
New Tech Targets Enterprise Ransomware

By John P. Mello Jr.
Nov 23, 2015 11:10 AM PT

SentinelOne last week introduced an addition to its behavioral solution designed to address the problem of ransomware scrambling files on a computer.

Ransomware has been a scourge not only for consumers, but for the enterprise, too. The malicious software can be particularly nettlesome for enterprises because they have to protect so many endpoints -- phones, tablets, laptops, desktops and servers.

The company, which gained some notoriety when Netflix said it was ditching its antivirus software for SentinelOne's Endpoint Protection Platform, has a security scheme that uses a client app on each endpoint device that watches for malicious behavior and counters it.

That gives SentinelOne a leg up on traditional antivirus programs that depend on signatures to foil malware, since signatures can be changed faster than antivirus programs can identify them, the company said.

Unlike signatures, malware behavior is more constant. "The core malware behavior -- trying to remain persistent on a machine, trying to inject itself into other processes, connecting to command and control servers, exfiltrating data -- doesn't change," said Dal Gemmell, director of product management of SentinelOne.

"That allows us to identify zero-day threats and advanced attacks that nobody else has seen because we're not relying on signatures or a blacklist," he told TechNewsWorld.

Rollback Feature

In a typical ransomware attack, malware encrypts important files on a computer or phone and demands a ransom payment to unscramble them.

SentinelOne's new "rollback" feature piggybacks on the restore feature found on Windows computers. It doesn't have to do a full restore, however, Gemmell said.

"Because we're monitoring all the activity on the endpoint, and we can see which files have been encrypted or modified, we can be very selective about which files we roll back. We can select specific files that we know have been modified or deleted by the malware," he said.

The natural path for an attacker confronted with SentinelOne's platform would be to scramble the "shadow" files created by Windows Restore, but the company is prepared for that eventuality, too.

"We are able to protect the volume shadow copy using antitamper protection," Gemmell said. "We have protection in place to prevent unauthorized modification of those files."
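The selective rollback Gemmell describes has two parts: a record of which files a suspect process touched, and a snapshot to restore those files from. The script below is an added illustration written for this article, not SentinelOne's code. It models the idea on a small scale: a change journal tracks writes and deletes, files whose new content has ciphertext-like byte entropy are flagged, and only the flagged (or deleted) files are copied back from a snapshot directory that stands in for a Windows volume shadow copy. The entropy threshold, the file names and their contents are all constructed for the demo.

```python
"""Toy model of behavior-based ransomware detection with selective rollback.

Added example for illustration only (not SentinelOne's implementation).
A plain directory copy stands in for a volume shadow copy, and a uniform
byte distribution stands in for encrypted file content.
"""
import math
import os
import shutil
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0; encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def take_snapshot(root: str, snap: str) -> None:
    """Copy every file under root into snap (stand-in for a shadow copy)."""
    shutil.copytree(root, snap)


class ChangeJournal:
    """Records the files a monitored process modified or deleted."""

    def __init__(self) -> None:
        self.modified: set = set()
        self.deleted: set = set()

    def record_write(self, rel: str) -> None:
        self.modified.add(rel)

    def record_delete(self, rel: str) -> None:
        self.deleted.add(rel)


def suspicious_files(journal: ChangeJournal, root: str, threshold: float = 7.0) -> set:
    """Flag deleted files and modified files whose content now looks encrypted.

    The 7.0 bits/byte threshold is an assumption chosen for this demo."""
    flagged = set(journal.deleted)
    for rel in journal.modified:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            flagged.add(rel)
            continue
        with open(path, "rb") as f:
            if shannon_entropy(f.read()) >= threshold:
                flagged.add(rel)
    return flagged


def rollback(root: str, snap: str, rels: set) -> list:
    """Restore only the given files from the snapshot; return what was restored."""
    restored = []
    for rel in sorted(rels):
        src = os.path.join(snap, rel)
        if os.path.exists(src):
            dst = os.path.join(root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored


def run_demo() -> dict:
    """Constructed scenario: snapshot, simulated attack, detection, selective rollback."""
    work = tempfile.mkdtemp()
    root, snap = os.path.join(work, "endpoint"), os.path.join(work, "shadow")
    os.makedirs(root)
    originals = {  # constructed sample files
        "report.txt": b"quarterly report: revenue up 3%\n" * 40,
        "notes.txt": b"meeting notes\n" * 40,
        "config.ini": b"[app]\nmode=prod\n",
    }
    try:
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        take_snapshot(root, snap)

        journal = ChangeJournal()
        # Simulated malicious activity: one file overwritten with ciphertext-like
        # bytes, another deleted. Both are recorded by the journal.
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        journal.record_write("report.txt")
        os.remove(os.path.join(root, "notes.txt"))
        journal.record_delete("notes.txt")
        # A legitimate, low-entropy edit in the same window must survive rollback.
        with open(os.path.join(root, "config.ini"), "ab") as f:
            f.write(b"debug=false\n")
        journal.record_write("config.ini")

        flagged = suspicious_files(journal, root)
        restored = rollback(root, snap, flagged)
        with open(os.path.join(root, "report.txt"), "rb") as f:
            report_recovered = f.read() == originals["report.txt"]
        with open(os.path.join(root, "config.ini"), "rb") as f:
            config_edit_kept = f.read().endswith(b"debug=false\n")
        return {"flagged": flagged, "restored": restored,
                "report_recovered": report_recovered, "config_edit_kept": config_edit_kept}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the second half of Gemmell's claim: because the journal ties each change to the process that made it, the restore touches only `report.txt` and `notes.txt`, while the user's edit to `config.ini` is left alone. A real product would also have to protect the snapshot itself from the same process, which is the antitamper point made in the article.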

Reversing Snowden Fallout

The mistrust sown among the Western powers by Edward Snowden's revelations about the unbridled data snatching by U.S. intelligence agencies may soon give way to the exigencies of fighting a common enemy.

"After the Paris terror attacks, governments will be cooperating more closely," said Scott Borg, CEO and chief economist at the U.S. Cyber Consequences Unit.

"After the Snowden revelations and the posturing by European leaders, communications and cooperation between the various government intelligence agencies might have been impeded," he told TechNewsWorld.

"That may have been one of the factors that caused everyone to be taken by surprise by these last attacks," Borg said.

"No individual government can track ISIS adequately because of the way they operate across the Middle East and Europe," he added. "We very much need cooperation between governments of Europe and the American intelligence agencies to stay on top of what ISIS is doing."

Social Media as Evidence

Social media users not only have to worry about potential employers peeking at their Facebook and Twitter feeds, but now lawyers will be looking at them, too.

Starting Dec. 1, changes in the Federal Rules of Civil Procedure will require companies to retain social data for data governance and corporate compliance.

"What these new rules say is that organizations have an obligation to exercise reasonable preservation efforts," said Robert Cruz, senior director for information governance for Actiance.

"That sounds a bit nebulous, but it means organizations need to demonstrate that they've protected information that potentially would be involved in litigation when it arises," he told TechNewsWorld.

"This is a large area of legal risk," Cruz added. "Today, it's not just email. It's social media and all these other communications forms that companies have to be responsible for."

Overpreservation of Information

The idea that an organization can be too diligent in preserving information -- after all, if something isn't preserved, it can't be used as evidence later -- may be short-sighted.

"If you don't collect and store the information in a central location, and the court says, 'Give me everything you've got pertaining to this individual for the last year,' just because you're not storing in a central location does not remove the obligation to demonstrate the information isn't somewhere else," Cruz said.

"It would be very unusual for information not to exist someplace that then the company would be obligated to go off and find," he continued.

"Doing that would be much more expensive, much more inexact and much more difficult for the people going through that effort," Cruz said.

"Even if you say you're only keeping data for 30 days and then you delete everything, the likelihood is you'll find a copy of that information someplace. There will be some other business reason for that information to continue to exist," he added.

Breach Diary

  • Nov. 17. An hour before they were scheduled to testify on federal data breaches before the U.S. House Armed Services Committee, officials from the Office of Personnel Management, the Department of Homeland Security and the Office of Management and Budget cancel their appearance after learning testimony at the forum would be recorded.
  • Nov. 18. Georgia Secretary of State Brian Kemp reveals his office illegally disclosed Social Security numbers and other personal information of some 6.2 million registered voters in the state to 12 organizations that regularly subscribe to voter lists maintained by the state.
  • Nov. 18. Forty percent of companies expect an insider data breach in the next 12 months, according to a Clearswift survey. The survey of 500 IT decision-makers and 4,000 employees at companies around the world was performed by Loudhouse.
  • Nov. 19. The Federal Trade Commission reports Chief Administrative Law Judge D. Michael Chappell has dismissed an FTC complaint against LabMD alleging a data breach at the company resulted from failure to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information. The FTC failed to prove the alleged conduct caused substantial harm to consumers, he said.
  • Nov. 20. Starwood Hotels & Resorts Worldwide reveals data theft at the restaurant and gift shops at 54 of its locations over nearly eight months. The company did not reveal the number of patrons affected by the data breach.

Upcoming Security Events

  • Nov. 24-25. Cyber Impact Gateway Conference. ILEC Conference Centre and Ibis London Earls Court, London, UK. Registration: Before Oct. 9 -- end users, 1,799 pounds plus VAT; solution providers, 2,799 pounds plus VAT. Before Oct. 30 -- end users, 1,899 pounds plus VAT; solution providers, 2,899 pounds plus VAT. Standard -- end users, 1,999 pounds plus VAT; solution providers, 2,999 pounds plus VAT.
  • Dec. 3. Cloud Security Alliance Los Angeles Summit. Marina del Rey Marriott, 4100 Admiralty Way, Los Angeles. Registration: $96.59, plus $3.40 fee.
  • Dec. 4. Privacy & Europe: Debating the "Right to be Forgotten," Trans-Atlantic Data Flows, and the World's Toughest New Privacy Laws. Noon ET. Harvard Law School campus, Wasserstein Hall, Room 2009. RSVP to Harvard University Berkman Center for Internet & Society required.
  • Dec. 7-9. Gartner Identity & Access Management Summit. Caesars Palace, 3570 Las Vegas Blvd. South, Las Vegas. Registration: $2,695; public sector, $2.225.
  • Dec. 8. Threat Hunting with Bro, Sqrrl and Reservoir Labs. 2 p.m. ET. Webinar sponsored by Sqrrl and Reservoir Labs. Free with registration.
  • Dec. 9. How Do You Really Know if Your DDoS Protection Solution Will Stop a DDoS Attack? 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.


John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

