While many backup storage vendors now count on it almost exclusively, does immutability beat ransomware? The short answer is no. Making backup data immutable is not enough to beat ransomware. It is an important level of defense, but it is just one level of many required defenses.
Beating ransomware requires:
1. Immutability of the entire backup environment, not just the backup data
2. Rapid Recovery to eliminate the temptation to pay the ransom
3. A sterile environment that is 100% immune to the ransomware attack
4. Protection of the backup storage environment from intrusion
Requirement 1: An Immutable Backup Environment
Storing the backup data in an immutable form is critical to recovery from ransomware. Still, suppose the backup metadata (indexes and configuration files) get encrypted. In that case, the time to rebuild the configuration and recreate the indexes (if possible) will significantly delay the start of the recovery process. Most backup storage vendors avoid offering immutability for the backup software metadata because their solutions can’t meet the performance demands of the backup software. And the customer is left to fend for themselves to protect and secure the backup metadata.
StorONE’s S1:Backup is built on our Enterprise Storage Platform. We protect your backup data and your backup software’s metadata. We can deliver the performance the backup software metadata requires. Thanks to its volume isolation technology, we can ensure that the performance of updating metadata will not impact the ingesting of actual backup data.
Requirement 2: Rapid Recovery
Immutability protects your backup data while it is at rest, but at some point, you need to activate that data and restore it. One of the challenges when executing a ransomware recovery is that, unlike other disasters, there is another recovery option — pay the ransom. Paying the ransom rewards the attacker, exacerbating the problem. There is also no guarantee that they will give you the keys to your data. To remove even the temptation of paying the ransom, IT must recover data back into production quickly. Most modern backup software has an instant recovery feature which is the ability to instantiate a virtual machine (VM) or an application directly on the backup storage target. This feature should enable rapid return to operations, but most backup storage targets use hard drives exclusively and can’t deliver production VMs and applications’ performance. All-Flash backup storage targets sidestep the issue but make you pay dearly for it.
StorONE’s S1:Backup efficiently uses a small number of flash drives to speed up the ingestion rate, collapse consolidation windows, and ensure that instant recoveries are instant. The solution will dynamically reprovision some of the flash SSDs for recoveries. The patented algorithms that StorONE invented enable S1:Backup to deliver hundreds of thousands of IOPS from this small quantity of drives.
Requirement 3: A Sterile Recovery Environment
After targeting the backup environment, ransomware will then attack production data, encrypting it so you can’t access it. If you’ve ensured backup data immutability and somehow secured your backup metadata, you now have to restore into a production storage environment that is still infected. Even if your backup software product has instant recovery, you have to move that instantly recovered environment to production storage quickly. The pressure to recover quickly doesn’t provide you the time to make sure that you’ve removed all occurrences of the ransomware trigger file. There is a high likelihood that your recovery effort will be in vain since the remaining trigger files will soon re-encrypt the recovered data.
StorONE’s S1:Backup delivers a sterile, production-class environment to which you can safely recover VMs or applications. You can either promote instantly recovered instances or directly restore your workloads to StorONE volumes. The S1:Backup then employs the full power of the StorONE Enterprise Storage Platform to deliver a highly available, high-performance environment with maximum data protection. StorONE will continue to store an immutable copy of data as it changes, protecting these recovered applications from any remaining ransomware trigger files. With S1:Backup, you get the benefit of time! The time to go through your environment and remove all remaining remnants of the attack before moving these applications back to their production storage systems.
Creating a Sterile Recovery Environment requires a backup storage solution you can elevate to Standby-Storage. To learn more about Standby-Storage, register for our webinar “Beat Ransomware with Standby Storage.”
Requirement 4: Intrusion Prevention
A final level of protection ensures that a bad actor or even a rouge employee can’t compromise the backup infrastructure. This type of attack is likely what made the Kronos recovery so difficult. Their IT team counted on their backups as they should, but they couldn’t access them when they went to use them.
StorONE’s S1:Backup provides two-factor authentication, making an outside infiltration more difficult. For the ultimate security, organizations can set immutable data to only be mutable after the retention period has passed, making even a rogue attack ineffective.
Ransomware isn’t the only threat to the data center. We still have to worry about natural disasters and other artificial problems, but preparing for a ransomware attack and making sure you can recover from it also prepares you to recover from any other challenge. Developing a Ransomware Protection and Recovery Plan is a worthy exercise, and every organization should go through it. If you’d like help architecting a plan, feel free to reach out to us, and we can guide you through the process with no obligation to buy StorONE.