During a ransomware attack, it is critical to detect and respond early and quickly. By decreasing your mean time to detection in identifying the attacker’s behavior, your security team can quickly investigate and respond timely to prevent a ransomware incident. And, if you can interrupt the attacker’s tools, tactics, or techniques early in the process that will force most attackers to abandon the campaign as they cannot progress further along in the “kill chain”.

MITRE maintains a kill chain framework known as MITRE ATT&CK®. The framework models tactics, techniques, and procedures used by malevolent actors. The Enterprise Matrix has categories for Windows, macOS, Linux, and Cloud.

To protect against a ransomware incident, it is important to interrupt the kill chain as early as possible. One way to make it radically simple and fast is to harness the power of XDR (eXtended Detection and Response).

XDR relies on the combination of three solutions to provide the greatest outcome:

  1. An endpoint detection and response (EDR) solution that detects threats across your environment. It investigates the entire lifecycle of the threat, providing insights into what happened, how it got in, where it has been, what it’s doing now, and how to stop it.
  2. A cloud-native integrated security platform that connects intelligent detections to confident responses across the security portfolio. Capabilities that are integrated within each products’ console.
  3. A network detection and response (NDR) solution that reduces false positives by enabling behavioral detection with agentless visibility across the network and cloud.

With the correct combination of those three solutions, organizations are witnessing better security outcomes such as:

  • A 72% reduction in dwell time: Eliminate investigation tasks and shorten the time spent on threat hunting and staying compliant.
  • 6-10 hours saved per incident: Reduce response time and improve end-user productivity by returning access to data faster.
  • 100% more visibility across the network: Detect and prioritize threats across your private network, public clouds, and even in encrypted traffic.
  • 85% reduction in incident response lifecycle: Expose, contain, and resolve threats and vulnerabilities with a coordinated defense.

Let’s take a deeper look at each of the components as it relates to detecting and responding to ransomware

Endpoint ransomware protection

Endpoint security should constantly monitor all endpoint activity, so it will see ransomware as it unfolds—it can then rapidly terminate the offending processes, preventing endpoint encryption, and stopping the ransomware attack in its tracks.

Cisco Secure Endpoint has several key features that help identify such an attack:

  • Exploit Prevention: Memory attacks can penetrate endpoints, and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes. The exploit prevention feature will defend endpoints from exploit-based, memory injection attacks.
  • Behavioral Protection: Secure Endpoint’s enhanced behavioral analysis continually monitors all user and endpoint activity to protect against malicious behavior in real-time by matching a stream of activity records against a set of attack activity patterns which are dynamically updated as threats evolve. For example, this enables granular control and protection from the malicious use of living-off-the-land tools.
  • Malicious Activity Protection: Secure Endpoint continually monitors all endpoint activity and provides run-time detection and blocking of abnormal behavior of a running program on the endpoint. For example, when endpoint behavior indicates ransomware, the offending processes are terminated, preventing endpoint encryption, and stopping the attack.
  • Orbital Advanced Search: Cisco Orbital is a service that uses Osquery to provide you and your applications with information about your hosts. Osquery exposes an entire operating system as a relational database that you can query with SQL to gather information about the host.
  • SecureX Threat Hunting: SecureX Threat Hunting is a proactive analyst-centric approach to detecting hidden advanced threats. This capability is offered exclusively as part of the new Premier license tier within Secure Endpoint. It tells the incident responders a narrative of how an attack was spotted or how it evolved and what to do next in terms of response.

In fact, during the most recent MITRE Engenuity ATT&CK Evaluation, Cisco scored impressive results in the key areas that would thwart ransomware attacks. Cisco Secure Endpoint recognized and stopped lateral movement automatically. Cisco Secure Endpoint’s advanced telemetry recognized and stopped suspicious file execution without human intervention. Cisco Secure Endpoint also identified unauthorized privilege escalation and discovered defense evasion techniques.

Ransomware investigation and response

The cloud-native integrated security platform must automatically collect and correlate data from multiple proprietary security components. XDR products are designed to alleviate challenges. They consolidate multiple vendor-specific security products into a cohesive security incident detection and response platform that is accessible to the mainstream market without extensive integration efforts.

Centralization and normalization of data improve detection by combining softer signals from more components to detect events that might otherwise be ignored. Detection across components can also detect tricky problems such as account takeover attacks, insider threats, and detecting incidents in IoT/ OT systems. Security can also be improved by enabling more rapid sharing of local IOC information among components to provide faster protection across all devices.

