21 Mar More tiers for you means more tears for the attackers
In the ‘Age of Ransomware’, plenty has already been said about prevention, but far less attention has been paid to what can be done in the aftermath of an attack, says Omar Akar, Regional Vice-president, Middle East & Emerging Africa, Pure Storage.
In a recent survey of UAE organisations, 59% said they had been hit by a cyberattack in the past two years, and of those hit by ransomware, more than a quarter paid more than US $250,000. Indeed, paying out is still perceived by some as the best route to recovery: grit your teeth, swallow your pride, pay out, and move on. The reality is, it’s not that straightforward. To attackers, payment is an incentive, an encouragement to keep doing what you have been doing by going back to the status quo. Paying a ransom once increases the chances of being struck again, and then comes the question of recovery. In the case of the Colonial Pipeline in the US, for example, the victim paid. But the decryption tool that Colonial’s IT team received was reportedly so slow that they had to resort to using their own backups anyway. Delays ensued and this caused anxieties that business operations will not be restored swiftly.
Avoiding tears
What if there were a way to avoid such panic? To recover within hours and, as an added bonus, be in a position to send the digital bandits scuttling away? This latter point is not trivial. RansomOps groups want easy money. Once word gets around that your organisation is a poor prospect for a payday, they are much less likely to target you again. All of this is possible, through tiered backups and data bunkers. Risk managers are starting to realise that prevention is only part of the problem. Today, a cybersecurity plan has a far greater stress on the post-incident playbook. If the worst happens, stakeholders are not content with eventual recovery. They demand immediate recovery. Air-gapped storage solutions, where backups are kept offsite and offline, are certainly good for ensuring that ransomware cannot infect the means of recovery. But that recovery may be slowed if an air-gapped vault is not easily accessible. So, to deliver the ideal scenario of payment denial plus turnkey continuity, we need to look at an organisation’s underlying infrastructure and ask if it can deliver the accessibility and speed that delivers no-waiting recovery. Which brings us to tiered backup and data bunkers. Multi-tier backup architectures use data snapshots and multiple geographic locations to deliver a wide range of backup-and-recovery use cases. Here are some of the most common architectures– organisations can use these in a combination that best suits their unique business needs and budget.
Tier1: Active failover
We can think of this tier as a kind of non-recovery recovery, in that the primary resource is replaced by its backup automatically and instantaneously, with no data loss. The latency involved is so low that most users would not even notice any performance degradation, much less have to deal with a change in the way they work. While the failure of the primary node would still need to be addressed, IT admin teams would never have to accessor activate snapshots or backups.
Tier2a: Local snapshots
If an organisation has large volumes of business-critical or sensitive data, taking regular snapshots of the data at intervals of anywhere between 15 minutes to a matter of hours, ensures highly up-to-date data is available, should things go wrong. Stored locally for three to seven days on the organisation’s primary storage array, these immutable snapshots provide near-instant recovery in the event the Tier-1 failover is compromised, or if immediate rollback is required following an administrative error or bugs in development. The read-only design of a snapshot makes it impossible for an attacker to encrypt or delete it, while leaving it entirely usable for the purposes of system recovery.
Tier2b: Local snapshot protection
Several organisations would prefer not to use their primary storage capacity for these local snapshots, or might want to store the snapshots for longer than the three to seven days. In this case, the local snapshots can be offloaded toa secondary storage array and stored for anywhere from 14 to 30 days. This frees space on the primary system while providing extremely high-speed restores.
Tier3: Primary data protection site (aka DR site)
Now we move from acts of digital sabotage to physical disasters such as fires, floods, storms, widespread power outages, and other events that could take an entire on-premise data centre or cloud location offline and compromise Tiers 1and 2. This is where a disaster recovery (DR) site might make sense for an organisation. This Tier-3 site is physically and geographically separate from all other sites. Every 30 days, the backup snapshots from Tier 2 can be replicated to the disaster recovery site, for up to 360days’ worth of snapshots. And if called into action, the data can be restored to the primary storage within a matter of hours.
Tier4: An optional data-only bunker
For organisations that require the absolute highest level of data recovery, a Tier 4 ‘data bunker’ can be implemented. This is a long-term data retention site where tape backups would traditionally have been used, although this is no longer common practice. A Tier 4 data bunker is an additional, one-way-in data lake for mass storage but is instantly accessible should the need arise. Such sites serve as robust defences against the modern threat landscape, waiting in the wings behind primary and secondary tiers and DR sites to offer one more layer of durability. The bunker can also host critical workloads in the event of a disaster until higher-tier architectures have been rebuilt. Bunkers are fast, and because they only allow inbound communication, they are highly secure. Data is accessible and usable, albeit as part of a relatively slower-performance user experience. And bunkers make long-term, mass data storage affordable by using a mixture of data reduction and the highest capacity flash storage technology. The presence of a data bunker is also good for the purposes of analytics and compliance.
A sturdier estate
Cybersecurity professionals have long pointed out that attackers are using more sophisticated methods to deploy their payloads. Ransomware now extends its reach to any backups it can find. And given that most industry professionals will admit that being hit by a ransomware attack is a matter of ‘when’ not ‘if’, having the security defences to thwart a ransomware attack is not enough. It is critical that organisations also have the storage infrastructure in place to ensure data can be recovered without much, if any, downtime. Multi-tier data protection — some combination of Active Failover, Local Snapshots, Disaster Recovery Site and a Data Bunker — is the only answer to keeping an organisations’ data secure in the event of a ransomware attack. Threat actors will be frustrated by the new architecture. Put another way, more tiers for you means more tears for them.