Friday, April 16, 2021

Disaster Recovery to Cyber Recovery--What is the New Best Future State?

A transcript of a discussion on new ways of protecting data backups first and foremost so that safe cyber recovery becomes an indispensable tool in any IT and business security arsenal.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys and Dell Technologies.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you’re listening to BriefingsDirect.

The clear and present danger facing businesses and governments from cybersecurity threats has only grown more clear and ever-present as we enter 2021.

As the threats from runaway ransomware attacks and state-sponsored backdoor access to networks deepen, too many businesses have a false sense of quick recovery using traditional business continuity and backup measures.

That’s because the criminals are increasingly compromising vulnerable backup systems and data first -- before they attack. As a result, visions of flipping a switch to get back to a ready state may be a dangerous illusion that keeps leaders under a false sense of business as usual.

Stay with us now as we explore new ways of protecting the backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal. We will now learn how Unisys and Dell Technologies are elevating what was data redundancy to protect against natural disasters into something much more resilient and powerful.

To learn more about the latest in rapid cyber recovery strategies and technologies, please join me in welcoming our guests, Andrew Peters, Director of Global Business Development for Security at Unisys. Welcome, Andrew.

Andrew Peters: Hi. Thank you, Dana.

Gardner: We are also here with David Finley, Director of Information Assurance and Security in the Data Protection Division at Dell Technologies. Welcome, David.

David Finley: Thank you, Dana. I’m glad to be here.

Gardner: David, what’s happened during the last few years -- and now especially with the FireEye and SolarWinds attacks -- that makes cyber recovery as opposed to disaster recovery (DR) so critical?

Best defense is good offense

Finley: I have been asked that question a few times just in the last few weeks, as you might imagine. And there are a couple of things to note with these attacks, SolarWinds and FireEye.

Finley

One, especially with FireEye, it was demonstrated to the entire world something that we didn’t really have our eyes on, so to speak, and that is the fact that folks that have really good security -- where they sit back and the Chief information security officer (CISO) and the security team say, “We have really good security, we spent a lot of money, we have done a lot of things, we feel pretty good about what we have done.” That’s all great, but what was demonstrated with FireEye is that even the best can be compromised.

If you have a nation state-led attack or you are targeted by a cybercrime family, then all bets could be off. They can get in and they have demonstrated that with these latest attacks.

The other thing is, they were able to steal tools. Nothing worse can happen than the bad guys having new toolsets that they can actually use. We believe that with the increased threat from the bad actors because of these things, we really, really need the notion of a cyber vault or the third copy, if you will. Think about the 3:1 rule -- three copies, two different locations, one off-site or offline. This is really where we need to be.

Gardner: Andrew, it sounds like we have to assume that we are going to be or are already attacked. Just having a good defense isn’t enough. What’s the next level that we need to attain?

Peters
Peters: A lot of times organizations think their security and their defenses are strong enough to mitigate virtually anything that happens to the organization. But what's been proven now is that the bad guys are clever and are finding ways in. With SolarWinds, they found a backdoor into organizations and are coming in as a trusted entity.

Just because you have signed Security Assertion Markup Language (SAML) tokens and signed certificates that you trust, you are still letting them in. It’s just been proven that you can’t exactly trust them. And when they come inside an organization and they win, what do you do next? What do you do when you lose? The concept here is to plan to win, but at the same time prepare to lose.

Gardner: David, we have also seen an uptick in the success of ransomware payouts. How is that also changing the landscape for how we protect ourselves?

Finley: I was recently was thinking about that and I saw something written, it might have been a Wall Street Journal article, on security recently. They said CISOs in organizations have a decision to make after these kinds of attacks. The decision really becomes pretty simple. Do they pay the ransom or do they not pay the ransom?

We would all like to say, “Don’t pay the ransom.” The FBI says don’t pay the ransom, because of the obvious reasons. If you pay it, they may come back, they are going to want more, and it sets a bad precedent, all those things. But the reality is when this actually happens to a company, they have to sit down and make the hard decision: Do I pay or do I not pay? It’s based upon getting the business running again.

We want to position ourselves together with Unisys to create a cyber vault that is secured in a way that our customers will never have to pay the ransom.

