We all know that cyber threats are getting increasingly more complex and more dangerous, especially with ransomware continuing to affect millions of devices and systems around the world and causing major data loss and crashes.

Earlier in August, the Azure Sentinel and Microsoft Threat Intelligence Center teams announced the new Fusion Detection Feature for ransomware, and made it publicly available in efforts to stop ransomware attacks and detect threats earlier.

So, what is Fusion Ransomware Detection and How Does it Work?

Fusion Ransomware Detection is a newly added feature to Azure that uses machine learning to spot potential attacks. This feature sends alerts to customers whenever it observes actions that are potentially associated with ransomware activities.

These alerts will inform users of what has been detected and on which device, with the system correlating data from other Azure services like Azure Defender, Microsoft Defender for Endpoints, Microsoft Defender for Identity, and Azure Sentinel scheduled analytics rules.

Once the ransomware activities are detected and correlated by Fusion’s machine learning model, a high severity incident with the label “Multiple alerts possible related to ransomware activity detected” will be triggered in the customer’s Azure Sentinel workspace. Afterwards, Microsoft will send a recommendation to the user to check the affected device or host to make sure that the behavior detected was indeed “unsuspected”.

If so, then the user must treat the device as “Potentially compromised” and take immediate and necessary actions:

• beginning with isolating the device or the host from the network
• running a full anti-virus scan
• and finally investigating the rest of the network for similar behavior.

Why Opt for Fusion Ransomware Detection?

When it comes to ensuring security and spontaneous ransomware detection, no tool is ever too much because privacy and keeping devices, data, and transactions safe together are a priority for any enterprise.

However, it’s normal to ask why opt particularly for this tool? Here are the reasons:

• This tool's basically made to make the lives of security analysts easier with the use of AI features in everything
• The automation and collection of out-of-the-ordinary events helps security analysts identify potential attacks as quickly as possible and act to stop them
• Furthermore, Fusion gives analysts a complete picture of detected activity on the host or the device, plus collecting several signals from various Microsoft products and the network cloud.
• It supports the following data connectors:
  - Azure Defender (Azure Security Center)
  - Microsoft Defender for Endpoint
  - Microsoft Defender for Identity
  - Microsoft Cloud App Security
  - Azure Sentinel scheduled analytics rules

Improving Fusion machine learning model

Machine learning and its set of tools and algorithms help majorly identify potential risks, but actions taken by individuals help in improving the way algorithms process events.

Therefore, If Fusion found a multi-stage event in Azure Sentinel, then the analysts must ask the user if the behavior or action taken was intentional. if not, then the device is assumed to be compromised and must be isolated from the network.

So, providing feedback to Microsoft after such attacks or suspensions work a great deal to improve the whole operation and the more information Microsoft can collect about incidents, the better it can train the Fusion machine learning model.

What about the time?

Every Cyberattack goes through stages, and ransomware attacks are no different. That’s why Fusion was designed to detect malicious activities at the defense evasion and execution stages.

Fusion ransomware detection allows analysts to access the information they must understand as quickly as possible and act to stop the attack in their tracks.

Furthermore, it stops ransomware from spreading to multiple devices in a single network.

Conclusion

In a report published by PurpleSec, recent ransomware attacks have cost organizations and enterprises around the world about 23 times more in 2020 compared to 2019, with a total of 20$ billion.

Those numbers raised the concerns of enterprise owners and security teams, since all the data where critical or private were totally encrypted and locked away.

Therefore, and we can’t stress this enough, when it comes to security actions must be taken and tools must be used to keep the enterprise data safe and sound.

Here at Ctelecoms, we are proud to be partners with Microsoft, working to provide the best-in-class services for our clients. Let us support you with more information by getting in touch with our expert team.