Storage Engineer
Ransomware
Ransomware has been around for more than a decade. However, it has really taken its toll on the US Critical Infrastructure this year (Oil and Gas delivery and Food Industry are just a few public examples.) Know, it’s not a matter of IF, but WHEN you are attacked!
According to Gartner, by 2025, at least 75% of IT organizations will face one or more ransomware attacks.1 What’s worse – it is not uncommon for an attacked Enterprise to be hit by another attack, perhaps via a different uncovered exploit. Ransomware attacks were up 700% in ’20, and we expect to see these attacks rise as Digital Transformation efforts increase attack surfaces and potentially unsecured offerings.
Fourth Industrial Revolution
Data is powering the Fourth Industrial Revolution. Are you playing data-driven defense or are you guilty of not modernizing your data protection offering and architecture? Stealthy attackers will take their time and probe until they gain the right access.
Are you still utilizing the old 3-2-1 data protection methodology to protect your data? Are you aware that the Data protection model has been updated to 3-2-1-1? This translates to 3 copies of data, 2 media types, 1 copy off-line and 1 copy off-site in an immutable state. How many of these methods are being successfully performed each day/week/month for your enterprise to ensure data recovery?
I would add one more: You need to audit your online backups to make sure they are secured and have not been modified. When was the last time they were validated by performing a data restore operation?
Effective Protection
A layered defense against attackers has always been the rule for IT security, and it applies to ransomware defense too. How many layers of defense do you have applied to your enterprise data? Does your data protection methodology apply to all your data or just SAP, Oracle, and SQL data?
Are you leveraging Pure Storage data protection layers for your data? If not, you should be. They have a series of storage capabilities that put them in a leadership position for companies offering effective protection for your workloads against ransomware threats.
Here are the basic data protection foundations offered by Pure:
» Data Encryption at Rest (aka D@RE) protects data so that if it is exfiltrated, it cannot be directly read by anyone. Pure’s D@RE function is always on, and it auto-regenerates keys every 24 hours. More importantly, any time a drive failure occurs or a drive is pulled, a key change event takes place. Pure Storage FlashArray deploys industry-leading AES-256 standard for data-at-rest encryption. All the algorithms used for data encryption, key generation and key protection are NIST certified. Additionally, the FlashArray’s crypto module is FIPS-140-2 certified. It also supports KMIP (Key Management Interop Protocol), so it works with your external Key Manager if you choose.
» Immutable Snapshots are essential for protecting data from modification and deletions. These point in time (PiT) recovery points can be leveraged for rapid restores for mitigating business or disaster scenarios. The Snapshots are thin provisioned (TP) as well and consume no space until the primary data is deleted and only a pointer remains. Then it starts consuming capacity. Another use case of immutable snaps is restoration to other volumes instead of source volume for further forensic analysis, which is critical after a ransomware attack.
» Replication – As you know, replication is table stakes for all storage vendors at this point in the IT industry. However, sending your data to a disaster recovery or colocation is vital to protecting enterprise data. I would add, ensure you are using a set of restricted user IDs only for replication, and turn on auditing for replication too.
» ActiveCluster (aka Metro Cluster) – is a Sync replication offering within a metro area that provides a local set of copies in the same geographic area although off-site from the primary copies. Perhaps the metro cluster is the hub for your replication strategy out of the region to another power grid. Or you leverage these copies for Dev/Test operations. The flexibility is nearly limitless.
» Snap to FlashBlade – Sending Snapshots to the Pure Storage’s Unified Fast File and Object platform is a great landing zone for warm or cold data storage. Again, copies are off the primary storage on another target.
» Snap to NFS – is another Pure tiering function allowing data tiering to S3 target(s) or Pure Storage FlashBlade. Supporting NFS V3 and V4 brings another layer of security to NFS offerings from the tested Network Lock Manager (NLM) feature.
» CloudSnap is a self-service cloud offering allowing you to send data to the Cloud quickly. Copying your snapshots in the Cloud(s) equates to off-site data storage and adds another layer of security to your protected copies, as they are typically sent via a different protocol and credentials. Also, it is important to point out that Cloud snaps are sent to the Cloud in an encrypted format and thus not directly readable by anyone without the keys.
Pure Storage Ransomware Protection – SafeMode
What is SafeMode?