If we have a protected set of data, and it's protected in a vault secured by zero trust, to be able to get it back into play -- that's the best answer. It means not paying the ransom.

If we have a protected set of data that is the most important data to the firm – the stuff that they have to have tomorrow morning to actually run the business -- and it’s in a protected vault secured by zero trust, through Unisys Stealth software, to be able to secure it and get it back out and put it back into play, that’s the best answer.

So that means not paying the ransom and still having the data available to bring the business back into play the next day. A lot of these attacks, as we know, are not only stealing data, like they did recently with FireEye, but also encrypting, deleting, and destroying the data.

Gardner: Another threat vector these days is that more people are working remotely, so there are more networks involved and more vulnerable endpoints. People are having to be their own IT directors in their own homes, in many cases. How does the COVID-19 work-from-home (WFH) trend impact this, Andrew?

Work from home opens doors

Peters: There are far more points of entry. Whereas you might have had anywhere from 10 percent to 15 percent of your workforce remotely accessing the network, and that access was fairly controllable, now you have up to 100 percent of your knowledge workers working remotely and accessing the network. There are more points of entry. From a security perspective, more rules need to be addressed to control access into the network and into operations.

Then one of the challenges an organization has is that once they are on the inside of these big, flat networks the bad guys can map that network. They learn the systems that are there and they learn the operations extremely well and manipulate them, taking advantage of zero-day vulnerabilities in the systems and so operate within that environment without even being discovered. Once again, going back to the SolarWinds, they were operating for about eight months before they were eventually discovered.

Gardner: And so are we at a point going on 30 years of using wide area networks (WANs), and we are still under a false sense of security. David, do we not understand the threats around us?

Finley: There is the notion within our organizations and within the public sector that we believe what we have done is good enough. And good enough can be our enemy. I can’t tell you the number of times I have spoken with folks during incident response or after incident response from a cyberattack where they said, “We thought we were secured. We didn’t know that this could happen to us, but it did happen to us.”

That false sense of security is very real, evidenced by these high-level attacks on firms that we never thought it would happen to. It's not just FireEye and it's not just SolarWinds. We have had attacks on COVID-19 clinical trial providers, we have had attacks on our own government entities. Some of these attacks have been successful. And a lot of these attacks don’t even get publicized.

The most dangerous thing is a false sense of security. A lot of times these attacks happen and get swept under the rug. They quietly get cleaned up. That leads to a false sense of security.

Here is the most dangerous thing in this false sense of security we are talking about. I ask customers what percentage of the attacks do you actually believe you have visibility into within your own region? And the answer, the honest answer, is usually probably less than 20 percent.

But because I do this every day for a living, as does Andrew, and we probably have visibility to maybe 50 percent, because a lot of times these attacks happen and they get swept under the rug. They quietly get cleaned up, right? So we don’t know what’s happening. That also leads us to a false sense of security.

So again, I believe that we do everything we can upfront to secure our systems, but in the event that something does get through, we need to make sure that we have a secure offline copy of these backups and of our data.

Be prepared to resist ransom

Peters: An interesting dynamic I have noticed since the pandemic is that organizations, while they recognize it’s important to have that cyber recovery third copy to bring themselves back from the brink of extinction, say they can’t afford to do it right now. The pandemic has squeezed them so much. 

Well, we know that they are invested in backup. We know they are invested in DR, but they say, “Okay, we may table this one because it’s something that is a bit too expensive right now.”

However, on the other side, there are organizations that are picking up on this at this time, saying, “You know what? We see this is way more critical because we know the attacks are picking up.”

But the challenge here is the organizations that are feeling squeezed, that they can’t afford to invest in a solution like this, the question is, can they afford not to invest in this given all the exposure of the threats to their organizations. And we keep going back to SolarWinds, which is a big wake-up call.

But if we go back to other attacks that happened to organizations in the recent past -- such as the WastedLocker backdoor and the procedures the bad guys are using to get into organizations to learn how they operate, to find additional backdoors and operate within that environment, and to even learn to avoid the security technologies that were put in there specifically to detect such breaches – they can operate with impunity within that environment. Then they eventually learn that environment well enough to shut them down enough so that the company has two choices. That company can either pay the ransom or go out of business.

