
Ransomware Risk Reduction Enhanced Managed ePO Service 1

Ransomware Risk Reduction Enhanced Managed ePO Service

I.T. Security Specialists

SERVICE OVERVIEW

The purpose of this document is to provide and explain the high-level concepts of the new “MSS Ransomware Risk Reduction” service. It briefly describes the overall process implemented in the service and the key points of the new enhanced Access Protection policy.

Caretower will configure a new set of user-defined Access Protection rules that will provide increased protection against ransomware infections. The rules will be based mostly on official McAfee recommendations and threat advisories.

The goal of this new configuration is to block the creation of specific file and registry indicators related to some common ransomware families. Additionally, part of the rules will restrict access to some of the most commonly used malware locations. This way we can interrupt the ransomware operation cycle and block the infection.

Service cycle (diagram):

1. Initial Setup: “Report” only
2. Monitoring phase
   • One month of monitoring
   • Daily reports with AP events
   • Exclusion configurations
3. “Block” Mode
   • Enabling the protection
   • Alternative policy for installation / upgrades
   • Issues reported to Caretower support
4. Policy Improvement
   • New AP rules
   • All new McAfee recommendations will be applied within a 2 weeks’ period
   • New rules will follow the same cycle

RANSOMWARE SERVICE IMPLEMENTATION PHASES

The service will be implemented in several stages:

Initial configuration (Report Only)

The McAfee Access Protection rules can be configured in two modes – “Report” and “Block”. During this stage all rules will be set to “Report” only, so that false positive detections and interruptions to business operations can be avoided.

Monitoring phase

There will be a monitoring period (at least 1 month) during which we will monitor the ePO for the events related to these rules and provide daily/weekly reports to the customer.

Based on the generated events, and after discussion with the customer, we will add exclusions to the rules in order to avoid any problems with regular company applications.

Block mode

At this point the Access Protection rules will be set to “Block”. This is the moment when the rules will actually start providing protection and blocking unwanted behaviour/indicators.

During this stage we will enforce the blocking policy on a small number of pilot systems provided by the customer, in order to monitor their behaviour and avoid any issues.

If any issues arise once the “Block” option is enforced, they can be reported to the Caretower support team so that we can create exclusions in the ransomware rules. A common scenario is installer/upgrade applications that unpack themselves into the “Local/Temp” folder: since access for applications running from this location will be restricted, there may be events related to legitimate applications that are unable to access certain files during an installation or upgrade.

We will create an additional tag/policy on the ePO that local IT support can use in such cases. If they face any issues during an installation/upgrade they can temporarily apply a policy with the ransomware rules set to “Report” only. It will last 24 hours and will be automatically switched back to the original policy by the ePO.

This way they will not interfere with the process (it should be noted that while this policy is applied the ransomware protection is switched off and the chance of infection increases).

Continuous policy improvement

Since ransomware threats are evolving constantly and there are new families/variants every day, we will continue adding new Access Protection rules based on their observed behaviour and other indicators of compromise. All new McAfee recommendations will be implemented in the customer’s environment within a two-week period.
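The staged rollout described above (Report only, monitoring with exclusions, Block mode, and the 24-hour installer fallback) can be modelled as a small rule evaluator. The following Python is an added illustration written for this page; it is not Caretower's or McAfee's code and it does not use the ePO API. Rule names, path and registry patterns, process names and events are constructed placeholders, and the assumption that exclusions are keyed by process image name is the author's simplification of how AP exclusions are expressed.

```python
# Added toy model of a staged Access Protection (AP) rollout; rule patterns,
# process names and events are constructed placeholders, not real indicators.
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

@dataclass
class Rule:
    name: str
    operation: str                # "execute", "create_file" or "write_registry"
    target_pattern: str           # glob over the path or registry key touched
    mode: str = "report"          # "report" logs the hit, "block" denies it
    excluded_processes: frozenset = frozenset()   # image names let through (assumed keying)

@dataclass
class Event:
    process: str                  # image name of the acting process
    operation: str
    target: str

def evaluate(rule, event):
    """Return "allowed", "reported" or "blocked" for one rule/event pair."""
    if event.operation != rule.operation:
        return "allowed"
    if not fnmatchcase(event.target.lower(), rule.target_pattern.lower()):
        return "allowed"
    if event.process.lower() in rule.excluded_processes:
        return "allowed"
    return "blocked" if rule.mode == "block" else "reported"

def apply_policy(rules, events):
    """Evaluate each event against the whole rule set; any block wins."""
    out = []
    for ev in events:
        verdict, matched = "allowed", None
        for rule in rules:
            v = evaluate(rule, ev)
            if v == "allowed":
                continue
            matched, verdict = rule.name, v
            if v == "blocked":
                break
        out.append((ev, matched, verdict))
    return out

def build_exclusions(report_results, approved_processes):
    """Monitoring phase: reported hits from customer-approved processes become per-rule exclusions."""
    exclusions = {}
    for ev, rule_name, verdict in report_results:
        if verdict == "reported" and ev.process.lower() in approved_processes:
            exclusions.setdefault(rule_name, set()).add(ev.process.lower())
    return exclusions

def promote_to_block(rules, exclusions):
    """Block mode: the same rules, now denying, with the agreed exclusions merged in."""
    return [Rule(r.name, r.operation, r.target_pattern, "block",
                 r.excluded_processes | frozenset(exclusions.get(r.name, ())))
            for r in rules]

def active_rules(block_rules, fallback_applied_at, now, ttl=timedelta(hours=24)):
    """Installer fallback: report mode (protection off) inside the 24h window, block mode after it."""
    if fallback_applied_at is not None and now < fallback_applied_at + ttl:
        return [Rule(r.name, r.operation, r.target_pattern, "report",
                     r.excluded_processes) for r in block_rules]
    return block_rules

# Constructed sample rules: a restricted "Local/Temp" location plus placeholder indicators.
REPORT_RULES = [
    Rule("exec-from-local-temp", "execute", r"C:\Users\*\AppData\Local\Temp\*"),
    Rule("ransom-note-create", "create_file", r"*\HOW_TO_RESTORE_FILES.txt"),
    Rule("ransom-registry-key", "write_registry", r"HKCU\Software\EXAMPLE_RANSOM_FAMILY\*"),
]
APPROVED_PROCESSES = {"vendor_updater.exe"}   # agreed with the customer during monitoring

# Constructed sample events, as endpoints would report them to ePO.
SAMPLE_EVENTS = [
    Event("vendor_updater.exe", "execute", r"C:\Users\bob\AppData\Local\Temp\upd\patch.exe"),
    Event("unknown.exe", "execute", r"C:\Users\bob\AppData\Local\Temp\x\payload.exe"),
    Event("unknown.exe", "create_file", r"C:\Users\bob\Documents\HOW_TO_RESTORE_FILES.txt"),
    Event("unknown.exe", "write_registry", r"HKCU\Software\EXAMPLE_RANSOM_FAMILY\id"),
    Event("winword.exe", "create_file", r"C:\Users\bob\Documents\report.docx"),
]

def run_rollout():
    """Stages: report only -> exclusions from monitoring -> block mode."""
    report_results = apply_policy(REPORT_RULES, SAMPLE_EVENTS)
    exclusions = build_exclusions(report_results, APPROVED_PROCESSES)
    block_rules = promote_to_block(REPORT_RULES, exclusions)
    return report_results, exclusions, block_rules, apply_policy(block_rules, SAMPLE_EVENTS)

def fallback_demo():
    """Verdict on the unknown.exe temp-execution event 1h and 25h after the fallback was applied."""
    _, _, block_rules, _ = run_rollout()
    applied = datetime(2024, 1, 1, 9, 0)
    during = apply_policy(active_rules(block_rules, applied, applied + timedelta(hours=1)), SAMPLE_EVENTS)
    after = apply_policy(active_rules(block_rules, applied, applied + timedelta(hours=25)), SAMPLE_EVENTS)
    return during[1][2], after[1][2]

if __name__ == "__main__":
    report, excl, _, block = run_rollout()
    print(excl, [v for _, _, v in report], [v for _, _, v in block], fallback_demo())
```

Running the script shows why the order of the stages matters: in the report stage every matching event, including the legitimate updater unpacking into Local/Temp, is only logged; the monitoring step turns the approved updater into an exclusion, so that in block mode it is allowed while the unknown process is denied on all three rules; and during the 24-hour fallback window the same unknown process is merely reported again, which is exactly the exposure the text warns about.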


WHY CARETOWER?

As an independent IT security specialist with over 17 years’ experience, we provide comprehensive solutions to individual problems, which allows our recommendations to be unbiased. Over the years we have quickly established many long-standing relationships with all of our vendors, achieving the highest status within these organisations based on the level of expertise within our internal sales, support and professional services teams.

This relationship ensures we provide our customers with the key changes within the industry, which assists their on-going security management strategy.

• Live global 24/7 Managed Service

• Experienced and certified security engineers

• Dedicated GIAC Certified Digital Forensic Security Engineers (SANS (SysAdmin, Audit, Networking, and Security) Institute)

• Full onsite and hosted architecture options, depending on your requirements

• We are a CSA (Cloud Security Alliance) member and ISO 27001 accredited

Get in touch:

020 8372 1000

[email protected]

www.caretower.com

NON DISCLOSURE STATEMENT

The information present in this document contains intellectual property rights and copyright which are proprietary to Caretower. The data should be treated as confidential and should not be used for any other purpose. It shall not be copied or disclosed to third parties in whole or in part without the prior written consent of Caretower.