Creating Secure Backup for Ransomware Defense

People have asked what we mean when we say, “secure backup is your last line of defense.” Over the last ten years, the security industry has realized modern ransomware protection requires an integrated security architecture from endpoints to network and cloud to detect, correlate and remediate attacks completely. In the case of ransomware, your options for remediation are usually to recover from a backup or pay the ransom. The challenge is, saying “restore from backup” oversimplifies the process and causes many organizations to make assumptions about their backup and recovery capabilities. As is the nature of assumptions, they often prove false, leading to either data loss or the ransom still having to be paid. To avoid the worst-case scenario, you need a plan in place that includes verified, tested and secure backups that can be restored quickly.  So, we want to remind ourselves and everyone we interact with that your backup infrastructure is part of the overall cybersecurity defense plan and can be the final option for getting back to, or staying in, business. 

The evolution of attacks like ransomware has pushed people who have not traditionally been thought of as part of security, such as the disaster recovery and backup teams, to the center of the response and recovery operations. We see in Veeam’s 2023 Data Protection Trends report that 88% of the respondents have business continuity and disaster recovery were either mostly or totally integrated with their cybersecurity strategies. It’s a strange place to be when the backup team were historically worried about users deleting small numbers of files, and you’re now responsible to prove you can recover every piece of data in your company because of a cyberattack. 

Recovering from a breach, and proving you have not lost data, should mean there’s no need to pay a ransom. Unfortunately, the 2022 Data Protection Report shows us that only 36% of organizations were able to recover more than 80% of their data after a ransomware attack. This statistic is frustrating because it’s not too much of a leap to think that these organizations either considered paying or did pay a ransom to get their data back.

Creating a secure backup for ransomware recovery 

So, what do we have to do to ensure we can confidently get operations back up and running? Here at Veeam, we believe the answer is a combination of product features and procedural best practices that ensure you can detect workloads as they come online, protect the data in a verifiable manor, and recover at scale in a way that doesn’t reintroduce threats to the environment.  

On the backup side, it’s all about protecting the data and making sure the backup job is working as expected. There are also the best practices which ensure when everything has gone horribly wrong you will still have a copy of your data to restore. During recovery, we want to focus on speed, which ties into automation and orchestration. Once again, a combination of product and process. Finally, we need to ensure the data that is recovered won’t re-introduce a threat to the environment. Let’s look at some of the reasons why this is important. I’ve also included links to articles from our technical experts for even more information.

Trusted immutability

Veeam has always been a software-first company. This means you are in control of the storage configurations and are not limited to the configuration we choose. It also means you can create multiple layers of immutable storage both in the cloud or on premises based on your network design. This flexibility also lowers operational costs and increases security since you’re using your existing storage platforms. There’s a great article on the options for what we like to call “double-play” immutability that you should read to learn more.

Backup verification

How do you prove your backup was successful? In our upcoming ransomware research report, we found most organizations either rely on the job completion logs or have built their own scripts to verify the integrity of the backup. The challenge is relying on backup job logs only shows the job completed, without proving the data can be recovered. The people who create their own process on the other hand are taking a step forward but are adding to their workload by maintaining scripts or trusting they’ll have time for a manual, and arguably mundane, process.

For us, backup verification is part of the feature set we call SureBackup. Simply put, SureBackup is the Veeam technology that allows you to run multiple tests on your backups to confirm the data is malware free and that the data can be recovered. The process can be as simple or in-depth as you need and can be run manually or be scheduled as part of your disaster recovery preparations. For more details on what SureBackup can do, click here.

3-2-1-1-0 Rule

When I first joined Veeam, I met with members of our amazing customer support organization and asked what the one thing was they wished customers would do. They said the 3-2-1-1-0 Rule. Modern malware is known to attack the backup layer, so you need to have a process in place to ensure resilience.

The 3-2-1-1-0 Rule says there should be at least three copies of important data, on at least two different types of media, with at least one of these copies being off site. As the threat of ransomware has evolved, we recommend at least one copy of data be resilient either through being air-gapped, offline, or immutable. This is imperative for effectively defending yourself against ransomware. We’ve also added a zero, for zero backup errors, to the rule because automated backup verification ensures your data is valid and usable for recovery. You cannot recover data that has been captured incorrectly, so following the 3-2-1-1-0 Rule can be the difference between data loss and recovery.

Instant recovery at scale

The 2022 Data Protection Trends report shows that downtime is estimated to cost $1,467.00 per minute or $88,000.00 per hour. Combine this with the growing gap between the SLA for data recovery and the actual speed of recovery and it’s no wonder so many companies pay ransoms.

Veeam pioneered Instant VM recovery in 2010 and has refined and extended the capability ever since. Today, Veeam has multiple recovery options that allows you to optimize your recovery processes and quickly restore multiple machines simultaneously. You need granular options to recover a single file, we can do that. Application recovery, no problem. Entire volumes or servers were taken down with ransomware, we’ve got you covered. The fact that you can use the tools best suited to your needs means we’re flipping the script on bad actors and making ransomware recovery the faster, and more cost-effective option and making the mantra of “don’t pay the ransom” a reality. 

Secure Restore

Veeam was first to market with the Secure Restore capability, which scans machine data with your antivirus software before restoring the machine to the production environment. Secure Restore is simple to enable and allows you to update your preferred antivirus or antimalware software to the latest signature levels, no exclusions, and to verify in a non-production, network-isolated sandbox so you will not re-introduce threats into your data center before restoring data.

Here are a couple resources for creating the process and using the capability:

Disaster Recovery (DR) Orchestration

Hope is not a strategy, and it’s not going to help you in a disaster. And let’s agree that ransomware is a disaster. Automation and orchestration have become critical to cybersecurity defense and the same can be said for recovery. The worst thing you can hear someone say during a ransomware attack is “I think it works like this…” or “it should do that…” which is why Veeam built the Veeam Disaster Recovery Orchestrator product. Disaster recovery is only successful if you have a well-documented plan, and that plan can help organizations take their DR preparedness to the next level. Furthermore, a plan is only valid if you know it will work, and Veeam’s solution provides automated recovery SLA testing and an SLA dashboard for easy visibility of your DR readiness.

Backup and recovery are no longer a siloed piece of the infrastructure that can be assumed to work. Rapid, reliable recovery is an integral part of the overall cybersecurity incident response process and must be thoughtfully planned out just like the rest of your security architecture. At the end of the day, your data is your most valuable asset, so it must be protected with a secure backup solution that is not only flexible enough to build immutability that fits your needs, but also verifies the backup jobs to ensure the data is there and malware free when you need to restore. All these reasons and more is why when we think about ransomware, Veeam believes secure backup is your last line of defense.

For more information on how you can improve your ransomware defenses try Veeam’s Ransomware Data Recovery Solutions.

 

Related resources:

 

Exit mobile version