They know where your data lives

The bad guys aren’t stupid. They know that companies routinely backup their data and that most see this as the best way of “insuring” against malicious data encryption. They also know that a lot of organisations now store backups online, often on public cloud platforms and, just as often, using cloud syncing services such as Dropbox, OneDrive and Google Drive.

Similarly, many disaster recovery solutions rely on active/inactive replication to networked data stores. Ransomware will now routinely target all these resources, as well as live data, making it increasingly common for victims to discover that, when they need them the most, their backups and disaster recovery systems are also encrypted and of no use.

VIEW ALL

The kneejerk reaction to this trend will be for companies to review their backup policies and follow guidance such as that provided by the Australian Signals Directorate. This is all very well however, as with a lot of ransomware advice, the assumption is that backup is a tool of last resort. The perception is that it is only of use when recovering from attacks when it can, in fact, be used to help prevent them.

Prevention is better than cure

When it comes to putting this into practice, the best approach is to always include both backup and anti-malware protection as integral components of an overarching data management strategy. This is far better than bolting them on as an afterthought. 

Equally, it’s essential to understand that the required data management products have varying capabilities which, in some cases, will limit how far you can go beyond the backup/restore basics. That doesn’t mean you shouldn’t try as there’s a lot at stake, and if the tools at your disposal aren’t up to the job, it’s worth looking around for alternatives.

The question is what sort of functionality, beyond simple backup and restore, does you firm need? Unfortunately, there is no magic formula, although those drawing up a shopping list could do worse than think about these three questions:

1. Can you scan your backups?

Proactive vulnerability scanning is the first line of malware prevention, however scanning live production systems and shared assets (such as NAS appliances) across an extensive distributed infrastructure is far from easy. Scanning backups is a lot less problematic as it can be done without having an impact on system availability and (because backups are more likely held centrally) without having to manage scanning at scale across multiple end points.

Importantly, however, we’re not just talking about tools to simply scan backups and bin them if they contain malware, but as a means of ringing alarm bells and taking pre-emptive action when malware and potential vulnerabilities are detected.

2. Can you lock down your backups?

The days when backups were taken to tapes and stored in offsite vaults are over.

Ransomware prevention requires a multi-layered approach that balances speed and ease of recovery against security. So, as well as offline copies, companies will likely take snapshots, typically, using automated replication tools.

Criminals have advanced their methods and now look to target backups, removing or encrypting them as part of the attack. However, there is a way past this. Your backups need to be stored in an immutable (locked) state that can’t be mounted, modified or deleted and while not all backup programs support this, a lot do, and it can also be implemented using more extensive data management platforms.

3. Can you recover easily, quickly and at scale?

Recovery is a complex and lengthy process, especially where an organisation is dependent on a large hybrid infrastructure spanning multiple clouds and on-premise data stores. Tools that can be used to recover at scale and focus both on rapid recovery point objectives (RPOs) and fast recovery time objectives (RTO) are crucial and should be prioritised.

This is because, without them, recovery can take days, or longer and potentially lead to business failure.

Of course, there are lots of other factors to consider and answers to find, especially with ransomware attacks becoming ever more ingenious and making it essential to keep data management strategies under constant review.

Moreover, while there is no one-size-fits-all solution, whatever approach you take, it should always be based on sound data management hygiene and, as already stressed, the application of multi-layered defences capable of isolating backups from production data stores.

Or you could just pay the ransom, but we all know that isn’t solving the core problem.

Instead, you’re just funding more ransomware initiatives further down the line.

Kathryn Ramanathan is the ANZ channel and distribution manager at Cohesity.