I live in a city center and the lunch hour certainly isn’t like it once was. While some people have returned to working in an office, it seems that the majority have not. Looking back, the pandemic will have been a turning point for many things around the world, and the rhythms of office-centered worklife will be something that will never return to the old ways.

With this increased flexibility employees are not just working from home behind consumer-grade Wi-Fi routers; they are also spending part of the day at the park or coffee shop, or perhaps even having a “working holiday.” Those in charge of protecting enterprise assets have to assume these endpoints are always in hostile territory.

Even before the pandemic, organizations working toward improving their security maturity were often trying to “push left.”  What is pushing left? At its most basic level it means moving things closer to the start. It originates from software development where the stages of the development process are conceptualized from left to right, left being the beginning. In applied security we also use the term “pushing left,” but rather than referring to the software development process we are referring to the attack chain, which moves from reconnaissance on the left through action (exfiltration or other attacker goal) on the right.

For many years, the most comprehensive security strategies have involved defense in depth. The idea is that not all technologies are suitable for detecting a given threat type, so it is best to deploy them in layers. These layers often directly correspond to how far “left” something is in the attack chain. If you can detect something at the network border through your firewall, email, or web filters, you have contained the threat before it has any negative impact on operations.

Ideally you want to detect and block an attacker as far left as possible, i.e., as early as possible. Pushing detections left also alerts security analysts that an intrusion may be underway, initiating more focused threat hunting to anticipate gaps in defenses your attacker may be attempting to exploit.

For employees at the office, you can centralize control of these defenses and provide optimum protection. The question is, are you able to provide the same protection for remote workers regardless of their location? Can you monitor and respond to threats being detected on those assets when they are out of the office? As many have observed, this did not work as well as we would have liked when we all went into lockdown, many of us without a plan.

While there are still many benefits to monitoring the network when you have control of it, including reduced endpoint overhead and the ability to keep threats at a distance from sensitive assets, we need to ensure we can take as much of this protection as possible with us when we are out and about.

We must ensure not only that protection is optimized, but also that we don’t lose our ability to monitor, detect, and respond to attacks targeting these remote assets. Most organizations have moved to utilizing EDR/XDR solutions (or plan to in the very near future) , which is a great start, but not all solutions are comprehensive.

In the remote-work era, insufficiently protected remote users can encounter plenty of issues – malicious URLs and downloads, and networks attacks, to name only the most mundane – that in the Before Times would have been handled by machines guarding the corporate “fort.” The biggest missing components when users are “outside the fort” are HTTPS filtering and web content inspection of the sort that is typically implemented within next-generation firewalls. When you add these technologies to pre-execution protection, behavioral detection, machine learning models, client firewalls, DLP, application control, and XDR, you are starting to look at a comprehensive stack of defenses for attackers to overcome – even if the endpoints themselves are now free-range.

For initiatives like zero trust network access (ZTNA) to be effective, we must not only wrap the applications we interact with, but we must also wrap the endpoints that connect to them. Simple checks like whether the OS up-to-date and whether it has security software installed may be a good start, but not all protection is created equal.

With most devices being connected to the internet whenever they’re in use, we can leverage the power of the cloud to help provide ubiquitous protection and monitoring. Modern security solutions must assume the endpoint device or phone is in a hostile environment at all times. The old idea of inside and outside is not only outdated, it’s downright dangerous.

The writer Chester Wizniewski is a Field CTO Applied Research at Sophos

• Paying the Ransom Doubles Recovery Costs
• Rate of Ransomware Attacks Remains Steady, with 66% of Organizations Surveyed Reporting They Were a Victim of Ransomware
  

Sophos, a global leader in innovating and delivering cybersecurity as a service, today released its annual “State of Ransomware 2023 ” report, which found that in 76% of ransomware attacks against surveyed organizations, adversaries succeeded in encrypting data. This is the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020.

The survey also shows that when organizations paid a ransom to get their data decrypted, they ended up additionally doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organizations that used backups to get data back). Moreover, paying the ransom usually meant longer recovery times, with 45% of those organizations that used backups recovering within a week, compared to 39% of those that paid the ransom.

Overall, 66% of the organizations surveyed were attacked by ransomware—the same percentage as the previous year. This suggests that the rate of ransomware attacks has remained steady, despite any perceived reduction in attacks.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes,” said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” said Wisniewski.

When analyzing the root cause of ransomware attacks, the most common was an exploited vulnerability (involved in 36% of cases), followed by compromised credentials (involved in 29% of cases). This is in line with recent, in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders.

