All of the ransomware variants currently infiltrating the market can be blocked with one simple technique: whitelisting.
The trick that some organisations may be missing is to minimise the admin overhead of setting up a whitelist while ensuring that the vetting of software and privileges is maintained.
This Ransomware-As-A-Service trend also highlights common weaknesses of traditional (signature-based) defences such as anti-virus, which can never realistically keep up with the number of ransomware variants.
Artificial Intelligence and/or Machine-Learning-based techniques are much more viable and effective methods of response, but it’s still a cat-and-mouse game as the algorithms used by them try to outpace the ransomware creators.
IT would love to put a “magic agent” on every endpoint that somehow detected and prevented malicious activity without actually having to limit the user in any way – there was a flood of vendors promising that at RSA this year. The technology has definitely improved, but there is still no clear silver bullet unless you are willing to restrict your users.
The only foolproof solution is to explicitly list what a user can do, and where it can come from – whitelisting. It may sound draconian, but there are self-service and service desk tools to manage exceptions and limit user impact and resistance. We have seen this deployed throughout enterprise customers, and where users are working with any corporate equipment they accept that there are limitations for security and compliance purposes – as long as the IT team responds quickly when an application is needed for a legitimate business purpose.
By Jon Rolls, Vice President of Product Management at Ivanti