Get Aligned!

Extortionists know that the availability of backups often determines whether they can collect on their ransom demands. Organizations without sufficient backups are forced to choose between paying the ransom and losing their data. For this reason, business continuity systems, and backup systems in particular, are prime targets for attackers who wish to inflict maximum damage and increase the likelihood of a payout.

Preventative controls must be augmented with an effective recovery framework. Such a framework should meet a fluid, rapidly changing threat landscape with flexibility, integration, and agility of its own. A cyber-resilient strategy should include three key components: isolation, orchestration, and rapid recovery.

Isolation: Physically Separate Your Back-Up Data

The last decade has seen the decline of tape as a primary backup medium as disk- and cloud-based replication systems supplanted it. Traditional tape systems suffered from relatively slow restores, especially for non-sequential data, but they had one attribute that is sometimes missing from disk and cloud replication, namely isolation. Replication without isolation often results in encryption of both the primary and the replica data sets when ransomware strikes.

Isolation can be achieved through air gaps or through logical mechanisms designed to protect backup sets from being overwritten. The air-gap approach physically and logically separates data from the rest of the network. One simple example is backing up to a removable hard disk and then storing the disk in a safe. More complicated scenarios are common in the business world, and air gapping has long been standard procedure in many government installations. However, air gapping often relies on a human element. In the hard drive example, someone must disconnect the drive when the backup completes and move it to a safe location. A backup set mistakenly left attached to a system lacks the protection the air gap was meant to provide. We humans are all too frequently proven unreliable at performing such tasks consistently without robust processes and accountability, and this is a potential point of failure in the system.

The second method of isolation relies on software to protect the backup sets. Such systems prevent a backup set from being altered once it is written, according to a system policy that is itself highly restricted, audited, and controlled to prevent unauthorized changes. This form of isolation prevents even an administrator from removing or changing a previous backup set before its retention period expires.

Orchestration: Automate Your Quarantine Controls to Reduce the Scope of Impact

Ransomware and other destructive malware are designed to rapidly propagate and then swiftly encrypt valuable data. The speed of such attacks requires that companies implement monitoring and analytics across systems to quickly identify malicious behavior.

The speed of malware far exceeds that of human response, yet the initial response to such threats is usually well understood. This makes automation the ideal way to address threats in real time. Incident response orchestration uses triggers from monitoring systems to execute predetermined workflows that quarantine the threat and reduce the scope of impact. For example, Dell EMC Cyber Recovery can be used to analyze data for activity such as ransomware. As ransomware begins to encrypt a network share, monitoring and analytics detect the encryption and kick off workflows that attempt to stop the ransomware and isolate the affected system for investigation. This keeps the ransomware from impacting other systems, and it does so without waiting for human intervention.
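The detect-then-orchestrate loop described above, as an added illustration that is not code from the article or from Dell EMC Cyber Recovery: a constructed stream of file-change events on a network share is scored per host (high-entropy writes plus renames to unusual extensions), and any host that trips both thresholds gets a predetermined quarantine workflow. Host names, paths, extensions and thresholds are all illustrative assumptions.

```python
import math
from collections import Counter, defaultdict

# Thresholds are illustrative assumptions, not values from any product.
HIGH_ENTROPY = 7.0                    # bits/byte; plain office files sit well below this
SUSPECT_EXT = (".locked", ".crypt", ".enc")
WRITES_TO_ALERT, RENAMES_TO_ALERT = 3, 3

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed file-change events from a monitored share: (host, action, path, bytes written).
# The "ciphertext" is a stand-in with every byte value equally frequent (entropy 8.0).
CIPHERTEXT = bytes(range(256)) * 4
EVENTS = (
    [("ws-07", "write", "/share/finance/q1.xlsx", b"Quarterly totals in plain rows. " * 8),
     ("ws-07", "rename", "/share/finance/q1.xlsx.bak", b"")]
    + [("ws-12", "rename", f"/share/finance/doc{i}.docx.locked", b"") for i in range(3)]
    + [("ws-12", "write", f"/share/finance/doc{i}.docx.locked", CIPHERTEXT) for i in range(3)]
)

def score_events(events):
    """Count ransomware-like indicators per host: high-entropy writes and renames to odd extensions."""
    stats = defaultdict(lambda: {"hi_entropy_writes": 0, "suspect_renames": 0})
    for host, action, path, payload in events:
        if action == "write" and shannon_entropy(payload) >= HIGH_ENTROPY:
            stats[host]["hi_entropy_writes"] += 1
        elif action == "rename" and path.lower().endswith(SUSPECT_EXT):
            stats[host]["suspect_renames"] += 1
    return stats

def quarantine_plan(events):
    """Map each host that trips both thresholds to the predetermined workflow to execute."""
    plan = {}
    for host, s in score_events(events).items():
        if s["hi_entropy_writes"] >= WRITES_TO_ALERT and s["suspect_renames"] >= RENAMES_TO_ALERT:
            plan[host] = [
                f"isolate {host} from the network (NAC/switch port) for investigation",
                "snapshot the share now, before more files are overwritten",
                "lock the latest clean backup set against deletion",
                f"open an incident ticket for {host}",
            ]
    return plan

if __name__ == "__main__":
    for host, steps in quarantine_plan(EVENTS).items():
        print(host, *steps, sep="\n  ")
```

In a real deployment the event stream would come from file-server auditing or the backup platform's own analytics, and the plan entries would be calls into the NAC, storage and ticketing systems rather than strings.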

Rapid Recovery: Invest in Protective Measures That Will Prevent Future Loss

Rapid recovery is the third key component of cyber resiliency. As mentioned earlier, IT systems are critical to business success, and in some cases, such as healthcare and critical infrastructure, downtime could result in loss of life. Every organization will suffer downtime at some point, and systems should be in place to restore system or data availability according to the business need when it happens.

A benefit of rapid recovery solutions is that recovery and investigation can proceed in parallel. In the example above, the system infected with ransomware was isolated from the network, but that isolation also prevents users and applications from accessing its data. Rapid recovery solutions may therefore need to mount snapshots of the affected data and remap resource pointers to the recovery location.

Implementing The Framework

Not all data requires this level of protection, so the first step in implementing it is to identify the mission-critical data sets. Management and automation software such as Dell EMC Cyber Recovery can then be applied to the 10-15% of an organization's disaster recovery scope that qualifies. Companies select that critical data based on its direct and indirect use, including how the data affects systems and processes across the enterprise.

Our economy and our lives are increasingly digital. As such, the systems and data that underpin our digital economy are essential to company success. Cyber resiliency is what supports the business when other controls fail. Make your company cyber resilient now to prevent future disaster.
