Why Security Logging Is Key to Ransomware Response
Security logging can help organizations recover from ransomware attacks – and even negotiate with attackers.
Security logging can make or break incident response and recovery for an organization that has suffered a ransomware attack. Effective forensics relies on visibility, and logging provides the insight that businesses need in the wake of an incident.
In a conversation on how logging can expedite forensics, and even support threat negotiations, Michael Rogers, director of technical advisory services at MOXFIVE, said, “It’s all too common where clients have logs but are unable to properly search them, or haven’t yet created alerts, which really reduces the value they are getting out of their security stack.”
Security logging can not only help to limit an incident ’s fallout, but it can arm organizations to better negotiate with bad actors. With clarity around what data has been taken, organizations can potentially push back against threat actors and minimize or avoid paying ransom altogether.
Cyber Insurance Covers Less, Ransoms Continue to Rise
“Clients impacted by ransomware can find themselves stuck in additional bottlenecks created by being unable to search for different types of logins for service accounts,” Rogers said. “For example, one organization would have had to trigger a full password reset and take the business down for an entire week if they hadn’t been logging.”
There was a time when companies would lean on cyber insurance coverage in the event of a ransomware attack. However, those times are not going to last for much longer as coverage becomes more prescriptive. Add in the cost of post-incident regulatory and compliance fees, the total cost of recovery continues to climb.
Rogers pointed to the havoc that ransomware attacks can unleash, which reinforces how logging protocols can make a difference.
When attacked, critical operations for a business can be down for five or more days, costing resources without revenue.
In addition to loss of revenue, customer service might not be able to perform important client outreach, which can ultimately damage your brand.
There might not be a way to mitigate damage to your brand because certain threat actors immediately publicize that they have your company data, completely forgoing negotiations.
Without network logs, you can’t see how much data was exfiltrated, which leads to paying a higher ransom demand due to the unknown details. Threat actors often exaggerate the amount of data they have.
Additional Network Challenges for Remote Workers
Maintaining logs for remote workers presents an addition challenge, as there can be limited visibility into remote users’ network activity.
In the event of a ransomware attack via a remote user, visibility is crucial to efficiently and effectively containing and recovering from the incident. Comprehensive endpoint logging plays a key role in enabling this visibility.
About the Author
You May Also Like