Rubrik Zero Labs Report 4: "Measuring Your Data's Risk"
"Measuring Your Data's Risk" is a new Rubrik Zero Labs report released in May 2024. This article will provide a brief overview of the report and highlight some key themes. There is a lot more useful information and data in the report than we can cover here. We connected with Rubrik and they identified three key themes:
- Not every organization is the same. Healthcare is an example of a unique vertical.
- Organizations can mitigate risk. The best time for that is during the 'recovery' and 'reset' portions of the risk cycle.
- There are two factors that will reduce the impact of a ransomware event:
  - Ensure access to recoverable backups.
  - Limit the impact of data theft.

(Steven Stone, Head of Rubrik Zero Labs)
Rubrik
Rubrik is a cloud data management and data security company based in Palo Alto, California, United States. Founded in January 2014, Rubrik provides a platform for data protection, threat analytics, data security, and cyber recovery across enterprise, cloud, and SaaS environments.
Zero Labs
Rubrik Zero Labs is Rubrik's cybersecurity research unit. It was launched to analyze the global threat landscape, report on emerging data security issues, and provide organizations with research-backed insights and best practices. The first Rubrik Zero Labs report titled "The Human Impact of Cybercrime" spoke to how humans make decisions and how this affects cybersecurity thinking. Their newest report "Measuring your Data's Risk" looks at risk, especially from ransomware, and how organizations can examine and better manage it.
In This Report:
"Measuring your Data's Risk" is delivered in a glossy infographic style and is full of useful facts and statistics. Together they paint an up-to-date, if not optimistic, picture of the cyber threat landscape and of how it affects organizations, especially those in the healthcare vertical. Much of the report focuses on the particular challenges that make healthcare IT such a popular target for cyber attacks.
Rubrik Zero Labs deserves recognition for delivering a data-driven report. They are not shy about drawing conclusions, but those conclusions rest on a large body of statistics drawn from Rubrik's own telemetry, from partners, and from other cited sources, which keeps the presentation grounded.
Not Every Organization Is the Same: Healthcare
One of the biggest throughlines of this report is around how, as an industry, healthcare presents unique challenges around data security and preservation. While every industry presents unique risks and problems, healthcare sits at the intersection between high-rate data growth and extreme privacy concerns.
External to the report, one need look no further than the 2024 Change Healthcare breach to understand what a worst-case scenario in healthcare looks like. Change Healthcare, a subsidiary of UnitedHealth Group, was breached in late February 2024, and its services were offline for weeks. Given that Change Healthcare processes half of the prescription drug payments in the United States, the impact was massive. The company paid the ransom, and the ransomware group promptly folded up shop and disappeared. The group failed to pay its affiliates, some of whom had exfiltrated and were still holding patient data, resulting in a data breach that could touch nearly half of the U.S. population. The overall cost of the breach to UnitedHealth is expected to exceed $1 billion.
The report provides easy to digest information supporting these concerns:
Healthcare far surpasses the global average in sensitive data:
- Healthcare organizations secure 22 percent more data than the global average.
- The typical healthcare organization saw their data estate grow by 27 percent last year.
- A typical healthcare organization has more than 42 million sensitive data records — 50 percent more than the global average of 28 million.
- Sensitive data records in healthcare grew by more than 63 percent in 2023 — far surpassing any other industry and more than five times the global average (13 percent).
Ransomware produces outsized impacts against healthcare.
- Ransomware attacks against healthcare organizations impact almost five times more sensitive data than the global average.
- This equates to 20 percent of a typical healthcare organization's total sensitive data holdings impacted every time there is a successful ransomware encryption event, compared to 6 percent for an average organization.
- Virtualization really matters for healthcare and ransomware. 97 percent of all encrypted data in healthcare organizations last year occurred within virtualized architecture compared to 83 percent across all industries.
Organizations Can Mitigate Risk
"Measuring your Data's Risk" also talks a lot about risk mitigation. Rubrik outlines what they call the risk cycle: Assess -> Crisis -> Recovery -> Reset.
Through the cycle, an organization assesses and accepts its perceived risk until a crisis, such as a breach or attack, occurs. Services are restored and the organization rebuilds; the lessons learned are incorporated and the organization resets back to the top of the cycle.
This maps well to the cyber resiliency goals NIST defines in SP 800-160 Vol. 2: Anticipate -> Withstand -> Recover -> Adapt. Rubrik notes that the best opportunities for organizations to change and improve their cyber resiliency posture come during the 'recovery' and 'reset' portions of the cycle ('recover' and 'adapt' in NIST's terms).
The report provides plenty of interesting data points:
How should we think about risk, specifically data risk?
- There's a recurring risk cycle that occurs in a predictable manner. There's the risk all organizations have accepted in their day-to-day operations. Then this risk is challenged and re-evaluated during a crisis (like ransomware). Then, coming out of the crisis, an organization's risk is effectively reset as the new normal. This reset risk is now the daily risk in front of the next crisis and the process repeats itself.
- The most effective time to address your risk is immediately following a crisis.
- Data is inherently risky: the more you have, the more risk you accept. There is always risk resident in the data itself, and then there are risks to the data (attackers).
We know what leads to effective data risk reduction:
- Rubrik Zero Labs determined that the most impactful factors are: increasing data visibility, creating a more consistent defensive posture across a hybrid environment, understanding sensitive data and securing it to the right level, preparing for a contested recovery, and preparing to solve for increased scrutiny and effectively communicate changes across an entire organization.
- Microsoft has found that basic security hygiene protects against 99 percent of attacks.
- Microsoft advocates for the "Foundational Five" to increase resiliency against ransomware:
  - Modern authentication with phish-resistant credentials.
  - Least privileged access applied to the entire technology stack.
  - Threat- and risk-free environments.
  - Posture management for compliance and the health of devices, services and assets.
  - Automatic cloud backup and file-syncing for user and business-critical data.
How do you survive and thrive?
- Gain data visibility, especially across hybrid.
- Understand where your sensitive data is, where it is going, and how you are securing it.
- Have recoverable backups.
- Prepare for a contested recovery.
- Anticipate answering regulatory and legal data issues in the middle of an encrypted environment with attackers trying to increase pressure.
- Find ways to unify disparate teams before, during and after a cyber attack.
- Be prepared to address and capitalize on the likely outcomes.
The Two Factors That Reduce the Impact of a Ransomware Event
Analyzing many ransomware events, Rubrik identifies two factors that can reduce the impact of a ransomware event: ensuring recoverable backups and reducing the impact of data theft.
Ensure recoverable backups:
This sounds like obvious advice, but there are several important factors driving it. Data protection systems and backup data are high-value targets, and threat actors prioritize compromising the data protection system to reduce a victim's options. Securing the organization's data protection application and associated data needs to be a top priority.
Next, the data protection solution needs to be architected for rapid recovery. Traditionally, backup solutions were architected so that the daily backup job succeeded and showed 'green' on the executive dashboard every day; recovery, especially at scale, only had to look good on paper. During a cyber attack, the speed of recovery at scale can directly determine whether an organization pays a ransom. Organizations and vendors deploying backup solutions need to plan on doing multiple recoveries at scale.
Finally, this entire process needs to be planned and tested to ensure that, following restoration of the backed-up data, the environment can actually be recovered. If recovery of the environment and applications necessary for a minimum viable business operation is not planned and tested, valuable time will be lost during a crisis figuring things out. With workloads increasingly hybridized between on-prem and in cloud, recovering across hybrid cloud environments presents its own set of challenges.
Limit the impact of data theft:
Ransomware-based cyber attacks are an arms race. As organizations have become better at recovering data, threat actors have shifted strategy to data exfiltration and extortion. Before the target data is encrypted, it is exfiltrated and the target is extorted a second time: pay or the presumably sensitive data will be released or sold. The amount and sensitivity of exfiltrated data will have a direct impact on whether an organization pays a ransom.
More data points from "Measuring your Data's Risk:"
Most backups are not up to today's tasks:
- Backup is easy, recovery is hard. It's technically easy to move data and store it, however it's a fundamentally different task to keep these backups secure and effective in recovering data, apps and workflows.
- Almost all external organizations have backups today (99 percent). However, most of these organizations (93 percent) encountered significant issues maintaining or using their backups last year.
- Aon found more than 70 percent of organizations' backups are either not immutable or do not have offline backups.
- Ineffective backups were listed as the second largest observed issue for external organizations while responding to cyber attacks last year.
- Ransomware events in particular are challenging for legacy backups. The actual encryption event creates a large amount of new data, and separately organizations tend to create large amounts of data as part of the response and recovery efforts.
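The following is an added example, not code from the report, from Rubrik or from WWT. It models in Python the two points made under "Ensure recoverable backups" above and in the backup data points just listed: an immutable, retention-locked backup target denies an attacker who reaches the backups, and a restore is only proven recoverable when every restored object matches a digest recorded at backup time rather than a green dashboard. The in-memory store, the file contents, the timestamps and the 30-day lock are all constructed assumptions; a real deployment would rely on the object-lock or WORM feature of its actual backup target.

```python
"""Backup recoverability drill (added example; all data and the store model
are constructed for illustration, not taken from the report)."""
import hashlib
from dataclasses import dataclass, field


class ImmutabilityError(PermissionError):
    """A write-once backup object would have been overwritten or deleted."""


@dataclass
class BackupStore:
    """In-memory backup target (assumed model, not a real product API).

    retention > 0  : WORM behaviour; objects can never be overwritten and
                     cannot be deleted before written_at + retention.
    retention == 0 : legacy mutable target; anyone with access can change it.
    """
    retention: int = 0                                 # lock duration, seconds
    objects: dict = field(default_factory=dict)        # key -> bytes
    locked_until: dict = field(default_factory=dict)   # key -> unix time

    def put(self, key: str, data: bytes, now: int) -> None:
        if self.retention > 0 and key in self.objects:
            raise ImmutabilityError(f"overwrite of {key} denied")
        self.objects[key] = bytes(data)
        self.locked_until[key] = now + self.retention

    def delete(self, key: str, now: int) -> None:
        if now < self.locked_until.get(key, 0):
            raise ImmutabilityError(f"delete of {key} denied, retention lock active")
        self.objects.pop(key, None)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(store: BackupStore, snapshot: str, files: dict, now: int) -> dict:
    """Write each file into the store and return {path: sha256} recorded at
    backup time.  The manifest is what the restore is verified against, so it
    must live where the attacker cannot edit it (assumed here: kept offline)."""
    manifest = {}
    for path, content in files.items():
        store.put(f"{snapshot}/{path}", content, now)
        manifest[path] = sha256(content)
    return manifest


def simulate_backup_attack(store: BackupStore, snapshot: str, manifest: dict,
                           now: int, attacker_deletes: bool = True) -> set:
    """An attacker with write access to the target overwrites every backup
    object with junk and (optionally) deletes it.  Returns the damaged paths."""
    damaged = set()
    for path in manifest:
        key = f"{snapshot}/{path}"
        try:
            store.put(key, b"<encrypted by attacker>", now)
            damaged.add(path)
        except ImmutabilityError:
            pass
        if attacker_deletes:
            try:
                store.delete(key, now)
                damaged.add(path)
            except ImmutabilityError:
                pass
    return damaged


def restore_and_verify(store: BackupStore, snapshot: str, manifest: dict):
    """Recovery drill: pull every object back and compare its digest with the
    backup-time manifest.  Returns (recoverable, report)."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for path, expected in manifest.items():
        data = store.objects.get(f"{snapshot}/{path}")
        if data is None:
            report["missing"].append(path)
        elif sha256(data) != expected:
            report["corrupt"].append(path)   # an encrypted or altered copy
        else:
            report["ok"].append(path)
    return not (report["missing"] or report["corrupt"]), report


def run_drill(retention: int, attack_at: int, attacker_deletes: bool = True):
    """Back up at t=1000, let the attacker loose at attack_at, then restore."""
    files = {                                   # constructed sample data
        "ehr/patients.db": b"patient records (constructed sample)",
        "app/config.yaml": b"db_url: postgres://ehr-db/prod\n",
    }
    store = BackupStore(retention=retention)
    manifest = take_backup(store, "snap-0001", files, now=1_000)
    damaged = simulate_backup_attack(store, "snap-0001", manifest,
                                     attack_at, attacker_deletes)
    recoverable, report = restore_and_verify(store, "snap-0001", manifest)
    return recoverable, sorted(damaged), report


if __name__ == "__main__":
    day = 86_400
    for label, retention, attack_at, deletes in (
        ("mutable target, overwritten in place", 0, 1_000 + day, False),
        ("mutable target, overwritten and deleted", 0, 1_000 + day, True),
        ("30-day lock, attacked next day", 30 * day, 1_000 + day, True),
        ("30-day lock, attacked after lock expired", 30 * day, 1_000 + 31 * day, True),
    ):
        ok, damaged, rep = run_drill(retention, attack_at, deletes)
        print(f"{label}: recoverable={ok} damaged={damaged} "
              f"missing={rep['missing']} corrupt={rep['corrupt']}")
```

The first scenario is the quiet failure mode: the backup job still reports success, the objects are still there, and only a digest comparison at restore time reveals that the copies were encrypted. The last scenario is the one practitioners most often miss: a retention lock only helps if it outlasts the attacker's dwell time plus the interval between backups, so the lock period has to be set against the expected time-to-detection, not against storage cost.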
Only two things matter when organizations make decisions about paying ransoms:
- The single greatest factor for this decision is whether organizations have recoverable backups.
- Organizations with recoverable backups were 27.5 times less likely to pay a ransom.
- Data theft led to a higher likelihood of paying a ransom and that ransom payment was 5.5 times higher than a ransom payment involving encryption only.
- Attackers know how important backups are to their ability to get a ransom payment. They attack backups in more than 96 percent of the attacks against external organizations and were at least partially successful in more than 74 percent of these attempts.
- If you have recoverable backups and can limit or prevent data theft, your likelihood of paying a ransom drops dramatically.
Conclusion
"Measuring your Data's Risk" is a useful tool to help customers and organizations frame a data driven conversation around the risks inherent with their data. This strategy aligns closely with WWT's messaging around securing data and driving more positive outcomes in a landscape of escalating threat.
The messaging around the level of risk in healthcare — the regulatory and privacy concerns associated with patient care data — mirrors conversations WWT's healthcare practice has with clients every day. Outside of the healthcare vertical, it is still important to look at what is happening within healthcare because while threat actors are using their best tools for their highest value targets, these tools and techniques will eventually be turned towards lower value targets.
Most importantly, "Measuring your Data's Risk" does not focus on specific technology. It speaks to problems experienced by actual organizations and, where it offers solutions, they are oriented around process and best practices. Rubrik expects that adopting their technology will help facilitate these solutions, but they make the case for that elsewhere.