Op-Ed: Shaving time and complexity off ransomware recovery


We often hear when Australian businesses are ransomwared, but what happens next? The incident response, forensic investigation, and system recovery processes are rarely revealed or recounted.

There are likely multiple reasons why this is the case. One is that recovery from these incidents is often gruelling, with one in four teams needing a month or more to get back to business as usual.

Around-the-clock efforts to get back online are often part and parcel of the post-incident period. It’s an experience security teams are likely to be in no hurry to retell or relive.

It is worth examining why recovery from a ransomware attack takes so long, and in particular, whether architectural changes and/or additional tooling at an infrastructure level might help businesses to get back on their feet faster.

From a local data storage perspective, many businesses have similar infrastructure set-ups, where production servers talk to primary storage, and that data is replicated elsewhere for backup purposes. The backups may be point-in-time snapshots or it may be that data is actively replicated and synchronised between two sites that operate in an active-active configuration.

From a backup perspective, the most important thing is to hold an immutable copy of the primary storage environment, with a retention period set on that copy so that it cannot be deleted before the period expires. This is the secure copy of data the business can restore from in the event of a cyber attack. For added safety, it’s also important to put some sort of air gap between the backup and the primary storage environment.

Immutability is an important principle to consider when looking at the cyber resiliency of data infrastructure. The idea is to take a volume of data and make it immutable in such a way that if the business is hit by ransomware, that data cannot be altered by anyone, under any circumstances.
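To make the two properties described above concrete (a copy that cannot be altered once written, and a retention lock that blocks deletion by anyone until it expires), here is an added, constructed model of a retention-locked backup store. It is illustration code written for this page, not code from the op-ed or from any storage vendor; the class, method and policy names are assumptions, and the snapshot bytes and timestamps are constructed. It also shows the integrity check a restore should run first, which is what makes the copy a trustworthy restore point.

```python
"""
Illustrative model of a retention-locked ("immutable") backup copy.

Added example, not code from the op-ed or from any storage product. It models
the properties the text calls out: a backup object cannot be modified once
written, and cannot be deleted by any actor (administrators included) until its
retention period has expired. Names and policy details are assumptions chosen
for this illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class RetentionViolation(PermissionError):
    """Raised when a caller tries to alter or delete a locked backup object."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    data: bytes
    sha256: str
    written_at: datetime
    retain_until: datetime


@dataclass
class ImmutableBackupStore:
    """Write-once store: objects can be read and verified, never rewritten."""
    objects: dict[str, BackupObject] = field(default_factory=dict)

    def write(self, name: str, data: bytes, retention: timedelta, now: datetime) -> BackupObject:
        if name in self.objects:
            # Immutability: an existing copy is never overwritten, whatever the new bytes are.
            raise RetentionViolation(f"{name!r} already exists and cannot be overwritten")
        obj = BackupObject(name, bytes(data), hashlib.sha256(data).hexdigest(), now, now + retention)
        self.objects[name] = obj
        return obj

    def delete(self, name: str, now: datetime, actor: str) -> None:
        obj = self.objects[name]
        # No actor can bypass the lock; deletion is only possible after expiry.
        if now < obj.retain_until:
            raise RetentionViolation(f"{actor} cannot delete {name!r}: locked until {obj.retain_until.isoformat()}")
        del self.objects[name]

    def extend_retention(self, name: str, new_retain_until: datetime) -> BackupObject:
        """Retention may only be extended; shortening it would defeat the lock."""
        obj = self.objects[name]
        if new_retain_until <= obj.retain_until:
            raise RetentionViolation("retention period can be extended but never shortened")
        new_obj = BackupObject(obj.name, obj.data, obj.sha256, obj.written_at, new_retain_until)
        self.objects[name] = new_obj
        return new_obj

    def verify(self, name: str) -> bool:
        """Recompute the digest to confirm the copy is bit-for-bit what was written."""
        obj = self.objects[name]
        return hashlib.sha256(obj.data).hexdigest() == obj.sha256

    def restore(self, name: str) -> bytes:
        """Return the copy only if its integrity check passes."""
        if not self.verify(name):
            raise ValueError(f"{name!r} failed integrity verification; do not restore from it")
        return self.objects[name].data


def demo() -> dict[str, object]:
    """Exercise the lock on a constructed snapshot; returns the outcomes for checking."""
    store = ImmutableBackupStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    snap = "db-snapshot-2024-01-01"
    store.write(snap, b"constructed sample snapshot bytes", timedelta(days=30), t0)

    results: dict[str, object] = {}
    try:  # an attempt to replace the copy with different contents is refused
        store.write(snap, b"different contents", timedelta(days=1), t0)
    except RetentionViolation:
        results["overwrite_blocked"] = True
    try:  # even an administrator cannot delete inside the retention window
        store.delete(snap, now=t0 + timedelta(days=10), actor="admin")
    except RetentionViolation:
        results["early_delete_blocked"] = True
    try:  # the window cannot be shortened to force an early deletion
        store.extend_retention(snap, t0 + timedelta(days=5))
    except RetentionViolation:
        results["shorten_blocked"] = True
    store.extend_retention(snap, t0 + timedelta(days=60))  # extending is allowed
    results["verified"] = store.verify(snap)
    results["restored"] = store.restore(snap)
    # Once the (extended) retention period has expired, routine deletion is permitted.
    store.delete(snap, now=t0 + timedelta(days=61), actor="admin")
    results["deleted_after_expiry"] = snap not in store.objects
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point is that the lock is enforced by the store itself rather than by who is asking: the `actor` argument is recorded for the error message but never consulted for the decision, because a ransomware operator who has obtained administrative credentials must not be able to clear the backups either. Real object-lock and WORM features expose the same shape of policy (write-once, retention that can only grow, deletion refused until expiry), so the behaviour modelled here is what to test for when validating a backup platform.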

Air gapping is another important security principle. An air gap can be logical or physical; in a traditional infrastructure set-up, point-in-time backups may be stored on tape, which acts as a physical air gap to the primary storage environment. However, tape has its own challenges, and it may be that a…

Source…