What strategic approaches are you seeing in the industry for addressing ransomware?

1.9k views5 Comments

CISO in Software, 51 - 200 employees
We're still approaching these threats in the same way that we always have; at least, that's how I see it after working at two different security companies. I was recently in this CISOs roundtable about ransomware because it's all over the news. At the end they shared a list of suggestions we discussed to help prevent it from happening to your organization and some of them were just crazy to me.

The first point asked how attackers are getting in—are you kidding me? We know that. Then it says behavioral training is the most important thing, but training the end users not to click on phishing emails only goes so far. I've been doing awareness training for the last 12 years and when I send out a fake phishing campaign, half the users still click on it. So is it effective? I don't know. To me, that's important but not effective. Then they say technology is the enabler; your strategy should be 50% behavioral and 50% tech, which also means training the end user.

Another point was to determine who is responsible for the recovery and follow the MITRE framework. Coming from the pharmaceutical industry, I think checkboxes for audits are great. But are they effective? Do they really protect you from real threats? I’m not sure. They also included education of the board on this list. They say that the board still thinks it will happen to other companies and not their own. But I know many people in my CIO circles who have paid ransoms, so that's pretty crazy.

There was a recommendation to punish the people that click on the phishing emails, which I don't think will go over too well. And the list even proposed using incentives, like bonuses for employees that don't click on phishing emails—give me a break. I was losing my mind in this call because these were CISOs from 20+ big companies, including banks, retail locations, all kinds of diverse companies.
CIO in Finance (non-banking), 51 - 200 employees
Everyone is going back and forth: "We're doing X, Y and Z, but we also need to see relationship building. And what are the new vectors? How are we taking care of that?” At the beginning, the main approach is to have a lock on the door, which could be that same old firewall that everyone else is using. I get that because you need to start somewhere. But from there, it's the buzzword lingo, such as implementing AI/ML that learns those attack vectors, especially the new ones.

Because folks are putting more and more in the cloud we're seeing a lot of emphasis on that. Especially in today's world, not many people are VPN-ing to their Salesforce so a lot of people have gone that route to reduce the friction. But how do you protect those folks? There are clever ways to do it without adding a lot of passwords and multi-factor authentication (MFA), or having people put in a token and then they have their sticky sheet under the keyboard, just so that they can put in their Salesforce task.

I've seen a big over-index on not only protecting end users to cloud but also protecting your source code. After SolarWinds the question is, how can we have more hygiene on that component, so that we don’t just say, "I went through Jenkins and everything looks good, so push to prod." Those two places seem to be a hot button outside of your normal endpoint detection and response (EDR) and components like that. And there’s another way to do two-factor authentication where it will learn where you are using heuristics and telemetrics. But a lot of these things are features and not necessarily a moat. I'm always cognizant about that.
2 2 Replies
CISO in Software, 51 - 200 employees

We still have passwords. I don't know any company that has successfully implemented passwordless across the organization.

CIO in Finance (non-banking), 51 - 200 employees

That's tough. I've seen things which rely on social interaction but they’re not social logins, it’s more like, "Hey, I can vouch that that's Tim. And he can log in." Or you can do your own blockchain and then the blockchain is your authentication component versus AD or something like that. There are interesting ways of trying to solve it that way, but I don't know what the answer is to get rid of passwords forever.

CEO in Software, 11 - 50 employees
If I could, I would figure out a way to build an environment that I can throw away and reconstruct at a moment's notice. Because if we can't come up with an answer for ransomware—and right now the only answer appears to be a greater layer of security scabbing over the operational performance and profitability of a company—then at some point, somebody is just going to say, "I'll just build something that doesn't need any of that stuff, something I can destroy and reconstitute in an hour."

It would be like terraform for your entire network. Figure out a way to protect your data secondarily to whatever normal network protections or access that your admins might enjoy, find a way to encrypt an off-site network that has a third party access key or something and just have a throwaway environment. That may be the best potential security answer from a supplier standpoint.

Content you might like


Very good54%


Fair / acceptable9%


Very poor0%



CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
48.6k views133 Upvotes326 Comments