Every enterprise, no matter how big or small, must have a ransomware detection and response solution in place. Otherwise, as one company recently learned, the consequences can be devastating.
This case study details the journey of a small circuit board manufacturing company in its search for a ransomware defense solution. It details how, in the aftermath of a ransomware attack, the company chose a high-profile cybersecurity vendor to save the day, only to realize a well-known brand is not always the best choice.
For small- and medium-sized businesses (SMBs), what really matters when selecting anti-ransomware technology?
There are three key areas:
- Comprehensive coverage of the IT estate, including across endpoints, networks, cloud, and email
- Technology that can quickly identify threats, prioritize the most important ones, and limit noise, allowing IT administrators to focus on what is most important without feeling overwhelmed
- Support that quickly resolves incidents and instills confidence that even in the worst-case scenario, a trusted partner will be there when it counts
In all these areas, Field Effect proved it could deliver for its client.
- Take a breath: In the immediate aftermath of a ransomware attack, it is exceedingly challenging to make good decisions. The pressure to understand the scope of an incident, prevent further attacks, repair the damage, keep the business running, and make high-stakes decisions about what to do next can be overwhelming. IT organizations of all sizes should prepare for such an incident well in advance, querying their current cybersecurity providers to ensure they are well-versed in both ransomware prevention and response activities.
- Biggest is not always best: Buyers often gravitate toward the biggest names in cybersecurity, when in reality, these vendors are often not incentivized to provide technology and support to SMBs in the same way they do for large enterprises. SMBs should consider the broad spectrum of anti-ransomware vendors, even those that may not yet be well-known across the industry.
- Technology alone is not enough: Increasingly, threat detection, investigation, and response (TDIR) operations require some level of managed services. Vendors are increasingly offering what Omdia refers to as guided security services—a “lite” service option emphasizing co-managed solutions and on-demand support. SMBs should strongly consider such offerings.
Using Field Effect Covalence to prevent ransomware and other cyberattacks
Ransomware and small businesses: A cautionary tale
Ransomware is a confoundingly difficult problem for enterprises of all sizes.
Ransomware is a type of malware that applies malicious encryption to a target system's files for the purpose of extortion. It has surged in recent years to become arguably the top cybersecurity threat facing enterprises. Adversaries have widely adopted this low-cost cyberattack technique to convince victims to pay handsomely for the decryption of their files. These attacks can not only instantly cripple business operations, but are also designed to pressure targets into quickly paying the ransom fee. One vendor study shows that the average cost of dealing with and recovering from a ransomware attack can range as high as seven times the cost of the ransom payment itself.
Ransomware attacks also show no sign of slowing. According to Verizon’s 2022 Data Breach Investigations Report (DBIR), data breaches caused by ransomware grew by 13% year-over-year (YoY) in 2021—an increase exceeding that of the prior five years combined.
Therefore, it is no surprise that enterprises worldwide are desperate for ransomware defense solutions that prevent worst-case scenarios from playing out. However, does a ransomware solution truly exist that can be both affordable and manageable for smaller organizations? Ransomware often does not discriminate between the largest multinational conglomerates, the smallest mom-and-pop local businesses, and all the organizations in between. Yet, these companies differ vastly in their business requirements, enterprise IT architecture footprints, and the breadth and depth of cybersecurity solutions they can afford.
Royal Circuits Solutions is one of hundreds of thousands of companies that suddenly found itself in need of defense against ransomware.
Based in Hollister, California, the 200-employee company manufactures printed circuit board prototypes and, like many other SMBs, operates on a shoestring IT budget. It had not been paying much attention to the threat of ransomware (or any other cybersecurity concern).
However, one day in September 2019, its priorities changed in an instant.
Royal Circuits was hit with a ransomware attack that, in a matter of minutes, brought the entire organization to a near standstill. While the attack source was never confirmed, its implications were immediately apparent. The company's survival depends on its ability to quickly respond to customer needs. Its specialty is designing and developing custom circuit boards, often with lightning-fast turnarounds, taking as little as 24 hours for intricate, custom jobs.
When the ransomware spread, Royal Circuits’ ability to conduct nearly all its key business processes, including manufacturing operations, was essentially shut down; the financial impact was felt immediately.
“We were caught completely off-guard,” said Jacob Scagliotti, IT operations manager for Royal Circuits. Scagliotti was brought in shortly after the attack to manage the company’s recovery efforts and design and implement a new cybersecurity strategy. “When I came in, we had a hodgepodge of protections—a lot of free stuff combined with some old Trend Micro solutions, most of which had expired long ago.”
To Scagliotti, it was clear that Royal Circuits needed a new cybersecurity technology provider—one that could ensure ransomware would no longer endanger the company. However, as Scagliotti and Royal Circuits would learn, finding a right-sized ransomware protection solution for an SMB was more difficult than it seemed.
An ill-fitting cybersecurity solution
When Scagliotti joined Royal Circuits in the aftermath of the company’s ransomware attack, he immediately knew time was not on his side. Royal Circuits had a twofold problem: it not only needed help to clear out ransomware that it could not address on its own, but it also had to quickly purchase and implement a new solution in case the adversary decided to strike again.
“When I came in, I could tell we had a barn door-sized security hole,” Scagliotti said. “There were shared passwords, elevated privileges everywhere—nothing was locked down, no restrictions on anything. There were so many different points where we could've been attacked. We decided not to look backward, but instead we decided to focus on closing the door.”
Scagliotti instantly started shopping for new cybersecurity technology that could address the company’s gaps. However, the urgency of the situation prevented a detailed look at the cybersecurity technology landscape. This would ultimately prove costly for Royal Circuits.
The company soon gravitated toward CrowdStrike and its Falcon endpoint platform. CrowdStrike's well-known brand carried much weight among Royal Circuits’ decision makers. While Scagliotti had not researched the solution himself, he had several business contacts who either worked at CrowdStrike or had used its technology and spoke highly of what it could do. Perhaps most importantly, Scagliotti was confident he could get his CEO to quickly sign off on the purchase.
Scagliotti recounted: "Basically [the executives] came to me, they said, ‘We're thinking about CrowdStrike,’ and I just said, ‘Yes, it's good, let's get it in here.’”
Unfortunately for Scagliotti and Royal Circuits, what was supposed to be a comprehensive cybersecurity solution in Falcon merely created a new set of problems.
The first of those problems appeared right away—the cost of Royal Circuits’ one-year deal for Falcon was just over $50,000, which was by far the most the company had ever paid for a cybersecurity solution. Yet, the purchase seemed reasonable at face value, considering the solution offered comprehensive endpoint protection and threat detection, including ransomware mitigation.
However, Scagliotti soon learned that, at that time, CrowdStrike's smallest licensing package included coverage for 300 seats; Royal Circuits only had about half that many endpoints. As a result, the company was paying for nearly twice as much protection as it needed.
“A good 150 of those seats sat dormant—they weren't used for that whole year,” Scagliotti said. “That was a hard pill to swallow.”
In addition, while Falcon had remediated Royal Circuits’ outstanding ransomware issues and worked well on its traditional endpoints, Scagliotti realized the company was still exposed. Its manufacturing systems relied on various IoT systems, many of which did not support an endpoint security client.
“Falcon wasn’t covering our network, our cloud systems, or my Office 365 accounts. I was flying blind with all of that,” Scagliotti said. “That was alarming to me because I had no idea if someone was plugging in a USB thumb drive somewhere and taking gigs and gigs of data or uploading it to Dropbox. We needed to protect against those attack vectors, and with Falcon, we weren’t.”
Furthermore, cybersecurity was not Royal Circuits’ only concern. As a circuit board manufacturer, the company is subject to various regulatory requirements, including the International Traffic in Arms Regulations (ITAR), which regulates the export of defense and military-related technologies made in the US. To comply with ITAR, Royal Circuits needed a solution that would also provide comprehensive data protection across its hybrid IT estate, including email systems. Once again, Falcon was falling short.
A new search begins: Enter Field Effect
In mid-2020, when Royal Circuits’ one-year contract with CrowdStrike was about to end, Scagliotti saw an opportunity to turn the page. Falcon was not meeting Royal Circuits’ cybersecurity needs, and was costing too much to boot. As a result, Scagliotti began a new search for a more comprehensive and affordable cybersecurity solution.
Early on, Darktrace was the frontrunner in his search. The multifaceted enterprise threat detection specialist aggressively courted Royal Circuits, delivering detailed sales demos and open access to its field engineers. Soon, its Enterprise Immune System (EIS) was deployed across Royal Circuits on a free one-month trial.
Scagliotti was impressed by the breadth of functionality Darktrace offered, but the solution was even more expensive than CrowdStrike’s. While the EIS offered cloud and network monitoring, it did not cover endpoints (Darktrace partners with Zscaler for endpoint security), meaning an additional solution purchase and deployment would be required. In addition, as the organization learned the hard way with CrowdStrike, there was something to be said for an SMB-centric solution—one designed for and operated by an organization with few IT staff and limited security expertise.
“Darktrace was very cool, exciting, but for me, not being from a security background, I'd quickly get lost and confused in the system,” Scagliotti said. “I'd get an alert, click a couple things, and then I was lost. I couldn't understand what it wanted me to do.”
Once it became clear that Darktrace was not the answer, Scagliotti broadened his search. Before long, he discovered Field Effect, an upstart Canadian cybersecurity provider.
Founded in 2016, Field Effect is a managed threat detection and response (MDR) specialist focused on making enterprise-grade cybersecurity attainable for companies of all sizes.
Its Covalence platform offers TDIR functions and is, at its core, a managed endpoint detection and response (managed EDR) solution covering Windows, Mac, and Linux. Covalence also includes natively integrated cloud and network sensors, delivering a comprehensive offering that mirrors emerging managed extended detection and response (managed XDR) solutions.
Field Effect Covalence: Understanding the architecture
Unlike many cybersecurity vendors and managed security service providers (MSSPs) that have assembled their solution stacks through acquisitions and integrations, Field Effect built its Covalence architecture from the ground up.
The solution’s Covalence Endpoint component combines next-generation antimalware and EDR capabilities in a unified agent that also monitors every CPU cycle and byte of memory across covered endpoints, providing real-time visibility over endpoint activity. Its proactive defense capabilities detect and block five distinct but common adversarial action types:
- File system access
- Network connections
- Windows registry access
- Process and thread creation
- Kernel module loading
In addition, by taking a unique adaptive approach, the Covalence endpoint agent can determine the specific characteristics of an endpoint and eliminate excess use of rules- and analytics-based detection, thereby improving performance and preventing adversaries from attempting to exploit unnecessary rules. While other EDR solutions commonly use process shortcuts such as the unscanned loading of certain DLL files, which inadvertently create openings for adversaries to exploit, Field Effect closes these doors with a patent-pending adaptive, per-host profiling engine. This engine conducts a real-time analysis of the host’s software configuration, intended purpose on a network (i.e., workstation vs. server), and end-user behavior to identify and enable the ideal set of policies applicable for each individual host.
Given the importance of ransomware defense, Covalence Endpoint offers a series of advanced anti-ransomware features. The unique heuristics in its adaptive policy engine offer definitive recognition of activities and patterns indicative of ransomware. It is a signature-free approach to recognizing and blocking ransomware before it is ever deployed on a target system.
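The paragraph above describes the anti-ransomware detection only as "signature-free heuristics" over endpoint activity. The following is an added illustration, not Field Effect's code and not a description of how Covalence is implemented: it shows one common form such a heuristic takes, scoring each process over a sliding window on three behavioural features visible in file-system telemetry (near-random write content, renames to unfamiliar extensions, and spread across directories) with no file hash or byte signature involved. The event format, thresholds, extension allow-list and the sample telemetry are all constructed for the example.

```python
import math
import os
import random
from collections import defaultdict, deque
from dataclasses import dataclass

HIGH_ENTROPY = 7.0   # bits per byte; plaintext documents and CAD exports sit well below this
KNOWN_EXTS = {".txt", ".pdf", ".docx", ".xlsx", ".gbr", ".drl"}   # constructed allow-list


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a hypothetical endpoint agent might report it."""
    ts: float           # seconds since start of capture
    pid: int
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # bytes written (write events only)
    new_path: str = ""  # destination (rename events only)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 is uniform random, i.e. ciphertext-like."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect(events, window=10.0, min_writes=20, min_renames=20, min_dirs=5):
    """Return {pid: detection_ts} for processes whose recent activity looks like bulk encryption.

    Per process, a sliding window of `window` seconds is kept and three features are
    counted: high-entropy writes, renames to an extension outside the allow-list, and
    distinct directories touched. All three must cross their threshold together, so a
    backup tool (many writes, one directory) or an archiver (high entropy, few renames)
    does not trip it on its own.
    """
    recent = defaultdict(deque)   # pid -> deque of (event, is_hi_write, is_odd_rename)
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in verdicts:
            continue   # already flagged; a real agent would have blocked the process by now
        hi_write = ev.op == "write" and shannon_entropy(ev.data) >= HIGH_ENTROPY
        odd_rename = (ev.op == "rename"
                      and os.path.splitext(ev.new_path)[1].lower() not in KNOWN_EXTS)
        q = recent[ev.pid]
        q.append((ev, hi_write, odd_rename))
        while q[0][0].ts < ev.ts - window:
            q.popleft()
        writes = sum(1 for _, w, _r in q if w)
        renames = sum(1 for _, _w, r in q if r)
        dirs = {os.path.dirname(e.path) for e, _, _ in q}
        if writes >= min_writes and renames >= min_renames and len(dirs) >= min_dirs:
            verdicts[ev.pid] = ev.ts
    return verdicts


def sample_events():
    """Constructed telemetry: one benign CAD export and one process behaving like an encryptor."""
    rng = random.Random(7)   # seeded so the sample is deterministic
    events = []
    for i in range(5):       # pid 1200: a few plaintext Gerber files in a single job directory
        events.append(FileEvent(ts=i * 0.5, pid=1200, op="write",
                                path=f"/srv/jobs/j42/layer{i}.gbr",
                                data=b"G04 Gerber layer export*\n" * 40))
    t = 2.0                  # pid 4471: overwrite with random bytes, then rename, across six directories
    for i in range(30):
        src = f"/srv/jobs/j{i % 6}/board{i}.gbr"
        blob = bytes(rng.getrandbits(8) for _ in range(512))
        events.append(FileEvent(ts=t, pid=4471, op="write", path=src, data=blob))
        events.append(FileEvent(ts=t + 0.05, pid=4471, op="rename", path=src,
                                new_path=src + ".locked"))
        t += 0.2
    return events


if __name__ == "__main__":
    for pid, ts in detect(sample_events()).items():
        print(f"pid {pid} flagged at t={ts:.2f}s")
```

The detection fires on the twentieth rename, about four seconds into the constructed burst, while the benign exporter is never flagged. Tuning is the whole game with heuristics of this kind: the thresholds here are deliberately strict, and a production agent would combine them with the per-host profiling described above so that, say, a file server's backup job gets a different baseline from a workstation.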
Covalence Endpoint’s other key features include proactive exploit detection, host network isolation, roaming DNS firewall, integrated data loss prevention (DLP), performance tracking, and automatic updates.
Optionally, Covalence Network Sensor and Covalence Cloud Sensor components also support the endpoint. Network Sensor is a physical or virtual appliance deployed on the customer network using machine learning-powered anomaly detection, supported by expert human analysts, to identify anomalous network activity. It can process up to 10 Gbps of network traffic, offering targeted traffic inspection for web browser network streams or DNS lookups to identify malicious activity on a network before it ever reaches the host level. Cloud Sensor, on the other hand, is deployed in a customer's hybrid cloud environment to monitor select cloud resources (including Microsoft 365, Google Workspace, Microsoft Azure, Amazon Web Services, Dropbox, Box.com, and more) and identify anomalous activity. It is especially useful for identifying hard-to-detect activity such as suspicious logins; Cloud Sensor can evaluate suspicious logins based on key criteria and query endpoint activity to determine if the login is valid. If found invalid, Covalence can block the login or temporarily freeze the account.
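The "query endpoint activity to determine if the login is valid" step above is the interesting part of cloud login monitoring, so here is an added worked example of that correlation. It is not Field Effect's code and does not describe Covalence's actual criteria: the policy (a login is accepted when a managed endpoint had the same user signed in from the same egress IP at the time; otherwise it is frozen on a rapid country change or merely alerted on), the record formats, and the sample logins and sessions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CloudLogin:
    """A sign-in event as a cloud provider's audit log might report it (constructed format)."""
    user: str
    ts: datetime
    src_ip: str
    country: str       # from the provider's geo lookup of src_ip


@dataclass(frozen=True)
class EndpointSession:
    """An interactive session observed by a hypothetical endpoint agent."""
    user: str
    host: str
    start: datetime
    end: datetime
    egress_ip: str     # public IP the agent saw the host using during the session


def corroborated(login, sessions, slack=timedelta(minutes=5)):
    """Return the endpoint session that vouches for this login, or None."""
    for s in sessions:
        if (s.user == login.user and s.egress_ip == login.src_ip
                and s.start - slack <= login.ts <= s.end + slack):
            return s
    return None


def evaluate(logins, sessions, travel_window=timedelta(hours=1)):
    """Classify each login as 'allow', 'freeze' or 'alert' (constructed policy).

    allow  : a managed endpoint corroborates the login (same user, same egress IP, same time)
    freeze : no corroboration and the user appeared in a different country within travel_window
    alert  : no corroboration but nothing else suspicious; an analyst should look
    """
    decisions = []
    last_seen = {}   # user -> (ts, country) of the most recent login processed
    for login in sorted(logins, key=lambda l: l.ts):
        session = corroborated(login, sessions)
        if session is not None:
            decision = "allow"
            reason = f"matches session on {session.host} via {session.egress_ip}"
        else:
            prev = last_seen.get(login.user)
            if prev and prev[1] != login.country and login.ts - prev[0] <= travel_window:
                decision = "freeze"
                reason = f"{prev[1]}->{login.country} within {travel_window}, no managed endpoint"
            else:
                decision = "alert"
                reason = "no managed endpoint corroborates this login"
        decisions.append((login, decision, reason))
        last_seen[login.user] = (login.ts, login.country)
    return decisions


def sample_data():
    """Constructed data using documentation IP ranges (TEST-NET-1/2/3)."""
    day = datetime(2024, 3, 4)
    sessions = [
        EndpointSession("alice", "ws-07", day.replace(hour=8, minute=30),
                        day.replace(hour=17), "203.0.113.10"),
    ]
    logins = [
        CloudLogin("alice", day.replace(hour=9), "203.0.113.10", "US"),          # from her workstation
        CloudLogin("alice", day.replace(hour=9, minute=20), "198.51.100.7", "NL"),  # no endpoint, new country
        CloudLogin("bob", day.replace(hour=10), "192.0.2.44", "CA"),             # no endpoint, nothing else
    ]
    return logins, sessions


def sample_decisions():
    return [decision for _, decision, _ in evaluate(*sample_data())]


if __name__ == "__main__":
    for login, decision, reason in evaluate(*sample_data()):
        print(f"{login.ts:%H:%M} {login.user:6} {login.src_ip:15} {login.country} -> {decision}: {reason}")
```

The endpoint correlation is what turns a noisy "new location" signal into a decision: the first login is silently accepted because the agent on ws-07 saw the same user behind the same IP, the second is frozen because the user cannot be in two countries twenty minutes apart with no managed device in sight, and the third is only raised to an analyst because a single uncorroborated login is ordinary for an unmanaged device.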
All three telemetry-gathering components feed data into the Covalence Server, a proprietary turnkey on-premises or virtual appliance that takes in endpoint and sensor telemetry, applies machine learning and discrete analytics, manages threat detections and response actions, and enables data privacy and other compliance assurance activities. The Covalence architecture is co-managed by Field Effect and its customers using the Covalence Dashboard web portal.
Covalence’s greatest point of differentiation from other TDIR solutions lies in a concept Field Effect refers to as Actions, Recommendations, and Observations (AROs). To avoid generating an overwhelming number of event alerts as with most TDIR solutions, Covalence automatically sorts, groups, and prioritizes events to group related activity, eliminate redundant alerts, and mute or automatically resolve easy-to-fix or insignificant events. As a result, instead of dozens (if not hundreds) of alerts per day, Covalence customers typically receive only a few AROs per month, making security more manageable for enterprises of all sizes.
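The ARO mechanism above is described in outcome terms (a few AROs per month rather than hundreds of alerts a day). As an added example of the kind of triage pipeline that produces such a reduction, and not Field Effect's code or a description of how Covalence classifies events, the block below takes a constructed stream of raw detections, folds repeats of the same rule on the same host within a time window into one item, closes low-severity items that have a known automatic fix, and labels what remains as an Action, Recommendation or Observation by severity. Rule names, severities, the auto-resolve table and the sample alerts are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RawAlert:
    """One raw detection as a sensor or agent might emit it (constructed format)."""
    ts: int        # seconds since start of the day
    host: str
    rule: str
    severity: int  # 1 (informational) .. 10 (critical)


# Constructed: low-severity rules the platform closes itself, and the fix it applies
AUTO_RESOLVE = {"outdated-browser": "agent pushed the pending browser update"}


def kind_for(severity):
    """Map a severity to the three ARO classes: what to do, what to consider, what to know."""
    if severity >= 8:
        return "Action"
    if severity >= 4:
        return "Recommendation"
    return "Observation"


def triage(alerts, window=3600):
    """Collapse raw alerts into AROs.

    Returns (aros, auto_resolved). Alerts for the same (host, rule) pair are merged as long
    as each arrives within `window` seconds of the previous one; a quiet gap starts a new
    ARO. Low-severity alerts with a known fix are resolved and never reach the analyst.
    """
    groups = {}   # (host, rule) -> the open ARO for that pair
    aros, resolved = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.rule in AUTO_RESOLVE and a.severity < 4:
            resolved.append((a, AUTO_RESOLVE[a.rule]))
            continue
        key = (a.host, a.rule)
        g = groups.get(key)
        if g is None or a.ts - g["last"] > window:
            g = {"host": a.host, "rule": a.rule, "count": 0,
                 "first": a.ts, "last": a.ts, "severity": a.severity}
            groups[key] = g
            aros.append(g)
        g["count"] += 1
        g["last"] = a.ts
        g["severity"] = max(g["severity"], a.severity)   # escalate if a later repeat is worse
        g["kind"] = kind_for(g["severity"])
    return aros, resolved


def sample_alerts():
    """Constructed day: 40 raw alerts from a small fleet."""
    alerts = [RawAlert(36000 + 50 * i, "ws-07", "credential-dump-attempt", 9) for i in range(12)]
    alerts.append(RawAlert(37000, "srv-files", "smb-signing-disabled", 5))
    alerts += [RawAlert(30000 + 10 * i, f"ws-{i:02d}", "outdated-browser", 2) for i in range(25)]
    alerts += [RawAlert(40000, "ws-03", "new-usb-storage", 3),
               RawAlert(40300, "ws-03", "new-usb-storage", 3)]
    return alerts


if __name__ == "__main__":
    aros, resolved = triage(sample_alerts())
    print(f"{len(sample_alerts())} raw alerts -> {len(aros)} AROs, {len(resolved)} auto-resolved")
    for g in aros:
        print(f"  {g['kind']:14} {g['host']:10} {g['rule']:24} x{g['count']}")
```

Forty raw alerts become three items for a human: one Action (twelve repeats of a critical rule on one host, shown once with a count), one Recommendation, and one Observation, with the 25 browser-update nags closed automatically. The design choice worth noting is that grouping is keyed on host and rule rather than on alert text, so the count itself becomes evidence, and that severity is re-evaluated on every merge so a group can only escalate, never quietly downgrade.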
Furthermore, Covalence can be configured to support a customer’s desired level of response automation. Using a feature called Active Response, a protected endpoint can be configured to issue alerts or automatically block various types of suspicious or malicious activity, based on the type and severity of an event.
Because the Covalence solution is delivered as a managed service, software updates and new detections are automatically delivered and the entire TDIR lifecycle is supported by a highly trained and experienced team of Field Effect managed security service experts. When needed, they can assist with incident analysis and response activities, conduct threat hunting, provide software and hardware assurance, and offer other related solution support.
Royal Circuits and Field Effect: A perfect match
Back at Royal Circuits, it did not take long for Scagliotti to realize Field Effect offered everything he was looking for. It was an endpoint-centric solution, but also protected the network and the cloud, including his Microsoft 365 accounts. The interface was intuitive and easy to use, and having the entire solution backed up by a dedicated managed security services team gave Scagliotti confidence that he would not be alone in the event of another cyberattack.
“With Field Effect, it was easy to go to my CEO and say, ‘We can pay over $50,000 again for Falcon, or we can pay less than half that for Covalence and get much better protection,’” Scagliotti said. “I told him it was going to be great, and he said, ‘OK, let’s do it.’”
The deployment, Scagliotti said, was easy. Within hours, Royal Circuits had Covalence running on its network and all endpoints with network and cloud sensors deployed, and the Covalence Server was as simple as plug-and-play. In just a weekend, Royal Circuits had Covalence fully up and running, with no IT network downtime or disruption to its operations.
Scagliotti’s biggest concern was whether Covalence’s ARO system would really prevent the deluge of threat alerts common to nearly all other TDIR solutions, especially now that Covalence would be monitoring his network and cloud environments as well. Alert fatigue had been one of his major issues with Falcon, which constantly issued alert emails (many of them redundant), making it difficult to distinguish minor alerts from those requiring urgent action.
With Field Effect, Scagliotti receives far fewer alerts—only about a dozen per month. Most minor issues are automatically taken care of, and the alerts he does receive are easy to understand. They highlight the threat level while providing clear details and guidance on what to do.
“Every alert so far has been a legitimate, high-priority issue,” Scagliotti said. “I can look at it right on my phone if I’m away from the office and see if it’s something I need to act on immediately. It’s been a great tool, easy for me to follow, and gives me exactly the steps I need to take to fix it.”
Furthermore, Scagliotti said the Field Effect support has been superb. On the few occasions when he has needed support, getting it has just required going into the Covalence Dashboard, raising a ticket, and detailing the issue. Field Effect security analysts consistently respond within minutes, quickly resolving issues each time.
Scagliotti also quickly learned that he can count on Field Effect when things go wrong.
Recently, Royal Circuits experienced an odd malfunctioning of some new IoT-enabled drilling machines used in the circuit board manufacturing process. The machines were resetting and losing sensitive configuration settings in a way that suggested a potential software supply chain compromise was taking place.
Scagliotti reached out to Field Effect for help to investigate the issue. Two hours later, the Field Effect team had responded with a detailed analysis of all log files from the drilling machines, showing no signs of external tampering. It turned out the problem was an ill-timed Windows update reboot that Scagliotti could quickly mitigate, thereby keeping his manufacturing team on schedule.
Royal Circuits is now in the middle of a three-year contract with Field Effect; Scagliotti said the contract is one of the best decisions he ever made.
“Every security problem I have now, they either see it coming, or I mention to Field Effect and they say, ‘We’re on it, we’ll protect you, you don’t have to worry about it,’” Scagliotti said. “The owner of the company came to me and asked me if I can sleep at night, and I said, ‘With Field Effect, I can.’ And he said, ‘Well if you can, then I know I can too!’”
Omdia case studies leverage in-depth interviews with key stakeholders as well as a review of any available documentation such as strategic planning, RFP, implementation, and program evaluation documents.
Reference: “Behind the curtains of the ransomware economy – The victims and the cybercriminals,” Check Point, retrieved June 2022.
About the author
As Managing Principal Analyst, Eric Parizo oversees research quality, innovation, and staff development within the Omdia Cyber research group. He provides thought-leading analysis on technologies, trends, and innovations in enterprise security operations centers (SOCs), and specifically the threat detection, investigation, and response (TDIR) lifecycle.
Omdia is a market-leading data, research, and consulting business focused on helping digital service providers, technology companies, and enterprise decision-makers thrive in the connected digital economy. Through our global base of analysts, we offer expert analysis and strategic insight across the IT, telecoms, and media industries.
About Field Effect
Field Effect, a global cyber security company, is revolutionizing the industry by bringing advanced cyber security solutions and services to businesses of all sizes.
After years of research and development by the brightest in the business, we have pioneered a holistic approach to cyber security. Our complete Managed Detection and Response (MDR) solution, flexible simulation-based training platform, and expert-led professional services form a unified defence that results in superior security, less complexity, and immediate value.
We build solutions that are sophisticated, yet easy to use and manage, so every business owner can get the hands-free cyber security they expect and the sleep-filled nights they deserve.