UPDATED 11:33 EDT / SEPTEMBER 19 2023

SECURITY

Ransomware defense: How endpoint and extended detection response systems are changing the game

Ransomware attacks are becoming more sophisticated and harder to detect, and they remain the most prevalent and persistent cyberthreat to organizations today.

Nevertheless, the right security controls combined with an understanding of attacker behavior are proving to be game-changers. That means going beyond email security to endpoint detection and response (EDR) and extended detection and response (XDR), according to John Fokker (pictured), head of threat intelligence at the Trellix Advanced Research Center, Musarubra US LLC.

“When you look at a large organization, it takes work for that threat actor to go from that initial foothold all the way up to the full encryption … your detection and actually your protection opportunity lies before that stage,” Fokker said. “What we see is that a lot of organizations that are targeted are struggling with detecting what we call malicious behavior by non-malicious tooling. You need to have proper EDR, XDR and all these things together to have a really, really good chance to spot that behavior before you get that final payload.”

Fokker spoke with theCUBE industry analysts Rebecca Knight and Rob Strechay at the mWISE Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the approaches organizations need in order to curb ransomware today. (* Disclosure below.)

Artificial intelligence as a game-changer in cybersecurity

Given the target-rich environment available to attackers, it is worth looking at the other side of the coin: how AI can strengthen defense. Large language models can be a first step toward that goal, according to Fokker.

“If we talk about every SOC member being overwhelmed with alerts, having the trouble to correlate separate alerts or low indicating signals, things that would not pop out, but tying those things together into a cohesive story, I think AI can really play a difference,” he said. “Large language models can play a role … if you can have all that threat data, and you can say, ‘Translate what it is that I’m seeing,’ and the struggle I have into a message that actually will appeal to a board-level executive.”

Enterprises should keep a watchful eye on anomalous behavior, because that is what reveals lateral movement and privilege escalation attempts, according to Fokker. Security also depends on thoroughly testing the applications through which sensitive data is transferred, including those operated by software-as-a-service providers.

“It even goes to knowing your external attack surface,” he stated. “It’s interesting to see, and we see a clear shift towards more data exfiltration right now. MOVEit is a big example that we’ve seen recently where organizations get hit in their managed file transfer systems. And they get extorted for the sensitive data that they have, and they get extorted for that data instead of locking up all the machines.”
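The pattern Fokker describes, legitimate administrative tools chained together by an intruder before the encryption payload lands, is exactly what EDR/XDR correlation is meant to catch. The following Python is an added example written for this page, not code from Trellix or the interview. It tags individual process-creation events with hypothetical behavior rules (remote execution with PsExec or WMIC, LSASS memory dumping through built-in binaries, shadow-copy and recovery tampering) and only raises an alert when several distinct tactics appear on one host within a time window. The telemetry is constructed; the host names, users, timestamps and rule strings are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One process-creation record, as an EDR sensor would report it."""
    ts: datetime
    host: str
    user: str
    image: str      # executable file name
    cmdline: str    # full command line


def tag_event(e: ProcEvent) -> list:
    """Return the behavior tags that apply to a single event.

    Every binary matched here is a normal Windows or Sysinternals tool; the
    rules key on how it is invoked, not on the binary itself.
    """
    img, cl = e.image.lower(), e.cmdline.lower()
    tags = []
    # Remote execution on another machine: classic lateral movement.
    if img in {"psexec.exe", "psexesvc.exe"} or (
        img == "wmic.exe" and "/node:" in cl and "process call create" in cl
    ):
        tags.append("lateral_movement")
    # Dumping LSASS memory with built-in or signed tools: credential access.
    if (img == "rundll32.exe" and "comsvcs.dll" in cl and "minidump" in cl) or (
        img == "procdump.exe" and "lsass" in cl
    ):
        tags.append("credential_access")
    # Destroying backups and recovery options: typical pre-encryption staging.
    if (img == "vssadmin.exe" and "delete shadows" in cl) or (
        img == "wbadmin.exe" and "delete catalog" in cl
    ) or (img == "bcdedit.exe" and "recoveryenabled no" in cl):
        tags.append("inhibit_recovery")
    return tags


def correlate(events, window=timedelta(hours=1), min_tactics=2) -> dict:
    """Alert per host when >= min_tactics distinct tags occur within `window`.

    A single tag (for example one shadow-copy deletion by a backup admin) is
    not enough on its own; the chain across tactics is the signal.
    Returns {host: sorted list of tactic names}.
    """
    hits = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        for tag in tag_event(e):
            hits[e.host].append((e.ts, tag))
    alerts = {}
    for host, host_hits in hits.items():
        for i, (t0, _) in enumerate(host_hits):
            tactics = {tag for ts, tag in host_hits[i:] if ts - t0 <= window}
            if len(tactics) >= min_tactics:
                alerts[host] = sorted(tactics)
                break
    return alerts


def sample_events() -> list:
    """Constructed telemetry for the demo; not real data."""
    t = datetime(2023, 9, 19, 10, 0)
    return [
        # WS-17: the full chain inside one hour.
        ProcEvent(t, "WS-17", "CORP\\svc_admin", "PsExec.exe",
                  r"psexec.exe \\FS-02 -s cmd.exe /c whoami"),
        ProcEvent(t + timedelta(minutes=12), "WS-17", "CORP\\svc_admin", "rundll32.exe",
                  r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\temp\l.dmp full"),
        ProcEvent(t + timedelta(minutes=40), "WS-17", "CORP\\svc_admin", "vssadmin.exe",
                  "vssadmin.exe delete shadows /all /quiet"),
        # FS-02: one isolated shadow-copy deletion, plausibly legitimate maintenance.
        ProcEvent(t + timedelta(hours=3), "FS-02", "CORP\\backup", "vssadmin.exe",
                  "vssadmin.exe delete shadows /for=D: /oldest"),
        # WS-03: ordinary user activity, no tags at all.
        ProcEvent(t + timedelta(minutes=5), "WS-03", "CORP\\jdoe", "chrome.exe",
                  "chrome.exe --profile-directory=Default"),
    ]


if __name__ == "__main__":
    for host, tactics in correlate(sample_events()).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

Run stand-alone, the block reports only WS-17, where three tactics chain within the window; FS-02's lone shadow deletion and WS-03's browser launch produce nothing. In a real deployment the window, threshold and rule set would be tuned against the organization's own admin baseline, and the rule strings would be mapped to the platform's query language rather than matched in Python.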

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the mWISE Conference:

(* Disclosure: Trellix sponsored this segment of theCUBE. Neither Trellix nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
