Accelerate ransomware detection and response with AlienVault Unified Security Management (USM)—an all-in-one security essentials solution with integrated threat intelligence that helps you to detect ransomware sooner to minimize the spread of infection.
Ransomware is a top security concern for organizations today. Malicious actors continue to develop new techniques and strategies to trick victims into downloading and installing ransomware on their systems, and many IT teams are ill-equipped to respond.
Ransomware is a type of malware that encrypts files on a system, making them inaccessible until you pay a ransom (usually in the form of a cryptocurrency like bitcoin or prepaid cash cards) in exchange for the decryption key. Given the complexity and variety of new ransomware threats emerging daily, it can be difficult for IT teams of any size to figure out how to detect ransomware and respond to it while managing the rest of their cybersecurity needs.
AlienVault® can help. Unlike alternatives, AlienVault Unified Security Management® (USM) simplifies and accelerates threat detection so that IT teams can quickly respond to ransomware threats and contain outbreaks with targeted, automated, and orchestrated defense. AlienVault USM empowers IT teams with complete visibility into their entire risk surface by unifying security monitoring across cloud, on-premises, and hybrid environments.
As ransomware activity patterns evolve, the AlienVault Labs Security Research Team and the Open Threat Exchange™ (OTX™) keep the USM platform up to date with continuous and automatic threat intelligence updates. This threat intelligence includes the latest threat indicators, vulnerabilities, and response guidance. It is fully operational and ready to use, so organizations of all sizes can quickly detect and contain ransomware activity without having to spend time researching emerging threats or writing correlation rules.
In addition, AlienVault USM delivers advanced security orchestration and automation capabilities, as well as out-of-the-box integration with leading third-party security tools like Palo Alto Networks, Carbon Black, and Cisco Umbrella. So, you can plan and execute your ransomware response activities directly from AlienVault USM, saving you precious time and effort.
AlienVault USM delivers the essential security capabilities needed for ransomware detection:
Threat detection or threat monitoring tools provide a critical layer of defense against ransomware attacks. Real-time detection and rapid response are crucial to your ability to contain a ransomware outbreak and to limit its impact. This extends to everywhere you’ve deployed assets, whether in on-premises physical or virtualized infrastructure, in public clouds such as Microsoft Azure or Amazon Web Services, as well as cloud applications like Microsoft Office 365 and Google G Suite.
AlienVault USM centralizes threat detection of your critical environments and cloud apps, making ransomware detection and response both fast and easy. AlienVault USM delivers multiple layers of ransomware detection and correlates events from across your data sources, giving you complete visibility of your security posture at all times. Once a threat has been detected, AlienVault USM alerts you and gives detailed information about the threat, attack method, and affected asset(s), as well as guidance about how to respond, so you can react quickly and effectively.
Asset discovery monitors your on-premises and cloud environments for new assets, identifying new systems and devices that need to be monitored and assessed for vulnerabilities that ransomware could exploit. Because ransomware downloaded by a single user can easily spread across your entire environment, it’s important to have visibility into all of the assets in your critical infrastructure; an unknown host is one you cannot patch, monitor, or isolate.
AlienVault USM continually scans your environments to detect vulnerabilities that attackers could exploit in a ransomware attack. The USM platform ranks vulnerabilities by severity so that you can prioritize your remediation efforts.
Intrusion detection analyzes network traffic to detect signatures of known ransomware and communications with known malicious servers. Using field-proven IDS technologies, AlienVault USM identifies attacks, malware, policy violations, and port scans that could be indicators of malicious activity throughout your environments.
Behavioral monitoring analyzes system behavior and configuration status to identify suspicious activity and potential exposure. This includes the ability to identify changes to critical system and application files, as well as modifications to the Windows Registry, of the kind ransomware makes to persist on a host and launch its encryption engine.
Using machine learning and state-based correlation, the USM platform analyzes a large number of seemingly unrelated events across disparate systems to pinpoint the few events that are truly important. The AlienVault Labs Security Research Team regularly updates the USM platform with ransomware-specific correlation rules that identify a range of behaviors indicative of a ransomware infection, including downloading the ransomware file, systems attempting to connect to a command-and-control (C&C) server and post data, multiple failed connections from a system attempting to reach a domain (or multiple domains) within a narrow time window, and more.
The USM platform automates the centralized collection and normalization of events and logs from devices, servers, applications, and more across your on-premises and cloud environments, as well as from cloud applications like Office 365. This data is centrally retained for at least one year, which supports compliance requirements and forensic investigations into attacks that were only recently discovered but whose earlier activity must be reconstructed from historical data. Centralized collection also supports investigation: analysts can run search queries across all collected data, and can run any of the built-in and customizable reports, for example to demonstrate compliance with standards like PCI DSS or for regular review of security events and activities.
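The two correlation behaviors named above (a burst of failed connections from one host within a short window, and a file download followed by a post to a known C&C indicator) can be expressed as small stateful rules. The following is an added, self-contained example and not code from the USM platform; the log format, the host names, the domains and the `C2_INDICATORS` list are all constructed for illustration, and the thresholds are arbitrary defaults rather than AlienVault's.

```python
"""Toy state-based correlation over constructed connection-log lines.

Rule R1: a host makes at least `threshold` failed outbound connections
         (to one or more domains) within `window` seconds.
Rule R2: a host downloads a file and then posts to a known C&C indicator
         within `window` seconds of the download.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed indicator list standing in for a threat-intel feed (not OTX data).
C2_INDICATORS = {"update-check.example.net"}


@dataclass(frozen=True)
class Event:
    ts: datetime   # event time
    host: str      # internal asset that generated the event
    kind: str      # "conn_fail" | "download" | "http_post"
    domain: str    # remote domain involved


def parse_line(line):
    """Parse the constructed format: '<ISO timestamp> <host> <kind> <domain>'."""
    ts, host, kind, domain = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, kind, domain)


def failed_connection_bursts(events, threshold=5, window=60.0):
    """R1. Returns {host: (first_ts, trigger_ts, distinct_domains)} for hosts
    that exceed `threshold` failed connections inside a sliding `window`."""
    hits = {}
    per_host = defaultdict(deque)          # sliding window of recent failures per host
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "conn_fail":
            continue
        q = per_host[ev.host]
        q.append(ev)
        while q and (ev.ts - q[0].ts).total_seconds() > window:
            q.popleft()                    # drop failures older than the window
        if len(q) >= threshold and ev.host not in hits:
            hits[ev.host] = (q[0].ts.isoformat(), ev.ts.isoformat(),
                             len({e.domain for e in q}))
    return hits


def download_then_c2_post(events, window=300.0):
    """R2. Returns {host: (download_domain, c2_domain)} when a download is
    followed, within `window` seconds, by an HTTP POST to a C&C indicator."""
    hits = {}
    last_download = {}                     # per-host state carried between events
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "download":
            last_download[ev.host] = ev
        elif ev.kind == "http_post" and ev.domain in C2_INDICATORS:
            d = last_download.get(ev.host)
            if d is not None and 0 <= (ev.ts - d.ts).total_seconds() <= window:
                hits[ev.host] = (d.domain, ev.domain)
    return hits


def correlate(log_text):
    """Run both rules over raw log text and return a list of alarm dicts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alarms = []
    for host, (first, last, n) in failed_connection_bursts(events).items():
        alarms.append({"rule": "R1_failed_connection_burst", "host": host,
                       "first": first, "last": last, "domains": n})
    for host, (dl, c2) in download_then_c2_post(events).items():
        alarms.append({"rule": "R2_download_then_c2_post", "host": host,
                       "download_from": dl, "c2": c2})
    return sorted(alarms, key=lambda a: (a["host"], a["rule"]))


# Constructed sample log. ws-17 is the infected host; ws-02 has two benign
# failures; ws-09 downloaded a file hours before its post (outside the window).
SAMPLE_LOG = """\
2024-03-04T09:01:40 ws-17 download cdn.example.org
2024-03-04T09:01:50 ws-17 conn_fail k3jd8s.example
2024-03-04T09:01:52 ws-17 conn_fail qpz01x.example
2024-03-04T09:01:54 ws-17 conn_fail m8wq2r.example
2024-03-04T09:01:56 ws-17 conn_fail v0b7nt.example
2024-03-04T09:01:58 ws-17 conn_fail zlc5ye.example
2024-03-04T09:02:00 ws-17 conn_fail h6rta9.example
2024-03-04T09:02:10 ws-17 http_post update-check.example.net
2024-03-04T09:05:00 ws-02 conn_fail mail.example.org
2024-03-04T09:05:30 ws-02 conn_fail mail.example.org
2024-03-04T08:00:00 ws-09 download files.example.org
2024-03-04T09:30:00 ws-09 http_post update-check.example.net
"""

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_LOG):
        print(alarm)
```

Both rules keep per-host state across events rather than matching each line in isolation, which is what "state-based" correlation means in practice; R1 uses a sliding window so a slow trickle of failures never accumulates into a false alarm, and R2 only fires when the two events occur in order and close together.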
Early ransomware, like Reveton (widely distributed by the Citadel trojan), simply locked you out of a system and displayed a page demanding payment. In contrast, today’s sophisticated strains of ransomware quietly encrypt your sensitive data without interrupting your normal computer usage, so you’re less likely to notice a problem until after your files have been affected. While it’s difficult to identify and halt an encryption process in progress, the sooner you detect ransomware in your environment, the better chance you have of isolating the compromised system and protecting your data, all without paying ransoms to cyber-criminals.
If your users are accessing corporate data in SaaS-delivered cloud apps like Office 365 and G Suite, it’s essential to monitor these environments to catch ransomware threats early on (e.g. phishing emails). AlienVault USM provides multi-layered intrusion detection capabilities so that you can quickly detect ransomware across your cloud and on-premises environments. In addition to security monitoring for commonly used SaaS apps, AlienVault USM delivers cloud intrusion detection for your public AWS and Azure cloud environments, as well as built-in network intrusion detection (NIDS), and host-based intrusion detection (HIDS) for your critical on-premises infrastructure. You can even integrate data from your existing IDS/IPS into AlienVault USM, allowing you to collect, correlate, and track events from a single place.
AlienVault collects, analyzes, and centralizes event data from every app, system, and environment that’s critical to your business. Because users commonly access corporate data through SaaS apps like Office 365, it becomes essential to monitor these apps to detect the early warning signs of ransomware attacks, such as a phishing email attempt. Continuous threat intelligence updates from the AlienVault Labs Security Research Team arm your defenses with advanced warning of the latest ransomware indicators.
AlienVault offers native cloud IDS capabilities to keep your AWS and Azure environments secure. USM Anywhere uses purpose-built sensors to monitor your cloud environments from the management plane (the provider’s APIs and audit logs), giving you visibility into your organization’s cloud-based activities.
On premises, network IDS sensors are deployed using a network TAP or a SPAN (mirror) port and use signature-based detection to identify ransomware and other threats to your critical systems.
With File Integrity Monitoring (FIM) built into the Host-based IDS (HIDS), AlienVault USM keeps a close watch on the files and registry of your sensitive assets and critical systems to detect when anomalous activities or file and registry changes occur.
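The file-integrity side of the behavioral monitoring and HIDS/FIM capabilities described above comes down to a baseline of file hashes and a comparison against it. The example below is added here to show that mechanism and is not AlienVault's code: it baselines a directory tree with SHA-256, simulates an encryption engine overwriting and renaming files, and reports what changed. The `.locked`/`.encrypted`/`.crypt` extensions and the `HOW_TO_DECRYPT.txt` ransom note are constructed for the demonstration, and the "mass encryption" heuristic and its `min_files` threshold are an assumption of this example, not a USM rule.

```python
"""Minimal file-integrity baseline and diff, with a ransomware-style heuristic."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, illustrative list of extensions ransomware commonly appends.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(old, new):
    """Classify changes between two baselines into added/removed/modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def looks_like_mass_encryption(delta, min_files=3):
    """Heuristic (this example's assumption): several originals disappeared and
    several new files with ransom-style extensions appeared in the same scan."""
    suspicious = [p for p in delta["added"]
                  if Path(p).suffix.lower() in RANSOM_EXTENSIONS]
    return len(suspicious) >= min_files and len(delta["removed"]) >= min_files


def run_demo():
    """Create a constructed tree, baseline it, simulate encryption, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("docs/a.txt", "docs/b.txt", "finance/q1.xlsx", "readme.md"):
            p = root / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(f"original contents of {name}\n")
        baseline = build_baseline(root)

        # Simulate the encryption engine: overwrite contents, append an extension,
        # and drop a ransom note. readme.md is left untouched.
        for name in ("docs/a.txt", "docs/b.txt", "finance/q1.xlsx"):
            p = root / name
            p.write_bytes(os.urandom(64))
            p.rename(p.with_suffix(p.suffix + ".locked"))
        (root / "HOW_TO_DECRYPT.txt").write_text("pay us\n")

        delta = diff_baseline(baseline, build_baseline(root))
        return delta, looks_like_mass_encryption(delta)


if __name__ == "__main__":
    delta, flagged = run_demo()
    print(delta)
    print("mass-encryption heuristic fired:", flagged)
```

Rehashing an entire tree on every scan is fine for a handful of critical directories but does not scale to a whole host; production FIM agents subscribe to change notifications (inotify on Linux, file-system and registry events on Windows) and rehash only what changed, which is also what lets them raise the alert while the encryption run is still in progress rather than at the next scheduled scan.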
A ransomware attack can spread rapidly across your systems and quickly render them unusable. Time is of the essence. As soon as ransomware is detected in your environment, you must move swiftly to contain the threat and prevent it from proliferating. If containment is done manually, spread across many disparate tools, or needed outside of typical working hours, your response may be delayed or too slow to contain the attack.
AlienVault USM has advanced security orchestration and automation capabilities that help you respond quickly and efficiently to threats affecting your environments, including response actions that work in alignment with third-party security tools like Cisco Umbrella, Palo Alto Networks, and Carbon Black. For example, if the USM platform detects evidence of ransomware on one of your assets, you can easily orchestrate the isolation of that system from your network through the built-in integration with Carbon Black, helping to prevent further spread of the ransomware.
The security orchestration responses available within AlienVault USM can also be automated, making your response faster and more efficient. For example, if AlienVault USM detects communication with a known-malicious domain produced by a domain generation algorithm (DGA), such as ransomware communicating with its command-and-control server, you can configure a response action that passes the domain to Cisco Umbrella, which then blocks traffic between that domain and your employees and assets.