And if you are a bad guy, what would be your goal? Do you want to expose the company’s information and embarrass them? No, you want to make money. And if they are in the process of making money, how do they do it? You have to squeeze an organization as much as possible. And that’s what ransomware and these backdoors are designed to do -- squeeze an organization enough to where they are forced to pay the ransom.

Gardner: So we need a better, fuller digital insurance policy. Yet many organizations have insurance in the form of DR designed for business continuity, but that might not be enough.

So what are we talking about when we make this shift from business continuity to cyber recovery, David? What are the fundamental challenges organizations need to overcome to make that transition? 

Cyber more likely than natural disaster

Finley: The number-one challenge I have seen over the past four or five years is that we need to realize that DR -- and all the tenets of DR -- will not cover us in the event of a cyber disaster. So those are two very different things, right?

Oftentimes I challenge people with the notion of how they differ. And just to paint a picture, we have been doing DR basically the same way for many decades. The way it normally works is we have our key systems and their data connected to another site outside of a disaster radius, such as for earthquakes, floods, tornados, and hurricanes. We copy that data through a wide-open pipe to the other side on a regular basis. It’s an always-open circuit to the other side, and we have been doing it that way for 40 years.

What I often ask customers is based on that, how much do you spend every year to do DR? What does it really cost? Do you test? What are the real costs for DR for you? And there is usually a tangible answer.

The probability of cyber events is much higher than disaster events.The IT infrastructure and security groups have been making cyber recovery part of DR planning -- and it's taken a long time to get there. We have to change how we approach this.

With that in mind, the next question is, “If you look at the probability of something happening in the future to you, what do you think is more probable -- a natural disaster event or a cyber disaster? What’s more probable?” And the answer is unanimously, it’s been 100 percent in recent years, it’s going to be a cyber disaster.

Of course, the next question is, “How do you deal with cyber recoveries and is it a function of DR within your organization?” And the answer usually is, “Well, we don’t deal with it very well.”

So the IT infrastructure and security groups have in the last year been making cyber recovery part of DR planning -- and it’s taken a long time to get there. When you think about that, if the probability of cyber events is much higher than disaster events -- and we spend $1 million a year on DR -- how much do we spend for cyber recovery? The answer historically has been that they spend very little on true cyber recovery.

That’s what has to change. We have to change how we approach this. We have to bring the security and risk folks into those decisions on protecting data. We need to look at it through the lens of a cyber event destroying all of the data, just as a hurricane may destroy all of the data.

Peters: You know, Dave, in talking to a lot of organizations on what exactly they are going to do if they have a ransomware meltdown, we ask, “How are you going to recover?” They say, “We are going to go to our DR.” 

Hmm, okay. But what if you discover in your recovery process those files are polluted? That’s going to be a bad situation. Then they may go find some tapes and stuff. I ask, “Okay, do you have a runbook for this?” They say, “No.” Then how will they know exactly what to do?

And then the corollary to that is, how long is this recovery going to take? How long can you sustain your operations? How long can you sustain your company, and what kinds of losses are you prepared to sustain?

Wow, and you are going to figure this all out when you are going through the process of trying to bring your organization back after a meltdown? That’s usually the tipping point where you are going to say, like other organizations have said, “You know what? We are just going to have to pay the ransom.”

Finley: Yes, and that also begs the question that we often see folks miss. And that is, “Do you believe that your CEO and/or your board of directors -- the folks who don’t do IT as an everyday job, the folks who are running the business -- do they understand the difference between DR and cyber recovery?”

If I were to ask people on the board of any organization if they were secure in their DR plans, most of them would say, “Yes, that’s what we pay our teams to do.”

If I were to ask them, “Well, do you believe that being able to recover from cyber disasters is included in that and done well?” The answer would also be, “Yes.” But oftentimes that is simply not the truth.

They don’t understand the difference between DR and cyber recovery. The data can all be gone from a cyber event just as easily as it can be gone from a hurricane or a flood. We have to approach it from that perspective and start thinking through these things.

We have to take that to our boards and have them understand, “You know what? We’ve spent a lot of money for 40 years on DR, but we really need to start spending money on cyber recovery.”

