By Randy Becker, CISO & VP, Network and Security Consulting
I am often asked by customers, “If you could only do one thing to improve your security posture right now what would it be?” That’s an easy answer: implement immutable backups to protect against a ransomware attack. So, what exactly is an immutable backup? Simply stated, it is a backup that is read-only and cannot be deleted by anyone, including an administrator, threat actors, or, you know, the “bad guys.”
Being able to implement immutable backups assumes, of course, that you already have a comprehensive security program in place. This includes:
• Asset management
• A vulnerability program
• A strong Managed Detection & Response and Endpoint Detection & Response solution
• Multi-factor authentication for your externally facing applications and services
• Proper next-generation firewalls
• Principle of least privilege in use
• Passphrases vs. passwords in use
• and of course, security awareness training for end users
We all know the drill here. With the current nefarious activity around ransomware I thought I would take the time to explain why I feel immutable backups are so important given the current threats facing organizations.
Assume the Breach and Zero Trust
If you’re asking, “Why would a security team jump straight to recovery recommendations and state that you must have immutable backups? Isn’t that admitting defeat?” No, we have not given up. Security professionals are paranoid by nature. They believe in zero trust, say crazy things like “assume the breach,” think security is about defense in depth and belt and suspenders, and always have a plan A, B, and C.
In the last year we have established that a persistent threat actor can defeat the security controls of even the most secure organization. We also know very well that several things happen before all the data is encrypted, and one of them is almost certainly the deletion and encryption of any backup repositories and snapshots. This can be devastating to a company if all of its data has been encrypted and there is no means to recover. Frankly, this could put a company out of business. I will leave out data exfiltration (and double extortion) for now. Having an immutable backup that has been tested is critical to your organization’s overall security posture. In my opinion this is not an option in today’s security landscape—it is a “must have” and needs to be incorporated into an overall security program. Now that we have established it as a “must have,” what do you do next?
New Solutions on the Market with Baked-in Protection
A few years ago our options were limited, but a quick web search will show you lots of solutions that exist today from backup vendors, cloud providers, and backup storage companies. Vendors in this space are integrating immutable backups into their solutions, and we are also seeing “air gap” capabilities in storage devices for file shares. This is not an exhaustive list of vendors, but here are a few I have run into that all play in this space: Cohesity, Commvault, Dell, HPE, Rubrik, Unitrends, Veeam, and Exagrid.
Some of these solutions are excellent and now include options for a hardened (immutable) local repository that is replicated to immutable cloud storage, using something like AWS S3 or S3-compatible object storage with the Object Lock API. Does this mean we should be looking at bringing tape back? Well, I hope not; I cannot think of anything worse than dealing with backup tapes again!
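To make the “cannot be deleted by anyone, including an administrator” claim concrete, here is an added example that models the documented S3 Object Lock retention rules offline. It is not boto3 or AWS code and does not contact any service; the `Principal` flags, bucket, key names and dates are constructed stand-ins for IAM policy evaluation and a real backup repository. The point it shows is the difference between GOVERNANCE mode (a sufficiently privileged caller can bypass it) and COMPLIANCE mode (nobody can shorten or remove the retention until it lapses), which is why a COMPLIANCE-mode copy is the one that survives a compromised backup administrator account.

```python
"""Offline model of S3 Object Lock retention semantics (constructed example, not boto3).

Rules reproduced from the AWS documentation:
  - GOVERNANCE: delete/overwrite is blocked until retain_until, unless the caller
    holds s3:BypassGovernanceRetention AND explicitly requests the bypass.
  - COMPLIANCE: blocked until retain_until for every caller, root included;
    the retention date can be extended but never shortened, and the mode
    cannot be downgraded.
  - A legal hold blocks deletion regardless of retention until it is lifted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GOVERNANCE, COMPLIANCE = "GOVERNANCE", "COMPLIANCE"


class RetentionError(Exception):
    """An operation would violate the object's lock."""


@dataclass
class Principal:
    name: str
    # Assumed flag standing in for an IAM allow on s3:BypassGovernanceRetention.
    can_bypass_governance: bool = False


@dataclass
class LockedObject:
    data: bytes
    mode: str
    retain_until: datetime
    legal_hold: bool = False


@dataclass
class Bucket:
    objects: dict = field(default_factory=dict)

    def put(self, key, data, mode, retain_days, now):
        # In S3 a put on a locked key creates a new version; the locked version itself
        # is never overwritten. The model simply refuses to overwrite it.
        if key in self.objects:
            raise RetentionError(f"{key}: locked version already exists")
        self.objects[key] = LockedObject(data, mode, now + timedelta(days=retain_days))

    def delete(self, key, who, now, bypass_governance=False):
        obj = self.objects[key]
        if obj.legal_hold:
            raise RetentionError(f"{key}: legal hold in effect")
        if now < obj.retain_until:
            if obj.mode == COMPLIANCE:
                raise RetentionError(f"{key}: COMPLIANCE retention until {obj.retain_until:%Y-%m-%d}")
            if not (bypass_governance and who.can_bypass_governance):
                raise RetentionError(f"{key}: GOVERNANCE retention until {obj.retain_until:%Y-%m-%d}")
        del self.objects[key]

    def set_retention(self, key, who, mode, retain_until, bypass_governance=False):
        obj = self.objects[key]
        shortening = retain_until < obj.retain_until
        if obj.mode == COMPLIANCE and (mode != COMPLIANCE or shortening):
            raise RetentionError(f"{key}: COMPLIANCE retention can only be extended")
        if obj.mode == GOVERNANCE and shortening and not (bypass_governance and who.can_bypass_governance):
            raise RetentionError(f"{key}: shortening GOVERNANCE retention requires bypass")
        obj.mode, obj.retain_until = mode, retain_until


def _attempt(fn, *args, **kwargs):
    """Return True if the operation was allowed, False if the lock blocked it."""
    try:
        fn(*args, **kwargs)
        return True
    except RetentionError:
        return False


def scenario():
    """A compromised backup admin (full bypass rights) tries to destroy two copies."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    full, logs = "backups/full-2024-01-01.bak", "logs/2024-01-01.json"  # constructed keys
    bucket = Bucket()
    bucket.put(full, b"<backup bytes>", COMPLIANCE, retain_days=30, now=t0)
    bucket.put(logs, b"<log bytes>", GOVERNANCE, retain_days=30, now=t0)
    admin = Principal("backup-admin", can_bypass_governance=True)
    day1 = t0 + timedelta(days=1)
    results = {
        "delete_compliance_copy": _attempt(bucket.delete, full, admin, day1, bypass_governance=True),
        "shorten_compliance_retention": _attempt(bucket.set_retention, full, admin, COMPLIANCE, day1, bypass_governance=True),
        "downgrade_compliance_to_governance": _attempt(bucket.set_retention, full, admin, GOVERNANCE, t0 + timedelta(days=90)),
        "delete_governance_copy_without_bypass": _attempt(bucket.delete, logs, admin, day1),
        "delete_governance_copy_with_bypass": _attempt(bucket.delete, logs, admin, day1, bypass_governance=True),
        # Legitimate operations: extending retention, and deleting once it has lapsed.
        "extend_compliance_retention": _attempt(bucket.set_retention, full, admin, COMPLIANCE, t0 + timedelta(days=60)),
        "delete_compliance_after_expiry": _attempt(bucket.delete, full, Principal("lifecycle"), t0 + timedelta(days=61)),
    }
    return results


if __name__ == "__main__":
    for action, allowed in scenario().items():
        print(f"{action:40s} {'ALLOWED' if allowed else 'BLOCKED'}")
```

The GOVERNANCE copy is lost as soon as the attacker holds the bypass permission, while the COMPLIANCE copy is untouchable until its retention lapses; the practical consequence is that the retention period on the compliance copy must be long enough to outlast the time it takes you to notice and respond to an intrusion.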
How Do I Develop and Implement an Immutable Backup Plan?
My goal with this blog is to raise awareness so you can start asking questions about what the next steps are, determine your business and technical requirements, and then develop a solution that meets the needs of your business. Immutable backups are not a one-size-fits-all solution and will require you to put some thought and effort into the architecture, implementation, and testing of your solution.
Finally, you will need to test this on a regular basis and integrate it into your tabletop exercises. If there’s further interest in this topic I might be able to persuade Tim Ferris (our data center SME who specializes in designing immutable backups) to host a webinar with me on this topic to discuss real implementation solutions, best practices, and what we have seen work best.
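An immutable copy only helps if it restores cleanly, so the regular test mentioned above should be automated rather than left to a tabletop discussion. The following added example (not from the author or any backup vendor) shows the minimum such a test needs: a SHA-256 manifest recorded at backup time, a restore into a clean directory, and a comparison that reports missing, altered and unexpected files. The backup set, file names and tampering step are constructed inline so the script runs offline; in practice the manifest lives in the same immutable repository as the archive.

```python
"""Scheduled restore test with manifest verification (constructed example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest computed at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """Restore the archive into dest and return a sorted list of problems (empty = pass)."""
    # Use the safe 'data' extraction filter where the Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(dest), **kwargs)
    restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


def run_restore_test():
    """Build a constructed backup set, restore it, then show what a damaged restore reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive = tmp / "source", tmp / "backup.tar.gz"
        (src / "db").mkdir(parents=True)
        (src / "docs").mkdir()
        (src / "db" / "dump.sql").write_bytes(b"CREATE TABLE t (id INT);\n")   # constructed data
        (src / "docs" / "notes.txt").write_bytes(b"restore me\n")               # constructed data
        manifest = take_backup(src, archive)

        clean = tmp / "restore-clean"
        clean_result = restore_and_verify(archive, manifest, clean)

        # Simulate a bad restore: one file corrupted, one file lost.
        damaged = tmp / "restore-damaged"
        restore_and_verify(archive, manifest, damaged)
        with (damaged / "docs" / "notes.txt").open("ab") as f:
            f.write(b"tampered\n")
        (damaged / "db" / "dump.sql").unlink()
        damaged_result = restore_and_verify.__wrapped__(archive, manifest, damaged) if hasattr(restore_and_verify, "__wrapped__") else _verify_only(manifest, damaged)
        return clean_result, damaged_result


def _verify_only(manifest: dict, dest: Path) -> list:
    """Re-check an already restored tree without extracting again."""
    restored = build_manifest(dest)
    problems = [f"missing: {rel}" if rel not in restored else f"hash mismatch: {rel}"
                for rel, digest in manifest.items() if restored.get(rel) != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

Run it on a schedule against the real repository and alert on any non-empty result; a restore test that only checks the job exit code will happily pass a backup whose contents were silently encrypted before the job ran.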
Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy is also a HITRUST Certified CSF Practitioner (CCSFP), which ensures clients have access to the highest level of expertise related to privacy, security, compliance, and risk management.