back to article Ransomware more efficient than ever, and baddies are still after your logs

Organizations are still failing to implement adequate logging measures, increasing the difficulty faced by defenders and incident responders to identify the cause of infosec attacks. In 42 percent of incident response (IR) cases analyzed by Sophos, organizations didn't have the requisite telemetry logs needed to properly …

  1. Mike 137 Silver badge

    'Ransomware attacks that take longer than five days are now considered 'slow attacks'

    And detection times shorter than several months are considered fast. So it's obvious who wins.

    In a couple of decades consulting I've never encountered an organisation that makes active use of its logs for security checking until after an incident. So they don't have the necessary sense of normality to compare with deviations that might represent an attack.

    1. Version 1.0 Silver badge

      Re: 'Ransomware attacks that take longer than five days are now considered 'slow attacks'

      I modified our mail server detection's - we received "DHL CONSIGNMENT NOTIFICATION: AWB 9899691012 Clearance Doc" this morning but my log shows a "AWB 9899691099 Clearance Doc_pdf.gz" attachment so my updates have blocked it. I've been describing my functional checks to the mail server company for years now but they are always ignored - they keep telling everyone that users need to keep paying for a new antivirus update.

      Essentially Ransomware and Malware attacks are very risky everywhere but they seem to be resulting in corporations everywhere offering new update purchases, not just features that totally block this crap. Viruses and Malware have always been profitable on both sides ever since they originally appeared.

      I remember a comment on El Reg about 20 years ago that suggested that the anti-virus companies were creating viruses to make sure everyone purchased their anti-virus software ... I expect that was just a snivelling miserable comment back then, but the attack environment has been profitable on all sides every since, we're paying a little regularly for protection - and a lot if the protection doesn't work.

  2. claimed Silver badge

    Best Practice

    Thinking of the article a couple of days ago it sounds like we should be recommending that there is a data diode as part of standard enterprise practice, with logs going to jail and not passing go.

    I’m sure MS can set up a nice stream and replication end point to plug a diode into a generic storage location that will protect these logs

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like