Yet we still get a lot of pushback from customers saying, “Well, yes, of course making a third copy and storing it somewhere secure in a way that we can always get it back -- that’s a great idea -- but that costs money.”

Well, you have been spending millions of dollars on DR, so make cyber recovery part of that effort.

Gardner: To what degree are the bad guys already targeting this discrepancy? Do they recognize a capability to go in and compromise the backups, the DR, in such a way that there is no insurance policy? How clever have the bad guys become at understanding this vulnerability?

Bad guys targeting backups

Peters: What would you do if you were the bad guy and you wanted to extort money from an organization? If you know they have any way of quickly recovering, then it’s going to be pretty hard to extort from them. It’s going to be hard to squeeze them.

These guys are not broke, they are often professional organizations. There’s a lot of focus on the GRU, the former KGB operation that’s in Russia, and Cozy Bear and a number of these different organizations are well-funded. They have very clever people there. They are able to obtain technologies, reverse engineer them, understand how the security technologies operate, and understand how to build tools to avoid them. They want to get inside of organizations and learn how the operation runs and learn specifically what’s key and critical to an organization.

The second thing, while they want to take out the primary systems, they also want to make sure you are not able to restore them. This is not rocket science.

So, of course they are going to target backups. Are they going to pollute the files that you are going to actually put in your backups so if an organization tries to recover, they can create a situation that is bad, if not worse, than it was previously? What would you do? You have to figure that this is exactly what the bad guys are doing in organizations -- and they are getting better at it.

Finley: Andrew, they are getting better at it. We have been watching this pretty closely for the last year now. If you go out to any of the pundits or subscribe to folks like Bleeping Computer, Security Today, CIO.com, or CISO, you see the same thing. They talk about it getting worse. It’s getting worse on a regular basis.

They are targeting backups. We are finding it actually written in the code. The first part of what they are going to do when they drop this on the network is they are going to go seek out security tools to disable them. Then they are going to seek out shadow copies to link to them and seek out backup catalogs and link to them.

And this is the one that a lot of people miss. I just read this recently, by the FDIC, and they are publishing this to their member banks. They said DR has been done well for a number of decades. You copy information from one bank to another or from one banking location to another and you are able to recover from disasters and spin up applications and data in a secondary location. That’s all great.

But realize that if you have malware attacking you in your primary location, it very often will make its way to your DR location, too. The FDIC said this pointblank, they said, “And you will get infected in both locations.”

A lot of people don’t think about that. I had a conversation last year with a CISO who said that if an attack gets to your production environment they can manage to move laterally and get to your DR site. And then the date is gone. And this particular CISO said, “You know, we call that an ‘Oh, crap’ moment because there is nothing we can do.”

That’s what we now need to protect against. We have to have a third copy. I can’t stress it nearly enough.

Gardner: We have talked about this third copy concept quite a bit. Let’s hear more about the Dell-Unisys partnership. What’s the technology and strategy for getting in front of this so that cyber recovery becomes your main insurance policy, not your afterthought insurance policy?

Essential copy keeps data dynamic

Finley: We want everyone to understand the reality. The bad guys can get in, they can destroy DR data, we have seen it too many times. It is real. These backups can be encrypted, deleted, or exfiltrated. And that is the fact, so why not have that insurance policy of a third copy?

There’s only way to truly protect this information. If the bad guys can see it, get to the machines that hold it, and get to the data – whether the data is locked on disk or not – they can destroy it. It’s a real simple proposition.

We identified many years ago that the only way to really, truly protect against that is to make a copy of the data and get it offline. That is evidenced today by the guidance being given to us by the US federal government, Homeland Security agency, and FBI. Everybody is giving us the same guidance. They are saying take the backups, the copies of your data, and store them somewhere away from the data that you are protecting – and ideally on the other side of an air gap and offline.

When we create this third copy from our Dell solution for cyber recovery we take the data that we backup every day and move that key data to another site, across an air gap. The idea is the connection between the two locations is dark until we run a job to actually move the data from production to a cyber recovery vault.

With that in mind, there is no way in until we bring up that connection. Now, that connection is secured through Unisys Stealth and through key exchanges and certificate exchanges to where the bad guys can’t get across that connection. They can’t get in. In other words, if you have a vault that’s going to hold all your important data, the bad guys can’t get in. They can’t get through the door. Even though we open a connection, they can’t use that connection to ride into our vault.

