Ransomware groups now prioritize seeking and encrypting data in backups to make the recovery process difficult unless the ransom is paid. That’s why it’s important to realize that backups are a good start for ransomware protection. A framework proposed by Veeam might just help. The framework is described in Veeam’s recently published whitepaper titled “5 Ransomware Protection Best Practices”. This is based on the NIST cybersecurity framework (NIST CSF), which organizations widely adopt. The framework advocates the 3-2-1-1-0 Rule for immutable backups.
According to Veeam, this whitepaper is a definitive guide that educates the market about the established Cybersecurity Framework of 5 key functions that can be used to increase an organization’s resiliency to ransomware:
Veeam believes these five functions are a proven way to ensure reliability for critical IT infrastructure. This paper outlines how advanced data protection techniques are organized in this framework and provide more options than ever to ensure data recoverability. This paper also highlights Veeam capabilities in each function of the framework to provide the most options in the market.
Veeam said the Cybersecurity Framework is the way to integrate a cybersecurity practice into the daily tasks of each of the IT disciplines, and it should be widely adopted in the organization. In other words, everyone is on the cybersecurity team.
CISO MAG discussed the paper with Rick Vanover, Senior Director of Product Strategy for Veeam.
“This is actually the same cybersecurity framework that a lot of government organizations use. And I have a mindset that everyone in an enterprise from end users to administrators, has a role in cybersecurity. I would recommend all of the disciplines, all of the practices within an IT organization — I recommend all of them to use this type of framework. Because this is a really simple model that is very effective to deal with the threat. And the ‘how’ is by simply aligning what everyone does, from end-users, administrators, PC support people, the server administrators, and application owners. if everyone’s consistent with this framework, there’s a very good level of preparation to deal with the incident,” said Vanover.
Some of the questions addressed by this Veeam paper are:
- What immutability options are out there on the market?
- What is an air gap?
- How can ransomware be detected?
- What is the state of ransomware response plans?
- How does data become identified?
- What is the difference between the 3-2-1 and the new 3-2-1-1-0 rule?
Vanover summarized the three big takeaways of this whitepaper as:
- The world needs immutable copies of data more than ever.
- The world needs mechanisms to detect and monitor ransomware more than ever.
- Organizations need to prepare the response right now.
“I see a lot of organizations not execute the response to an incident as being one of the problems. For example, they can spend a day trying to decide what to do. They can spend a day trying to get approval on, hey, do we actually call this a disaster?” said Vanover. “If we don’t have immutable copies of data, I can’t ensure recovery. If we don’t have good monitoring and alerting, that’s going to slow down our response. If we don’t have good response mechanisms, then those are the scenarios when we end up on the news.”
Vanover said there are a lot of immutable options in the market, from storage providers to cloud providers, and even hardware systems. He is sure that even yesteryears tape media is “a very resilient specimen” for mutability, especially when the tape media is removed from a library.
“The very good news is that there are a lot of options right now, if it’s the public cloud, if it’s object storage systems, on-premises, even Linux immutable file systems,” added Vanover.
The 3-2-1-1-0 Rule for Immutable Backups
For many years, Veeam has advocated for using the 3-2-1 Rule as a general data management strategy. Digital photographer Peter Crowe created the 3-2-1 Rule for storage media. The Rule recommends that there should be at least three copies of important data, on at least two different types of media, with at least one of these copies being off-site. The 3-2-1 Rule is hardware agnostic and is versatile enough to address nearly any failure scenario.
However, as the threat of ransomware has advanced, Veeam has now emphasized that the “one” copy of data be ultra-resilient (i.e., air-gapped, offline or immutable). This recommendation is imperative to becoming resilient against ransomware and to create immutable backups.
This is reflected in the 3-2-1-1-0 Rule, which addresses this ultra-resilient copy requirement for immutable backups. So, the 3-2-1 Rule has advanced to recommend that one copy of your data be immutable, offline, or air-gapped, which means zero backup errors with Veeam’s industry-leading SureBackup® automated recovery verification.
“The 1-0 is the new twist Veeam added, and it addresses additional threats with data, namely ransomware. The additional advice is to have one of these copies be immutable, offline or air gapped. And then the zero is to have automated recovery verification. So, knowing that your backups are recoverable, that’s an additional important check to have,” said Vanover.
Veeam Software is a privately held US-based information technology company owned by Insight Partners that develops backup, disaster recovery and modern data protection software for virtual, physical, and multi-cloud infrastructures.
The paper can be accessed here.