The RSA Conference 2022 was in full gear in June. It was back to an in-person event, and it was packed. I was a first-time attendee. I have been to other major events, such as Microsoft Ignite, so I thought I knew what to expect. In a way I was both right and wrong.
RSAC had a true community feel to it. Competition was heavy in the Expo, but the sessions were completely vendor agnostic. The presenters simply wanted to educate about cybersecurity, the latest trends, and best practices for understanding the threats we all face, regardless of the organization you work for or the security platform you use.
Now that I have had a few weeks to digest the massive amount of information shared, I want to pass along several lessons and trends I felt were important to emphasize. I am presenting this in three parts so you have a better opportunity to digest it, just as I needed after a week of information dumps.
Let’s start with the elephant in the room.
Ransomware came up in almost every session, and it is top of mind for almost every cybersecurity professional. Ransomware incidents have grown sharply year over year; some presenters cited increases of more than 1000%. Contributing factors cited include malicious apps impersonating popular ones (TikTok was the example given) and malicious email; phishing incidents were put at around 250,000 last year. Backups are also more exposed than ever, because attackers increasingly go after them first so that recovery is not an option. How do we stop this?
First, most ransomware incidents are preventable. Moving from a flat network to a zero-trust model goes a long way. The first two priorities for zero trust should be devices and identity: verify that both the device and the identity are healthy before granting access to your assets. A healthy device has an up-to-date OS, no active threat or risk detections, encrypted drives, application control, and device integrity attestation. A healthy identity has multi-factor authentication, access and session controls, and no active risk signals (for example, no leaked credentials or anomalous sign-ins).
Unmanaged devices are another vector that is becoming harder to handle. They are a high-risk entry point for attackers, but a necessity for organizations with a BYOD policy. While you cannot achieve the same level of attestation for these devices, additional policies can reduce the overall risk: session controls that limit what an authenticated session is allowed to do (for example, browser-only access with downloads blocked), requiring supported apps configured with data loss prevention (DLP) and encryption, and network segmentation that limits how far these devices can roam on your network.
Ultimately, a zero-trust model assumes we will be breached at some point regardless of environmental hygiene. We should not rely solely on backups (what happens when they get encrypted too?). Supply chain attacks are nearly impossible to prevent because they typically start many hops upstream of your organization. That is why every organization needs an incident response plan. If you have one, do not panic: enact it as practiced (you have practiced it, right? Tabletop exercises, anyone?). A few additional tips to consider in an active situation:
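The two paragraphs above describe an access decision, not just a checklist: identity is evaluated first, a managed device must prove its full posture, and an unmanaged BYOD device gets a restricted session rather than a flat allow or deny. The following is an added example written for this post, not code from the original or from any Microsoft product; the signal names (`mfa_passed`, `attestation_valid`, the session-control keys, and the 30-day patch window) are assumptions chosen for illustration, not the fields of a real policy engine.

```python
"""Added example: a minimal zero-trust access decision that checks identity
health first, then device health, and falls back to a restricted session for
unmanaged (BYOD) devices.  Signal names and thresholds are illustrative
assumptions, not any vendor's schema."""
from dataclasses import dataclass, field

@dataclass
class Identity:
    user: str
    mfa_passed: bool
    risk_level: str = "none"          # assumed values: none | low | medium | high
    leaked_credentials: bool = False


@dataclass
class Device:
    device_id: str
    managed: bool                      # enrolled in MDM / joined to the directory
    os_patch_age_days: int = 0
    disk_encrypted: bool = False
    app_control_enforced: bool = False
    attestation_valid: bool = False    # a valid device-integrity attestation claim
    active_threat: bool = False


@dataclass
class Decision:
    outcome: str                       # "allow" | "limited" | "deny"
    reasons: list = field(default_factory=list)
    session_controls: dict = field(default_factory=dict)


MAX_PATCH_AGE_DAYS = 30   # assumption: an OS unpatched for >30 days is unhealthy


def identity_problems(ident: Identity) -> list:
    """Return the identity's health problems (empty list means healthy)."""
    problems = []
    if not ident.mfa_passed:
        problems.append("mfa not satisfied")
    if ident.leaked_credentials:
        problems.append("credentials found in a leak")
    if ident.risk_level in ("medium", "high"):
        problems.append(f"identity risk is {ident.risk_level}")
    return problems


def device_problems(dev: Device) -> list:
    """Return the device's health problems against the full managed posture."""
    problems = []
    if dev.active_threat:
        problems.append("active threat detected on device")
    if dev.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append("os not patched within policy window")
    if not dev.disk_encrypted:
        problems.append("disk not encrypted")
    if not dev.app_control_enforced:
        problems.append("application control not enforced")
    if not dev.attestation_valid:
        problems.append("device integrity attestation missing or invalid")
    return problems


def evaluate_access(ident: Identity, dev: Device) -> Decision:
    # 1. Identity first: a risky identity is denied whatever device it uses.
    problems = identity_problems(ident)
    if problems:
        return Decision("deny", problems)
    # 2. Managed device: the full health posture is required for full access.
    if dev.managed:
        problems = device_problems(dev)
        if problems:
            return Decision("deny", problems)
        return Decision("allow", ["identity healthy", "managed device healthy"])
    # 3. Unmanaged device: an active threat is still a hard stop ...
    if dev.active_threat:
        return Decision("deny", ["active threat detected on device"])
    # ... otherwise grant a restricted session instead of refusing BYOD outright.
    return Decision(
        "limited",
        ["identity healthy", "device unmanaged: posture cannot be attested"],
        session_controls={
            "browser_only": True,          # no native client, no offline sync
            "block_download": True,        # DLP: view in the browser, no exfil
            "sign_in_frequency_hours": 1,  # short session before re-auth
            "network_segment": "byod-guest",
        },
    )


if __name__ == "__main__":
    alice = Identity("alice", mfa_passed=True)
    laptop = Device("lt-01", managed=True, os_patch_age_days=3, disk_encrypted=True,
                    app_control_enforced=True, attestation_valid=True)
    print(evaluate_access(alice, laptop))
    print(evaluate_access(alice, Device("phone-77", managed=False)))
```

Note the ordering: the limited-session branch only exists because identity health has already been proven, so BYOD never becomes a way around MFA, and an endpoint with an active threat detection is refused even when unmanaged.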
- Verify your backups as quickly as possible: confirm they exist, are intact, and predate the intrusion, not just that the backup job reported success.
- Do not shut down affected systems; doing so destroys volatile evidence (memory, active connections) that the incident response process depends on. Isolate them from the network instead.
- Do not assume you are finished once backups have restored systems. Restoring is not the same as evicting the attacker: the initial entry point, persistence mechanisms, and stolen credentials must still be dealt with before the breach is closed.
- Do not restore onto the same hardware if you can avoid it, so the compromised hosts remain available for forensic analysis and nothing persisting on them is carried forward.
- Do consider engaging professional incident response services.
- Do consult legal, law enforcement, and your insurance provider; this is not just an IT problem.
- Continue monitoring heavily after the breach to discover any additional back doors or entry points.
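"Verify your backups" in the first tip means more than checking that files are present. The following is an added example for this post (not code from the original or from any backup product) showing what a concrete check looks like: compare each backup file against a hash manifest recorded at backup time, and flag modified files whose byte entropy looks like ciphertext. The sample backup set, the manifest, and the simulated ransomware run are all constructed inline; the 7.5 bits-per-byte threshold is an assumption.

```python
"""Added example: verify a backup set against a trusted hash manifest and
flag files that appear to have been encrypted.  All data is constructed
inline so the script runs offline."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # assumption: office docs / text sit well below this


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]. Encrypted (or compressed) data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(files: dict, manifest: dict) -> dict:
    """files: {name: bytes} read from the backup; manifest: {name: sha256 hex}
    recorded when the backup was taken and stored where an attacker on the
    network cannot rewrite it (offline or immutable storage)."""
    report = {"ok": [], "missing": [], "modified": [], "suspicious": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in files:
            report["missing"].append(name)          # deleted or never backed up
            continue
        data = files[name]
        if sha256_hex(data) != expected:
            report["modified"].append(name)
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                report["suspicious"].append(name)   # modified AND looks encrypted
        else:
            report["ok"].append(name)
    for name in files:
        if name not in manifest:
            report["unexpected"].append(name)       # ransom notes, attacker tooling
    return report


def backup_is_trustworthy(report: dict) -> bool:
    """Only a backup with no missing, modified or unexpected files is usable."""
    return not (report["missing"] or report["modified"] or report["unexpected"])


def _keystream(n: int, key: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) so the
    simulated encryption below is reproducible. Not a real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def build_sample():
    """Constructed data: a clean backup set with its manifest, and the same set
    after a simulated ransomware run that encrypted one file, deleted another,
    and dropped a ransom note."""
    plaintext = (b"Quarterly report: revenue up 4%, headcount flat. " * 90)[:4096]
    originals = {
        "finance/q2_report.docx": plaintext,
        "hr/policy.txt": b"Employees must use MFA for all remote access.\n" * 50,
        "it/dns_zone.txt": b"$ORIGIN example.com.\nwww IN A 203.0.113.10\n" * 40,
    }
    manifest = {name: sha256_hex(data) for name, data in originals.items()}
    key = _keystream(len(plaintext), b"attacker-key")
    after_attack = dict(originals)
    after_attack["finance/q2_report.docx"] = bytes(p ^ k for p, k in zip(plaintext, key))
    del after_attack["hr/policy.txt"]
    after_attack["README_TO_DECRYPT.txt"] = b"Your files are encrypted. Contact us.\n"
    return originals, manifest, after_attack


if __name__ == "__main__":
    originals, manifest, after_attack = build_sample()
    print("clean set trustworthy:", backup_is_trustworthy(verify_backup(originals, manifest)))
    report = verify_backup(after_attack, manifest)
    for key, names in report.items():
        print(f"{key:10s} {names}")
    print("attacked set trustworthy:", backup_is_trustworthy(report))
```

Two caveats a practitioner should keep in mind. The entropy heuristic on its own is not evidence of encryption, because archives and already-compressed formats also sit near 8 bits per byte; that is why the script only flags files that also fail the hash check. And a clean report tells you the backup is intact, not that it predates the compromise: if the manifest lives on the same network share as the backups, the attacker can rewrite both, so the manifest has to be kept offline or on immutable storage.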
Microsoft has both the strategies and the tools to help you protect your environment from ransomware attacks, and to detect and respond when they do occur.
It is not a single solution or a one-size-fits-all design, though. We need multiple layers of protection and best-practice configurations, while still being considerate of user productivity. Enabling Technologies' Threat Hunter solution can help you plan and deploy the Microsoft 365 E5 Security suite along with Microsoft Sentinel to tailor the protection, detection, and response your organization needs.
In the next part, I will provide a few newer trends that should be considered when developing a cybersecurity strategy.
Enabling Technologies can help you prepare for moving to the cloud based on Microsoft best practices, with an environment that is both secure and productive. You can find out more in the Security section of our website.