And with that in mind we can take that third copy and store it in this cyber vault and keep it safe. Now, getting the data there and having the systems outside the vault communicate to the machines inside the vault – to make sure that all of that is secure – is something we partnered with Unisys on. I will let Andrew tell you about how that works.

Secure data swiftly in cyber vault

Peters: Okay. First off, Dave, you are not talking about putting all of the data into the vault, right? Specifically people are looking at only the data that’s critical to an operation, right?

Finley: Yes. And a quick example of that, Andrew, is an unnamed company in the paint industry. They create paint around the world and one of their key assets is their color-matching databases. That’s the data they put into the cyber vault, because they have determined that if that proprietary data is gone, they can lose $1 million per day.

We can take a third copy and store it in the cyber vault and keep it safe. We have partnered with Unisys on getting the data there and making the communication with all of the machines secure.

Another example is an investment firm we work with. This investment firm puts their trade databases inside of the cyber vault because they have discerned that if their trade databases are infected, affected, or deleted or encrypted – and they go down – then they lose multiple millions of dollars per hour.

So, to your point, Andrew, it’s usually about the critical business systems and essential information, things like that. But we also have to be concerned with the critical IT materials on your networks, right?

Peters: That’s right, other key assets like your Active Directory and your domain servers. If you are a bad guy, what are you going to attack? If they want to cripple you so much that even if you had that essential data, you couldn’t use it. They are going to try and stop you in your tracks. 

From a security perspective, there are a few things that are important – and one is data efficacy. First is knowing what I am going to protect. Next, how best am I going to securely move that critical data to a cyber vault? There is going to be automation so I am not depending on somebody to do this. This should happen automatically.

So, to be clear, I am going to move it into the secure vault, and I want that vault to be air gapped. I want it to be abstracted from the network and the environment so bad guys can’t find it. Even if they could find it, they can’t see anything, and they can’t talk to it.

The second thing I want is to make sure that the data I’m moving has high efficacy. I want to know that it’s not been polluted because bad guys are going to want to pollute that data. Typically, the things you put into the backup – you don’t know, is it good, is it bad, has it been corrupted? So if it’s going to be moved into the vault, we want to know if it’s good or if it’s bad. That way, if we are going to be going into a recovery, I can select the files that I know are good and I can separate them from the bad.

This is really important. That’s one of the critical things when you’re going into any form of cyber recovery. Typically you aren’t going to know what’s good data unless you have a system designed to discern good from bad.

You don’t want to be rebuilding your domain server and have the thing find out that it’s been polluted, that it’s locked, and that it has ransomware embedded in it. Bad guys are clever. You have to ask, “What would I do if I were a clever bad guy?” Sometimes it’s hard to think like that unless you put your bad guy hat on. 

There’s another important element here, too. The element of time. How quickly am I going get to this protected data? I have all of this data, these files and these applications, and they’re in my protected vault. Now, how am I going to move them back into my production environment?

But my production environment actually might still be polluted. I might still have IT and security personnel trying to clean up that environment. At the same time, I have to get my services back up and running, but I have a compromised network. And what’s the problem? The problem is time.

Ultimately, all of this comes down to business continuity and time. How quickly can I continue my critical operations? How quickly am I going to be able to get them up and running – despite the fact that I still have a lot of issues with ransomware and with hackers inside my IT operations?

From a security and rapid recovery perspective, there are some unique things that we can do with a cyber recovery approach. A cyber recovery solution automates the movement of your critical data into a secure vault, then analyzes it for data efficacy to determine if the data has been compromised. It also provides you with a runbook so you know how you’re going to get that data back out and get those systems operating so you can get users back online.

So even with a zero-day attack, by being able to use things like cryptography, cloaking, and basically hiding things from the rest of the network, I can get cryptographic micro-segmentation to restore the operations of critical services and get users back up on those services. Even if my network is compromised, I can start doing that very, very quickly.

When you put the whole cyber recovery solution that we have together – with automation, the security built in, to get to the critical data on a daily basis, move it into a vault, analyze it, and then obtain a runbook capability – you can quickly move it all back out and get those critical services back up and running. 