Data Protection offerings alone are not enough to stop ransomware. You need a powerful tool in your toolbox. SafeMode is that tool!
- SafeMode is a separation of control functions (aka Permissioned Air-Gap) necessary for a defense in-depth strategy.
- SafeMode works by preventing rogue admins and attackers from deleting backups, snapshots. Another huge benefit is that SafeMode prevents attackers from encrypting backups, snapshots, or logs to cover their tracks while making your life miserable.
- Put another way, SafeMode is an Out of Band (OOB) management construct empowered by Multi-Factor Authentication (MFA) access for up to five (5) enterprise IDs and restricted access to your backed up and snapped data sets, combined with an additional layer of control.
- The additional layer of control comes from restricting access to these data points by requiring direct assistance from Pure Storage Support. Pure Support can enable restore or delete efforts in conjunction with your approved IDs.
- SafeMode is built into FlashArray and FlashBlade platforms and available at no additional cost. Additionally, it is one less skill to develop while managing day-to-day operations and protecting enterprise data from ransomware attacks.
How does SafeMode work?
- Working together via two (2) enterprise IDs and Pure Support concurrently to perform any actual delete functions against backups or snapshots. Think of the military requiring two sets of keys to turn on nuke silo functions.
- Manual eradication is disabled, preventing attackers and rogue admins from hiding their tracks.
- Under the covers in SafeMode, the native Pure Storage eradication timer is configurable, allowing extension from 24-hours all the way out to 30 days.
» Backups – integration with most modern data protection solutions.
» Snapshots and snapshot retention
» FlashArray Files (recall as of V6.0 Purity OS enabled multi-protocol support (SMB and NFS) on FlashArrays.
» ProtectionGroup targets (pgroup targets)
- SafeMode is integrated with backup and snapshot functionality and has fully customizable values for your enterprise requirements.
- If a restore is required, rest assured restores will be fast for reduced downtime, as it’s all designed and integrated into the Pure Platforms and will take place at Flash speeds.
How to manage SafeMode?
- Manage SafeMode from Pure1 console. No need for additional tools or skills, reinforcing Pure Storage simplicity from Day 1.
SafeMode Best Practices?
- I highly recommend you keep the five (5) enterprise IDs ultra-secret as well as their assigned pins, as I would not overlook hackers seeking out this information to try and spoof your identities and attempt to work with Pure Support and gain delete rights over your protected data.
- Recall, enabling SafeMode does not eliminate the need for basic data protection layers. SafeMode is an additional layer of protection for your data.
What is the cost of inaction?
A recent industry survey shows that the average cost for ransomware recovery is $1.85M in 2021 (up 2x from 2020 costs of $761,106). So, the cost of doing nothing is immense. Understanding your enterprises per minute or hourly outage costs is essential for your enterprise to fully prepare and plan for restore timeframes. If a restore event takes you months, your enterprise might not recover due to damage to reputation, lost opportunities, etc. How long is too long for you to be down just recovering data? Did you know, the average ransomware attack restore timeframe is 16.2 days long? How will your enterprise handle that length of down time? Pure Storage data protection and ransomware mechanisms are vital to protecting your backup data sets and your enterprise in a rapid and simple manner.c
Summary
These forms of attack require planning and preparation, and your approach must be the same in order to protect corporate Gold: your data! Having the ability to rapidly restore clean and protected data (immutable) is essential in today’s fast-paced business environment. Pure Storage and their ransomware protection, combined with their data protection methods, provide you with the layers of protection to be successful in the battle against ransomware. How many critical points did you learn from this piece today? How long before you adopt them for your Ransomware plan?
More Information
Reach out to your Mainline Account team to start a discussion about adding Pure Storage to secure your data enterprise. Why Mainline? Mainline offers a comprehensive portfolio of data management, data protection, and backup and recovery solutions. Mainline has been in business for 32+ years and is a Pure Storage Elite Partner, one of only a few nationally. For more information, contact your Mainline Account Executive directly or click here to contact us with any questions.
You may also be interested in:
VLOG: Pure Storage: The Modern Data Experience
BLOG: Cybersecurity in 2022 – 5 Priorities for Business Leaders
1 Gartner, How to Protect Backup Systems From Ransomware Attacks, Nik Simpson, 21 September 2021.