A CISO's Practical Guide to Storage and Backup Ransomware Resiliency
One thing is clear. The “business value” of data continues to grow, making it an organization’s primary piece of intellectual property.
From a cyber risk perspective, attacks on data are the most prominent threat to organizations.
Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data.
What Impact Does This Have On The Security Of Storage & Backup Systems?
Just a few years ago, almost no CISO thought that storage & backups were important. That’s no longer the case today.
Ransomware has pushed backup and recovery back onto the IT and corporate agenda.
Cybercriminal groups such as Conti, Hive and REvil are targeting storage and backup systems in order to prevent recovery.
Some ransomware families – Locky and Crypto, for example – now bypass production systems altogether and directly target backups.
This has forced organizations to look again at potential holes in their safety nets, by reviewing their storage, backup, and data recovery strategies.
CISO Point of View
To get insights on new storage, backup, and data protection methods, 8 CISOs were interviewed. Here are some of those lessons.
Source: CISO Point of View: The ever-changing role of data, and the implications for data protection & storage security (Continuity)
CISOs are concerned about the rise of ransomware – not only about the proliferation of attacks but also about their sophistication. “The storage and backup environments are now under attack, as the attackers realize that this is the single biggest determining factor to show if the company will pay the ransom,” says George Eapen, Group CIO (and former CISO) at Petrofac.
John Meakin, former CISO at GlaxoSmithKline, BP, Standard Chartered, and Deutsche Bank, believes that “As important as it may be, data encryption is hardly enough to protect an organization’s core data. If attackers find their way into a storage system (as data encryption alone won’t prevent them from doing so), they are free to cause severe damage by deleting and compromising petabytes of data – whether they’re encrypted or not. This also includes the snapshots and backup.”
Without a sound storage, backup, and data recovery strategy, organizations have little chance of surviving a ransomware attack, even if they end up paying the ransom.
Shared Responsibility – CISO vs. Storage & Backup Vendor
While storage & backup vendors provide excellent tools for managing availability and performance of their infrastructure, they don’t do the same for the security and configuration of those same systems.
Some storage and backup vendors publish security best practice guides. However, implementation and monitoring of security features and configurations is the responsibility of an organization’s security department.
There are, however, a number of cyber resiliency initiatives that are being carried out. These include:
Current Ransomware Resiliency Initiatives For Storage & Backup:
Air-gapped data copies
Adding an air-gap means separating backups from production data. This means that if the production environment is breached, attackers don’t immediately have access to backups.
You can also keep storage accounts separate.
Storage snapshots & replication
Snapshots and replication copy the live state of a system to another location, whether that is on-premises or in the cloud. Because the copy tracks production, if ransomware hits the production system there is every chance the encrypted data will be replicated onto the copy as well.
Immutable storage & vault
Immutable storage is the simplest way to protect backup data. Data is stored in a Write Once Read Many (WORM) state and cannot be deleted for a pre-specified retention period.
Policies are set in the backup software or at the storage level, so backups cannot be altered or encrypted during that period.
While immutability is helpful in remediating cyberthreats, it is certainly not bulletproof.
Immutable storage can be ‘poisoned’, enabling hackers to change the configuration of backup clients and gradually replace stored data with meaningless information. In addition, once hackers gain access to the storage system, they can easily wipe out snapshots.
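The retention lock and the poisoning caveat above can be modelled in a few lines. The following is an added example, not code from the article or from any storage vendor: a toy versioned WORM store in which deletion is refused until a version's lock expires, a demonstration that new (junk) versions are still accepted because only the lock, not the content, is protected, and one defender-side check, verifying a restore against a manifest of known-good hashes kept outside the backup system. All keys, payloads and day numbers are constructed.

```python
"""Toy model of an immutable (WORM) backup store with a retention period.

Added example, not code from the original article or from any storage vendor.
Keys, payloads and timestamps are constructed; 'days' are plain integers.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Version:
    data: bytes
    created_at: int      # day number (constructed units)
    retain_until: int    # deletion refused before this day


class ImmutableStore:
    """Versioned object store: every put appends a new version; a version can
    only be removed once its retention lock has expired."""

    def __init__(self, retention_days: int):
        self.retention_days = retention_days
        self.objects: dict[str, list[Version]] = {}

    def put(self, key: str, data: bytes, now: int) -> int:
        v = Version(data, now, now + self.retention_days)
        self.objects.setdefault(key, []).append(v)
        return len(self.objects[key]) - 1          # index of the new version

    def delete_version(self, key: str, idx: int, now: int) -> bool:
        v = self.objects[key][idx]
        if now < v.retain_until:
            return False                          # lock still active: refused
        del self.objects[key][idx]
        return True

    def latest(self, key: str) -> bytes:
        return self.objects[key][-1].data


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def verify_restore(store: ImmutableStore, manifest: dict[str, str]) -> list[str]:
    """Keys whose latest version no longer matches the out-of-band manifest."""
    return [k for k, h in manifest.items() if sha256(store.latest(k)) != h]


def find_good_version(store: ImmutableStore, key: str, expected_hash: str):
    """Index of the most recent version matching the manifest, or None.
    A restore should use this when the latest version fails verification."""
    for idx in range(len(store.objects[key]) - 1, -1, -1):
        if sha256(store.objects[key][idx].data) == expected_hash:
            return idx
    return None


def demo() -> dict:
    store = ImmutableStore(retention_days=30)
    good = b"constructed sample backup payload: db-dump-day-0"
    store.put("db/backup.tar", good, now=0)
    manifest = {"db/backup.tar": sha256(good)}   # kept outside the backup system

    # 1. Deleting inside the retention window is refused.
    deleted_early = store.delete_version("db/backup.tar", 0, now=10)
    # 2. Poisoning: a newer version holding junk is accepted; the lock only
    #    protects existing versions, it does not validate new content.
    store.put("db/backup.tar", b"\x00" * 16, now=11)
    poisoned = verify_restore(store, manifest)
    # 3. The manifest still identifies a clean version to restore from.
    good_idx = find_good_version(store, "db/backup.tar", manifest["db/backup.tar"])
    # 4. Once the lock expires, the clean copy can be removed, so retention
    #    must outlast the time needed to notice and investigate an incident.
    deleted_late = store.delete_version("db/backup.tar", 0, now=31)
    return {"deleted_early": deleted_early, "poisoned": poisoned,
            "good_idx": good_idx, "deleted_late": deleted_late}


if __name__ == "__main__":
    print(demo())
```

The point of `verify_restore` is that the integrity reference lives outside the storage system: an adversary with storage access can add versions but cannot rewrite a manifest they cannot reach, so restore testing against it catches gradual replacement of backup content.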
Storage security posture management
Storage security posture management solutions give you a full view of the security risks in your storage & backup systems. They do this by continuously scanning these systems to automatically detect security misconfigurations and vulnerabilities.
They also prioritize risks in order of urgency and business impact, and provide remediation guidance.
4 Steps to Success
- Define comprehensive security baselines for all components of storage and backup systems (NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, provides a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage & backup systems).
- Use automation to reduce exposure to risk and allow much more agility in adapting to changing priorities. Storage security posture management (also known as storage vulnerability management) solutions can go a long way toward reducing this exposure.
- Apply much stricter controls and more comprehensive testing of storage and backup security, and of the ability to recover from an attack. This will not only improve confidence, but will also help identify key data assets that might not meet the required level of data protection.
- Include all aspects of storage and backup management, including often-overlooked key components such as fibre-channel network devices, management consoles, etc.
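The posture-management approach described earlier and the four steps above come together in a small automated baseline check. This is an added example, not code from the article or from any posture management product: the control IDs, thresholds, scoring and the inventory (which deliberately includes a fibre-channel switch and a management console alongside the array and backup repository) are all hypothetical and constructed. Findings are ranked by control severity multiplied by the component's business impact and carry remediation guidance.

```python
"""Baseline posture check over a constructed inventory of storage and backup
components. Added example, not code from the article or from any vendor tool;
control IDs, thresholds, inventory and scores are hypothetical."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    severity: int                     # 1 (low) .. 5 (critical)
    check: Callable[[dict], bool]     # True when the component is compliant
    remediation: str


def _immutable_with_retention(cfg: dict, min_days: int = 30) -> bool:
    return cfg.get("immutable") is True and cfg.get("retention_days", 0) >= min_days


# Hypothetical baseline; a real one would be derived from NIST SP 800-209 and
# the vendor's own hardening guide.
BASELINE = [
    Control("STO-01", "Backup copies are immutable with at least 30 days retention", 5,
            _immutable_with_retention, "Enable WORM/object lock; set retention >= 30 days"),
    Control("STO-02", "Administrative logins require MFA", 5,
            lambda c: c.get("mfa") is True, "Enforce MFA on all admin accounts"),
    Control("STO-03", "Vendor default credentials changed", 5,
            lambda c: c.get("default_creds") is False, "Rotate or disable default accounts"),
    Control("STO-04", "Management interface on an isolated network", 4,
            lambda c: c.get("mgmt_network") == "isolated", "Move management ports off the production network"),
    Control("STO-05", "Audit logs forwarded to the SIEM", 3,
            lambda c: c.get("log_forwarding") is True, "Configure audit/syslog forwarding"),
    Control("STO-06", "Snapshot deletion requires a second approver", 4,
            lambda c: c.get("snapshot_delete_approval") is True, "Enable dual control for snapshot deletion"),
]

# Constructed inventory; 'applicable' lists which controls apply to each component.
INVENTORY = [
    {"name": "backup-repo-01", "type": "backup repository", "business_impact": 5,
     "applicable": {"STO-01", "STO-02", "STO-03", "STO-04", "STO-05"},
     "config": {"immutable": True, "retention_days": 14, "mfa": True,
                "default_creds": False, "mgmt_network": "isolated", "log_forwarding": True}},
    {"name": "san-array-01", "type": "storage array", "business_impact": 5,
     "applicable": {"STO-02", "STO-03", "STO-04", "STO-05", "STO-06"},
     "config": {"mfa": False, "default_creds": False, "mgmt_network": "production",
                "log_forwarding": True, "snapshot_delete_approval": False}},
    {"name": "fc-switch-01", "type": "fibre-channel switch", "business_impact": 3,
     "applicable": {"STO-03", "STO-04", "STO-05"},
     "config": {"default_creds": True, "mgmt_network": "production", "log_forwarding": False}},
    {"name": "mgmt-console-01", "type": "management console", "business_impact": 4,
     "applicable": {"STO-02", "STO-03", "STO-05"},
     "config": {"mfa": True, "default_creds": False, "log_forwarding": False}},
]


def assess(inventory: list, baseline: list = BASELINE) -> list:
    """Evaluate every applicable control on every component; return failed
    checks ranked by severity * business impact (highest first)."""
    findings = []
    for comp in inventory:
        for ctl in baseline:
            if ctl.id not in comp["applicable"] or ctl.check(comp["config"]):
                continue
            findings.append({
                "component": comp["name"], "type": comp["type"], "control": ctl.id,
                "description": ctl.description,
                "score": ctl.severity * comp["business_impact"],
                "remediation": ctl.remediation,
            })
    # Ties broken by component and control ID so the report is stable.
    return sorted(findings, key=lambda f: (-f["score"], f["component"], f["control"]))


def report(inventory: list = INVENTORY) -> list:
    """Human-readable lines, one per finding, in priority order."""
    return [f"[{f['score']:>2}] {f['component']} ({f['type']}) {f['control']}: "
            f"{f['description']} -> {f['remediation']}" for f in assess(inventory)]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is it lists eight findings, with the backup repository's short retention and the array's missing MFA at the top; the switch with default credentials ranks below them only because of its lower business-impact weight, which is exactly the kind of component the last step above warns is easy to overlook.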
NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, provides an overview of the evolution of storage technology, recent security threats, and the risks they pose.
It includes a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage resources, covering data confidentiality protection using encryption, isolation, and restoration assurance.