Early in the year, I wrote about NAS systems being a high impact target for ransomware. I called NAS a goldmine for ransomware. This is still very true because NAS systems are the workhorses of many organizations. They serve files and folders and from it, the sharing and collaboration of Work.
Another common function for NAS systems is being a target for backups. In small medium organizations, backup software often direct their backups to a network drive in the network. Even for larger enterprise customers too, NAS is the common destination for backups.
Ransomware is obviously targeting the backup as another high impact target, with the potential to disrupt the rescue and the restoration of the work files and folders.
It’s so dusty!
My apartment is always dusty. It is an never ending chore to sweep and dust. The analogy is the same for ransomware in your organization. The ransomware situation has become so rampant that it is new normal now. And organizations must play a disciplined role to continuously and continually apply the required policies, processes and people education to be aware to reduce the presence of ransomware in the company’s network. Technology will be part of the company’s sanitization cadence to combat ransomware.
This means that it is 99.9% that there is ransomware in your network. There are end points anti-malware solutions to detect and quarantine ransomware. There are also malware protection for NAS servers as well. But backup is the weak spot.
Breaking the loop
The photo above says it all. Backing up data and files and then restoring them is really perpetuating the longevity of ransomware in your organization. It is a never ending loop of propagating the ransomware problem, reintroducing the threat over and over again. Unfortunately, many backup and data protection vendors are touting ransomware protection but if the backup data sets have been infected, what good does that do? Restoring from an infected data set would do more harm than good.
One thing is clear – Break the loop.
The Backup & Security Convergence
Several vendors have introduced the immutable backup method. Rather than backing up at .zip, .tar, tgz, or .cpio or some typical format, the data set backed up are still “files”. Ransomware in the network are trained to go after these type of files and encrypt them. Immutable backups are kept often kept as object storage, which is by nature, immutable. Every little change, every delta results in a new object and thus the object cannot be modified without rendering it useless. This is a form of protection against ransomware and malware but unfortunately, the object can be deleted with the right level of privileges, unless it is placed under a periodic compliance lock.
At the same time, these vendors uses the snapshot mechanism. A sudden anomaly in the rate of change or the size of the snapshot would trigger an alert, signally a possible application of the ransomware on the files being backed up. A well documented piece of this method is found in Rubrik®’s blog, with the introduction of the Radar application within their Polaris SaaS platform.
Cohesity, employs an almost similar method detecting anomalous patterns when executing its back to its Cohesity Data Platform. Check out the video below:
Cohesity also introduced CyberScan, a partnership with Tenable™ which assess the vulnerabilities and risks of the datasets in the Cohesity Data Platform. In Cohesity SmartFiles NAS, the backed up files can be scanned by ClamAV, a popular open source anti-virus software. Both Cyberscan and ClamAV are available in Cohesity Market Place.
Asigra, a long time cloud backup vendor, is one of the early proponents of the this backup-security convergence. It has partnered with several unnamed security vendors to create what it calls Attack Loop™. It is a “bi-directional malware detection” which performs real-time scans of both the backup streams as well as the restore streams. This essentially “breaks the loop” as I have alluded to earlier. Here is a look at the Asigra dashboard:
At the same time, Asigra employs a 2FA (2 factor authentication) to make it difficult for backup datasets deletions and also a variable naming mechanism for backup datasets. Both will make it harder for ransomware to execute its damaging payload.
Following along with Asigra, Acronis® has Cyber Backup, ArcServe® has a partnership with Sophos and Unitrends™ has ransomware detection and recovery assurance several of its backup and recovery solutions. Here is a Unitrends™ demo video:
Last week, Druva and FireEye™ tied up with tighter integration with the FireEye™ Helix Security Platform.
The burgeoning threat of ransomware has stirred up the convergence of the backup and cybersecurity solutions integration, and banded the alliance of data protection (data) and data protection (security) into a super Data Protection segment.
However, at present, I still see a few of these integrations as 2 distinct solutions. It is the duty of this blog to encourage the end users and potential customers to see past the marketing messaging and the technology rhetoric. The integration of scanning and detection of malware in backups and restores data sets are not 100% frictionless. The understanding of the processes of backups and restores is important and must be baked into the RPOs (recovery point objectives) and the RTOs (Recovery Time Objectives) of the organization’s policies.
The list I have shared is by no means comprehensive, and I did not go deep dive into a few of the technology. Given the meteoric rise and the destruction of ransomware, this backup and cybersecurity technology convergence and integration will get better and the technology will become more pervasive. And it is time for every organization, large, medium and small, to build their cyber resilience defense against ransomware.