Q&A
Beware the Ransomware You Don't Know
Don't underestimate the impact of "double extortion," warns a top Microsoft cloud security architect.
Ransomware attacks are way up; Microsoft's latest Digital Defense Report clocked a 300 percent increase in ransomware attempts since last year. Far from all are successful, but with attackers getting more sophisticated and brazen, IT security teams simply can't afford to let down their guards.
There are plenty of tools on the market to help them, of course, with Microsoft's Defender-branded family of products being among them. The problem is knowing which security solutions and strategies are best for countering which threats.
For Microsoft shops, principal cloud security solution architect Bi Yue Xu addresses precisely this challenge in her upcoming Live! 360 session titled "Protecting Against Ransomware with Microsoft Defender Solutions." As a preview of her presentation, Xu let Redmondmag grill her about the biggest hidden ransomware threats that IT needs to prepare for, and how Microsoft Defender can help them do that.
Redmondmag: What's the biggest mistake you see IT teams making today when it comes to protecting their organizations from ransomware?
Xu: One of the mistakes that IT teams make is underestimating the threat of double extortion tactics. In these attacks, ransomware threat actors not only encrypt an organization's data but also steal it and threaten to release it publicly if the ransom is not paid. Many organizations focus on data backup and recovery, neglecting the need to protect against data theft.
To counter this, IT teams should implement strong data protection measures, using a defense-in-depth approach, and ensure comprehensive incident response plans are in place.
There are multiple products in Microsoft's Defender umbrella, right? What are the ones that IT pros absolutely need to be familiar with?
Microsoft's Defender suite includes multiple products that collectively offer a more integrated and efficient approach to threat detection and response. This comprehensive solution, known as Defender XDR, correlates data from endpoints, e-mail, identities, cloud resources and more to deliver a unified view of threats across the entire organization.
The ones that IT pros absolutely need to be familiar with could be Microsoft Defender for Endpoint, Microsoft Defender for Office 365 and Microsoft Defender Threat Intelligence.
Most often, the malicious activities from attackers can be identified through endpoints. Microsoft Defender for Endpoint (MDE) provides in-depth visibility into endpoint activities and behaviors, enabling rapid detection and response to potential threats.
For attackers, the most common initial access is through phishing e-mails. Microsoft Defender for Office 365 (MDO) provides advanced protection by detecting and blocking malicious e-mails, thereby preventing threats from reaching users and enabling quick response to e-mail-based attacks.
Microsoft Defender Threat Intelligence (MDTI) is vital for threat detection, incident response and threat hunting. It provides actionable insights into threats and attack trends, helping security teams to quickly identify and recognize potential attacks. MDTI supports proactive threat hunting by providing indicators of compromise (IOCs), which serve as clues to potential malicious activity. Security teams can use these IOCs to identify and address new or hidden threats before they escalate.
What does Defender bring to the table that IT teams can't do themselves? How can Defender fit into their overall existing anti-ransomware strategy?
Microsoft Defender enhances IT teams' anti-ransomware strategies by delivering comprehensive detection and protection across endpoints, e-mail, identities, cloud resources and more. It provides advanced threat intelligence and automated response capabilities to effectively address sophisticated threats. By gathering extensive cyber telemetry data from MDE, MDO, MDI and other sources, Defender accelerates investigations, enhances visibility, supports proactive threat hunting and improves overall threat detection and response.
Can Defender help organizations consolidate the number of security solutions they use?
Definitely. Microsoft Defender XDR helps organizations consolidate their security solutions by integrating various functions -- such as endpoint protection, e-mail security, identity management and cloud security -- into a single platform. This centralization simplifies management, enhances visibility and improves threat detection and response. Defender XDR also offers unified advanced hunting capabilities, allowing security teams to proactively search for threats across all integrated solutions from a single interface.
Are there specific ransomware attacks that you think IT teams need to be especially wary of today? And what kinds of ransomware trends do you think IT needs to start preparing for now?
IT teams should be especially wary of Ransomware-as-a-Service (RaaS), which increases attack volume and variety; and double extortion tactics, where attackers not only encrypt but also steal and threaten to release sensitive data. They should also be cautious of targeted attacks on critical infrastructure, which can cause widespread disruption.
IT teams need to prepare for increasing sophistication in ransomware, including advanced evasion techniques and fileless malware. Supply chain attacks are on the rise, so strong vendor management is essential. Additionally, attackers are using more complex encryption methods, making robust backup and recovery solutions vital. Social engineering tactics, such as phishing, are becoming more prevalent, necessitating improved user training and e-mail security. Lastly, regulatory and compliance pressures require organizations to be ready for legal and data protection challenges.