
Ransomware Countermeasures Pt2. Sync to Minimize the Blast Radius.

This is a follow-on to a post I recently made about my least favorite topic, ransomware.

The FBI has created a comprehensive checklist of measures organizations should take to prevent the incursion of ransomware and recover from an incident in the event that ransomware breaches your perimeter. We’re not a firewall company, so I’ll let the security companies focus on how to prevent breaches. This post will address various considerations around how to protect data and effectively recover from a ransomware attack.

In their advisory, the Feds provide the following guidance:

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backup systems. Make sure they aren’t connected to PCs they’re backing up.

With all due respect to the FBI, CTERA would quibble with this guidance. We don’t disagree in principle, but we believe that the word “backup” sends the wrong message to the market. Here’s why:

Legacy Backup Software and Processes Introduce Too Large a Recovery Point

For the last 20 years, the market has been conditioned for daily backups. Whether we’re talking server or endpoint backup, file storage systems have been built for relatively lax backup intervals because:

  • Backups have been expensive (lots of CPU, lots of storage, too time consuming).
  • Organizations haven’t had to deal with an explosion of file-locking malware attacks.

[Figure: an HP Connected endpoint backup scheduler that offers once-a-day backup intervals only.]

Legacy backup software becomes a major problem in organizations where knowledge workers are continuously storing data on PCs and file shares.

As an example:

  Organization knowledge worker community:        1,000 employees (1,000 desktops)
  File access by power users and IT teams:        100% of file shares vulnerable
  File exposure when using legacy backup tools:   up to 24 hours of work (default interval)
  Potential lost productivity (recent file loss): 2.7 man-years of cumulative lost productivity

The cumulative figure works out to roughly 5-6 hours per employee (2.7 man-years at about 2,080 working hours per year, spread over 1,000 people), not the full 24-hour window; scale it to your own headcount, working hours and backup interval.


Legacy backup tools have real costs for organizations that are routinely faced with crypto-ransomware. Modern backup solutions, including CTERA’s, let organizations achieve a finer degree of backup interval granularity through global, source-based deduplication, incremental-forever versioning and the ability to track file changes without doing full system scans. That said, the default interval for even the most efficient tools is anywhere from 4 to 8 hours, which is up to a full business day. So the same problem essentially persists.

Despite the relatively large recovery point, data protection tools (“backup”) will always play an instrumental role as a ransomware countermeasure, in large part because backup software can recover full systems and system profiles. Petya, for example, forgoes per-file encryption: it overwrites the boot record and encrypts the file system’s master file table, so the whole disk becomes unusable. Malware of this type creates the need for simple tools that can perform full PC restores, and backup software fits the bill.

That said, the lines between NAS and backup software are becoming increasingly blurry as Enterprise File Sync and Share emerges as a self-protecting file management and collaboration tool that provides user-level storage and file recovery. These tools create incremental versions of files as they are changed and updated, and protection happens on an “event basis” (a file save) as opposed to a “scheduled” basis (a pre-defined backup interval). [Figure: how file sync minimizes recovery point exposure compared with traditional approaches to system and file server backup.]

The result of an “event based” data protection agenda is much more compelling than a scheduled backup strategy that protects user data at 24, 12, 6 or even 1 hour intervals. One caveat: an event-based system will just as faithfully version the ransomware’s encrypted writes, so retention must be long enough (and per-file version depth deep enough) that the last clean version still exists when the infection is noticed. The nice thing about CTERA here is that our customers can apply event-based data protection policies to both endpoints and our office NAS gateway products.
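To make the recovery-point argument concrete, here is a small simulation (an added example, not CTERA code) that takes a constructed list of one user’s file saves and an assumed moment at which encryption starts, then computes how many saves are lost and how wide the exposed window is under a nightly backup, a four-hourly backup, and event-based versioning with an assumed five-minute sync delay. The timestamps, the 22:00 backup anchor and the sync delay are all assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample: one user's file saves over two workdays, and the moment
# ransomware begins encrypting the workstation (all values are made up).
SAVES = [
    datetime(2017, 6, 26, 17, 30),
    datetime(2017, 6, 27, 9, 5),
    datetime(2017, 6, 27, 9, 40),
    datetime(2017, 6, 27, 10, 15),
    datetime(2017, 6, 27, 11, 0),
    datetime(2017, 6, 27, 11, 45),
    datetime(2017, 6, 27, 13, 30),
    datetime(2017, 6, 27, 14, 10),
    datetime(2017, 6, 27, 15, 0),
    datetime(2017, 6, 27, 15, 55),
    datetime(2017, 6, 27, 16, 30),
]
ATTACK = datetime(2017, 6, 27, 16, 40)
BACKUP_ANCHOR = datetime(2017, 6, 26, 22, 0)  # assumed first scheduled run


def last_scheduled_run(attack, interval, anchor):
    """Most recent scheduled backup run at or before the attack.

    Runs occur at anchor, anchor + interval, anchor + 2*interval, ...
    `anchor` must not be later than `attack`.
    """
    whole_intervals = (attack - anchor) // interval
    return anchor + whole_intervals * interval


def scheduled_recovery_point(saves, attack, interval, anchor):
    """Latest save captured by an interval-based backup before the attack."""
    run = last_scheduled_run(attack, interval, anchor)
    captured = [s for s in saves if s <= run]
    return max(captured) if captured else None


def event_recovery_point(saves, attack, sync_delay):
    """Latest save captured by event-based versioning before the attack.

    A save is protected once the sync client has uploaded it, modelled here
    as a fixed delay after the save; anything still in flight when the
    encryption starts is lost.
    """
    captured = [s for s in saves if s + sync_delay <= attack]
    return max(captured) if captured else None


def exposure(saves, recovery_point, attack):
    """Return (lost_saves, exposed_hours) for a given recovery point."""
    if not saves:
        return 0, 0.0
    if recovery_point is None:
        lost = [s for s in saves if s < attack]
        exposed = attack - min(saves)
    else:
        lost = [s for s in saves if recovery_point < s < attack]
        exposed = attack - recovery_point
    return len(lost), exposed.total_seconds() / 3600


def compare(saves=SAVES, attack=ATTACK, anchor=BACKUP_ANCHOR):
    """Exposure under nightly, four-hourly and event-based protection."""
    nightly = scheduled_recovery_point(saves, attack, timedelta(hours=24), anchor)
    four_hourly = scheduled_recovery_point(saves, attack, timedelta(hours=4), anchor)
    synced = event_recovery_point(saves, attack, timedelta(minutes=5))
    return {
        "nightly": exposure(saves, nightly, attack),
        "four_hourly": exposure(saves, four_hourly, attack),
        "event_based": exposure(saves, synced, attack),
    }


if __name__ == "__main__":
    for policy, (lost, hours) in compare().items():
        print(f"{policy:12s} lost saves={lost:2d}  exposed window={hours:5.2f} h")
```

With the sample data the nightly backup loses all ten of the day’s saves (a 23-hour window), the four-hourly backup loses four, and event-based versioning loses none, with only the ten minutes since the last save exposed. Multiply the exposed window by headcount to get the organization-wide figure the table above is estimating.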


What’s the takeaway?

Philosophically: Back Up Everything.

In truth, the FBI is right. Back up your systems. You’ll want to recover desktops and servers without herculean recovery efforts, and modern backup tools make it simple to protect systems and easy to recover full profiles.

Semantically: Back Up Devices To Recover From Full Drive Encryption, Roll Back To Sync’d Folders.

Semantically, “backup software” isn’t the best approach to minimizing your recovery point objective. CTERA Enterprise File Sync and Share and “Sync” Cloud Storage Gateway models can publish and version file updates in less than 5 minutes. In the event of a ransomware attack, you recover the desktop with CTERA backup software and then roll the synced folders back to the versions stored in CTERA Sync products, so that you are restoring the most recent clean file state.
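The second half of that procedure, rolling synced folders back to the last clean version, has a subtlety worth showing: a sync service versions the ransomware’s encrypted writes just like any other save, so you must pick, per file, the latest version saved before the first encrypted write, and those versions must still be within retention when the infection is noticed. The following is an added example (not CTERA code, and not how any particular product stores versions): it works over a constructed version history, flags encrypted versions with two assumed heuristics (a ransom-note file suffix, or near-maximal byte entropy), builds a restore plan, and reports which chosen versions would already be purged under a given retention period.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed version history, as a sync service might expose it: every save
# is a version, including the writes made by the ransomware late in the day.
TEXT_V1 = b"Quarterly report, draft 1. Revenue up, costs flat, outlook cautious.\n"
TEXT_V2 = b"Quarterly report, draft 2. Revenue up 4%, costs flat, outlook positive.\n"
BUDGET = b"dept,q1,q2\nsales,120,130\nops,80,85\n"
NOTES = b"- call vendor\n- renew certificates\n"
# Stand-in for encrypted output: every byte value equally likely (entropy 8.0).
CIPHERTEXT = bytes(range(256)) * 4

HISTORY = [
    {"path": "notes.txt", "ts": datetime(2017, 6, 27, 8, 30), "content": NOTES},
    {"path": "report.txt", "ts": datetime(2017, 6, 27, 9, 10), "content": TEXT_V1},
    {"path": "budget.csv", "ts": datetime(2017, 6, 27, 10, 0), "content": BUDGET},
    {"path": "report.txt", "ts": datetime(2017, 6, 27, 11, 5), "content": TEXT_V2},
    # Ransomware renames one file and encrypts another in place.
    {"path": "report.txt.locked", "ts": datetime(2017, 6, 27, 16, 41), "content": CIPHERTEXT},
    {"path": "budget.csv", "ts": datetime(2017, 6, 27, 16, 42), "content": CIPHERTEXT},
]
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")  # assumed list for the demo


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(version, threshold=7.0):
    """Heuristic: ransom suffix, or byte entropy near the 8.0 maximum.

    Entropy alone misfires on very small files and on already-compressed
    formats (zip, docx, jpeg), so it is paired with the suffix check and,
    in practice, with the time of the first suspicious write.
    """
    if version["path"].endswith(SUSPICIOUS_SUFFIXES):
        return True
    return shannon_entropy(version["content"]) >= threshold


def onset(history):
    """Timestamp of the earliest version that looks encrypted, or None."""
    bad = [v["ts"] for v in history if looks_encrypted(v)]
    return min(bad) if bad else None


def restore_plan(history, onset_ts):
    """For each path, the latest clean version saved strictly before onset."""
    plan = {}
    for v in sorted(history, key=lambda v: v["ts"]):
        if v["ts"] < onset_ts and not looks_encrypted(v):
            plan[v["path"]] = v  # later clean versions supersede earlier ones
    return plan


def purged_paths(plan, detected_at, retention):
    """Paths whose chosen version would already be past retention by the
    time the infection is noticed (versions older than `retention` at
    detection time are assumed to have been purged)."""
    cutoff = detected_at - retention
    return sorted(p for p, v in plan.items() if v["ts"] < cutoff)


if __name__ == "__main__":
    t0 = onset(HISTORY)
    plan = restore_plan(HISTORY, t0)
    print(f"first encrypted write: {t0:%Y-%m-%d %H:%M}")
    for path, v in sorted(plan.items()):
        print(f"restore {path} from version saved {v['ts']:%H:%M}")
    late = datetime(2017, 7, 5, 9, 0)  # assumed: infection noticed eight days later
    print("purged with 7-day retention:", purged_paths(plan, late, timedelta(days=7)))
    print("purged with 30-day retention:", purged_paths(plan, late, timedelta(days=30)))
```

The plan restores report.txt from the 11:05 draft and budget.csv from its 10:00 version while ignoring the renamed and in-place-encrypted writes; notes.txt, which the ransomware never touched, simply keeps its last version. The retention check is the part people forget: if the infection is only noticed eight days later and versions expire after seven, every clean version in the plan is already gone, which is why the version retention on a sync service should be set against your realistic time to detect, not against disk cost.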

Contact us to discuss your data protection agenda and discuss your ransomware attack readiness. We’re happy to share some best practices from the trenches of this war with cyber criminals.

Safe Keeping,
Jeff

Part One of this post can be accessed here