Tackling ransomware with a data-centric cyber resilience approach

Data has never been more valuable or vulnerable in today’s landscape. It is the lifeblood of many organisations today – powering operations, fuelling innovation and creating exceptional experiences.

However, as organisations’ dependency on data grows, so does ransomware’s debilitating impact. A Sophos survey revealed that nine in 10 attacks undermined an organisation’s ability to operate.

On average, it takes a month to recover from a ransomware attack while the organisation only recovers 61% of its data even if the ransom was paid.

What’s equally worrying is that ransomware and extortion cases in Malaysia increased by 37.5% in 2022 as threat actors start to utilise more aggressive tactics to pressure organisations.

Ransomware’s rise as the most “fashionable” form of cybercrime coincides with the growth of digital transformation and innovation – when data infrastructures often span both on-premises and multiple cloud environments, complicating data protection, security and compliance.

In a move to bolster Malaysia’s resilience and response to cyber threats, Prime Minister Datuk Seri Anwar Ibrahim announced back in June 2023 that there is a Cyber Security Bill being drafted, signifying Malaysia’s proactive approach in fortifying its cyber landscape.

This strategic move is imperative, given the mounting prevalence of ransomware attacks as Malaysia and the world continues to digitalise.

However, as the frequency and sophistication of ransomware attacks continue to escalate, organisations need a coordinated, multi-layered strategy to protect their most valuable asset – data – before it’s too late.

Cyber resilience

Cyber resilience combines data protection with data security so that organisations can swiftly respond to and recover from ransomware and other data security threats. Its aim is not to prevent every intrusion, but to stop an intrusion from disrupting business operations by protecting the data itself.

Cyber resilience starts with a solid foundation of data protection that includes high-availability architecture with redundant components and mirrored data sets, focusing on disaster recovery and business continuity. It also includes data recovery capabilities with granular restore, efficient backup and long-term archiving.

Data protection is augmented with intelligent threat detection to identify anomalies across the organisation, including data access pattern and user behaviour anomalies.

This is centered on sound data management where organisations have the visibility to know where their sensitive data is, who is accessing it and how it interoperates across and beyond organisational boundaries.

The ability to monitor data continuously for anomalies is an integral part of a zero trust security framework (i.e. data access is denied by default). This approach reinforces cyber resilience by requiring every access request to be verified and validated.

It also offers another layer of protection by segmenting data and enforcing the principle of least privilege to reduce risks.

The final aspect of cyber resilience lies in organisations’ recovery capabilities. Often, complexity is a key culprit in driving up the cost and time involved in backup and disaster recovery.

If an attack breaks through an organisation’s first line of defence, the ability to restore recent point-in-time copies of data at a granular level is the key to quickly remediating threats and bringing data and applications back online with minimal disruption.

A five-step cyber resilience strategy

Here is a five-step approach that organisations can consider when developing their cyber resilience strategy.

  • Identify: Take stock of the IT environment and assess current data protection and security processes. This includes classifying all data sets into different categories based on their business value, determining where and how the data sets are stored (according to their value), and evaluating data access permissions.

Without the right tools, this can be a time-consuming task. If not done right, it can also create confusion down the road in the protection and recovery process.

Furthermore, organisations can identify and map out the flow of sensitive data and transactions to create a baseline of interactions among users, resources, applications, services and workloads. This is fundamental in building a zero trust architecture.

  • Protect: This encompasses data encryption, conducting regular backups, ensuring proper infrastructure management and access control, implementing perimeter defences, updating vulnerable operating systems and applications, and training users about cybersecurity best practices.

This exercise typically starts with defining recovery time objectives (RTOs) and recovery point objectives (RPOs) for the different data sets categorised in the previous step.

Organisations should also put each critical digital element into an individual protect surface with its own micro-perimeter controls and filters in a zero trust environment. These measures will enable organisations to block malicious users, thwart infection and prevent data deletion.

  • Detect: Detection is vital to staying ahead of malicious agents and other threats. Organisations can leverage modern AI (artificial intelligence) and ML (machine learning) technologies to help identify suspicious activity before it becomes a real threat.

These solutions allow organisations to track user behaviour analytics as well as storage and file system anomalies to uncover the source of an attack in real time.

Organisations adopting a zero trust architecture should also consider centralised monitoring and management. Continuous monitoring with a single-pane view of their data estate across on-premises and cloud environments makes it easier for organisations to identify and act on anomalies in user behaviour.

  • Respond: Organisations will need to proactively implement solutions that can help them automatically block malicious user accounts and create immutable recovery points when a threat is detected. This can minimise further damage and help prevent data theft.
  • Recover: Downtime can be reduced by applying intelligent forensics to identify the source of the threat, and targeting which data to restore first. By rapidly restoring data, companies can help accelerate operational recovery and bring critical applications back online.
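The Detect, Respond and Recover steps above can be made concrete with a small detect-and-respond loop. The following is an added example, not code from the article or from NetApp: it parses constructed file-access log lines, flags a user whose burst of modifications within a short window is dominated by extension-changing renames (a common signature of files being encrypted in place), and then emits the response actions the strategy calls for, blocking the account and recording an immutable recovery point. The log format, the thresholds, the account names and the `respond` action records are all assumptions made for the example; a real deployment would replace the action records with calls to its identity provider and storage platform.

```python
"""Toy detect-and-respond loop over file-access events (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample log: "<seconds> <user> <action> <path> [<new_path>]".
# "carol" plays a compromised account renaming files to a .locked extension;
# "erin" is a legitimate build job producing a burst of ordinary writes.
SAMPLE_LOG = """
0 alice WRITE /share/finance/q3.xlsx
5 alice WRITE /share/finance/q3.xlsx
12 bob WRITE /share/hr/policy.docx
40 alice READ /share/finance/q3.xlsx
100 carol RENAME /share/finance/q1.xlsx /share/finance/q1.xlsx.locked
101 carol RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.locked
102 carol RENAME /share/finance/q3.xlsx /share/finance/q3.xlsx.locked
103 carol WRITE /share/finance/README_DECRYPT.txt
104 carol RENAME /share/finance/budget.docx /share/finance/budget.docx.locked
105 carol RENAME /share/finance/plan.pptx /share/finance/plan.pptx.locked
200 erin WRITE /share/build/out1.o
201 erin WRITE /share/build/out2.o
202 erin WRITE /share/build/out3.o
203 erin WRITE /share/build/out4.o
204 erin WRITE /share/build/out5.o
205 erin WRITE /share/build/out6.o
"""

MUTATING_ACTIONS = {"WRITE", "RENAME", "DELETE"}
WINDOW_SECONDS = 60      # sliding window per user (assumed tuning value)
BURST_THRESHOLD = 5      # mutating events in the window before we look closer
EXT_CHANGE_RATIO = 0.5   # share of those events that must change the extension


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records, skipping short lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        new_path = parts[4] if len(parts) > 4 else None
        events.append(Event(int(parts[0]), parts[1], parts[2], parts[3], new_path))
    return events


def changes_extension(ev: Event) -> bool:
    """True for a rename whose final suffix differs (q1.xlsx -> q1.xlsx.locked)."""
    if ev.action != "RENAME" or ev.new_path is None:
        return False
    return PurePosixPath(ev.path).suffix != PurePosixPath(ev.new_path).suffix


def detect(events, window=WINDOW_SECONDS, burst=BURST_THRESHOLD,
           ratio=EXT_CHANGE_RATIO) -> dict:
    """Return {user: timestamp_flagged} for accounts whose recent mutating
    activity is both bursty and dominated by extension-changing renames."""
    recent = defaultdict(deque)   # per-user sliding window of mutating events
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in MUTATING_ACTIONS or ev.user in flagged:
            continue
        q = recent[ev.user]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= burst:
            ext_changes = sum(changes_extension(e) for e in q)
            if ext_changes / len(q) >= ratio:
                flagged[ev.user] = ev.ts
    return flagged


def respond(flagged: dict, volume: str = "vol_finance") -> list:
    """Produce the response actions as records. In production these would be
    identity-provider and storage calls; the shapes here are assumptions."""
    actions = []
    for user, ts in flagged.items():
        actions.append({"action": "block_account", "user": user, "at": ts})
        actions.append({"action": "create_immutable_snapshot", "volume": volume,
                        "name": f"ransom-{user}-{ts}", "at": ts})
    return actions


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for record in respond(hits):
        print(record)
```

Note that erin's six writes trip the burst threshold but not the extension-change ratio, so the build job is left alone, while carol is flagged on the fifth mutating event rather than after the whole share has been touched. A legitimate bulk rename that changes extensions (say, a mass `.jpeg` to `.jpg` cleanup) would still trip this rule, which is why the Identify step's baseline of normal user and application behaviour matters for tuning the thresholds.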

Organisations need to recognise that ransomware attacks will eventually hit everyone – it’s essentially inevitable.

When ransomware comes knocking, every second counts. As such, what matters most is how organisations can proactively protect, continuously monitor and automatically act to safeguard data in real time. For instance, with NetApp ONTAP, attacks can be detected, additional snapshots are taken immediately and recovery can occur in a matter of minutes.

Relying on recovery alone in today’s growing sophistication of cyber threats may prove inadequate. Therefore, it’s critical for organisations to re-think their strategy and consider a data-centric cyber resilience approach.

With the right approach, a company can avoid downtime – not only by preventing an attack from happening, but also by recovering data almost instantly and keeping the business running. – Oct 20, 2023


You Qinghong is NetApp Solutions Engineering lead (Greater China, ASEAN, South Korea).

The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
