Securing Endpoints: A Three-phase Strategy for Defending Against Ransomware Attacks

Securing Endpoints: A Three-phase Strategy for Defending Against Ransomware Attacks

Learn how to fortify your cybersecurity against ransomware attacks with Vibin Shaju, VP of Solutions Engineering EMEA at Trellix. Explore a three-phase strategy covering prevention, detection, and response.

There is little rest, it seems, for CISOs in the Arab Gulf region. In its latest Cost of a Breach analysis, IBM estimated a combined average for the United Arab Emirates UAE and the Kingdom of Saudi Arabia of more than $5.3 million per incident. Figures like these are stressors for GCC cybersecurity leaders, who face an uphill struggle to stave off the advances of threat actors amid the creep of IT complexity, the widening of skills gaps, and the dwindling of on-hand resources. 

According to Trellix’s recent The Mind of the CISO report, 66% of CISOs in the UAE and KSA still believe their organisations lack the right people and processes to be cyber resilient. Almost three-quarters (74%) believe their current technology setup is insufficient.

Clouds, on-premises, users, and platforms operate under siege. Ransomware gangs have set their sights on inadequately protected crown jewels. Some of their campaigns are sophisticated, multistage assaults that do not discriminate on a business’s industry or scale. 

To prevent the nightmare scenario, we must look to the endpoint. But to even see the endpoint, we must address visibility and control issues that are the unfortunate remnants of the necessary cloud migration that took place during pandemic lockdowns. In fact, in the Trellix “Mind of the CISO” research, better visibility was cited by security teams in the UAE and KSA as the number one area where their security solutions need to get better. Suppose we can only return visibility and control of endpoints to the SOC. In that case, security teams can act before, during, and after ransomware attacks to improve outcomes.

Today’s endpoint detection and response (EDR) technologies are a significant step beyond the prevention-oriented security tools of the old. They give security analysts and threat hunters a window into attacker activity in progress, allowing detection and investigation. But they also grant before-and-after agency over endpoints to SOCs, empowering the CISO and their team to manage and protect devices before the attacker makes their move and responds after the payload is dropped. 

Separating the ransomware campaign into these phases is a great starting point for a winning strategy.


Prevention is cheaper than a cure. Management and optimal use of protection tools can minimise the cost of investigation and recovery. This is because protection helps to screen out the false positives that distract security teams from genuine threats. Teams operate in a sea of complexity — a swelling attack surface and more overlap with third-party environments than ever before. They need management platforms that give them a comprehensive view of their network, including managed and unmanaged endpoints. They must be able to enforce policies across cloud and hybrid environments and traditional premises. 

Agents on boxes are what give the SOC its eyes and ears. They must ensure that security software is deployed across the board and that no asset slips under the radar because a threat actor could latch on for the ride and escape detection. Signatures — although an effective means of stopping many malware strains before execution — cannot stand alone. Machine learning, exploit blocking, real-time containment, and automation for remediation are just some of the allies that can join signature-matching in the fight to protect endpoints. 

Many security teams, when analysing an incident, discover that if an available protection tool had been installed and enabled at the entry point, the campaign could have been prevented. Productivity and protection exist on a seesaw of judgment, and teams often need guidance on balancing the two to align with the organisation’s risk strategy. Visibility helps here, too, because it grants insights into which endpoints are compliant with baseline metrics and which are not.


This is a traditional ground for EDR and is often what non-security people imagine if they ponder what IT security professionals do — an attacker breaches the perimeter, security analysts detect them, and a game of cat and mouse ensues. This is only true, however, for cats equipped with the tools to sniff out the mouse, and even then, the EDR tools must be effective enough to allow the mouse to be run to the ground before it gets the cheese. 

Threat intelligence plays a major role in detection. With the right information (accurate and timely) about past campaigns, indicators of compromise and the tools and methods used by attackers, SOCs can move more quickly. Threat intelligence can be filtered by country or industry — a further advantage to threat hunters. Add to this an EDR solution’s ability to reduce the number of false positives, weak signals, and irrelevant telemetry, and the security team gets deep and granular visibility of endpoint activity and reliable, actionable insights.


Rapid containment is predicated upon understanding the root cause of the attack. National and regional surveys across the GCC have shown that it is common for ransomware victims to be reinfected by the same ransomOps gang. What use is it to clean house only to have threat actors muddy the floors again the following month? To restore normal business operations by simply containing an endpoint, stopping a process, or restoring from backup invites instability and uncertainty.

Teams must forage for facts. What was the gap in coverage? Where was the misconfiguration? Use EDR’s advanced visibility and control to understand the scope, track the cause, and plug the leak. Be sure you have access to forensic data like suspicious files and histories for browsers, command shell executions, and deleted files.


Regarding security, extended detection and response (XDR) is today’s de facto gold standard. Not surprisingly, according to the same Trellix research I cited earlier, 56% of organisations across the UAE and KSA already have XDR as part of their security strategy. It meets the requirements for management and protection before, detection and investigation during, and response after attacks on endpoints. Endpoint security is a significant part of XDR, which also looks at emails, applications, networks, clouds, and others. And so, XDR, supported by strong, integrated EDR, delivers the fundamental capability to minimise the costs and risks associated with protecting that which matters most.

We all want a safer digital world. We spend a lot of time there—working, playing, and socialising. By considering the before, the during, and the after, enterprises can strengthen their security posture and finally outmanoeuvre the ransomware actor.