The solution to ransomware is real-time data protection. The moment data changes, it needs to be copied to a secondary storage system and sequestered from primary storage. Then, if a ransomware virus attacks, the last known good copy is accessible from secondary storage the moment IT stops the virus. The problem is developing a process to provide this real-time protection without breaking the bank.
What Data is at Risk?
The first step in beating ransomware is understanding what data is at risk and, more importantly, what servers can be compromised to allow the virus in. The reality is that all data is at risk, but most high-profile servers like databases are well protected. They are patched frequently and have their own frequent backup techniques. At risk are file servers and network attached storage systems. These are not updated as frequently, and users are constantly interacting with them. Also, backups for these systems are typically done once per night. So, even if that night’s backup is successful, the organization exposes a full day’s worth of work to an attack.
Protecting from the Ransomware Attack
Of course, patching servers and user devices is critical, and so is training users not to click on suspicious links. But eventually a mistake will happen and the virus will get through. When it does, the virus spreads very quickly. The organization needs tools to identify massive changes to files occurring over a short period of time.
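One way to spot the massive, rapid file changes described above, shown as an added example (not code from this article or from any vendor product): a sliding-window counter over file-change events. The event format, the 60-second window and the 100-file threshold are assumptions, and the sample events are constructed.

```python
from collections import deque

# Assumed thresholds (not from the article); tune to the share's normal churn.
WINDOW_SECONDS = 60
MAX_FILES_PER_WINDOW = 100


def detect_change_bursts(events, window=WINDOW_SECONDS, limit=MAX_FILES_PER_WINDOW):
    """Return [(account, alert_time)] for each account that changes more than
    `limit` distinct files within `window` seconds.

    events: (timestamp_seconds, account, path) tuples sorted by timestamp.
    """
    recent = {}   # account -> deque of (timestamp, path) still inside the window
    counts = {}   # account -> {path: number of in-window changes}
    alerts, alerted = [], set()
    for ts, account, path in events:
        q = recent.setdefault(account, deque())
        c = counts.setdefault(account, {})
        q.append((ts, path))
        c[path] = c.get(path, 0) + 1
        # Evict changes that have aged out of the window.
        while q[0][0] <= ts - window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Repeated saves of one file count once; alert once per account.
        if len(c) > limit and account not in alerted:
            alerted.add(account)
            alerts.append((account, ts))
    return alerts


def sample_events():
    """Constructed events: one user saving 5 documents over an hour, and one
    account rewriting 500 files at 10 files per second."""
    normal = [(i * 30, "alice", f"/share/docs/report{i % 5}.docx") for i in range(120)]
    burst = [(1800 + i // 10, "bob", f"/share/finance/file{i}.xlsx") for i in range(500)]
    return sorted(normal + burst)


if __name__ == "__main__":
    for account, ts in detect_change_bursts(sample_events()):
        print(f"ALERT: {account} exceeded {MAX_FILES_PER_WINDOW} changed files at t={ts}s")
```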
Once the attack is identified, the organization needs to recover data that has been encrypted. The problem is that in most cases many, if not all, files are affected, and that means a long and onerous recovery.
The solution is to implement a system that can monitor itself and the moment a file changes or is added, the file is copied to a secondary storage target. That data should be stored “read-only” so the ransomware can’t encrypt it. It also should be sequestered with limited access. Basically, access should come from only a few users with unique logins and the agent that is sending changed files.
Recovering From an Attack
Once the attack is identified and stopped, IT needs to restore access to the data. Considering the ransomware can impact millions of files, copying all this data back may take too long. But it does not make sense to provide direct access to the secondary storage system either, since the virus could still be somewhere in the network. Instead, the secondary system should restore stub files back to the primary data store. These are small 4k files IT can restore quickly.
Then, as users access these stub files, the file is copied back from the secondary storage to primary storage. While these users might (but probably won’t) notice the few milliseconds of delay in access, this process keeps the copy on secondary storage secure. Over time all the files are moved back to primary storage as the user accesses them.
Protecting Against Theft
Another aspect of this solution is that it also protects against another type of attack, where instead of encrypting the data for ransom, the attack steals the data for release to the public and potential embarrassment to the organization. The dual storage solution allows the organization to quickly move data from primary storage to secondary storage, which is sequestered. If the organization is breached, the available data is limited. In most cases less than 15 percent of data needs to be on primary storage.
Driving Down the Cost of Primary Storage
Another benefit to this dual storage system approach is it drives down the cost of primary storage. By moving less active data to more secure secondary storage, the organization can reduce the capacity and performance requirements for their primary storage tier. The cost savings realized in that movement could pay for the entire investment. Essentially, the organization gets ransomware protection for free.
The three benefits of a dual storage system strategy are the real-time protection from ransomware, the protection against data theft and the ability to drive down the cost of primary storage. These three benefits should have organizations running toward these solutions.
Sponsored by Nexsan