The Role of Immutable Storage Services in Ransomware Protection

The threat from increasingly sophisticated ransomware attacks continues to grow. Unfortunately, no single solution can completely protect an organization from ransomware attacks. In this piece, we look at the role immutable storage services can play in a ransomware protection strategy. 

IREs and Immutable Storage 

An isolated recovery environment (IRE) is a dedicated, secure recovery environment equipped with resources to verify and recover data from an immutable backup copy. Immutable data architecture means that data, once written, can never be changed, and so it cannot be encrypted by ransomware. An IRE with immutable storage does not replace a traditional backup but is meant as a tertiary solution for critical data. 

IREs with immutable data vaults (IDVs) provide the highest level of security and recovery against a  ransomware attack, but they also come with the highest cost and complexity. An IRE solution will rarely replace your full backup solution, so this is an additional recurring cost generally calculated per gigabyte of data. Costs for even moderately sized firms can add up to hundreds of thousands of dollars a year, in addition to other backup and recovery costs. 

A wide range of on-site and cloud storage technology providers offer immutable storage products and services, including NetApp, Cisco Systems, Amazon Web Service (AWS), Microsoft Azure, Dell EMC PowerProtect Cyber Recovery and IBM Services Cyber Vault. 

When investing in any form of backup solution, cloud or on-prem, organizations should consider: 

• Cost: This is generally calculated by the amount of data stored, which can add up quickly in the cloud, depending on your needs. 
  
• Recovery time: This is the amount of time it takes to restore services from backup. While this can vary quite a bit depending on the physical location of servers, cloud recovery can be comparable to on-prem. However, businesses that need ultra-fast, recurring backup and recovery services tend to prefer on-prem for both cost and speed of recovery. 
  
• Security. Security can be viewed from two different perspectives. While some companies prefer to keep all their sensitive data on-site and under their control, the whole reason for looking at an IRE is to move critical data off the corporate network entirely so that it’s safe in the event of a ransomware attack. Despite cloud solutions offering high security and end-to-end encryption, some prefer an on-site solution that ensures data is never sent out over the internet. Organizations should weigh their individual needs carefully and do a cost/benefit analysis. 
  

When investigating immutable backup solutions, keep in mind that: 

• They require considerable investment: The cost and logistical challenges of creating and restoring known good backups with these solutions can be expensive and time consuming. They also require an investment in training people and defining recovery processes. 
  
• Their benefits may not justify the investment: Modern backup and recovery solutions offer many of the benefits offered by IREs, but IREs offer additional physical security and recovery features. The term “immutability” is used differently by vendors and varies in implementation and effectiveness. You need to understand what each vendor means by “immutable“ and how this is better than your existing recovery solutions. 
  

Immutable storage may make sense in some scenarios, beyond your standard backup solution. For example, financial companies and highly regulated industries may feel the added security and peace of mind is worth the investment. Other companies may feel the ever-increasing cost of paying a ransom more than justifies the additional investment in a tertiary recovery solution. 

Ransomware Prevention Strategy 

However, immutable storage is not a ransomware prevention strategy; it is a recovery strategy. Whether or not you decide to employ it, many other steps can and should be taken to build a ransomware defense-in-depth strategy. Make sure you cover these basics first. For example, typical security controls like keeping up-to-date on system patches is the first step to minimizing the risk that ransomware will be successful. Other controls to consider include: 

• Conducting regular training and awareness: Training and awareness and end-user phishing simulations can help employees understand their role in protecting against ransomware attacks. 
  
• Eliminating typical network copying protocols: Avoid the use of simple network-sharing protocols, such as Common Internet File System (CIFS) or Network File System (NFS) when implementing storage for backup data. These protocols are notoriously insecure, as evidenced by WannaCry and other crypto-malware. 
  
• Protecting the backup system itself: Protection of both the backup administration console and copies of backup data ensures usable backups are always available. Putting the backup systems behind a firewall, jump box or otherwise segmenting the network can help isolate backup systems without the inconvenience of a fully air-gapped solution. 
  
• Using multifactor authentication (MFA): Using MFA for all backup administrator accounts can make these critical accounts much harder to compromise. 
  
• Using secure DNS services: Many ransomware programs attempt to “phone home” to let the attacker know a system has been compromised. Using a secure DNS service can help stop obvious and known bad addresses from resolving in the first place. Vendors in this space include Akamai and Infoblox. 
  
• Creating your own IRE: You can gain much of the benefit of an IRE service at a fraction of the cost by copying backups to external media or write once, read many (WORM) device and simply storing it offline. However, you should weigh the effort involved in taking this approach with the cost of an IRE service. IRE services offer a much easier to deploy recovery scenario and check for known ransomware being replicated. In addition, cloud storage is a more robust alternative to WORM devices from a hardware failure perspective.  
  

Ransomware Recovery and Data Restoration   

Regardless of what solution you use, recovery strategies can go wrong in many ways. Restoring from backup can be time-consuming. Whatever strategy you select, make sure your recovery time objectives (RTOs) and recovery point objectives (RPOs) are sufficient for your business needs. Immutable storage isn’t that useful if it takes you a year back in time on a system restore or if it takes weeks to restore from backup. 

Other ways backup and restore strategies can go wrong include: 

• Restoring infected backups: Many times, ransomware software sits dormant for a period until activated. Backups can inadvertently become infected, and once restored, can kick off a vicious cycle of reinfection. 
  
• Storing encrypted backups: Even though IRE services claim to make sure they are not backing up ransomware, once systems are encrypted, these services cannot distinguish whether files are infected or not. 
  
• Spending more on a solution than the problem warrants: While we never advocate paying the ransom, you still don’t want to spend more on a recovery strategy than the ransom would typically cost. Average costs of a ransom for most companies can be between $150,000 and $1.4 million, depending on the size of the organization. 
  

Considerations for Setting Up an IRE 

Few organizations can afford the cost of backing up all their data to an IRE service. While putting only your most critical data in an IRE backup is a good alternative to minimize costs, there are steps you can take to harden your existing environment and gain many of the benefits without paying for a service.  

Here are a few key points to remember before considering an IRE service: 

• The term “immutable” is open to interpretation, but essentially is just a golden source of data that can’t be changed. Make sure you understand exactly how an IRE solution is protecting your data and how it’s better than your existing solutions before adding the cost and complexity to your strategy. 
  
• There is no magic bullet for ransomware. A layered defense with multiple controls along with early detection and a thorough ransomware response plan is still the most effective strategy. 
  

IRE services are a developing segment of the security market. However, their cost and complexity will continue to play a large role in the overall decision process for years to come. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.