Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State

|

Screenshot of Microsoft employees working inside a security operations center at Microsoft.
To guard against attack, Microsoft works toward the Optimal Ransomware Resiliency State—a series of standards, practices, and tools—that help keep everyone safe.

Microsoft Digital storiesMicrosoft strives to deliver the productivity tools and services the world depends on. With this comes the responsibility of ensuring protection, continuity, and resilience from cyberattacks of all sorts—including emerging threats.

Highlighted in the third edition of the Microsoft Digital Defense Report, ransomware and extortion are considered nation-level threats due to the sophistication and boldness of attacks and their financial impact. No business, organization, or government can be considered safe from the crosshairs of ransomware threat actors. Experts estimate that ransomware’s cost to the world could reach $234 billion within the next decade.

To defend against the evolving ransomware landscape, Microsoft created the Optimal Ransomware Resiliency State (ORRS), a key component of its Ransomware Elimination Program.

This post, the third in our series on ransomware, overviews the concept of ORRS and the steps that you can take to build a ransomware resiliency state of your own.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.]

What is ORRS?

Optimal Ransomware Resiliency State is the term that the Ransomware Elimination Program team uses to describe our aspiration to defeat ransomware attacks—today and in the future.

Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

LaRue poses for a portrait photo in front of a wall and plant.
Monty LaRue is the principal program manager on the Ransomware Elimination Program team.

Specifically, ORRS is the outcome of meeting the requirements covering an extensive set of protection and operational capabilities. Built on the foundation of Zero Trust, our ORRS consists of the collection of requirements for training, capabilities, and controls aligned to the NIST Cybersecurity framework and supported by continuously improved processes and practices. These requirements are common across Microsoft’s business, service, and product groups. Their complete implementation produces an organization-wide state of readiness that protects and defends the company and its customers, while also minimizing exposure and increasing resiliency to ransomware attacks.

“Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified,” says Monty LaRue, the principal program manager on the Ransomware Elimination Program team.

“It’s about achieving that optimal state through the deployment and operationalization of products, like Microsoft Defender for Endpoint for devices, covering our assets, applications, and infrastructure. We consider training and awareness to be a crucial part of ORRS. It’s essential that everyone knows how to recognize threats and how to respond appropriately. Our toolkit includes, incident response plans and playbooks, phishing education and simulation, and other simulation exercises.”

Partnerships are key to producing optimal resiliency

The role of partnerships and teamwork cannot be understated in the development and maintenance of our Optimal Ransomware Resiliency State. The approach must be holistic and cohesive, closing gaps and seams where possible.

Collaboration and open lines of communication with key stakeholders across Microsoft ensure that products and systems with protection needs are accounted for; likewise, Microsoft’s Ransomware team provides requirements to partnering teams to ensure they are equipped and running the latest defensive measures to minimize their attack surface. All involved parties have a deep understanding of their role in keeping the enterprise and our customers safe.

“We’re looking at Microsoft 365, Windows, and Azure,” LaRue says. “We’re looking at the people running MacOS, Linux, and personal devices within Microsoft. If the platforms and foundations follow Zero Trust principles and highly resilient to ransomware attacks, everything built on top shares that benefit.”

The REP team also has close ties to Microsoft’s threat intelligence and research teams, which provide information on the threat landscape and how attackers’ techniques, tactics, and procedures evolve and trend on a regular basis. They also work with internal Security Operation Centers (SOCs), which monitor threat actors and provide insights via attack data and post-mortems.

The more you prevent and protect, the less you have to respond and recover. The further you are in an attack sequence, the more complex and expensive it is to respond and recover.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

Maintaining our Optimal Ransomware Resiliency State also involves using existing technology, such as Microsoft Defender suite, with a continuous improvement approach to take advantage of their latest capabilities and threat information. Learnings and insights from the ransomware program team flow back to the product and engineering teams in the form of enhancements or new requirements and features, helping to further improve our commercial products and services. One example of this is the detection of abnormal file activities, such as encryption or exfiltration, for data stores and backups in commercial services such as OneDrive, SharePoint, and Microsoft Azure which extends beyond Microsoft’s walls to protect all customers.

The practice of continuous improvement is also applied to the response procedures that make up the ransomware incident response playbook. Tabletop exercises based on new threats and information help to uncover gaps in response procedures, while simulations stress test the response system to ensure the involved security professionals have response readiness excellence should an attack ever breach our protective capabilities and controls.

Our commitment to company-wide alignment reduces the risk of a successful attack and the chance of a resulting payoff. “The more you prevent and protect, the less you have to respond and recover,” LaRue says. “The further you are in an attack sequence, the more complex and expensive it is to respond and recover.”

Building toward an optimal state

As we’ve seen throughout this series, ransomware is evolving and attackers are opportunistic. The goalposts for protection continue to shift, and ransomware’s impact on the world shows no signs of slowing. Because of this, there is no universal optimal resiliency state. Every organization’s situation is unique, from level of exposure to threats, to capabilities and services deployed, to protection needs, so every organization’s optimal state must be tailored to their business and risk tolerances.

“The Optimal Ransomware Resiliency State means different things to each organization, it’s different depending on whether your systems are physical, in the cloud, or hybrid, if you provide high availability services or large data stores, and if you work with highly confidential or sensitive data in regulated environments,” LaRue says.

The task of building an optimal ransomware resiliency state begins with a comprehensive inventory of the current state—and that means asking a lot of questions and doing verifications. Start with an understanding of which business-critical systems and services across the organization must be defended and why. It also means understanding the systems themselves, their dependencies, which configurations and controls are enabled, as well as the state of existing ransomware readiness capabilities. Such an inventory can shed light on high-value targets and the unforeseen risks to them exposing potential weaknesses and highlighting strengths.

The process of establishing your current state is insightful and has the potential to be humbling, but it encourages taking the next steps in developing your ORRS roadmap. This may include investments in training for response readiness or new technologies to reduce attack surface risk, but all optimal resiliency states require implementing a continuous improvement process to keep the organization and those that depend on it safe now and in the future.

Microsoft’s investment in the Ransomware Elimination Program highlights our commitment to defeating successful ransomware attacks. Establishing our ORRS provides us with learnings and guides us to improving our security posture, which helps the company produce secure and dependable products and services.

Ransomware may be one of the biggest security threats to your organization. Taking up the challenge to develop your own ransomware resiliency state will put you on a path forward to protecting and defending what matters most.

Key Takeaways

  • You will define optimal for your organization, but attackers will always be looking for new avenues. You must be able to shift focus and update ORRS quickly to match the threat and attacker’s agility.
  • Ransomware elimination starts with a shared understanding, frameworks e.g., Zero Trust, and defining your ORRS. Core protections such as MFA, pervasive backups, comprehensive telemetry and alerts, as part of a holistic, cohesive effort that spans devices and services are crucial in responding to cyberthreats like ransomware.
  • Implementing tamper-resistant security capabilities and controls, and attack surface reductions reduces your malware related risks.
  • Understanding the right investments is difficult, especially when threats and attackers are moving fast. Engage early and often within your organization to understand your assets, risks, and state as you define your ORRS and implement capabilities, controls, processes, and practices.

Related links

We'd like to hear from you!
Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

Recent