Iron Man may have killed James Bond; Is Cyber Crime doing the same to your Backup Regime?

Growing up in the 1960s and into the 1970s, in cinematic terms there was nothing more escapist than James Bond. Suave, sophisticated and tech savvy, he had all the best gadgets at his fingertips.

For example, that Aston Martin was followed by a submersible Lotus and even a drive-by-phone BMW; a Geiger counter watch was superseded by a magnetic chainsaw version and even one with a built-in laser. A cigar-tube-sized aqualung, a jet backpack, a helicopter in a suitcase. The list went on and on. All well and good on the fantasy front then.

However, as the plots became more and more fanciful, so the spy sleuth strayed into the pure world of fantasy. Plots to sever vast swathes of California, space duels with NASA Shuttles. That is the point at which the franchise became its most vulnerable.

On the one hand undercut by the grittier Jason Bourne franchise, which harked back to those more basic Bond days, Bond was on the other hand out-fantasied by the Marvel Cinematic Universe, embodied in a man whose wardrobe was not laden with gadgets – his suit itself WAS the gadget. Enter Iron Man, slayer of the Bond-style fantasy.

As a comic book hero rather than a novel-based character, all bets were off; story lines could go in every direction feasible, even embracing a multiverse concept which would not be tenable in the pseudo-normal world of the post-war spy thriller. Bond was stabbed in the back by Bourne, but through the heart by Iron Man.

When the controversial film maker Paul Verhoeven was asked in a recent interview what he would do with the James Bond franchise, his answer was: “I’d go back to reality,” he says. “Cars that don’t leap up into the sky.”[1]

So, how does this relate to Cyber criminals and your backup regime?

In the ‘good old days’ Backup was something done, traditionally to tape, to take copies of a point in time to protect against Fire, Flood or Foe, and occasionally friends with fallible fingers. When a natural disaster struck, or someone maliciously attacked your systems, or someone accidentally deleted something vital or otherwise, backups could get you back to whenever they were last taken, usually 24 hours or so earlier.

Of course, like Bond, over time backup systems got more sophisticated – they got ‘gadgets’. Open files at backup time? We have a feature to cover that. Backing up constantly open databases? We found a way to get you covered. Tape taking too long or requiring too much manhandling? Disk-based systems, with compression and deduplication, came to save the day.

But today’s Cyber-attacks come from a multiverse of angles:

· Infiltrate but lie dormant for an average of 287 days before the “BOOM”[2]

· Attack the backups FIRST so they are no longer the first line of defence but the battleground of the attack

· Extend Ransomware to everywhere – from the largest data centre to the home network

· Exploit the trifecta of:

  o Scrambling data with encryption to make it unusable and holding it to ransom

  o Stealing personal data for exploitation – maybe even decades later, long after the event itself is forgotten

  o Obliterating data as part of a campaign of blatant business destruction – remember, businesses that take more than 6 weeks to recover are seldom in business a year later

Recovering from a Cyber-attack can take on average 21 days using those trusted traditional backup tools. Even then the software and hardware alone only give you copies of your data that may have been infected long before the actual attack – whether announced by ransom or carried out maliciously by stealth. Hence it can take a further 75 days to contain the breach.

Data protection on its own is not enough. Copies of data, if accessible, can be corrupted. Remember that replication between systems or sites replicates everything, including malware.

This requires security teams to wade through the backup copies looking for a good set of data to restore before you can even think about recreating the data lost between that point and the point of the attack.

Doing things the old way just doesn’t cut it in a world of Cyber criminals, the like of whom were once the stuff of Hollywood but are now today’s reality.

Assuming businesses already have an infrastructure that uses some of the current data protection techniques such as backups, snapshots and replication, the next step is to expand that infrastructure to add the necessary cyber resiliency focus.

Isolation can be either a logical or a physical separation. An air gap is one example of separation. Generally, the greater the separation, the greater the protection, but the longer it will take you to get back up and running. Remember those age-old backups to Tape? They WERE air gapped! Maybe it is time to re-evaluate the role of Tape in your data centre.

Immutability is largely a question of how easy it is to corrupt or destroy your data. Can someone modify your snapshots, and how easily can they do that? Do you have one system administrator with access to all copies of your data? Or have you enabled the equivalent of multi-factor authentication by giving your secure copies separate access rights?

Granularity refers to the amount of data loss, as well as the amount of downtime, your business can afford. Do you want your system to be back online in hours, days or weeks? How much data can your business afford to lose without client impact? What systems, applications and data could you afford to sacrifice for the good of the rest of the business? What would the total loss of access to certain systems, applications and data do to your business? Start with those, because that is the first place the Cyber-criminals will start too!

Cloud storage. Putting your data IN the cloud seemed like a good idea – let someone else worry about it – but what if the Cloud is attacked? Do you have another copy you can use in such circumstances? And if you are restoring a backup from the Cloud, what about the cost of that in terms of TIME to restore as well as EGRESS charges?

Protection should be as simple as 1, 2, 3, 4.

Firstly, start with the creation of those immutable copies. Without them your data is vulnerable. Storing the immutable copies on the same medium as the primary copies, but shielded from access by the primary systems, ensures the fastest response times. Today that is easily implemented using IBM FlashSystem, even if your primary copies are on another vendor’s platform.

Secondly, enable Proactive Monitoring. An organization’s cybersecurity strategy comprises many components, but an effective SIEM solution plays a vital role. A SIEM solution helps security teams accurately detect and prioritize threats across the enterprise. It provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Thirdly, a rapid recovery platform is required. Intelligent insights and quick response times are only possible, though, when adequate compute and storage resources are provided. Effective SIEM solutions need to ingest vast quantities of data, often from complex operating environments spanning on-premises and cloud resources. The complex analytics required to gain better insights require access to vast quantities of data. In these environments fast response times are only possible using high-performance, low-latency storage.

Fourthly, test and validate the data copies to enable early detection. This can dramatically limit the amount of time needed to find a viable copy of data. The whole process is spelled out for clients in IBM’s Cyber Vault for FlashSystem.

The IBM Cyber Vault solution is a blueprint/template, not a single ‘thing’ or part number a customer will buy. It builds on the Safeguarded Copy function, which delivers immutable copies of data on the primary storage array that can then be recovered expeditiously.

Cyber Vault is about building a sandbox environment and automated processes where you can test the copies of data when an event occurs. This enables the Security team to perform the necessary forensics to understand the cause of the event and look for the last valid copy of the data. Perhaps more importantly, it enables proactive checking of the Safeguarded Copies to provide a worst-case Recovery Time Objective (RTO) well before a cyber event actually occurs.
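The fourth step (test and validate the data copies) and the sandbox check described above amount to walking back through the protected copies, newest first, until one passes validation. The Python script below is an added example of that walk; it is not IBM's Cyber Vault code and does not come from the article. It models each copy as an in-memory set of files plus the checksum manifest recorded when the copy was taken (the three sample copies, the file names, the "ransomware" stand-in and the note file are all constructed), and it combines three checks: the expected file set is present and nothing unexpected has appeared, every file still matches its manifest, and no file that should be plain text now has the near-8-bits-per-byte entropy of encrypted data. The entropy check is the one that still fires when an attacker has rewritten a writable copy and regenerated its manifest, which is the "attack the backups FIRST" case from the bullet list.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data (not from the article): a small production file set.
GOOD_FILES = {
    "db/customers.csv": b"id,name,email\n"
    + b"".join(f"{i},customer{i},user{i}@example.com\n".encode() for i in range(40)),
    "app/config.ini": b"[service]\nport=8443\ntls=required\nlog_level=info\n" * 12,
}
EXPECTED_PATHS = frozenset(GOOD_FILES)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_manifest(files: dict) -> dict:
    """Checksum manifest recorded at the moment a copy is taken."""
    return {path: sha256_hex(content) for path, content in files.items()}


def scramble(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for ransomware encryption: XOR with a SHA-256 keystream."""
    out, block = bytearray(), key
    for start in range(0, len(data), 32):
        block = hashlib.sha256(block).digest()  # next 32 keystream bytes
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def validate_copy(files: dict, manifest: dict, expected_paths, entropy_threshold=7.0, min_size=256):
    """Return the list of findings for one copy; an empty list means the copy is usable."""
    findings = [f"missing: {p}" for p in sorted(expected_paths - set(files))]
    findings += [f"unexpected file: {p}" for p in sorted(set(files) - expected_paths)]
    for path, content in sorted(files.items()):
        recorded = manifest.get(path)
        if recorded is not None and sha256_hex(content) != recorded:
            findings.append(f"checksum mismatch: {path}")
        # Entropy is a heuristic: skipped for small files (the estimate is biased low)
        # and for formats that are compressed or encrypted by design.
        if (len(content) >= min_size
                and not path.endswith((".gz", ".zip", ".jpg"))
                and shannon_entropy(content) > entropy_threshold):
            findings.append(f"high entropy (possible encryption): {path}")
    return findings


def find_last_valid_copy(copies, expected_paths):
    """Walk copies newest first; return (id of the last valid copy or None, findings per copy)."""
    report = {}
    for copy_id, files, manifest in reversed(copies):
        report[copy_id] = validate_copy(files, manifest, expected_paths)
        if not report[copy_id]:
            return copy_id, report
    return None, report


def build_sample_copies():
    """Three constructed daily copies: clean, tampered during the dormant phase, then encrypted."""
    manifest_good = make_manifest(GOOD_FILES)
    day1 = ("2022-03-01", dict(GOOD_FILES), manifest_good)

    # The copy stayed writable, so config.ini was altered after it was taken; the manifest was not.
    tampered = dict(GOOD_FILES)
    tampered["app/config.ini"] = GOOD_FILES["app/config.ini"].replace(b"tls=required", b"tls=disabled")
    day2 = ("2022-03-02", tampered, manifest_good)

    # Files encrypted and a note dropped; the attacker also regenerated the manifest,
    # so checksums alone would pass and only the entropy and file-set checks fire.
    key = b"constructed-sample-key"
    encrypted = {p: scramble(c, key + p.encode()) for p, c in GOOD_FILES.items()}
    encrypted["RESTORE_INSTRUCTIONS.txt"] = b"constructed stand-in for a ransom note\n"
    day3 = ("2022-03-03", encrypted, make_manifest(encrypted))
    return [day1, day2, day3]


if __name__ == "__main__":
    last_good, report = find_last_valid_copy(build_sample_copies(), EXPECTED_PATHS)
    for copy_id, findings in report.items():
        print(copy_id, "OK" if not findings else findings)
    print("last valid copy:", last_good, "after checking", len(report), "copies")
```

Run as a script, the report shows the 3 March copy failing on high entropy and an unexpected file, the 2 March copy failing on a checksum mismatch (the copy was still writable after it was taken, which is the immutability point made earlier), and the 1 March copy as the last valid one. The number of copies that had to be examined before a valid one was found is the figure that feeds a worst-case RTO estimate; the entropy heuristic is deliberately skipped for small files and compressed formats because it is unreliable there.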

Automation, with authorized personnel approvals where required, ensures the recovery is both simple and expedient.

In summary, Business Continuity and Disaster Recovery share a common goal of protecting your data. However, when you add additional focus on Cyber Resiliency, you will then have confidence that the copy of your revenue-producing data has not been modified since it was ingested and that it can be reliably used to restore your business should a cyber incident occur.

Of course, as every cinema fan knows, James Bond will return.

He might be played by a different actor, with different gadgets, and maybe eventually even an electric car. Perhaps only then will he be able to face up to the modern threats he faces.

Will you?

Sources:

https://www.ibm.com/downloads/cas/OJDVQGRY

https://www.ibm.com/case-studies/data-action/

IBM Security X-Force Ransomware Readiness Assessment Services

[1] Paul Verhoeven interview in The Times, https://www.thetimes.co.uk/article/benedetta-director-paul-verhoeven-were-scared-of-sex-q2jlvt7wq?utm_source=Twitter&utm_campaign=Paul&utm_medium=branded_social

[2] "Cost of a Data Breach 2021" report released by IBM and Ponemon Institute.

Carl Filpo

Managing Director at CMTG

2 years

Great article - so much relevance in today's world where ticking boxes is so far from the reality of working resilience!
Damon Wynne

I assist organisations to maximise the value of their data.

2 years

"Doing things the old way just doesn’t cut it in a world of Cyber criminals" This. Your data protection strategy needs to be adapted to reflect the types of attacks being employed by organised and talented cyber criminals. Just this week, the Lockbit ransomware group announced their bug bounty program with reward payments up to a staggering $1M US dollars. https://twitter.com/vxunderground/status/1541156954214727685?t=_OlsnCFVrPy_WMBfqUo9gw&s=19 This is the sophistication of today's cyber criminals. How many enterprise organisations do you know who are prepared to provide that level of engagement to prevent attacks?

Stephen Doney

Vendor & Customer Relationship, Customer Advocate.

2 years

Fantastic read Rick... thank you

Excellent article. It is just a matter of time before the moat or the walls erected that are constantly besieged are breached, post which we see a great loss.
Ace Lopez

Americas - Tape Solutions Sales Leader at IBM

2 years

The value of Tape technology in modern data stores is too good to pass up for all the reasons Rick Terry said so well!
