Start Where You Are to Build Ransomware Resiliency
In this article
As Ransomware gets more sophisticated, it continues to be a major concern for organizations. The bad guys are still getting in and doing more damage than ever, with various research studies finding that 37-51% of organizations worldwide experienced ransomware attacks in the prior year. (1,2,3)
Data protection plays a critical role in addressing ransomware in a resilient way. This resilience is not based on prevention, but rather ensuring there is a protected copy for the business to recover from.
The problem of protecting your business from ransomware through your data protection solution can be daunting, overwhelming many organizations as a complex, multi-year project. Instead of trying to boil the ocean, organizations should consider identifying and addressing the most important business outcomes first and building from there.
A data protection model is a great framework to help you achieve your desired outcomes, starting where you are and layering on capabilities that could include Software-as-a-Service (SaaS) solutions. Increasingly, organizations are turning to cloud-centric models including SaaS solutions to address data protection and ransomware. In fact, "IDC predicts that by 2025, 55% of organizations will have migrated their data protection systems to a cloud-centric model." (5)
A leading example is Cohesity FortKnox, a software as a service (SaaS) data isolation and recovery solution, part of Cohesity's Data Management as a Service portfolio of offerings. Cohesity FortKnox gives you ransomware resiliency with highly-secure, SaaS-based isolation. It provides an additional layer of off-site protection while dramatically simplifying operations and lowering costs compared to magnetic-tape and self-managed data vaults.
How to build ransomware resiliency one step at a time
Here are some incremental steps you can take today, starting with your current data protection environment and improving it to meet your cyber resiliency objective.
Start where you are
Enhancing your data protection to protect your data from ransomware does not necessarily mean you need to overhaul everything or acquire a major new platform. In fact, it makes sense in most cases to start with the platform you already have. WWT uses a framework to determine where you are today with your current backup approach and what steps you can take to get to your desired outcome. The framework centers on five main areas, in sequential order and order of importance.
1. Platform hardening
The vast majority – nearly 95% – of ransomware attacks are preventable, according to Gartner, because organizations have not prepared for attacks well enough in terms of instituting basic controls.(6) In fact, because of recent high-profile attacks in which attackers exploited the lack of basic controls, many organizations are "finally dedicating time to basic cyber hygiene."(7)
Improving your posture within your Data Protection environment can start with one simple step: hardening the platform that you are already using to provide backups.
Make sure you're doing everything right and are using all the existing capabilities you currently have. Comb through your security guide to validate that you have incorporated best practices and are utilizing your capabilities, including:
Access and alerts: You'd be surprised at how many organizations have not set up proper account access controls or have set up logging and alerts to a central log management system.
Encryption in-flight and at rest: If you have the capability to use encryption in flight as well as at rest, make sure you are using it. Integrate your Data Protection solution with your Enterprise KMIP solution.
Ports & Protocols: Make sure you disable any ports that shouldn't be open and leveraging most secure protocols for all inbound and outbound traffic.
Physical / logical separation of your backup network: Segment and isolate your backup network to limit the attack surface. Lots of problems come from those basic areas. It's the little things, and it's crucial that IT folks do their due diligence in terms of maintaining the environment.
Make sure you follow the industry concept of "3-2-1": This means you have: 3 copies of your data in 2 different locations with 1 copy off-line.
Cohesity Fort Knox is a solution that can help you with the 1.
2. Immutability
Next, you need to layer in immutability, which are backups that cannot be altered by anyone whether that is to expire or delete. It is crucial that your solution prevents any expiration or deletion of critical backup sets. This can be a difficult task as it may require awareness of the application and data that supports your crucial business processes. It's also important to understand if the immutability of the software is integrated into the underlying storage platform.
Cohesity's Data Lock feature provides immutability on their platform as well as extending that to offsite repositories.
3. Zero Trust
Zero Trust is a security framework and approach that assumes the network is always at risk, continuously verifies identity and assesses system security. Incorporating proper access controls is important everywhere but is sometimes overlooked when it comes to your Data Protection environment.
This can be incorporated within your solution stack today, with vendors supporting third party MFA integration and TOTP capabilities. You can also leverage multi-person approvals that require approvals for certain operations to be completed within your backup solution, while still maintaining least privileged principles.
Cohesity's MFA and Quorum features aligns with Zero Trust, as Quorum enables multi-person approval for operations.
4. Isolation
Isolation of your backups can be as simple or as complex as you need, based on your overall Cyber Resiliency strategy and capabilities you want to leverage within this program. You have a multitude of options, such as logical and physically separated infrastructure, building out of a clean room, how to manage network traffic for ingress and egress activities. This can be consumed as a managed service for both on-premises or hyperscaler deployments.
With Cohesity, you have achieved isolation as it is hosted and managed by Cohesity and is not maintained within your production environment.
5. Analysis and recovery
Anomaly detection and the depth to which your backup sets are analyzed is going to play a crucial role in your recovery efforts. In the backup space, these tools are not meant to prevent ransomware from occurring, but rather to recognize when the data is exhibiting ransomware-like properties. The recovery of this data, and your Cyber Resiliency strategy will help you determine what point in time to recover from.
Cohesity Fort Knox provides:
- Anomaly detection with Helios (SaaS solution) that Cohesity maintains
- Recovery capabilities
- Cyberscan (Cohesity Marketplace App)
The journey continues
When you're hit with ransomware, your backup and recovery capability should ensure you have intelligence to help you see quickly that an attack may have or has already happened, and to maintain a data protection environment that is also protected as best as possible. By hardening your current data protection environment, then layering in immutability, zero trust and intelligent recovery, you can achieve your organization's most pressing outcomes – and build from there.
Learn more about WWT and Cohesity's joint capabilities.
References
- IDC Survey Finds More Than One Third of Organizations Worldwide Have Experienced a Ransomware Attack or Breach, IDC, August 2021.
- Cyber Resilience is Critical as Risks to Business Keep Growing, CIO.com, January 2021.
- The year of ransomware: Don't be the next victim, CIO.com, July 2021.
- Cyber Resilience is Critical as Risks to Business Keep Growing, CIO.com, January 2021.
- Worldwide Data Replication and Protection Software Market Shares, 2021: Steady Growth," IDC, June 2022.
- Ransomware Attacks: Prepare, Plan and Respond, Gartner Webinar, November 2021.
- Are You Prepared for 2022's More Destructive Ransomware? | SecurityWeek.Com, February 2022.