There was a time—just a decade ago—when backup was backup, and security was security. Businesses knew they needed both, but they were completely separate disciplines, run by different teams, using different technical solutions. Fast-forward to today. Backup and security are now inextricably intertwined, and there is no going backward.
The symbiotic link between backup and cybersecurity today is due to one thing: creative, hungry, often nation-state-sponsored attackers who have found ways to hold backups hostage. During the past few years, attacks on backups have skyrocketed. Two of the best known are SamSam, whose operators reportedly extorted $30 million from healthcare organizations, and Ryuk, whose ransom demands were tailored to each victim and reportedly cost companies nearly $4 million in payments.
To hold backups hostage, attackers typically go after the backup administration console, which lets them disable or alter backup jobs and retention policies. Some also lean on automation, including machine-learning tooling, to find what they are looking for. Once inside, they either locate the backup directories and delete them, or plant malware inside a backup set. When the organization later restores its environment from that backup, it restores the malware into production along with its data, where it detonates.
The typical response is to look for a backup old enough to be clean, but because attackers can delay detonation for months, companies end up either losing months of work or paying the ransom.
And it is a moving target, as attackers keep getting more clever. One of the more recent tactics is the so-called immutable subversion attack, which targets the backup administrator's or storage administrator's account. With that access, attackers can change the retention period without anyone noticing. Shortening retention from 90 days to two hours, for example, leaves just enough time for backup jobs to report success before the copies expire and disappear, so when a restore is finally needed there is nothing left to restore from.
Two Means to an End
There are two basic approaches organizations can take to address these issues: either integrating security into an existing backup solution or starting over with a backup solution designed with security in mind. Both are legitimate approaches, but each has caveats. Here's the rundown.
Adding security to an existing backup solution can make sense, but only if it is well thought out, the company makes it a priority, and the security and backup teams work together.
For example, a company familiar with and using multifactor authentication for other applications can work to extend that to the backup realm. The same is true for micro-segmentation. “The idea of setting aside your crown jewels in special enclaves that you can apply differentiated controls to can make a lot of sense,” said Gil Vega, chief information security officer at Veeam, a leading backup vendor. “You may spend a lot more money protecting that enclave than you would for your team’s conversations, for instance.”
Adding layers of protection also works at the backup layer itself. A product such as Macrium Image Guardian, for example, protects the backup set files against unexpected access, so that processes other than the backup software cannot modify them. Because the only decision is whether a given process may touch the backup files, this approach produces fewer false positives and false negatives, and uses fewer resources, than generic anti-malware scanning. What it cannot do is alert on ransomware that has been captured in a backup but has not yet activated.
If you are going the route of adding security to your existing backup software, Gartner recommends taking these steps:
- Integrate backup and storage. Doing this right can really improve the security of backup, but choosing the wrong components and failing to secure the environment can cause backups to be destroyed during a ransomware attack, Gartner says.
- Use immutable file storage. Data on a standard file system can be deleted or overwritten by anyone holding the right privileges, which after a compromise includes the attacker. That is unacceptable for backups, and immutable (write-once) storage is the answer: once data has been written, it can be deleted only when policy allows it, typically after the retention period expires. “Immutability provides assurances that nobody can go in and monkey around with your backed up data, whether it’s from earlier in the day or a historical backup,” Vega notes.
- Eliminate network sharing protocols. Protocols such as NFS and SMB/CIFS are widely used, but even small mistakes in read/write permissions can expose backup data. A network share is also discoverable and reachable from most servers and PCs on the network, so any one of them that is compromised becomes an easy path to the backup store.
- Use multifactor authentication for administrative accounts, and separate administrative roles so that a single compromised account cannot both change backup policy and destroy backup data.
- Use multi-person authorization workflows. Gartner calls this the “Four-Eyes Rule”: the backup platform lets you define workflows in which a change to the backup configuration must be approved by a second administrator before it takes effect. That way, compromise of one administrative account does not bring the whole house of cards down.
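The following Python model is an added example, not code from the article, from Gartner, or from any backup vendor. It shows how compliance-style immutability (retention can only be extended, never shortened; nobody can delete early) and the four-eyes rule (a requester cannot approve their own change) interact with the retention-shortening attack described earlier. The store, the admin accounts (alice, bob) and the 90-day default are assumptions for illustration; a real deployment would rely on the object-lock and approval features of its backup platform or object store.

```python
# Added example (not code from the article, Gartner, or any backup vendor).
# Models object-lock "compliance mode" retention plus a two-person approval
# workflow for retention changes. Admin names and policies are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class PolicyViolation(Exception):
    """Raised when an action would break the immutability or approval policy."""


@dataclass
class BackupObject:
    key: str
    data: bytes
    retain_until: datetime  # compliance lock: may move later, never earlier


@dataclass
class ChangeRequest:
    """A pending change to the default retention; needs a second admin."""
    new_retention: timedelta
    requested_by: str
    approved_by: Optional[str] = None


class LockedBackupStore:
    """Toy backup catalog with WORM-style locks and a four-eyes change gate."""

    def __init__(self, admins, default_retention=timedelta(days=90)):
        self.admins = set(admins)
        self.default_retention = default_retention
        self.objects = {}   # key -> BackupObject
        self.pending = {}   # request id -> ChangeRequest
        self._next_id = 1

    def put(self, key, data, now):
        """Store a backup; its lock is fixed from the retention in force now."""
        obj = BackupObject(key, data, now + self.default_retention)
        self.objects[key] = obj
        return obj.retain_until

    def delete(self, key, now, actor):
        """Refused until the lock expires, no matter who asks (even an admin)."""
        obj = self.objects[key]
        if now < obj.retain_until:
            raise PolicyViolation(
                f"{actor} cannot delete {key}: locked until {obj.retain_until.isoformat()}")
        del self.objects[key]

    def extend_retention(self, key, new_until):
        """Per-object retention (e.g. a legal hold) can be extended, never shortened."""
        obj = self.objects[key]
        if new_until < obj.retain_until:
            raise PolicyViolation("retention may be extended but never shortened")
        obj.retain_until = new_until

    def request_retention_change(self, new_retention, requested_by):
        """Any admin may propose a new default retention; nothing changes yet."""
        if requested_by not in self.admins:
            raise PolicyViolation(f"{requested_by} is not a backup administrator")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.pending[rid] = ChangeRequest(new_retention, requested_by)
        return rid

    def approve(self, rid, approver):
        """Four-eyes rule: the approver must be a different admin than the requester."""
        req = self.pending[rid]
        if approver not in self.admins:
            raise PolicyViolation(f"{approver} is not a backup administrator")
        if approver == req.requested_by:
            raise PolicyViolation("a requester cannot approve their own change")
        req.approved_by = approver
        self.default_retention = req.new_retention  # applies to future backups only
        del self.pending[rid]
        return self.default_retention


def demo():
    """Replay the retention-shortening attack against the store; returns outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = LockedBackupStore(admins={"alice", "bob"})
    out = {}
    # Nightly backup lands under the 90-day default lock.
    out["lock_until"] = store.put("db-2024-01-01", b"constructed full dump", t0).isoformat()
    # Attacker holding alice's credentials proposes 90 days -> 2 hours
    # and tries to self-approve it.
    rid = store.request_retention_change(timedelta(hours=2), requested_by="alice")
    try:
        store.approve(rid, approver="alice")
        out["self_approve"] = "allowed"
    except PolicyViolation:
        out["self_approve"] = "rejected"
    # Even if a second admin is fooled into approving, copies already written
    # keep their original lock, so an early delete still fails.
    store.approve(rid, approver="bob")
    try:
        store.delete("db-2024-01-01", now=t0 + timedelta(hours=3), actor="alice")
        out["early_delete"] = "allowed"
    except PolicyViolation:
        out["early_delete"] = "rejected"
    # Only backups written after the change carry the short lock; a retention
    # change like this is exactly what monitoring should alert on.
    out["next_lock_until"] = store.put(
        "db-2024-01-02", b"constructed full dump", t0 + timedelta(days=1)).isoformat()
    return out
```

Calling `demo()` walks through the scenario: the self-approval is rejected, the 90-day copy survives the attempted early delete even after the shortened retention is approved, and only the backup written the next day inherits the two-hour lock. The design point is that a shortened retention can never reach backward; the remaining exposure is the window of new backups, which is why retention changes themselves should be alerted on.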
The second option, switching to a backup platform that has had security built in from the beginning, is growing in popularity. The idea, says Marc Staimer, president of Dragon Slayer Consulting, is that data is scanned as it is backed up and scanned again when it is recovered. This makes catching an intrusion more likely. Anything identified as suspicious is immediately quarantined, giving the organization the opportunity to understand the nature of the threat, where it was found, which files were affected and where it came from.
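As an added illustration of scan-on-ingest plus scan-on-restore (example code written for this page, not Asigra's or Cobalt Iron's software), the Python below runs every file through a signature scanner when it is backed up and again when it is restored, quarantining hits with the host, path, job and stage so the finding can be investigated. The signature "database" (a constructed ransom-note byte pattern and a SHA-256 blocklist) and the sample files from a host called web01 are constructed for the demonstration; the scenario shows why the restore-time rescan matters: a dormant loader that no signature knew on day 1 is caught on day 30, after threat intelligence adds its hash.

```python
# Added example (not code from the article, Asigra or Cobalt Iron): a backup
# pipeline that scans every file on ingest and again on restore, quarantining
# anything suspicious with enough context to investigate. The signature
# "database" (bad hashes and byte patterns) and the sample files are constructed.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    host: str
    path: str
    job: str
    stage: str    # "ingest" or "restore"
    reason: str


class Scanner:
    """Minimal signature scanner. Signatures can be added later, which is why
    rescanning at restore time catches what ingest scanning could not."""

    def __init__(self):
        self.bad_hashes = set()
        self.patterns = []   # (name, bytes)

    def add_hash(self, sha256_hex):
        self.bad_hashes.add(sha256_hex)

    def add_pattern(self, name, pattern):
        self.patterns.append((name, pattern))

    def scan(self, data) -> Optional[str]:
        """Return a reason string if the data matches a signature, else None."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.bad_hashes:
            return f"known-bad hash {digest[:12]}"
        for name, pattern in self.patterns:
            if pattern in data:
                return f"pattern {name}"
        return None


class ScanningBackup:
    """Backup store that never admits a known-bad file and never hands one back."""

    def __init__(self, scanner):
        self.scanner = scanner
        self.store = {}          # (host, path) -> (job, data)
        self.quarantine = []     # list of Finding

    def backup(self, host, job, files):
        """files maps path -> bytes. Returns the number of files actually stored."""
        stored = 0
        for path, data in files.items():
            reason = self.scanner.scan(data)
            if reason:
                self.quarantine.append(Finding(host, path, job, "ingest", reason))
                continue
            self.store[(host, path)] = (job, data)
            stored += 1
        return stored

    def restore(self, host, path):
        """Rescan with current signatures; return None (and quarantine) on a hit."""
        job, data = self.store[(host, path)]
        reason = self.scanner.scan(data)
        if reason:
            self.quarantine.append(Finding(host, path, job, "restore", reason))
            return None
        return data


def demo():
    """Day 1: ingest with partial signatures. Day 30: new intel, then restore."""
    scanner = Scanner()
    scanner.add_pattern("ransom-note", b"YOUR FILES ARE ENCRYPTED")  # constructed
    backup = ScanningBackup(scanner)

    dropper = b"MZ\x90\x00 constructed dormant loader, unknown on day 1"
    files = {  # constructed sample files from host web01
        "/etc/nginx/nginx.conf": b"worker_processes 4;\n",
        "/opt/tools/update.exe": dropper,
        "/home/app/README_DECRYPT.txt": b"YOUR FILES ARE ENCRYPTED. Pay to recover.",
    }
    out = {"stored_on_ingest": backup.backup("web01", "nightly-2024-01-01", files)}

    # Day 30: threat intel publishes the dropper's hash; signatures are updated.
    scanner.add_hash(hashlib.sha256(dropper).hexdigest())

    out["restore_conf"] = backup.restore("web01", "/etc/nginx/nginx.conf")
    out["restore_dropper"] = backup.restore("web01", "/opt/tools/update.exe")
    out["quarantine"] = [(f.path, f.stage, f.reason) for f in backup.quarantine]
    return out
```

Running `demo()` stores two of the three files on day 1 (the ransom note is quarantined at ingest), then on day 30 returns the nginx config cleanly but refuses the loader, adding a restore-stage finding that records where it was found and which backup job brought it in. Real products use far richer detection than a hash list, but the structure is the same: the restore path is a second chance to apply everything learned since the backup was taken.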
Today, there are two major backup vendors that provide this type of software: Cobalt Iron and Asigra.
“Backups are sort of like a centralized meeting point for all the data of all the servers everywhere, so it’s a nice natural place to catch and filter things,” explained Eran Farajun, executive vice president of Asigra.
In addition to scanning data on the way into and out of backups, these newer backup solutions also work to keep up with changing attack methods. That means building into the backup solution many of the controls Gartner recommends as bolt-ons, multifactor authentication among them. Asigra, for example, integrates a passwordless solution from the Israeli company Secret Double Octopus: administrators log in to the backup software with a face scan or a fingerprint on their device rather than a password.
No matter which approach you take, the stark truth is this: Nothing is 100% foolproof.
“The idea is to make it as difficult as possible for the bad guys,” Staimer said. “The more time they have to spend breaking through you, the less time they have making money. The more hurdles you put them through and the more expensive you make it for your adversaries, the more likely they are to just give up and move on to someone else.”