In last month’s story about UnitedHealth Group’s painstakingly slow recovery from a ransomware attack, we established that data protection (backup & recovery) and cybersecurity are increasingly intertwined in the context of ransomware resilience.
Here’s a quick summary of that strategic insight:
Strong cybersecurity systems and policies are often a first line of defense against ransomware, making it difficult for criminals to get into private networks, systems, and devices. However, because criminals can still “steal the keys” to the castle through vectors such as phishing and social engineering, ransomware will always remain a threat, even to organizations with excellent security postures and outsized IT expenditures.
Once ransomware sneaks through and has compromised critical systems, backup & recovery teams must take up the baton (from cybersecurity teams). If the victimized organization has its backup operations in good order, the organization can recover quickly and completely. Hence, modern ransomware resilience is a function of strong coordination between the cybersecurity and data protection functions.
Let’s explore how this modern reality is reflected in today’s landscape of commercial backup and backup monitoring software.
Built-in Threat/Anomaly Detection in Backup Products
Many modern backup products now provide built-in threat detection capabilities that enable data protection teams to spot malware, anomalies / ransomware encryption activity, and IoCs (indicators of compromise) in data that is being backed up.
This functionality can provide IT teams with early warnings about ransomware activity that could otherwise remain undetected (until applications and systems are already down).
Here are a few examples of such capabilities in backup software today:
- Veeam Malware Detection Engine
- Cohesity DataProtect (built-in ransomware detection)
- Rubrik Anomaly Detection
Backup Immutability
When ransomware gets into an organization’s IT infrastructure and begins encrypting files, it can also target backups and render them useless for recovery.
Modern backup solutions provide organizations with options to make backups immutable, or impossible to alter or delete.
Having at least one immutable backup for every protected system, for instance as part of what Veeam calls a “3-2-1-1-0” backup rule (see graphic below), can help organizations ensure successful recovery from ransomware attacks.
Source: https://www.veeam.com/blog/321-backup-rule.html
Immutable backups come in many different forms, including:
- Immutable Storage Systems: Some storage systems are designed with immutability in mind. These systems use advanced techniques to prevent data from being modified or deleted once it has been written. They often employ features such as cryptographic hashing, digital signatures, and access controls to enforce immutability.
- Write Once, Read Many (WORM) Technology: This technology ensures that data can only be written once and then read many times. Once data has been written to a WORM device or storage system, it cannot be altered or deleted. Optical discs like CD-Rs (Compact Disc Recordable) and WORM tape drives are examples of WORM technology.
- Blockchain Technology: Blockchain is a decentralized, distributed ledger technology that can be used to create immutable backups. Data stored on a blockchain cannot be altered retroactively without altering all subsequent blocks, which makes it highly resistant to tampering.
- Immutable Object Storage: Object storage systems can be configured to support immutability by enforcing strict access controls and versioning. Once an object is written to the storage system, it cannot be modified or deleted. Any changes to the object result in the creation of a new version.
- Data Deduplication and Backup Chains: Some backup solutions employ data deduplication techniques to create immutable backups. Once a backup chain is created, each subsequent backup depends on the previous one, making it difficult to alter or delete individual backups without affecting the entire chain.
- WORM Software Solutions: There are software solutions available that enforce immutability at the file or object level. These solutions typically use encryption, access controls, and auditing mechanisms to prevent unauthorized modifications or deletions.
Important: Ensuring your organization has an immutable backup copy for every system within mandated RPOs can be the difference between recovering quickly from ransomware and suffering terminal data loss.
Make sure your backup monitoring tool is capable of reporting on immutability; if it’s not, get in touch with Bocada.
Integrated solutions
While many modern backup tools have started providing the aforementioned capabilities to help data protection teams spot threats and mitigate damage from ransomware attacks, many organizations desire even more integration between their backup and security tools.
Here are a few recent market developments, for example:
- Veeam Launches Most Complete Support for Ransomware – from Protection to Response and Recovery – with Acquisition of Coveware
- Rubrik and CrowdStrike Team Up to Transform Data Security
- Commvault Joins Forces with Leading Security, AI Companies to Help Customers Stay Ahead of Bad Actors and Escalating Cyber Threats
- Cisco Transforms Crisis to Control with New Automated Ransomware Recovery
- CrowdStrike and AWS Extend Strategic Partnership to Accelerate Cloud Security and AI Innovation
Reliable backup monitoring is non-negotiable
Just as security teams rely on SIEM tools like Splunk to synthesize data across an organization’s infrastructure into security insights and reports, backup teams use backup monitoring tools like Bocada to help manage their backup environments.
Bocada provides data protection teams with single-pane backup monitoring that centralizes and automates an organization’s backup data collection, dashboards, alerting, and incident management (in ITSM tools such as ServiceNow).
With support for more than 40 popular backup, storage, and ITSM tools, Bocada allows orgs to quickly spot backup failures (on-prem or in the cloud) and automate alerting and ticket management to cut time to remediation. 70+ schedulable/on-demand reports enable backup admins using Bocada to easily support any audit or SLA reporting requirement.
Integrating backup monitoring with security monitoring (SIEM)
To better align data protection and cybersecurity, some organizations may wish to consolidate their backup monitoring and security monitoring for a more comprehensive view of their incident readiness.
With Bocada, this is supported in two ways:
- Bocada provides open-source reporting templates for Splunk, Power BI, and Tableau. Bocada customers can simply connect their Bocada database to Splunk and begin to use Bocada reports in Splunk, for example. (See details)
- Bocada has a REST API that enables organizations to integrate Bocada’s normalized backup data into any application(s) of their choosing. Contact Bocada to learn more.
Stepping up to the challenge
As we have seen in the aftermath of the UnitedHealth Group ransomware attack in 2024, cybersecurity and data protection are both critically important for ransomware resilience.
Growing awareness of this modern reality has shaped the development trajectories of both modern backup products and leading cybersecurity products, enabling better integrated solutions, purpose-built new technologies (e.g., immutable backups), and even intentional overlap in some capabilities (e.g., anomaly/threat detection) – to ensure no stone is left unturned.
As we go forward, backup operators must learn to modernize their mindsets and their systems to embrace this new reality: that they are just as important to their organizations’ cyber resilience as their security counterparts.