IBM Support

#Dataprotection in the age of ransomware

Technical Blog Post


“Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” - Sun Tzu, Art of War

 

While #ransomware is a threat to all business sectors, #IT, business and professional service firms lead the way followed by government and #healthcare agencies. Just as no sector is immune, business organizations of all sizes are falling prey to these attacks and the cost is not purely financial; it also can include IT consequences and damage to the company brand.

 

The threat of ransomware is increasing daily and getting even more dangerous. The programs are becoming more complex and target specific data endpoints such as database centers, #IoT units, and even #mobile devices.

 

What sets ransomware apart from other malware is that it’s all about #storage.

 

There are a few key areas to consider for data protection in ransomware detection and prevention:

  • Data security plan
  • Detecting ransomware and alerting
  • Airgap storage of data copies

 

Dynamic prevention is the best defense

Now more than ever, in the current business climate, it is imperative to be proactive about safeguarding your valuable data. At the forefront of this defense is an intelligent and effective overall data security plan that includes a sophisticated security infrastructure and education.

 

Educational awareness requires interoperable security measures and training to be in place so that network protection can stop ransomware threats before they happen and reduce the critical business impact (costs of unplanned system downtime) of any attacks that persist.

 

The participants in the security plan must be aware of the responsibilities and what is expected of them. To this end, the data must be categorized so that each member of the business organization knows the differences and how to handle each type accordingly.

 

Some data types include:

  • Confidential
  • Internal
  • General

 

Once a data security plan is in action, it should be reviewed at least a couple of times a year and definitely upon an upgrade to the network infrastructure. This constant vigilance shows that you are serious about preventing cyber crime and gives your organization confidence that you know how to safeguard their entrusted data.

 

Automated detection of ransomware

While having a proper data security plan is your first line of defense, examining the behavior of potential ransomware infiltration of your backup data is also very important. Once a ransomware occurrence is detected, having the ability to be alerted and then respond instantly to limit the damage is crucial to any data protection strategy.

 

IBM Spectrum Protect V8.1.5 introduces a new Security Notifications page for detection of potential ransomware attacks. This page is accessed from Operations Center > Overviews > Security.

 

After every client backup session, statistics are analyzed for signs of a ransomware infection. If any signs are present, a warning message is displayed in the Operations Center.

 

Abnormalities that are treated as signs include a large increase in the amount of data that is being backed up or a large decrease in the dedupe ratio for the storage container pools.
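The two signals named above are the ones encryption produces: ciphertext rewrites every file, so the incremental backup grows, and it does not deduplicate. A minimal sketch of such a per-client baseline check follows, as an added example rather than IBM Spectrum Protect's own logic; the thresholds, field names and sample sessions are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; not IBM Spectrum Protect's internal values.
GROWTH_FACTOR = 3.0   # warn when GB backed up exceeds 3x the client's baseline
DEDUPE_DROP = 0.5     # warn when dedupe % falls below half the client's baseline
MIN_HISTORY = 5       # sessions required before a baseline is trusted

def check_session(history, session):
    """Compare one finished backup session with the client's earlier sessions."""
    if len(history) < MIN_HISTORY:
        return []  # new client: no baseline yet, so no warning
    base_gb = median(s["gb"] for s in history)
    base_dedupe = median(s["dedupe_pct"] for s in history)
    warnings = []
    if session["gb"] > GROWTH_FACTOR * base_gb:
        warnings.append("backup size increase")
    if session["dedupe_pct"] < DEDUPE_DROP * base_dedupe:
        warnings.append("dedupe ratio decrease")
    return warnings

def analyze(sessions):
    """Process sessions in order and return (client, day, warnings) tuples."""
    history = defaultdict(list)
    notifications = []
    for s in sessions:
        warnings = check_session(history[s["client"]], s)
        if warnings:
            # Flagged sessions stay out of the baseline so an infection
            # cannot quietly become the new normal.
            notifications.append((s["client"], s["day"], warnings))
        else:
            history[s["client"]].append(s)
    return notifications

# Constructed sample data: (client, day, GB backed up, dedupe %).
ROWS = [("fs01", d, gb, dd) for d, (gb, dd) in enumerate(
    [(20, 62), (22, 60), (19, 64), (21, 61), (20, 63), (23, 60), (180, 4)], 1)]
ROWS += [("db02", d, gb, dd) for d, (gb, dd) in enumerate(
    [(50, 40), (52, 41), (49, 39), (51, 40), (50, 42), (75, 35)], 1)]
SAMPLE = [dict(client=c, day=d, gb=gb, dedupe_pct=dd) for c, d, gb, dd in ROWS]

if __name__ == "__main__":
    for client, day, warnings in analyze(SAMPLE):
        print(f"{client} day {day}: {', '.join(warnings)}")
```

Because flagged sessions never enter the baseline in this sketch, a legitimate change such as a data migration keeps warning until the baseline is reset.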

At the top of the security dashboard, you can see the number of unacknowledged notifications, the number of acknowledged notifications, and the number of notifications that were generated within the last 24 hours.

 

Alongside the notification numbers is a two-week graph that shows the number of notifications for the Operations Center and all the servers that it reports information on.

As an IBM Spectrum Protect administrator, you can:

  • View notifications in the Operations Center, including the two-week graph
  • Drill down for more detailed ransomware detection information
  • Mark the notification as acknowledged
  • Assign the notification to a particular administrator
  • Reset the baseline for backup and dedupe ratios
  • Manage alerts in the Operations Center, Overviews and Alerts section

 


Airgap storage of data copies

Another important technique to keep your systems secure and your information free from ransomware infections is air gapping your backup copies.

 

By using an air gap, a business organization can isolate its most valuable data from the rest of the network. If the network is under attack, you can easily recover any instances of the data.

 

One segment of data protection where you can use air gapping is to protect backup data.

While air gapping is a less expensive and highly effective part of your backup strategy, it’s important that either your offsite backup or your physical media is not remotely accessible. In addition, your backup and disaster recovery software must back up to multiple types of media.

The tape solution of IBM Spectrum Protect provides storage to tape media, which is a flexible and affordable option for long-term data retention and protection.

With some backup and recovery software, tapes just sit in libraries. They are not used on a regular basis and ultimately expire. With IBM Spectrum Protect, the tapes are always highly optimized, enabling the valuable data to be stored efficiently and ensuring that the tape restore process and media handling are performed at an optimal level.

 

IBM Spectrum Protect backs up incremental bits of data so dedupe numbers appear low; it enables you to back up your data efficiently.

You don’t have to worry about ransomware corrupting your dedupe pool. You can air-gap the pool to tape and restore any corrupt extents.

 

In the latest version of IBM Spectrum Protect, you have air gapping and faster alerting to any potential ransomware infection. You can now respond promptly to a ransomware event and recover any airgap copies of your data.

 

Proactive prevention and protection

Ransomware is gaining more sophistication every single day.

To prevent intrusions, or to minimize their effect if an attack does occur, data protection is vital. Backing up your data on a regular basis, verifying the integrity of the backups, and securing the backups is still an essential way to recover from ransomware.

While prevention is the key, a proactive approach in your data protection is imperative to dealing with ransomware now and in the future.

Stop ransomware in its tracks!

Protect your data endpoints!

For continuing information on IBM Spectrum Protect, IBM Spectrum Protect Plus, IBM Spectrum Control, IBM Storage Insights and the entire IBM Spectrum Storage Suite, view Bob Graczyk's profile on LinkedIn or Twitter, @bobby_gratz

UID

ibm16165375