Manage, monitor, and restore data

Finley: One of the things that I hope everyone understands is that we can create a secure vault, put information in it, and do that all securely. But as Andrew was saying, most folks also want the ability to monitor, manage, and update that secure vault from their security operations center (SOC) or from their network operating system (NOS).

When we first began our relationship with Unisys, around the Stealth software, I was very excited. For a couple years before that, we were working with folks to show them how to use firewalls to protect information going in and out of our cyber vault, or how to configure virtual private networks (VPNs) to make that happen.

But when we got together and I looked at the Unisys Stealth software a few years ago, from a zero trust networks perspective – instead of just agents on the machines – it becomes invisible.

When I saw the tunnels that Unisys creates to our Dell vault I realized it not only allows us to have a new way to manage everything from the outside, it allows us to take clean data inside the vault and restore it quickly through the secure tunnels back to the outside.

When I first saw that those tunnels Unisys creates to our Dell vault are as secure as they are, I quickly realized that not only did it allow us to have a new way to manage everything from outside – we can also monitor everything from outside. It allows us to take what we know is clean data inside the vault and be able to restore it quickly through one of those secure Stealth tunnels back out to the outside.

That is hugely important. We all know there are various ways to secure communications like this. Probably the least secure nowadays are VPNs, or remote access, if you will. The next secure, quite frankly, is viral access, or import access, and then the most secure is, I believe, zero trust software like we get with Unisys Stealth.

Peters: It’s not that I want to beat down on firewalls, because firewalls and ancillary technologies are very effective in protecting organizations – but they’re not 100 percent effective. If they were, we wouldn’t be talking about ransomware at all. The reason that we are is because breaches occur. The bad guys go after the low-hanging fruit, and they’re going to hit those organizations first. Then they’re going to get better at their craft and they’re going to go after more-and-more organizations.

Even when organizations have excellent security, you can’t always prevent against the things that people do. Or now, with SolarWinds, you can’t even trust the software that you’re supposed to trust. There are more avenues into an organization. There are more means to compromise. And the bad guys can monetize what they are doing through Bitcoin in these demands for ransoms.

So, at the end of the day, the threats to organizations are changing. They’re evolving, and even with the best defenses an organization has, you’re probably going to have to plan on being compromised. When the compromise happens, you have to ask, “What do we do now?”

Gardner: Are there any examples that you can point to and show how well recovery can work? Do we have use cases or actual customer stories that we can relate to show how zero trust cyber recovery works when it’s done properly?

Get educated on recovery processes

Finley: Sure, one happened not too long ago. It was a school system in California. And that particular school system worked with us to procure the cyber recovery solution, created a cyber vault, the third copy, and secured all of that. We installed it and got it all up and running and moved data into the vault on a Thursday of a particular week. And then they had a cyber event happen to the school system. This is one of the biggest school systems in that part of California. They had a cyber event over the weekend in that school system, and they had just gotten the vault up and running and had copied all of the critical data into it.

The data in the vault was secure. They were able to recover it as soon as they forensically could, according to the FBI, because the data was secure. It saved a bunch of time and a lot of effort and money.

Now, I contrast that to a couple other major attacks on other companies that happened in the last 120 days. One where they had no cyber vault, the customer data was attacked in production and a lot of DR was attacked. That particular set of events was done through a whole series of social engineering, but they were taken down encrypted and a lot of the data was destroyed.

It took them days, if not weeks, to begin the recovery process because of a lot of things that we all need to be aware of that happen. If you don’t have data that you know is secured somewhere else and that is clean, you’re going to have to verify that it’s clean before you can recover it. You’re going to have to do test recoveries to systems and make sure you’re not restoring malware. That’s going to take a long period of time. You’re not even going to be able to do that until law enforcement tells you that you can.

Also, when you’re in the middle of an incident response, regardless of who you are, the last thing you’re going to do is connect to the Internet. So if your data is stuck somewhere in a public cloud or clouds, you’re not going to be able to get it while you’re in the middle of an incident response.

