Backup: more than mere ransomware insurance

Editorial Type: Feature
Date: 2020-06-01
Tags: Storage, Backup, Ransomware, Data protection, Strategy, Cloud, Cohesity

A backup is a vital tool when recovering from a ransomware attack, explains Andrew Fitzgerald, Sales Director, UK & Ireland, Cohesity, but as part of a more extensive data management solution it can also help stop this and other malware in its tracks.

When it comes to cyber-crime, one of the most worrying developments has been the spread of ransomware, with foreign exchange service Travelex just one of many businesses targeted in recent months. These days you don’t have to be a big name to be attacked: we’re all potential targets. Protecting our data against ransomware should be a crucial part of any malware strategy, as should a robust backup regime to allow for speedy recovery should the worst happen. However, don’t assume that just because you’re taking backups, you can rest easy at night: it’s not that simple.

They know where your data lives
The bad guys aren’t stupid. They know that companies routinely back up their data and that most see this as the best way of ‘insuring’ against malicious data encryption. They also know that a lot of organisations now store backups online, often on public cloud platforms and, just as often, using cloud syncing services such as Dropbox, OneDrive and Google Drive.

Similarly, many disaster recovery solutions rely on active/active replication to networked data stores to work. But ransomware will now routinely target all these resources, as well as live data, making it increasingly common for victims to discover that, when they need them the most, their backups and DR systems are also encrypted and of no use.

The knee-jerk reaction to this trend will be for companies to review their backup policies, and in the UK many will follow recently updated guidance from the National Cyber Security Centre, emphasising the need to make offline backups to mitigate ransomware attacks. That is all very well except that, as with a lot of ransomware advice, the assumption is that backup is a tool of last resort, only of use when recovering from attacks, when it can, in fact, be used to help prevent them.

Prevention is better than cure
When it comes to putting this into practice, the best approach is to always include both backup and anti-malware protection as integral components of an overarching data management strategy, rather than, as commonly happens, bolting them on as an afterthought.

Equally, it’s essential to understand that the required data management products have varying capabilities which, in some cases, will limit how far you can go beyond the backup/restore basics. That doesn’t mean you shouldn’t try – there’s a lot at stake – and if the tools at your disposal aren’t up to the job, it’s worth looking around for alternatives.

The question is: what sort of functionality, beyond simple backup and restore, do you need? Unfortunately, there is no magic formula, although those drawing up a shopping list could do worse than think about these three questions:

Can you scan your backups?
Proactive vulnerability scanning is the first line of malware prevention, but scanning live production systems and shared assets (such as NAS appliances) across an extensive distributed infrastructure is far from easy. Scanning backups is a lot less problematic, as it can be done without impacting on system availability and, because backups are more likely to be held centrally, without having to manage scanning at scale across multiple endpoints.

Importantly, however, we’re not just talking here about tools that simply scan backups and bin them if they contain malware, but about using scanning as a means of ringing alarm bells and taking pre-emptive action when malware and potential vulnerabilities are detected.

Can you lock down your backups?
The days when backups were taken to tapes and stored in offsite vaults are over. Ransomware prevention requires a multi-layered approach that balances speed and ease of recovery against security. So, as well as offline copies, companies will likely take snapshots, typically using automated replication tools. Criminals have advanced their methods and now look to target backups, removing or encrypting them as part of the attack. However, there is a way past this.

Your backups need to be stored in an immutable (locked) state that can’t be mounted, modified or deleted. Not all backup programs support this, but a lot do, and it can also be implemented using more extensive data management platforms.

Can you recover easily, quickly and at scale?
Recovery is a complex and lengthy process, especially where an organisation is dependent on a large hybrid infrastructure spanning multiple clouds and on-premise data stores. Tools that can be used to recover at scale and focus both on rapid Recovery Point Objectives (RPOs) and fast Recovery Time Objectives (RTOs) are crucial here and should be prioritised, as without them recovery can take days - or longer - potentially leading to business failure.

Of course, there are lots of other factors to consider and answers to find, especially with ransomware attacks becoming ever more ingenious, making it essential to keep data management strategies under constant review. Moreover, while there is no one-size-fits-all solution, whatever approach you take, it should always be based on sound data management hygiene and, as already stressed, the application of multi-layered defences capable of isolating backups from production data stores.

Or you could just pay the ransom - but we all know that isn’t solving the core problem; instead, you’re just funding more ransomware initiatives later down the line.

More info: www.cohesity.com