Additional key findings from the report include:

• In 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace
• The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed reporting that they were victims of ransomware
• Overall, 46% of organizations surveyed that had their data encrypted paid the ransom. However, larger organizations were far more likely to pay. In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments

“With two thirds of organizations reporting that they have been victimized by ransomware criminals for the second year in a row, we’ve likely reached a plateau. The key to lowering this number is to work to aggressively lower both time to detect and time to respond. Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24×7 to mount an effective defense these days,” said Wisniewski.

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

• Strengthen defensive shields with:
  • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
  • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider
• Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan
• Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations

Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

• Sophos Adds Team of MDR Experts in Germany, Expanding Global Footprint of Security Operations Specialists

• Defenders Have Less Time to Defend; MDR Services Become Critical Cybersecurity Layer as Attacker Dwell Time Decreases, Says Sophos’ Annual Active Adversary Report

Sophos, a global leader in innovating and delivering cybersecurity as a service, has announced that its industry-first vendor-agnostic Managed Detection and Response (MDR) service has grown its customer base by 33% in the first six months since introducing the service’s ability to ingest and analyze telemetry from third-party security vendors. Already, Sophos is processing more than 150 million alerts from nearly 30 other security providers.

Sophos has also added a new team of MDR experts in Germany to service the increasing demand in the German and European markets, as well as to support the existing globally located MDR team that monitors and defends organizations 24/7/365.

The service now protects more than 16,000 organizations worldwide and has been doubling in size year-over-year as the industry’s most widely used MDR offering.

MDR services are fast becoming an essential cybersecurity layer as attackers refine their tactics, techniques and procedures (TTPs) to overwhelm defenders. This includes decreasing their dwell time, as evidenced in Sophos’ 2023 Active Adversary Report for Business Leaders report, also announced today. Reduced dwell time indicates attackers are working faster to accomplish their end goal, whether it’s stealing data, deploying ransomware, spying, or perpetrating some other nefarious activity against a target. Consequently, defenders have less time to respond, from identifying the presence of attackers to neutralizing them. Analysis of incident response cases shows that median dwell times are dropping significantly – down to 10 days for the first time, and a day less for ransomware cases – and attacks are occurring continuously instead of during off business hours or over the weekend. Just as interesting, there’s no significant difference in dwell time among organizations of different sizes or sectors.

“The adoption of MDR is skyrocketing because organizations need 24×7 teams of experts to simply take over and handle cyberattacks that are executed in less time, change quickly and are more complex in nature. These factors put Sophos in the ideal position to further trailblaze the market,” said Rob Harrison, vice president of product management for security operations solutions at Sophos. “Since introducing our game-changing ability to ingest, collate and correlate other security vendors’ signals, we’ve already processed more than 150 million non-Sophos alerts from nearly 30 common providers. We’re leading the market in terms of volume, variety and time with unique MDR data from both Sophos and the other security providers. With this advantage of ingesting data from third-party sources, we have broader context, enabling us to make better decisions, defend faster and apply deeper knowledge to new and existing MDR customers.”

“The MDR market is gaining momentum as companies scramble to stay one step ahead of rapidly evolving attacks that continue to increase in number, sophistication and complexity while simultaneously trying to manage the cybersecurity talent skills shortage reality. Since its launch in October, Sophos MDR has mirrored that momentum as organizations look to realize secure outcomes and reduce their cybersecurity risk posture from their existing cybersecurity investments. The benefit of Sophos’s technology-agnostic managed service approach is that it meets customers where they are rather than requiring investment in new security tools to achieve an outcome,” said Frank Dickson, group vice president for IDC’s Security and Trust research practice.

Sophos MDR successfully reported malicious activity across all 10 MITRE ATT&CK steps in the first-ever independent MITRE Engenuity ATT&CK Evaluation for security service providers. Sophos MDR was evaluated with 15 vendors, excelling in its ability to detect sophisticated threats with speed and precision. Sophos was named the only Leader across the G2 Grid Reports for MDR, Extended Detection and Response (XDR) Platforms, Endpoint Detection and Response (EDR), Endpoint Protection Suites, and Firewall Software in the G2 Spring 2023 Reports. In the Managed Detection and Response (MDR) Services market on Gartner® Peer Insights®, Sophos MDR is the highest rated and most reviewed MDR service with a 4.8 rating across 296 reviews as of April 24, 2023.