Hey Ling, we are currently re-evaluating our security posture and making updates/upgrades. I agree with others in this thread that no one tool covers everything. The way we're thinking about ransomware breaks down into a few categories: device protection (antivirus/antimalware), data backup, endpoint detection and response (EDR), network IDS & IPS, patch management, email/phishing monitoring/filtering, asset identification, and SaaS management.
Currently, we're using Trend Micro WFS for device protection and email/phishing monitoring.
We don't have any critical data on-prem, so no servers to back up (though I know many people using Veeam for local backup). For the cloud, we primarily relied on Google Vault for our workspace and backup policies in Google Cloud for our cloud assets. We're currently evaluating SpinAI as a backup service for Google Workspace and Slack. We're evaluating their additional data leak protection, SaaS management, and ransomware protection separately (my impression is that they don't claim it can protect against ALL ransomware attacks... mostly SaaS-based attacks, like using elevated permissions given to an app to start doing things like rewriting your workspace or mass moving/deleting files). The thing that I actually find the most useful so far in our trial is the ability to scan and lock down loose permissions on things like shared files or PII that's leaked into people's storage.
We have basic EDR through Trend Micro for observing and blocking web-based attacks (though it's really basic and doesn't account for local/network-based attacks). I recently installed Wazuh, which is an open-source SIEM & XDR platform. It's been great in terms of observability over our configurations, device compliance, vulnerabilities, and security events. Where it's less than ideal is the fact that it generates A TON of information that's not manageable by just me. As a long-term solution, I would also need to invest more time into configuring its active responses (which mostly would be blocking and adding attackers' IP addresses to device firewall rules, though there are other options to disable accounts/devices, block from the entire network if you have your network configured with Wazuh, etc.). Personally, I believe we should invest in a managed EDR service; price is just a big concern. Currently, we're reaching out to Huntress and Sophos, which I've heard good things about and which appear to be on the more affordable side.
For our network, we're currently relying on our firewall to manage IDS & IPS, which is built into our controller. As a project next year, I might look into adding Snort or Suricata to our network for better logging of packets and events; both are open source.
For patch management, we use JumpCloud for all our MDM (we only cover faculty/school devices... students are BYOD), which also covers patches and has pretty good policy management for enforcing updates/secure configurations on devices. In Google Cloud, I'm working on using the built-in patch management service to keep our VMs up to date.
For asset identification and SaaS management, this is honestly where I feel like there's not a lot of clarity over what's actually useful to us. I believe that this is perhaps the least understood part of everyone's attack surface. That's why we're evaluating SpinAI for this functionality. I think anything that can also discover things like custom apps built off of API keys at your school, or unfederated logins/accounts that don't use SSO or MFA, is also worth looking into. I was particularly interested in a company called Resmo at the beginning of the year, but I found out recently that they've been acquired by JumpCloud (so I'm hoping we get some of this built into our account soon!).
Finally, I think the human side of things is just as important. Training for things like phishing and MFA use is essential, but things like incident response training and tabletop exercises (both things we're working on right now at my school) are also necessary. Also, documentation, redundancy in admin accounts/permissions, secure password sharing (and rotation), etc. are things that help with both ransomware protection and response.
Sorry for the long response! But I think it's important we actually hear/see what people are doing so we can be better informed about how we strategize and implement different cyber security tools (something I think we need more of). Also, if anyone reads this and thinks I'm wrong or has better suggestions on anything, let me know! Pride shouldn't have a place when it comes to protecting our constituents, and we should always be trying to learn how we can do things better.
------------------------------
Hudson Harper
The Downtown School
Seattle WA
------------------------------
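The Wazuh active response Hudson mentions (automatically adding an attacker's IP address to the device firewall) is driven by a small block in the manager's ossec.conf. The fragment below is an added illustration, not configuration from Hudson's post or from the Wazuh project's shipped defaults; it assumes Wazuh 4.x, where the bundled `firewall-drop` script inserts an iptables DROP rule on the agent that raised the alert. The rule ID and the 600-second timeout are example values: match `rules_id` to the alerts you actually want to block on in your own ruleset (5763 is the SSH brute-force rule in the default ruleset, but verify against your version), and keep `timeout` set so that a mistaken block on a legitimate host expires on its own.

```xml
<!-- Added example for the Wazuh manager's ossec.conf (Wazuh 4.x assumed). -->
<!-- The `command` block names the script the agent should run; the
     `active-response` block says when to run it and for how long. -->
<ossec_config>

  <!-- firewall-drop ships with the Wazuh agent and adds an iptables
       DROP rule for the source IP in the alert. timeout_allowed lets the
       manager also schedule the matching "delete" call. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run firewall-drop on the agent that generated the alert (location=local)
       whenever rule 5763 (SSH brute force, non-existent user, in the default
       ruleset; example value, check your ruleset) fires, and undo the block
       after 600 seconds so a false positive cannot lock out a legitimate host. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5763</rules_id>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

Two practical checks before turning this on: confirm the agent's `<active-response><disabled>` setting is `no` (active response is off on some agent installs), and test the block against a throwaway host first, since `location=local` means the rule lands on the machine that saw the attack, not on a perimeter device.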
Original Message:
Sent: 05-06-2024 03:22 PM
From: Ling Lam
Subject: Ransomware Protection
Happy Monday, everyone!
I am wondering what you use for ransomware protection. I think it's a much-needed item, but our subscription has tripled in the last two years. I am wondering if it's time to switch to a different vendor. If anyone can share their vendor or what they are currently doing, I would greatly appreciate it. Thanks!
#CybersafetyandDataSecurity
------------------------------
Ling Lam
Helios School
Sunnyvale CA
------------------------------