recovery.

Building a Ransomware Response Machine

Crisis response doesn’t exist in a vacuum. In addition to executive sponsorship, all integral aspects of your operations need to take action to mitigate risk. When building your plan, make sure to include your integrations and partner portfolio.

Tight partnerships include practicing crisis plans together, identifying key data through continuous monitoring, documenting policies that are prioritized within the plan, and tying IT operations to data backups and recoveries so you have a complete picture of how everything relates to your most important information – bringing everything together into a single source of truth.

A privacy incident can occur anywhere, so collaboration between partners is crucial. Taking the integration with ServiceNow, RadarFirst serves as the triage point surrounding the investigation.

“When I look at things through a Privacy or legal lens, the first question you have to determine is if the event involved the disclosure of PII or even the loss of availability and access to that data.” -Doug Kruger, Vice President of Business Development at RadarFirst

At some point during the investigation, it may be determined a ransomware event involved the disclosure of personal data, and at that point, the incident will automatically open up in Radar, and in a matter of seconds, Radar generates a heatmap about the sensitivity of the data, the risk factors, and the jurisdictions involved and exchanges information between ServiceNow or other integrations so breach notification decisions can be made quickly, giving the organization faster time to recovery.

Through ServiceNow, Radar process automation of incident risk assessment occurs at the press of a button.

Ransomware the Catalyst

While ransomware continues to drive headlines the opportunity presented to organizations isn’t just to solve ransomware but to solve automation deficiencies. After all, if the time it takes to recover is too long organizations may payout to attackers just to be safe.

From stakeholder support to actionable plans and practices teams, crisis response is an organizational sport. Ransomware attacks that make the news aren’t driven by single bad actors operating alone, they’re operationalized by nation-states and organized crime with full commitment to getting your data. They know how corporate data architecture is structured and will stop at nothing to reach their goal.

Regardless of the attack’s success, resources devoted to mitigating risk cause serious downtime for organizations and the value in getting back up to speed is paramount.

How do you prepare for ransomware attacks?

  1. Have a strong security incident response plan in place to identify when you’re being hit
  2. Establish and practice a ransomware response plan to operationalize business continuity
  3. Understand that during a privacy breach it is of the utmost importance to leverage analytic capability to automate risk assessment and determine breach notification obligations. Tie all these pieces together so you have an organizational response that operates at machine-speed.

Privacy Efficiency Checklist

When the clock’s ticking, having a streamlined and consistent privacy incident response plan can mean the difference between timely resolution and costly fines or ransom payouts. Download our interactive checklist to see how your program stacks up today.

You may also be interested in:

Topics: Incident Response Management