Guest Author: John Sellers, Stealthwatch for Public Sector at Cisco.

Educational institution systems store a large amount of sensitive data, including student and employee records. They rely heavily on these systems for day-to-day operations. So any disruption or loss of access can be a game changer. But these same institutions also often have tight budgets and can’t afford to employ large security teams. That’s one reason they’re perceived as easy and lucrative targets by online adversaries.

A typical response may be to deploy multiple security technologies to block threats from entering your organization at various attack vectors, and you should continue to do so. However, just relying on these techniques isn’t enough since 100% prevention is not possible in today’s complex threat landscape. That’s where continuous monitoring of your network’s behavior comes in. By using this approach, you can help detect and respond to a ransomware attack more quickly and effectively.

How to stay ahead of cyber threats

Your network is a source-of-truth of every activity – normal or malicious. Adversaries must use your network in order to carry out their malicious objectives. Because of this, collecting and analyzing your network telemetry is an effective way of detecting advanced threats, like ransomware. Here’s how it helps you.

  • Detect threats early by pinpointing suspicious behavior. Ransomware attacks are generally initiated through methods like a phishing email or exploitation of a vulnerability. It might involve behavior such as port scanning, command-and-control (C&C) communication back to the attacker network, etc. Whatever means the attackers use, the activity touches the network. By using behavioral modeling, this kind of activity can be easily detected. You can also create custom security policy alerts to detect restricted communications such as use of SMB protocol, or access to sensitive data servers from outside the network. So even if the ransomware is an unknown strain and has infected the organization, the anomalous behavior will give the attackers away.
  • Correlate local alerts to global campaigns. Attackers often reuse ransomware strains to infiltrate multiple organizations. An effective network security analytics solution is powered by industry-leading threat intelligence that has the knowledge of all the malicious domains, servers, campaigns, and other indicators of compromise. Using multiple analytical techniques like statistical modeling and machine learning, billions of network sessions within your organization can be processed and correlated to global campaigns, in order to pinpoint attacks and then quickly remediate.
  • Perform forensic analysis for incident response. Your organization has been infected, and you have been immediately notified through alerts of the ransomware attack. Now what? Time is of the essence and your security teams need to answer questions like what machines have been infected, what was the source of the attack, and where are communications occurring? Because you have a record of every network communication, you can begin from the alert and investigate back in time to conduct a thorough forensic analysis to answer those questions and contain the ransomware.

Industry-leading network visibility and security analytics

The capabilities described above are offered by Cisco’s network traffic analysis solution, called Cisco Stealthwatch. It provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time.

By using a combination of behavioral modeling, machine learning, and global threat intelligence, Stealthwatch can quickly (and with high confidence) detect threats such as:

  • C&C attacks
  • Ransomware
  • DDoS attacks
  • Illicit cryptomining
  • Unknown malware
  • Insider threats.

With a single, agentless solution, you get comprehensive threat monitoring across your data center, branch, endpoint, and cloud. Plus, it can also analyze encrypted traffic for threats, without any decryption, using our proprietary Encrypted Traffic Analytics technology.

Network as a Sensor NaaS Educational IT education cybersecurity ransomware
Stealthwatch can detect ransomware hiding in encrypted traffic, and can also correlate it to global campaigns like WannaCry.

By deploying Stealthwatch, you can turn your network into a “threat sensor” by simply collecting telemetry such as NetFlow. And there is no need to deploy multiple agents. Stealthwatch can be deployed easily. Best of all, it scales automatically with your infrastructure, growing as your needs grow.

Next steps: