Microsoft recently released a report, Cyber Signals, detailing recent trends in the ransomware sphere, most notably the rise of the ransomware-as-a-service (RaaS) economy. RaaS groups, instead of doing the attacking themselves, are selling the toolkits and information necessary for other criminals to perform successful attacks.
In light of these trends, Microsoft has suggested some preventive measures you can take within your Microsoft 365 toolset to protect your environment against ransomware. However, if you’re like most organizations out there, you have tools outside the Microsoft suite. In this blog, we’ll review the recommendations from the report and how to supplement your ransomware strategy beyond just Microsoft tools using the ReliaQuest security operations platform, GreyMatter.
Microsoft Ransomware Prevention Recommendations
Microsoft’s recommendations focus on three key areas: credential hygiene, visibility, and tool management.
The big recommendation here is multi-factor authentication (MFA). The tech giant advises that organizations implement a zero-trust policy, requiring MFA “on all devices, in all locations, at all times” using Microsoft Authenticator or other tools like FIDO keys. You should also apply this strategy to the cloud in addition to your on-prem resources, Microsoft says, since attackers are increasingly targeting cloud assets.
Network segmentation is key to preventing lateral movement. In its recommendations, Microsoft emphasizes the importance of developing a logical segmentation of your networks, so that if the worst happens, you can efficiently shut down the affected areas and limit spread. Microsoft offers multiple features within Azure to help you do this, including Network Security Groups, Web Application Firewall, and various password and access tools.
In addition to bolstering your protections, Microsoft suggests implementing a regular audit for compromised credentials so security teams can quickly isolate accounts that show evidence of compromise before things get out of hand. There are a number of tools out there to help you do this, including the open-source BloodHound. But be wary—attackers also use it to their advantage.
Increasing Visibility by Eliminating Blind Spots
Blind spots continue to plague security organizations. Recent research by the Ponemon Institute shows that 58% of security leaders cite “lack of visibility and blind spots in coverage” as the number-one difficulty with protecting business assets. And when a potential attacker or RaaS “access broker” gets wind of a blind spot, it can mean big money for them and big losses for their target.
So, it makes sense that Microsoft would list addressing blind spots as a key measure in preventing ransomware, and they cite the proper installation and maintenance of security products as the best way to do that. And, of course, they list several of their own tools to help address blind spots, including Microsoft Defender Antivirus, 365 Defender, Defender for Endpoint, and Defender for Identity.
Most companies employ several security tools to help them protect their assets and optimize their security operations, which broadens the attack surface and introduces more opportunity for error. Microsoft recommends following these steps to help protect your organization from ransomware infections via your tooling:
- Regularly patch all operating systems, applications, browsers, and other software with the latest updates.
- Regularly back up important data to an offsite storage location or another cloud service that is not connected to your network. This includes databases, email servers and other mission-critical applications.
- Configure your firewalls to block all unnecessary incoming connections from outside of your network.
- Limit access to certain commonly exploited programs like remote desktop apps.
Microsoft Defender for Endpoint provides a threat and vulnerability management capability that can help Microsoft users identify and repair vulnerabilities.
Going Beyond Microsoft
The advice provided in Cyber Signals is on-point. However, most organizations have security tools that reside outside the Microsoft 365 E5 ecosystem, including SIEMs, firewalls, and EDRs. Microsoft provides powerful capabilities within its software set—ReliaQuest GreyMatter amplifies those capabilities to cover your non-Microsoft tools, too.
At ReliaQuest, we’ve built our security operations platform, GreyMatter, to integrate with any tool you already have—including but not limited to the Microsoft 365 E5 suite, so you are protected from end to end and can manage all your security tools in one platform.
GreyMatter uses robust automation and innovative technology to extend the protections recommended above to any tool you’re already using. With bi-directional integrations, GreyMatter can communicate to and from your security tools, providing greater visibility across your network and better insights into tool performance. It also allows GreyMatter to ensure your tools are constantly up to date.
And, with our recent acquisition of Digital Shadows (now ReliaQuest), we can search the dark web for any indication that your credentials or other assets have been leaked or otherwise compromised and to help you quickly take action to address threats to your organization.
With ReliaQuest GreyMatter, you can gain true protection across your ecosystem, whether you’re an exclusively Microsoft shop or not.