Last year alone, the Varonis Incident Response team investigated more than 250K alerts. No, that’s not a typo — our IR team reviewed a quarter of a million alerts. With ransomware on the rise and the amount of data growing at an exponential pace, having a proactive team on the frontline is more important than ever.
In our latest masterclass, Mike Thompson, Raphael Kelly, and Chris Kisselburgh from the Varonis IR team discussed current global threat trends, including the spikes in insider threats and the importance of focusing on the early indicators of compromise.
Watch the full recording to see a walkthrough of why Proactive Incident Response is the future of data security, the cyberattacks the Varonis IR team thwarted in the past year, and what makes Varonis’ data detection and response different.
Ransomware is on the rise…again.
Our incident response team addresses these types of incidents almost every week, and one of the things they’ve noticed about the increase in attacks is a change in approach.
As organizations have gotten better at recovering from ransomware attacks, threat actors moved from encryption alone to data encryption and exfiltration for additional leverage over victims. Although this trend first took off only a few years ago, it’s now standard practice in most attacks. “The ransomware event is almost more of the notification that the attacker is there — the more dangerous piece is that the data has left your environment,” said Mike Thompson, Varonis Security Architect Manager. “You can recover encrypted data; you can’t recover data that’s been exfiltrated.”
Economic turmoil always leads to an increase in insider threats.
To date, there have been more than 150,000 big tech employees laid off in 2023 alone in what is widely considered a more “recession-proof” industry.
Witnessing your friends and coworkers lose their jobs — and worrying about your own employment security — can increase the likelihood that “somebody tries to cover their bases and make a little extra money on their way out the door,” Varonis Security Architect Chris Kisselburgh said.
“When we have critical worldwide events like this that have a global impact, we should be looking at how this affects human behavior at the end of the day.” Concerns of an economic downturn and recession can affect people at their core. “Human behavior is what we’re really studying,” Chris said.
It’s vital to focus on the early indicators of compromise.
The Russia-Ukraine war has disrupted a lot of ransomware organizations. Experts thought threat actors like Emotet, a malware strain and a cybercrime group believed to be based in Ukraine, had been dismantled, but our IR team has seen them resurface quite aggressively, which is why “looking earlier in the kill chain is absolutely a priority,” Chris said.
He added that he can’t stress enough the importance of investigating those early indicators. “Companies will see alerts on a Friday that maybe are not taken as seriously as they should be and then by Monday morning, the entire domain is encrypted,” he said. “It’s critical that we take the early indicators as seriously as possible.”
Mike added, “What we’ve seen on occasion is people pick up on one potential compromised user and they really focus their efforts on remediating that one user or compromised device and then they consider the case closed. Then a week later — bam. Ransomware pops up.”
Data has no home base.
“We’ve seen a lot of changes in IT over the last two to three years. We have this global shift to a remote workforce during COVID; that was a big shift in IT in addition to security at the same time,” Chris said. “Because one of the things we have to consider is, ‘Where does the data go now that I have 10,000-plus remote users all across the globe?’”
He added that the current remote workforce situation won’t revert to the pre-pandemic ways of working. “Data is no longer limited to your file servers. Data — in reality — is everywhere.”
And the shift to a remote workforce was a rapid one. This means there is most likely a large gap in security posture between what orgs had in an on-premises environment and what they have now in a cloud environment. The same due diligence must be executed now, which can be tricky when the cloud security space is relatively new compared to on-prem security tactics.
Incident response is moving from a reactive methodology to a proactive one.
Historically, incident response teams have been reactive, waiting to jump on calls after a customer reported an incident. But the future of incident response must be proactive to keep pace with evolving threats.
With the launch of our SaaS Data Security Platform, Varonis can provide proactive IR services: analysts regularly reviewing customers’ environments, threat-hunting, and investigating, all without taking up our customers’ valuable time. With our analysts' collective decades of experience, we can spot indicators that a ransomware attack is imminent, and if we do find something worth noting, we escalate only those incidents to avoid alert fatigue.
Watch the full discussion on global cybersecurity trends and the future of incident response here.
Megan is the content editor for Varonis and an avid fan of all things AP style. When Megan's not debating whether "cybersecurity" should be one word or two, she loves to travel with her husband and dote unhealthily on their pitbull, Bear.