Using AI to deal with ransomware attacks [Q&A]
Ransomware is a particularly heartless -- though undeniably lucrative -- endeavor. Criminals target schools, vital infrastructure, and even patient records in attempts to cash in. As a result, many security professionals put defensive ransomware strategies at the top of their to-do list.
Understandably, most of these strategies start with measures that minimize the footholds attackers can find. Checking inbound emails for ransomware payloads, giving users training on safe internet usage, and monitoring the network for suspicious activity are essential elements of an effective anti-ransomware strategy.
But they go only so far. Emerging AI-based data governance solutions, including one launched recently by Concentric, offer an additional weapon in the battle against ransomware: situational awareness informed by deep insights into content. Concentric CEO Karthik Krishnan tells us more about how they work.
BN: We see a lot of talk about malware defenses and protecting against ransomware. Where are the gaps, and what aspects of security would you say are being overlooked?
KK: Security pros use defense-in-depth strategies to think about every cyber threat, and ransomware is no exception. The ransomware depth chart has good malware prevention and data recovery options, but least-privilege access governance -- especially at the data level -- isn't as mature. Access governance programs aren't, for example, nearly as ubiquitous as anti-malware tools. That's because legacy access governance approaches rely heavily on rules and policies, and many organizations who go down that path end up with a maintenance nightmare. Better content awareness and access governance tools would help keep ransomware damage to a minimum.
BN: Why is content awareness so important as a step in combating ransomware?
KK: Understanding where business-critical data is and who can access it is essential if you want to protect it. Multi-layered defense strategies need to consider not just prevention and recovery, but damage mitigation and assessment as well. What will happen if an attacker successfully infiltrates the network? How much access will they have, and will you know what's been compromised?
Knowing what you have, where it's stored, and who has access to it helps answer these questions. Content awareness prepares you for an eventual attack in two ways. First, you'll be able to lock down file access to limit what an attacker can see and modify. That can prevent an attack’s spread and protect data from unnecessary risk exposure. Second, content awareness makes forensics analysis more straightforward and accurate during and after the attack. Knowing what's been compromised provides critical situational awareness that helps you make better decisions in the heat of the attack. It can also speed your recovery and give you a better negotiating position should you decide to consider a ransom payment.
BN: Why is it so hard to protect today's data-heavy structured and unstructured data environments?
KK: We're witnessing a long-term trend towards user empowerment across a broad front in information technology. Cloud services make file sharing simple, which puts end-users in charge of data access decisions that would have been under much tighter control just a few years ago.
As you might imagine, that creates problems. Even though the IT organization owns data security, they aren’t content experts. You can't expect them to understand the business criticality of a random contract or business plan (much less who should or shouldn’t have access to it). We’ve tried asking end-users to classify their own documents, but success has been spotty at best. We've tried using rules and pattern matching to automate data discovery, but that turned out to be far more complicated than anyone thought.
That’s where we find ourselves today. Typical organizations have tens of millions of documents in play. Roughly 12 percent of those documents are sensitive or strategic, but finding and protecting them is effectively impossible. Structured data, while a bit easier for an IT team to understand, also suffers from a discoverability problem, especially when finding which databases contain private or regulated data. There’s also the problem of structured-to-unstructured data 'leakage' when users extract data into spreadsheets or hand it over to third parties for analysis.
BN: What makes Concentric's ransomware solution different?
KK: Concentric uses artificial intelligence to autonomously and accurately find and assess business-critical data. That means security professionals don't need to create and maintain complex rules and policies, and there’s no need to lean on end-users for help. And that means data discovery, risk assessment, and least-privileges access control are finally within reach -- even for small, staff-constrained IT teams.
BN: How can this help to ensure organizations are able to quickly detect and defend against ransomware?
KK: Content awareness brings two capabilities to the table for ransomware defenders. With Concentric, you can implement and maintain a comprehensive, accurate least-privileges access control program. Essentially, we help you lock your interior doors, making data exfiltration and lateral movement much harder for an attacker. Content awareness also provides critical situational awareness when you need it most. You can act more quickly to protect existing data and assess the damage after the attack. It can even help you decide how much -- or if -- you'll pay in ransom.