Business Continuity Specialist, Senior Storage Solutions Architect
The frequency and intensity of cyber-attacks continue to intensify. This trend is being driven, in part, by the level of sophistication that bad actors have in executing their nefarious plans. In fact, an entire industry is being created around the development and sale of malware called Ransomware as a Service (RaaS).
The statistics regarding the economic opportunity for criminals are frightening:
- Average revenue per ransomware attack is $140,000 ($500K-800K average reported by other firms, with largest single payout being over $40M.)
- Operating cost is $2,500 per attack*
- Profit margin is 98%
- Risk of arrest is .0008**
- Almost no barrier to entry due to the RaaS model (participants range from actors with almost zero experience to state-sponsored groups.)
The results of this well-organized, profitable industry are even more frightening.
Incident Duration and Business Interruption of a Ransomware Attack
» On average businesses face 22 days of business interruption
80% of Companies Who Paid a Ransom Demand Experienced Another Attack Soon After
» 46% said they believed it was at the hands of the same attackers
» 34% said they believed the second attack was perpetrated by a different set of threat actors
» Only 8% of those who do pay a ransom get all their data back
Ransomware Attacks Should be Listed as a Contingency in the Business Continuity and Cybersecurity Incident Response Plans
» Cyber insurance policies often come with a team of vendors specializing in incident response (legal, IT forensics, consumer notification, on-demand call centers, and public relations)
» In the US, 69% of participants believe they have the right people in place, but only 58% reported having a plan or policy
Double Extortion (Ransomware and Data Exfiltration Tactics Remain Intertwined)
» Over 80% of ransomware attacks involve the theft of corporate data in addition to file encryption
Protecting Secondary Storage
Fortunately, every major IT manufacturer has been working on solutions to combat the pernicious effects of RaaS. This is because the IT perimeter and the secondary storage environments are now under constant attack. IBM is well known for its IT security capabilities and has an industry-leading technology called QRadar for threat detection. QRadar is a Security Information and Event Management (SIEM) technology that is extremely effective in helping protect the perimeter by correlating events across all systems in the enterprise.
To better protect secondary storage, which includes backup data at the production site, backup copies at a disaster recovery site, and in some cases tertiary copies at a data bunker for enhanced cyber resiliency, IBM introduced a technology into its software portfolio in 2021 called Compass Cyber Shield™ from Cobalt Iron. Cyber Shield is built natively into Compass® from Cobalt Iron. Compass is a security and intelligent automation framework that performs enterprise data backup and recovery at scale. Compass leverages, automates, and optimizes IBM Spectrum Protect, IBM FlashSystem storage, and many other technologies to deliver an “easy button” for secure and automated enterprise backup operations. Compass uses machine learning to analyze data that is backed up by Spectrum Protect and other ingest agents.
Compass is an important addition to IBM’s arsenal to combat RaaS because when, not if, the perimeter gets compromised by malware, the last line of defense is the backup system and secondary storage. Of course, the bad actors are aware of this, and often try to disable backup systems to thwart any attempt to restore data by customers impacted by malware.
The good news is that Cyber Shield not only provides malware and ransomware detection with its machine learning algorithms within the secondary storage system, but it also hardens the backup application, Spectrum Protect, the compute and operating system platform it runs on, and the secondary storage itself. As a result, policy-driven immutability is persistent throughout the entire Compass architecture.
Additional attributes of Cyber Shield include:
- Customer data stays in customer security access zones
- Full isolation zone separation for operational independence
- No IDs, no accessibility to any backup component or data
- Comprehensive data security – encryption in-flight and at-rest
- Multiple zones of air-gap
- Immutability of backup data with policy control
- Data governance and auditing
- Data integrity checks at all steps
- Ransomware monitoring, detection, reporting, and analytics
- Containment at multiple levels and zones
- Multiple backup copies
- Cyber-attack event impact assessment
- Cyber-attack event recovery and validation
- Backup metadata and content scanning – policy-based
Data Restoration and Recovery Operations
A trend with ransomware attacks is to exfiltrate the data so that, even if clean data can be restored, the data can still be held hostage by threatening to release it into the public domain if the extortion demands are not met. This was the case with Broward County Public School District, where their stolen, confidential data was published because they refused to pay the ransom demand. Therefore, end-to-end encryption is important, bolstered by a robust key management scheme. In some cases, encryption is being introduced at the application level, which can reduce the data reduction results from deduplication. Cyber Shield utilizes low-cost, high-performance IBM FlashSystem Storage, so even if deduplication ratios are diluted by encryption efforts upstream, the storage economics are not greatly impacted.
The real power of Cyber Shield comes alive when the IT security perimeter is compromised and data restoration and recovery operations are required. Because all backup systems copy any data that has changed, technologies like Spectrum Protect will back up data that has been distorted by malware or ransomware. Cyber Shield uses its machine learning algorithms within its Compass SaaS platform to quickly analyze backup data and pinpoint the malware corruption within the secondary storage system, as well as potentially corrupted primary data and systems. Compass ransomware analytics also identify recommended safe recovery points for data and systems so users can confidently restore to safe versions.
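To make the safe-recovery-point idea concrete, here is an added example (not Cobalt Iron's or IBM's code, and not their algorithm) that walks a constructed backup catalog run by run and flags the first run in which a large share of files flip from normal content to encrypted-looking, high-entropy content; the catalog layout, the entropy threshold and the change ratio are all assumptions made for the illustration.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits well below 6, encrypted output near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_files(prev: dict, cur: dict, threshold: float = 7.0) -> list:
    """Files whose new version looks encrypted while the prior version did not."""
    out = []
    for path, content in cur.items():
        before = prev.get(path, b"")
        if content != before and shannon_entropy(content) >= threshold \
                and shannon_entropy(before) < threshold:
            out.append(path)
    return sorted(out)

def find_safe_recovery_point(runs: list, max_ratio: float = 0.3):
    """Walk backup runs oldest to newest; the first run where more than
    max_ratio of files flip to encrypted-looking content marks the incident.
    Returns (index of last clean run, index of first bad run, affected files),
    or (last run, None, []) when no run trips the heuristic."""
    for i in range(1, len(runs)):
        bad = suspicious_files(runs[i - 1], runs[i])
        if bad and len(bad) / len(runs[i]) > max_ratio:
            return i - 1, i, bad
    return len(runs) - 1, None, []

# Constructed sample catalog (assumption): three nightly runs of four files,
# each run mapping a path to the bytes captured for that version.
TEXT = b"Quarterly revenue summary and budget notes for the finance team.\n" * 8
ENCRYPTED = bytes(range(256)) * 2          # uniform bytes, entropy 8.0
RUNS = [
    {"/fin/q1.txt": TEXT, "/fin/q2.txt": TEXT, "/hr/roster.txt": TEXT, "/ops/runbook.txt": TEXT},
    {"/fin/q1.txt": TEXT + b"Updated totals.\n", "/fin/q2.txt": TEXT,
     "/hr/roster.txt": TEXT, "/ops/runbook.txt": TEXT},          # ordinary edit, still clean
    {"/fin/q1.txt": ENCRYPTED, "/fin/q2.txt": ENCRYPTED,
     "/hr/roster.txt": ENCRYPTED, "/ops/runbook.txt": TEXT},     # encryption lands in backup
]

if __name__ == "__main__":
    clean, bad, files = find_safe_recovery_point(RUNS)
    print(f"restore from run {clean}; run {bad} holds corrupted copies of {files}")
```

The affected-file list is what allows a targeted restore of only the corrupted files from the last clean run instead of a full restore of everything.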
These capabilities enable the IT team to surgically restore data back into production, and into a clean room environment so forensics can be applied to the affected data. This is an important step when involving law enforcement and insurance companies. In fact, a lot of organizations end up paying the ransom because they don’t know what to restore, which means they would need to restore everything, which would take too long, so they pay the criminals what they demand, or a negotiated amount. Even when the ransom is paid and the bad guys hand over the decryption keys, the data still needs to be restored, because data restoration can be a lot faster than decrypting all the files one by one. The criminals may hand over the decryption keys after payment, as promised, but they are certainly not promising any service levels relating to how fast the data can be decrypted and made useful again. Maybe performance guarantees will become an added feature, at a cost, with RaaS providers in the future.
In summary, QRadar is industry leading for threat detection at the IT perimeter, but it does not have visibility into data within secondary storage systems after it has been backed up. A comprehensive security strategy should include both perimeter and secondary storage malware prevention and detection. This is possible by using the IBM Passport Advantage program to acquire both QRadar and Cyber Shield from Cobalt Iron Compass for the enterprise.
Mainline has developed solutions that have successfully allowed our customers to mitigate the risk surrounding ransomware attacks, cybersecurity, and cybercrime. For a large municipality, Mainline designed and implemented an automated backup solution that protects data, while allowing for quick restoration, if needed. In the education sector, Mainline has been on the forefront in developing endpoint security strategies for customers impacted by ransomware.
To learn more about solutions to improve cyber resilience, please contact your Mainline Account Executive directly, or click here to contact us with any questions.