Dell EMC Isolated Recovery
Andreas El Maghraby, Advisory Systems Engineer, DPS (@andyem_si)
Incident Response: Categories of Cybercrime Activity, April to June 2016
[Pie chart] Categories shown: Ransomware, Banking Trojan, Business Email Compromise, Web Script, Adware, Spam, Other*
Percentages shown on the chart: 37%, 27%, 12%, 9%, 7%, 7%, 5% (the category-to-percentage pairing is not recoverable from the extracted text)
* Other: DoS, unknown, digital currency mining and credential harvesting
The Evolution of Ransomware
- Cybercrime has matured into a business sector
- The latest paradigm is Cybercrime-as-a-Service (CaaS)
- The ransomware market, within this paradigm, is rapidly maturing
- Ransomware strains are being upgraded, rebranded, and sold cheaply on the Dark Web
- All potential targets, regardless of size, present equal opportunities
True Costs of Ransomware
Example cost breakdown for an attack with a $30,000 ransom (all figures USD):

  Cost item                 Amount
  Ransom                       30,000
  Lost Revenue              2,500,000
  Incident Response            75,000
  Legal Advice                 70,000
  Lost Productivity           250,000
  Forensics                    75,000
  Recovery & Re-Imaging        60,000
  Data Validation              25,000
  Brand Damage                500,000
  Litigation                  200,000
  Total Costs of Attack     3,785,000

The ransom itself is under 1% of the total; the bulk is lost revenue, brand damage and the cost of getting back to a validated, clean state.
NIST Cybersecurity Framework Focus
Framework functions and their categories:
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
- Protect: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications
Validation / Dell EMC mapping to each function:
- Identify: Dell EMC IR Services for Risk Management, Governance Model, & Operating Model
- Protect: Isolated Recovery Solution (Protective Technology, Processes & Procedures)
- Detect: Isolated Recovery Solution Validation Servers; RSA Security Behavior Analytics
- Respond: Dell EMC IR Services for Response Framework for Cyber Incident Management
- Recover: Isolated Recovery Solution with Recovery Servers
Traditional Strategies Are Not Enough
Data Encryption
- Not preventative against attacks
- Hacktivists can encrypt your encrypted data
- For data protection, not recovery
- Potential negative impacts on cost to store, replicate and protect
Tape Backups
- Too long to recover
- Difficult to validate data
- Requires backup infrastructure to recover
- May not protect: Backup Catalog; PBBA [Data Domain]; Tape Library; Metadata DB
Cyber Insurance
- All breaches may not be covered
- Policies have baseline security requirements
- Monetary limits may not cover all damages
- Does not protect: Patient needs; Brand; Lost trust
Current State: Risk Profile Summary
Technical
- All data is currently susceptible to a cyber attack
- Primary storage replication can replicate corruption
- Backup catalog not replicated
- Recovery of backup catalog from tape is slow and failure prone
- Backup copies not isolated from network
People & Process
- IT Engineering and Ops have access to most if not all backup assets
- Security teams not assigned to assets; bad actors inside the firewall can create havoc
- Franchise-critical and non-critical data are not segregated
- Backup images can be expired without authorization
These risks are consistent with traditional Prod/DR models. This is a different challenge and requires a different architecture.
Current State: What is a Business Impact Analysis?
A process to understand:
- What is the monetary impact of a disaster or failure?
- What are the most time-critical and information-critical business processes?
- How does the business REALLY rely upon IT service and application availability?
- What availability and recoverability capabilities are justifiable based on these requirements, potential impact and costs?
Composed of two components:
- Technical Discovery: data gathering
- Human Conversation: talk to people!
BIA Output: The Most Critical Data First
[Figure: Compute, Applications, Data]
- Protect the heartbeat of the business first
- Validate & store highest-priority data
- Prioritize top applications or data sets to protect
- Usually less than 10% of data
- Start with a core set and build from there
Layered Cyber-Security for Data Protection (level of protection: Good / Better / Best)
Good: Traditional Data Protection Best Practices
- Deploy a layered data protection approach (the continuum) for more business-critical systems, but always include a point-in-time, off-array, independent backup with DR replication (N+1)
- Protect born-in-the-cloud and endpoint data
Better: Additional Hardening and Protection Features
- Product-specific hardening guides
- Encryption in flight and/or at rest
- Retention lock with separate security officer credentials
Best: Advanced Protection Services
- Isolated recovery solution
- EMC/EY service offerings: assess, plan, implement, and validate
- Use of evolving security analytics: RSA & Secureworks
Isolated Recovery Solution: How It Works
Critical data resides off the network and is isolated.
[Diagram] Production Apps on the Corporate Network (with DR/BU) feed a risk-based replication process over a dedicated connection, across an air gap, into the isolated recovery environment holding the Business Data (Crown Jewels) and the Isolated Recovery Tech Config Data (mission-critical data).
Isolated Recovery with Dell EMC VMAX
[Diagram] Primary Storage (VMAX) replicates via SRDF across an air gap into the Isolated Recovery Vault, which contains the Isolated Recovery System, Restore Hosts, Validation Hosts and a Management Host.
- No management connectivity to the IR Vault
- Enable data link and replicate to the isolated system
- Complete replication and disable the data link
- Maintain WORM-locked restore points
- Optional security analytics on data at rest
- Professional Services
Isolated Recovery with Dell EMC Data Domain
[Diagram] Primary Storage is backed up to a Backup Appliance, which replicates via DD Replication across an air gap into the Isolated Recovery Vault (Isolated Recovery System, Restore Hosts, Validation Hosts, Management Host).
- Create backup of data
- No management connectivity to the IR Vault
- Enable data link and replicate to the isolated system
- Complete replication and disable the data link
- Maintain WORM-locked restore points
- Optional security analytics on data at rest
- Professional Services
Separate Copy Streams For Better Recovery
[Diagram] Two independent streams replicate into the Isolated Recovery Vault (Data Domain on both sides):
- OS stream: Vendor Distros -> Distribution Mgmt. / Clean Room (Change Control Process) -> Change Control Copy OS -> DD MTree Replication -> IR Vault
- Backup stream: Production Hosts -> OS Backup Process / Daily Backup -> Data Domain -> DD MTree Replication -> IR Vault
- The malware path is marked on the production backup stream: daily backups of production hosts can carry the infection, while the change-controlled OS copy from the clean room gives a trusted base to rebuild on
Proactive Analytics in the IR Vault
Why analytics in the vault?
- Increases effectiveness of Prevent/Detect cyber-security when performed in a protected environment
- Diagnosis of attack vectors can take place within an isolated workbench
- App restart activities can detect attacks that only occur when the application is initially brought up
[Diagram] Isolated Recovery Vault: Isolated Recovery System, Restore Hosts, Validation Hosts, Management Host
Categories of data and the checks that suit them:
- Transactional data, dynamic/large: log variances, sentinel records, etc.
- Intellectual property, static/large: checksums, file entropy
- Executables / config files, static/small: checksums, malware scans
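The checks listed for static data (checksums, file entropy) and transactional data (sentinel records) are simple enough to run on the vault's Validation Hosts against each newly replicated copy. The following is an added example of that logic, written for this page and not Dell EMC or RSA code; the file layout, the sample files and rows, the 7.5 bits/byte entropy cut-off and the 2.0-bit entropy jump are all assumptions. It records a checksum-plus-entropy manifest when a known-good restore point is locked, then flags files in the next copy that are missing, new, modified, or modified and now high-entropy (the signature of a file that has been encrypted in place), and checks that planted sentinel rows in transactional data survived unchanged.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter

# Assumption: above ~7.5 bits/byte a file body looks encrypted or compressed.
# Plain executables, configs and documents normally sit well below this.
HIGH_ENTROPY = 7.5
# Assumption: entropy must also rise this much vs. the baseline before we call
# a change "encrypted", so a legitimately updated archive is not flagged twice.
ENTROPY_JUMP = 2.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, dict]:
    """Checksum + entropy per file, recorded when a known-good restore point is WORM-locked."""
    return {path: {"sha256": sha256_hex(body), "entropy": shannon_entropy(body)}
            for path, body in files.items()}


def validate_static_data(baseline: dict[str, dict], current: dict[str, bytes]) -> list[dict]:
    """Compare a newly replicated copy against the locked baseline manifest."""
    findings = []
    for path, meta in baseline.items():
        body = current.get(path)
        if body is None:
            findings.append({"path": path, "finding": "missing"})
            continue
        if sha256_hex(body) == meta["sha256"]:
            continue                      # unchanged: nothing to report
        entropy = shannon_entropy(body)
        if entropy >= HIGH_ENTROPY and entropy - meta["entropy"] >= ENTROPY_JUMP:
            kind = "modified_high_entropy"  # content now looks like ciphertext
        else:
            kind = "modified"
        findings.append({"path": path, "finding": kind, "entropy": round(entropy, 2)})
    for path in current:
        if path not in baseline:
            findings.append({"path": path, "finding": "unexpected_new_file"})
    return findings


def check_sentinels(rows: list[dict], sentinels: dict[int, dict]) -> list[int]:
    """Sentinel records are known rows planted in transactional data.
    Return the ids of sentinels that are missing from, or altered in, the replicated rows."""
    by_id = {row["id"]: row for row in rows}
    return sorted(sid for sid, expected in sentinels.items() if by_id.get(sid) != expected)


# Constructed sample data (not from any real system).
BASELINE_FILES = {
    "bin/app": b"\x7fELF" + bytes(64),
    "etc/app.conf": b"listen=0.0.0.0:8443\nmode=prod\n",
    "docs/design.txt": b"quarterly design notes for the billing service\n" * 40,
}
BASELINE = build_manifest(BASELINE_FILES)

# The next replicated copy after a hypothetical ransomware run: one document now has a
# uniform byte distribution (a stand-in for encrypted content), a config is gone, a note appears.
CURRENT_FILES = {
    "bin/app": BASELINE_FILES["bin/app"],
    "docs/design.txt": bytes(range(256)) * 16,
    "docs/README_RESTORE.txt": b"your files have been encrypted\n",
}

# Transactional data: two planted sentinel rows, one of which has been tampered with.
SENTINELS = {
    9001: {"id": 9001, "customer": "SENTINEL-A", "balance": 0},
    9002: {"id": 9002, "customer": "SENTINEL-B", "balance": 0},
}
ROWS = [
    {"id": 1, "customer": "acme", "balance": 120},
    {"id": 9001, "customer": "SENTINEL-A", "balance": 0},
    {"id": 9002, "customer": "SENTINEL-B", "balance": 55},
]

if __name__ == "__main__":
    for finding in validate_static_data(BASELINE, CURRENT_FILES):
        print(finding)
    print("sentinels missing/altered:", check_sentinels(ROWS, SENTINELS))
```

The manifest must itself live inside the vault (on a WORM-locked restore point), otherwise an attacker who can rewrite production data can rewrite the baseline too. Entropy alone is a weak signal, since compressed archives and media are legitimately high-entropy, which is why the check requires both the hash mismatch and a jump relative to that file's own baseline.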