One of the biggest security threats all organizations face today is ransomware, and based on how successful and lucrative certain ransomware attacks have been, all signs point to these attacks continuing and growing.
For small businesses, staying ahead of these attacks is challenging, which is why many SMBs leverage managed service providers (MSPs) to protect them from external threats. Ransomware creators know this and have also targeted MSPs to find a perfect avenue into their entire client base, drastically expanding their reach and impact. Small businesses must do their due diligence to ensure they choose an MSP that not only has the best-in-breed protection for their own systems but has a set of solutions in place to protect clients. PEI has taken this approach to our managed services packages, and I’ve summarized some of the ways we and other MSPs can provide better protection against ransomware.
Endpoint Protection & DNS Protection
Having an enterprise-grade antivirus software installed on all machines is the bare minimum all MSPs should mandate for their customers. As ransomware is a form of malware, having antivirus installed on all workstations and servers is a must, and the first line of defense.
A second line of defense is a DNS filtering solution that prevents users from accessing dangerous web pages. DNS filtering redirects users’ web traffic through a cloud-based DNS security solution, where MSPs can fine-tune and enforce policies to stop threats at the network’s edge before a user gets to the malicious site. PEI leverages a combination of Webroot Endpoint and DNS protection solutions for our MSP clients to ensure adequate protections are in place to minimize the risk of infection up front.
Advanced Email Security Solution
One primary avenue through which ransomware attacks begin is targeted email campaigns, so having a solution for organizations to minimize the risk of malicious content hitting the user’s inbox—and stopping them from accessing it should it get through—is essential. Having a spam filter is no longer sufficient, so implementing a solution offering multi-layered inspection of emails for threats is crucial. PEI leverages several solutions from Microsoft, Mimecast, and Barracuda to provide advanced protection that includes safe link protection, safe attachment protection, and anti-spoofing. In the event that a malicious attachment is sent to a user, PEI’s policies will block the user from accessing the document.
Critical Patching & Updates
Keeping systems up to date and patched is a cornerstone of minimizing the risk of ransomware. In NotPetya, one of the biggest ransomware attacks in history globally, one key avenue through which the malware took hold was unpatched Windows systems. For PEI’s managed service clients, we establish and adhere to a strict patching schedule to ensure all users and systems are up to date, without exception. We work with our clients to establish the update window to ensure business is not impacted by the updates, but do not allow organizations to delay patches at the risk of the organization.
End User Security Training
We can do everything possible to put protection in place for the IT environment, but still one of the biggest security risks in every company simply walks into the office each morning. Most employees are not cybersecurity experts and are just trying to use their devices and applications to do their job to the best of their ability.
With that, users tend to use whatever means necessary to accomplish their job quickly and easily, whether that’s sending a large file to a client using their personal email, or using a zip drive they found to download a presentation they need for a meeting. End users can have the impression that it’s the IT team’s job to protect them from all threats, so they don’t need to be conscious of their actions and how they can put the organization at risk.
For PEI’s Managed Service Clients under our Advanced Plan, we work to provide ongoing education to end users to bring awareness to the type of threats out there, increase knowledge on how to identify attacks, and provide ongoing testing to ensure users are learning. The ongoing testing is done through attack simulations, where carefully crafted attack emails are sent to users. Users can then be tracked on whether or not they opened the email or clicked the link/attachment, as well as if the user entered credentials in a false login page. We use this information to help reward and congratulate users that are identifying threats correctly and drive additional training to the users that need more help.
Ensure Good Backups are Occurring
Even with all of the protections above in place, there is still the possibility of being infected by ransomware. With that, there are still ways that a good MSP minimizes the impact of the infection. An enterprise-class backup solution is paramount to ensuring that critical data can be restored in the event of a ransomware attack. PEI’s managed service clients all have access to both local and cloud-based backup for local systems as a part of our packages.
Additionally, an often-overlooked piece of the equation is providing backups for cloud applications, such as Office 365. Despite the measures Microsoft takes to protect their environment, should a user upload a malicious file into OneDrive or SharePoint, the ransomware could encrypt all files it has access to. It has now become a necessity for clients that leverage these workloads to have a cloud-to-cloud backup solution in place to restore from in the case of an infection. PEI’s managed services clients have access to cloud-to-cloud backup solutions provided by Veeam and/or DropSuite for backing up their Office 365 and local systems.
Monitoring & Automated Response
As an MSP is external to their client environments, their ability to monitor activity remotely and put procedures in place to automatically respond to threats is fundamental in protecting clients from a ransomware outbreak. For PEI’s managed services clients under our Standard and Advanced Plan, we install an agent with policies set up specifically to react to ransomware attacks. The three primary policies we use are as follows:
- Alerting for any event that clears the Event Log. This is a large red flag often performed by ransomware that buries itself so it can attack later
- Policy enforced to disable EXE running from %AppData%. This prevents the ransomware from launching within the AppData folder, stopping it in its tracks
- Enabled our Monitor for Ransomware Attacks policy. If an attack does occur, this policy will open a ticket in our system for us to isolate that machine, run an AV Scan, and even protect shadow copies by disconnecting the infected machine from them, in a matter of seconds
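The first two policies can also be watched for from exported Windows event records; the sketch below is an added example, not PEI's agent policy or any vendor's code. It assumes process-creation auditing (event 4688) is enabled and that events have been flattened into dictionaries with the hypothetical keys `host`, `channel`, `event_id` and `image`.

```python
import re
from collections import defaultdict
from ntpath import normpath

# Windows event IDs: 1102 = Security audit log cleared, 104 = another log
# cleared (reported in the System channel), 4688 = process created.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
PROCESS_CREATED = ("Security", 4688)

# Any .exe under a user profile's AppData tree (Roaming, Local, LocalLow).
APPDATA_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\.+\.exe$", re.IGNORECASE)


def classify(event):
    """Return an alert name for one flattened event record, or None."""
    key = (event["channel"], event["event_id"])
    if key in LOG_CLEARED:
        return "event-log-cleared"
    if key == PROCESS_CREATED:
        # Normalise first so "AppData\..\Documents" is not counted as AppData.
        image = normpath(event.get("image", ""))
        if APPDATA_EXE.match(image):
            return "exe-launched-from-appdata"
    return None


def triage(events):
    """Group alert names by host; a host showing both signals goes first."""
    by_host = defaultdict(set)
    for event in events:
        alert = classify(event)
        if alert:
            by_host[event["host"]].add(alert)
    return dict(by_host)


# Constructed sample records (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "channel": "Security", "event_id": 4688,
     "image": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"host": "WS-014", "channel": "Security", "event_id": 1102},
    {"host": "WS-020", "channel": "Security", "event_id": 4688,
     "image": r"C:\Program Files\Vendor\app.exe"},
    {"host": "WS-020", "channel": "Security", "event_id": 4688,
     "image": r"C:\Users\bob\AppData\..\Documents\tool.exe"},
    {"host": "WS-031", "channel": "System", "event_id": 104},
]

if __name__ == "__main__":
    for host, alerts in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, sorted(alerts))
```

Legitimate software also runs from AppData, so an alert here is a prompt for review rather than proof of infection.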
As you can see, there’s no perfect solution in place to prevent ransomware, so it’s the responsibility of SMBs to choose the right provider that will provide protection across all the attack vectors. If you feel your current managed services provider is not adequately addressing the areas above, please reach out to PEI and we’d be happy to discuss how our packages can provide your organization with the proper protection and support. Give us a call at (303) 786-7474 or email firstname.lastname@example.org and someone will reach out to you shortly.
Martin Feehan, Director of Client Relations