Ransomware prevention, not defense

Ransomware needs to be prevented on business networks. When I first wrote that in 2013, it was referring to on-premises networks with fixed perimeters. We live in a different world now. In this modern world, workers are more mobile, work from home is common, businesses don’t own every device that accesses their business data, and most if not all apps are SaaS applications. There often is no perimeter firewall anymore and no on-premises infrastructure, except for Wi-Fi access points, printers, and other disposable devices.

Defense implies a reactive approach. Prevention sets the scene so that ransomware can’t get you in the first place.

Ransomware prevention policies

Also back in those days, I wrote group policies to prevent ransomware. Those policies turned into some of the apps that you might subscribe to today. I know because I had tells in those policies, and the “new amazing software” would send me constant pings because they never switched it to themselves like the instructions said to, probably because they never actually purchased those from me and didn’t have the instructions. Those policies are pretty well obsolete now.

At this point you should be using sensors and intelligence, and let Windows itself and the processor do a lot of the heavy lifting. This of course requires things like a software subscription that includes Defender for Business, Azure AD P2, a TPM 2.0 chip, Windows 11, and Intune. Essentially, a modern network and a well-planned inventory of devices.

From tech generalist to security generalist

Recently my MSP’s staff have started to complain that all they do is security. It’s true. Once upon a time, security meant making sure that the anti-virus was running and the PC was joined to the domain. It also meant that we had configured the perimeter firewall when it was installed and loaded up the group policy templates that I had written. And once a month we installed updates on PCs and the firewall. It was a pretty small ask of them, and the majority of it was a one-off.

Today security is job one. Monitoring logs, and configuring the rules that help us watch those logs, can be a fire hose of information. One of our goals is to reduce that flow down to the most critical events to observe personally, and to make use of EDR in Defender for Business (the greatest gift to small business Microsoft has ever made) to automatically manage most of it for us. But we also have to watch the watcher. There’s no more “set it and forget it.” There’s no more “I’ll schedule to look at that once a month.” Crime doesn’t work at that pace, and so we can’t either.

The tech generalist is now the security generalist. They have a great advantage over the security trained new graduate, because they also understand how to interact with the customer, help them be productive, and solve problems. There’s a role for security specialists, but there’s a greater role for the security generalist.

Last line of defense is defense

There is a case for defense as a last resort. It’s the backup, and the Google, Microsoft, and iCloud accounts. The backup is tricky because it needs to be isolated or offline. Achieving that isn’t easy, but it can be done with OAuth or drive swapping; you really have to be careful to do it right. Since most businesses have yet to have a working backup (I’m still in disbelief, but it’s true), most don’t have a way to recover from the worst-case scenario.

Of course, the backup is useless if you can’t restore from it. Restoration has to be tested every month.
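As an added example of the monthly restore test (this is not the post’s own tooling, and the paths are placeholders you would replace), the script below records a SHA-256 manifest when the backup copy is taken, then restores a random sample of files into a scratch folder and checks each one against that manifest. Restoring to scratch rather than over live data is what keeps the test itself from becoming a risk.

```powershell
# Added example, not the post's own tooling. Assumes an NTFS backup root you
# supply; 'E:\Backups\Current' below is a placeholder.

function Write-BackupManifest {
    # Run this when the backup copy is made: hash every file under $BackupRoot.
    param([Parameter(Mandatory)][string]$BackupRoot)
    $base     = (Resolve-Path $BackupRoot).Path.TrimEnd('\')
    $manifest = Join-Path $base 'manifest.csv'
    Get-ChildItem -Path $base -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($base.Length + 1)
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $manifest -NoTypeInformation
}

function Test-BackupRestore {
    # Run this monthly: restore a random sample to an isolated scratch folder
    # and verify the restored bytes match what the manifest recorded.
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [int]$SampleSize = 25
    )
    $base     = (Resolve-Path $BackupRoot).Path.TrimEnd('\')
    $manifest = @(Import-Csv -Path (Join-Path $base 'manifest.csv'))
    $scratch  = Join-Path ([IO.Path]::GetTempPath()) ('restoretest-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $scratch | Out-Null

    $count  = [Math]::Min($SampleSize, $manifest.Count)
    $sample = $manifest | Get-Random -Count $count
    $failed = @()
    foreach ($entry in $sample) {
        $src = Join-Path $base $entry.RelativePath
        $dst = Join-Path $scratch $entry.RelativePath
        New-Item -ItemType Directory -Path (Split-Path $dst -Parent) -Force | Out-Null
        try {
            Copy-Item -Path $src -Destination $dst -ErrorAction Stop
            $hash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
            if ($hash -ne $entry.Sha256) { $failed += "$($entry.RelativePath): hash mismatch" }
        } catch {
            # A missing or unreadable file is a failed restore, not a skipped one.
            $failed += "$($entry.RelativePath): $($_.Exception.Message)"
        }
    }
    Remove-Item -Path $scratch -Recurse -Force

    [pscustomobject]@{
        Tested   = $count
        Passed   = $count - $failed.Count
        Failures = $failed
        RunAt    = Get-Date
    }
}

# Usage (placeholder path):
# Write-BackupManifest -BackupRoot 'E:\Backups\Current'   # at backup time
# Test-BackupRestore  -BackupRoot 'E:\Backups\Current' | Format-List   # monthly
```

Keep the result objects from each month’s run; a restore test that fails or stops being run is the signal that the last line of defense has quietly gone away.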

Investment needed

All of this constant monitoring, checking, reconfiguring, and testing takes a lot more time. To do it right, it just does. Even with a complete toolset, the criminals are iterating their methods, and so we have to iterate our preventions at the same rate. We then also have to verify that what we think is secured is still secured. Permission creep has always been real, and security creep can be said to be even more real.

What is needed from business is a great investment in security management. They need to recognize that IT needs more eyeball time on this new network. There are so many more moving parts to security today. Applications, AIs, and helpers don’t do all of the work, and they don’t do it without themselves being managed.

Training needed

On the IT side of the world, certifications are back, and they are needed to move current IT staff from IT generalist to security generalist. But the ordinary employee has just as much of a role to play in security. They need to understand what PII means. They need to know how DLP works. They need to know how to operate a password keeping tool and an authenticator. They need to recognize a phishing message and be confident enough to be that annoying person who makes others jump through hoops while they verify the legitimacy of the request. They need to know how and when to remove the mark of the web from a document. And so much more. Most businesses have no internal training program. Somehow it is thought that if you can type, use a mouse, and turn a computer on, then you’re computer literate. It’s not true.
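As an added example around the mark of the web point (this is not the post’s own tooling; the file and log paths are placeholders), the script below reads the Zone.Identifier stream that Windows attaches to downloaded files, so the person deciding whether to unblock a document can see which zone it came from and from which host, and so that every unblock is recorded with a reason.

```powershell
# Added example, not the post's own tooling. Paths are placeholders you supply.

# Zone ids as written by Windows into the Zone.Identifier stream.
$ZoneNames = @{ '0' = 'LocalMachine'; '1' = 'LocalIntranet'; '2' = 'TrustedSites';
                '3' = 'Internet';     '4' = 'RestrictedSites' }

function Get-MarkOfTheWeb {
    # Returns the mark of the web for a file, or $null if it has none.
    param([Parameter(Mandatory)][string]$Path)
    # The mark lives in the Zone.Identifier alternate data stream (NTFS only);
    # reading a stream that does not exist simply yields nothing here.
    $lines = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $props = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $props['ZoneId']
        Zone        = $ZoneNames[$props['ZoneId']]
        ReferrerUrl = $props['ReferrerUrl']   # present only for some browsers/downloads
        HostUrl     = $props['HostUrl']       # where the file was downloaded from
    }
}

function Remove-MarkOfTheWeb {
    # Unblocks a file only with a stated reason, and writes what was removed
    # (zone, source host, who, why) to a log so the decision can be reviewed.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Reason,
        [string]$LogPath = "$env:ProgramData\motw-unblock.log"   # assumed log location
    )
    $mark = Get-MarkOfTheWeb -Path $Path
    if (-not $mark) { Write-Verbose "No mark of the web on $Path"; return }
    Unblock-File -Path $Path
    $record = @((Get-Date -Format o), $env:USERNAME, $Path,
                "zone=$($mark.Zone)", "source=$($mark.HostUrl)", $Reason) -join "`t"
    Add-Content -Path $LogPath -Value $record
}

# Usage (placeholder path):
# Get-MarkOfTheWeb -Path 'C:\Users\you\Downloads\invoice.docx'
# Remove-MarkOfTheWeb -Path 'C:\Users\you\Downloads\invoice.docx' -Reason 'Verified with sender by phone'
```

The point of the log line is the training one the post makes: removing the mark is sometimes necessary, but it should be a deliberate, verified, and recorded step rather than a reflex.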

Times have changed, and if employees are not trained to work securely, then they won’t. If they aren’t trained on how to use the new, more secure features and methods available in the software they use day to day, then they won’t. Productivity is lost and the business is at risk. This must change.

This single change could make the biggest dent in the success rate of cyber criminals and save our country billions of dollars.

Bringing it all together. 1, 2 and 3

Recently I’ve organized this blog into sections to make it easier for readers to find similar content on Azure AD, Defender for Business, and Endpoint Management (Intune). Two years ago I ran a 12-month webinar series on getting 365 set up correctly, then I taught you how to make money. We went through every portal. Last year, I wrote a two-day course on Endpoint Manager, an eBook, and a set of basic policies. This year, I’m going to do the same for Defender for Business.

If you get your portal and Azure AD set up correctly, then deep dive into Endpoint Management, then set up and learn to manage your network using Defender for Business, you will have reached the point of being able to manage a modern network, from on-premises servers to fully cloud. If you knew how to do the former, you can learn these new ways.

If you like this content please join our Endpoint Manager, Lighthouse & Defender group. https://www.facebook.com/groups/endpointmanager

All we do is support IT professionals. Microsoft 365 technical assistance, Super Secret News, Security community, MSP Legislation community, EndPoint, Defender and Lighthouse community, Peer groups, Kits, papers, Business consulting and more. https://www.thirdtier.net
