Ransomware is rampant in South Africa, and without the right tools and support in place, local organisations could lose this cyber crime battle.
This is according to Dr Pierre Jacobs, Head of Operations and Compliance at CyberAntix, a South African-owned SOCaaS provider.
CyberAntix, backed by NIL, a leading global security operations centre (SOC) provider, is seeing rapid growth on the back of an increase in ransomware attacks.
Jacobs says ransomware is impacting organisations across the board – from government and the financial sector, through to retail organisations. “In a ransomware attack, there are really only three things organisations can do to recover: look for a public decryptor, recover their data from backups or pay the ransom. But often public decryptors aren’t available, and backups are infected or not current, meaning that ransomware attacks will always have a negative impact. The most important measure organisations can take is to proactively protect and monitor the environment,” he says.
However, many organisations are vulnerable to attack due to improperly configured controls, unpatched systems, untrained staff and a lack of cyber security skills, he says.
“Key controls to protect against ransomware include technical controls such as anti-virus, EDRs, properly patched and configured systems and robust backups stored offsite and segregated from the network. In addition, organisations need admin and physical controls. Importantly, they need to proactively monitor the environment for signs of compromise,” he says.
These signs of compromise can include the exfiltration of large volumes of data, or rapid encryption of data. Jacobs says many organisations do not focus on data exfiltration when monitoring the environment for signs of compromise. “Exfiltration of data isn’t a well-known indicator. It is typically an IT security responsibility to track data exfiltration, but many organisations only review logs once a week, by which time it may be too late. Thanks to high bandwidth connections, attackers could exfiltrate huge volumes of data very quickly, and use this data for blackmail, or sell it online. To mitigate this risk, organisations need an SOC detecting these activities as they happen, and escalating them quickly,” he says.
With limited resources and cyber skills in short supply, few organisations have SOCs and cyber security teams large enough to proactively mitigate the risks, Jacobs says.
CyberAntix is investing heavily in skills development to meet soaring local demand for SOCaaS. Jacobs says: "We already have 19 skilled IT security engineers on our team, with ongoing upskilling and a growing internship programme to meet demand. It’s certainly the largest SOC I’ve been part of, and it’s still growing. Our engineers are so skilled, we have had to strengthen our retention policies to keep the rest of the industry from poaching them!” he says.
“One thing we do very well is the development of use cases to detect ransomware-related indicators of compromise and binding those to use cases. We then develop playbooks for each use case. This helps us to respond at machine speed to exfiltration activities or rapid encryption activity, with our SEIM – the security incident event monitoring tool. The SEIM assesses if conditions for the use case are met, an incident is created and it's thrown to the SOAR, which orchestrates and automates the response portion of the incident management chain.
“We are one of the first MSSPs in South Africa to make use of SIEM, SOAR, in-house playbooks and use cases, and we partake in red and purple team exercises with our clients. Our SLAs are also unique – we guarantee our clients will be informed within 15 minutes of high-priority incidents, with a remediation and containment plan within one hour,” he says.
Share