Most cybersecurity experts agree that having Endpoint Detection and Response software is essential to fighting ransomware today—but not every EDR is equal.
Businesses, especially small-to-medium sized ones with limited budget or IT resources, need to make sure that their EDR is cost-effective, easy-to-use, and able to reliably stop the growing ransomware threat. So precisely what features should SMBs be looking for in an anti-ransomware EDR, and why?
In this post, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, gives his 6-point checklist of features your EDR should have to stop ransomware.
Table of contents
- Multi-vector Endpoint Protection (EP) is built-in
- Maintains visibility and patching regularly
- Has machine learning (ML) to recognize ‘goodware’ instead of malware
- Uses standard reference language and forensic analysis
- Thorough containment, eradication, and recovery options
- Searches for ransomware indicators across all your managed endpoints
How should EDR address ransomware?
At its core, ransomware is an exploitation of trust, Zamani says.
“We place our trust in applications to perform only the functions we intended, Operating Systems to perform functions we authorized, and that our credentials (user ID/password) are used only by authorized personnel. Stolen credentials, phishing attacks, zero-day applications, and OS vulnerabilities exploit our trust in endpoints. And since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat."
A risk management strategy states that we cannot eliminate all system vulnerabilities or block all cyberattacks. In other words, your EDR should be optimized to “prevent what you can and mitigate the rest.”
"Since ransomware stems from exploitation of trust, then EDR is not optional when it comes to mitigating a detected threat."
Robert Zamani, Regional Vice President, Americans Solutions Engineering
1. Multi-vector Endpoint Protection (EP) is built-in
The base functionality of any EDR is to notify you of any suspicious activity that is taking place on your systems and offer “response” capabilities to mitigate the detection. However, EDR doesn’t inherently do any prevention: It won’t stop the threat from breaching your environment in the first place.
Relying solely on EDR as a prevention solution will overwhelm your staff and increase operational costs.
That is why anti-ransomware starts with preventing the known bad, Zamani says. Enter Endpoint Protection (EP), an advanced threat prevention solution for endpoints that uses a layered approach with multi-vector detection techniques.
Many EDR vendors will offer EP as a separate offering—usually, these are just file-based scanners looking for possible clues to malware in binary files. This is the minimal functionality of EP and insufficient because there is more that can be prevented, Zamani says.
EP must reduce the attack surface of ransomware through a combination of comprehensive web protection, application hardening, and other “first-layers of defense”. Since most ransomware attacks start with a phishing email, this primary ‘preventative’ type of endpoint protection is essential.
For a budget-friendly way to get the first layer of ransomware protection, look for an EDR with full-stack Endpoint Protection.
EP gives you a “first-layer of defense” against known and unknown malware, ransomware, and other threats.
2. Maintains visibility and patching regularly
Patching is not just system maintenance, Zamani says. According to the Ponemon Institute, 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch.
“Application and OS vulnerability assessment and patch management solutions are preventative and reduce the ransomware attack surface on endpoints. A good application and OS, vulnerability management solution must automate inventory and severity classification based on CVSS scoring,” Zamani says. “The sorting by severity and grouping by the asset (endpoint) will allow you to prioritize patching the most valuable endpoints.”
In short, make sure your EDR has some sort of vulnerability and patch management component to make it more difficult for ransomware attackers to breach your systems.
3. Has machine learning (ML) to recognize ‘goodware’ instead of malware
A good EDR is looking for a deviation from good behavior, Zamani says. When an application launches and performs in an expected way, we call that an example of good behavior—and when it doesn’t, the administrator gets an alert notifying them of suspicious activity warranting investigation.
Contrast this with an ML model trained to recognize “bad behavior,” where the model finds patterns in datasets of known malware code. On the low side, there are tens of billions of unique malware, so we can safely assume “bad behavior” is seemingly endless.
The larger the dataset of bad behavior, the greater the chances of misinterpreting good behavior as bad, leading to many false positives.
“Indicators of Compromise (IOC) and Indicators of Attack (IOA) are ill-suited for EDR detections. IOC and IOA define bad, and ‘bad’ mutates, creating 100s of billions of possibilities,” Zamani says. Therefore, a modern EDR heuristics engine must be trained on the good behavior of known-good applications.
Dealing with too many false positives costs time and manpower, distracting you from actual security issues like ransomware. Make sure you choose an EDR that detects deviations from known-good applications to reduce false positives that could distract you in your fight against ransomware.
4. Uses standard reference language and forensic analysis
So your EDR has EP and is looking for deviation from known-good behavior to lower false positives—now, it has sent you a notification of a ransomware threat. The next piece of an anti-ransomware EDR is that the information that comes to you should be standardized both in summary and in detail.
“Traditional, older style EDR will use vendor-specific verbiage for describing the attack,” Zamani says. “But in your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”
The reference number is necessary for documentation purposes, Zamani says. At the same time, the plain-English description is necessary for you to know at what stage an endpoint was ransomed (because a hacker could have exploited a vulnerability in a still-running application).
"In your EDR, you want the TTPs (tools, techniques, and procedures) of threats to be described in plain English with a common reference number.”
Robert Zamani, Regional Vice President, Americans Solutions Engineering
To avoid unnecessary complexity in figuring out the origin of a ransomware threat, your EDR solution should have an industry standardized way of describing the attack—such as MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).
“Your EDR needs to tell the story of what happened using the standard reference language of MITRE with direct links to the MITRE ATT&CK reference library,” Zamani says. “It should provide a summary using a Kanban board and a separate process graph with detailed forensics of what and how it happened.”
Your EDR should show you alerts that are standardized both in summary and in detail.
5. Thorough containment, eradication, and recovery options
Look to an EDR to mitigate unforeseen threats and ultimately a new method of ransomware (exploitation of trust), says Zamani.
Containment prevents lateral movement of an attack by allowing you to contain individual machines, processes, or user-IDs and continue active response activities—making quick and easy containment features a must for your EDR.
But the fight doesn’t stop at containment, says Zamani.
“So you’ve contained and studied a threat with your EDR. That’s great,” says Zamani. “But now you want to do remediation. You want to remotely eradicate the ransomware and restore the endpoint to a known-good state free of malware, virus, unwanted programs including unwanted modification.”
But you may ask: Aren’t eradicating and recovering from ransomware the same thing? Not quite, Zamani says.
“Just because you deleted the artifacts does not restore the endpoint into a state where the machine can function. For example, a registry key says the startup sequence is ‘malware first, and then boot.’ So we remove the nasty registry key ‘malware first’, but if you say nothing else, the system won't boot!”
In other words, your EDR needs instrumentation that not only eradicates ransomware but actually recovers and restores the machine's state into a functioning state where it can be returned to the network.
“Your ransomware rollback should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware,” Zamani says.
6. Searches for ransomware indicators across all your managed endpoints
What if you want to see if the same ransomware threat you discovered on one of your endpoints is in the early stages of the attack on other endpoints?
“Your EDR should have a search engine that can look at any of the TTPs and search across your network,” Zamani says. “Because you want to see if you can catch something early enough before it hits the point of ransom.”
Look for an EDR that can search data like files, registry, processes, and networking activity so you can threat hunt or analyze how a ransomware compromise occurred in your environment.
Businesses need an EDR that immediately detects and responds to ransomware threats
In this post, cybersecurity expert Robert Zamani explained the features SMBs should look for in an anti-ransomware EDR and why.
Of course, the fight against ransomware doesn’t stop at EDR: you still good cyber hygiene with a well-written and practiced Incident Response Plan (IRP). Looking to further empower your business in the fight against ransomware?