Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user’s critical data is encrypted so that they cannot access their files, and a ransom is demanded in exchange for restoring access to them.

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys: one to encrypt a file and the other to decrypt it. The public-private key pair is generated by the attacker uniquely for each victim, and the private key needed to decrypt the files is kept on the attacker’s server. The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without the private key, it is nearly impossible to decrypt the files that are being held for ransom.
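The encryption described above leaves a measurable trace on disk: readable documents are overwritten, in rapid succession, with data that is statistically indistinguishable from random bytes. The following is an added example (not part of the original article) of the kind of heuristic an endpoint or file-server monitor uses to catch that pattern: it scores each write by Shannon entropy and alerts when a burst of low-entropy-to-high-entropy rewrites lands inside a short window. The file events, thresholds and the `detect_bursts` function are all constructed for this illustration.

```python
import hashlib
import math
from collections import Counter

# Tunables (assumed values for this example; a real deployment would calibrate them).
ENTROPY_THRESHOLD = 7.0   # bits per byte; text and office documents sit well below this
WINDOW_SECONDS = 10       # how long a burst of rewrites may span
BURST_THRESHOLD = 5       # suspicious rewrites inside one window before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(before: bytes, after: bytes) -> bool:
    """A write looks like encryption when readable content is replaced by near-random bytes."""
    return shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after)


def detect_bursts(events):
    """events: iterable of (timestamp_seconds, path, before_bytes, after_bytes), sorted by time.

    Returns the timestamps at which BURST_THRESHOLD suspicious rewrites occurred
    within WINDOW_SECONDS; a single rewrite (e.g. a user zipping one file) never alerts.
    """
    alerts = []
    recent = []  # timestamps of suspicious writes still inside the window
    for ts, _path, before, after in events:
        if not is_suspicious_write(before, after):
            continue
        recent.append(ts)
        recent = [t for t in recent if ts - t <= WINDOW_SECONDS]
        if len(recent) >= BURST_THRESHOLD:
            alerts.append(ts)
            recent = []  # reset so one burst yields one alert
    return alerts


# Constructed sample data: a plain-text document and 4 KiB of pseudo-random bytes
# (a SHA-256 chain stands in for ciphertext so the example is deterministic and offline).
PLAIN_DOC = b"Quarterly report: revenue grew 4% on stable margins. " * 50
RANDOM_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))


def sample_events():
    """A normal edit, a normal save, then six files rewritten with random bytes in six seconds."""
    events = [
        (10, "/home/u/notes.txt", PLAIN_DOC, PLAIN_DOC + b" Added a line."),
        (50, "/home/u/todo.txt", PLAIN_DOC, PLAIN_DOC[:-20]),
    ]
    for i in range(6):
        events.append((100 + i, f"/home/u/doc{i}.docx", PLAIN_DOC, RANDOM_BLOB))
    return events


if __name__ == "__main__":
    print("alerts at:", detect_bursts(sample_events()))
```

The entropy test alone is a weak signal, since compressed archives, images and already-encrypted files are legitimately high-entropy; the burst requirement is what separates an attack from a user zipping a folder, and production tools add further context such as extension changes, ransom-note file names and the writing process's identity.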

Security policies

Security policies typically look at information assets through the lens of protecting confidentiality, integrity, and availability. Organizations that follow standards such as ISO 27001 should generally have policies that address the following information security management functions:

  • Access control
  • Asset management
  • Business continuity
  • Communications security
  • Compliance
  • Cryptography
  • Human resources security
  • Incident response
  • Operational security
  • Physical and environmental security
  • Supplier relationships

While the list above is not exhaustive, the idea is that a solid policy framework will address people, process, products and technology, and partners and suppliers. Generally accepted best practice is to make these policies available to all employees and suppliers and to review policies for changing business and legal requirements every 12 months.

Security frameworks and standards

A widely accepted goal of information security management and operations is that the set of policies put in place—an information security management system (ISMS)—should adhere to global standards. ISO 27001 is the de facto global standard. ITIL security management best practice is based on the ISO 27001 standard.

Another framework or ISMS that is gaining wider acceptance within the United States is the National Institute of Standards and Technology (NIST) cybersecurity framework. According to NIST, the framework "focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes."

The NIST framework is notable in that it not only outlines a series of functions and outcomes to be managed within the cybersecurity domain, but also describes maturity levels for implementation through tiers. These implementation tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization's overall risk management practices.

Security operations

The function of a security operations team and, frequently, of a security operations center (SOC), is to monitor, detect, investigate, and respond to cyberthreats around the clock. Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. As the implementation component of an organization's overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.

A SOC acts as the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the monitored organization. For each of these events, the SOC must decide how it will be managed and acted upon.

Security technologies

Correlating the terabytes of data that a large enterprise produces requires an effective security monitoring system that can scale with the data challenge and incorporate data gathered from diverse sources such as devices, networks, and log and event sources. SOCs have typically been built around a hub-and-spoke architecture, in which a security information and event management (SIEM) system aggregates and correlates data from security feeds. The spokes of this model can include a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).
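The "correlation point" role of the SOC (described under Security operations) and the hub-and-spoke SIEM model above come down to one mechanical step: normalizing events from unrelated feeds into a common schema and then running rules that join them on shared fields such as user, host and source address. The following is an added example, not code from the original article or from any SIEM product, of that step over three constructed spokes: a perimeter firewall, a domain controller's logon audit, and an EDR agent's process telemetry. The log formats are simplified stand-ins and the rule parameters are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from three spokes. The formats are simplified stand-ins,
# not the output of any real product.
FIREWALL_LOG = """\
2024-03-01T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-03-01T09:00:05Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=3389
"""
AUTH_LOG = """\
2024-03-01T09:00:10Z dc01 EventID=4625 user=jdoe host=WS-5 src=203.0.113.7
2024-03-01T09:00:12Z dc01 EventID=4625 user=jdoe host=WS-5 src=203.0.113.7
2024-03-01T09:00:14Z dc01 EventID=4625 user=jdoe host=WS-5 src=203.0.113.7
2024-03-01T09:00:20Z dc01 EventID=4624 user=jdoe host=WS-5 src=203.0.113.7
2024-03-01T09:30:00Z dc01 EventID=4624 user=asmith host=WS-9 src=10.0.0.44
"""
EDR_LOG = """\
2024-03-01T09:00:25Z WS-5 process_start user=jdoe image=powershell.exe parent=svchost.exe
2024-03-01T09:31:00Z WS-9 process_start user=asmith image=excel.exe parent=explorer.exe
"""

KV = re.compile(r"(\w+)=(\S+)")
AUTH_ACTIONS = {"4625": "logon_fail", "4624": "logon_ok"}  # Windows logon audit event IDs


def normalize(source: str, line: str) -> dict:
    """Map one raw line from a spoke onto the common schema: ts, source, origin, action, fields."""
    ts, origin, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source, "origin": origin}
    if source == "auth":
        ev["action"] = AUTH_ACTIONS.get(fields.get("EventID"), "other")
    elif source == "edr":
        ev["action"] = rest.split(" ", 1)[0]   # e.g. process_start
        fields["host"] = origin                # the EDR agent reports from the host itself
    else:                                      # firewall: ALLOW / DENY verdict
        ev["action"] = rest.split(" ", 1)[0].lower()
    ev.update(fields)
    return ev


def ingest() -> list:
    """Hub side: pull every spoke into one time-ordered stream."""
    events = []
    for source, text in (("firewall", FIREWALL_LOG), ("auth", AUTH_LOG), ("edr", EDR_LOG)):
        events += [normalize(source, ln) for ln in text.strip().splitlines()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_count=3, fail_window=60, exec_window=120) -> list:
    """Rule: >= fail_count failed logons for a user within fail_window seconds, then a
    successful logon, then a process start by that user within exec_window seconds.
    Each alert is enriched with whether the perimeter firewall allowed the source IP."""
    allowed_srcs = {e.get("src") for e in events if e["action"] == "allow"}
    fails = {}        # user -> timestamps of recent failures
    compromised = {}  # user -> (time of suspicious success, source IP)
    alerts = []
    for ev in events:
        user = ev.get("user")
        if ev["action"] == "logon_fail":
            recent = fails.get(user, []) + [ev["ts"]]
            fails[user] = [t for t in recent if ev["ts"] - t <= timedelta(seconds=fail_window)]
        elif ev["action"] == "logon_ok":
            recent = fails.get(user, [])
            if len(recent) >= fail_count and ev["ts"] - recent[-1] <= timedelta(seconds=fail_window):
                compromised[user] = (ev["ts"], ev.get("src"))
                fails[user] = []
        elif ev["action"] == "process_start" and user in compromised:
            ok_ts, src = compromised[user]
            if ev["ts"] - ok_ts <= timedelta(seconds=exec_window):
                alerts.append({
                    "rule": "brute_force_then_execution",
                    "user": user, "host": ev["host"], "image": ev["image"],
                    "src": src, "src_seen_at_perimeter": src in allowed_srcs,
                    "ts": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ingest()):
        print(alert)
```

The normalization step is where most SIEM engineering effort goes: the rule is only a few lines, but it works solely because `user`, `host` and `src` mean the same thing across all three feeds, and the firewall enrichment turns an endpoint-only finding into one the analyst can trace back to the perimeter.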