This improved correlation, context, and analytics lead to reduced security alerts requiring human intervention by automating actions and providing stronger pre-validation capabilities. With XDR you can now spend more time on incidents and less time on alerts that lack context.

Cisco SecureX is a cloud-native, built-in platform that connects our Cisco Secure portfolio and your infrastructure. It allows you to radically reduce dwell time and human-powered tasks. SecureX has several capabilities to assist organizations in preventing, detecting, and responding to ransomware attacks:

  • Integrations: SecureX has built-in turn-key integrations with Cisco Secure products and integrates with an extensive list of third-party solutions through built-in, pre-packaged, or custom integrations for a connected backend architecture and consistent frontend experience.
  • Ribbon: The SecureX ribbon is a transport framework for functionality: it allows you to take the capabilities of SecureX and integrated products with you when you pivot to any other product console. It helps share and maintain context, provides unified experiences, with broad response capabilities.
  • Dashboard: The SecureX dashboard is the first page users see upon logging in. It gives one view across your security infrastructure for unified visibility and aggregated, actionable intelligence across your security environment.
  • Threat Response: SecureX threat response is a core platform application that aggregates and correlates global intelligence and local context across Cisco Secure and third-party technologies, in one view – accelerating threat investigation and response.
  • Orchestration: SecureX orchestration with pre-built workflows aligned to common use cases and a no/low-code, drag-drop canvas to build your own workflows to eliminate friction in your processes and automate routine tasks.

Network ransomware protection

Your organization must know who is on your network and what they are doing using telemetry from your network infrastructure. Your security team must detect advanced threats and respond to them quickly all while protecting critical data with smarter network segmentation. Your security professionals need comprehensive visibility into all user and endpoint behavior both on- and off-premises. The solution needs to provide your security analysts the information they need to conduct more efficient and context-rich investigations into user machines that exhibit suspicious behavior.

Cisco Secure Network Analytics delivers an agentless network detection and response solution that monitors your network traffic and sees when something anomalous occurs—like a ransomware infection. Using multilayer machine learning and entity modeling to detect ransomware, you will be able to quickly accelerate your response to stop ransomware attacks.

Cisco Secure Network Analytics delivers real-time threat detection through:

  • Unknown threat detection: Identify suspicious behavioral-based network activity that traditional signature-based tools miss, such as communications and malicious domains.
  • Insider threat detection: Get alarmed on data hoarding, data exfiltration, and suspicious lateral movements.
  • Encrypted malware detection: Leverage multilayered machine learning and extend visibility into encrypted web traffic without decryption.
  • Policy violations: Ensure that security and compliance policies set in other tools are enforced.
  • Incident response and forensics: Respond quickly and effectively with complete knowledge of threat activity, network audit trails for forensics, and integrations with SecureX and other Cisco Secure solutions.

Bringing it all Together

As was stated earlier, “The whole is greater than the sum of its parts”.


  • being able to login to the SecureX platform to see the status of your entire network, with the ability to create playbooks and casebooks for investigation with a ribbon that follows you with context.
  • the SecureX console with automated orchestration automatically blocking threats and reducing the amount of time spent investigating and the total number of alerts received.
  • SecureX aggregating and correlating global intelligence and local context across Cisco Secure and third-party technologies, all within one view.
  • Cisco Secure Endpoint monitoring all endpoint activity and at the first sign of a ransomware attack having the ability to rapidly terminate the offending processes, preventing endpoint encryption, and stopping the ransomware attack in its tracks.
  • Cisco Secure Network Analytics delivering an agentless network detection and response solution that monitors your network traffic. And when something anomalous occurs, like a ransomware attack, it can identify suspicious behavioral-based network activity, such as communications and malicious domains, notify you through the SecureX console and automatically stop the attack through orchestration.

And lastly, imagine what your security outcome will look like with a massive reduction in the mean time to detection and the mean time to respond.

Next Steps

Gartner states that “XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.” What if the best-of-breed components all came from one company that delivers an XDR solution that truly protects against ransomware.

Sign up for free trials of the Cisco Secure XDR solution

Read more about Cisco’s XDR solution

Review our latest information on ransomware defense

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Adam G. Tomeo

Product Marketing Manager – Cisco Secure Endpoint

Security Marketing