The FBI characterizes your systems as a crime scene, right? They put up yellow tape around the crime scene, which is your network. They are not going to allow anybody in or out until they’re satisfied they’ve gathered all the date to be able figure out what happened. A lot of folks don’t know that, but it is simply true.

So having your critical data accessible offline, on the other side of the crime area, having it scrubbed every day do make sure it is absolutely clean, is very important.

In a case of a second company, it took days if not weeks before they could recover information.

There is a third example. The IT people there told me the cyber vault saved their company, and “saved our butts,” they said. In this particular case, the data was encrypted in all of their systems. They were using backup software to write to a virtual client and they were copying that day from virtual clients into our cyber vault.

They also had our physical clients, called Data Domain from Dell, in production and writing into the cyber vault. They did not have our analytics software to scrub and make sure it was clean because it was an older implementation. But at the end of the day, everything in production was gone. But they went to the vault data and realized that the data there was all still good.

The bad guys couldn’t get there. They couldn’t see the cyber vault, didn’t know how to get there, and so there was no way they could get to that information. In this case, they were able to spin up and restore it rather quickly.

In another incident example, in the cyber vault, they had our CyberSense software, which does cyber analytics on the data being stored. We can verify the data is clean at a 99.7 percent effective level to tell the customer the data is restorable and clean. In this case the FBI got involved.

The FBI actually used the information from our CyberSense software to help them to ascertain the who, what, when, and where of what happened. Once they knew who, what, when, and where, they knew the stored data was clean and we were able to do a more rapid rescue.

Plan ahead with precise processes

Peters: What’s important too is knowing what to do. For example, what applications are you going to recover first? What do you need to do to get your operations running? Where are you going to find the needed files? Who’s going to actually do the work? What systems you are going to recover them onto?

Have a plan of action versus, “Okay, we’re going to figure this out right now.” Have a pre-prescribed runbook that’s going to take you through the processes, procedures, and decisions that need to be made. Where is the data going to be recovered from? What’s going to be determined? How is it recovered? Who’s going to get access to it?

This is different than DR. This is different than backup, it's way different. It's its own animal. You can define the runbook so that you can recover fully.

All of these things. There’s a whole plan that goes into this. This is different than DR. This is different than backup, it’s way different, it’s its own animal. And this is another place where Dell expertise comes in, being able to do the consulting work with an organization to define the plan or the runbook so that they can recover.

Finley: I wanted to also point out a consideration about ransomware payments. It’s not always a clean option to actually make the payment because of the U.S. Treasury Office of Foreign Assets’ controls. If an organization pays the ransom, and the recipients of that payoff are considered a threat to the United States, they may be breaking another law if you pay them the ransom.

So that needs to be taken into consideration if an organization is breached for ransom. If they pay the ransom off, they may be breaking a federal law.

Gardner: Do the Dell cyber recovery vault and Unisys Stealth technologies enable a crawl, walk, and run approach to cyber recovery? Can you identify those corporate jewels and intellectual property assets, and then broaden it from there? Is there a way to create a beachhead and then expand?

Build the beachhead first

Finley: Yes, we like to protect what we call critical rebuild materials first. Build the beachhead around those critical materials first, then get those materials Active Directory and DNS zone tables in the vault.

Next put the settings for networks, security logs, and event logs into the vault -- the stuff in your production environment that you could get out of the vault and make everything work again.

If you have studied the Maersk attack in 2017, they didn’t have any of that, and that was a very bad day. They finally found those copies in Africa, but if they hadn’t found them it would’ve been a very bad month or year. So with that kind of a thing in mind, it has happened to many folks besides just them where this had to be most publicized.

So with that in mind, get those materials into the vault as a beachhead, if you will. Let’s build together the notion of this third location, let’s secure it with Unisys Stealth, and let’s secure it with an air gap that’s engulfed in Stealth, and with all of the connections in and out of the vaults protected by Stealth using zero trust. Let’s take those critical materials and build that beachhead there. Ideally, I’ve seen great success when I was doing that, and then gathering maybe total of three to five of the most critical business applications that a firm may have and concentrating on them first.

Here’s what we don’t want to do. I see no success in sitting down and saying, “Okay, we’re going to go through 150 different applications, with all of their dependencies, and we’re going to decide which of those pieces go into the cyber vault.”

It can be done, it has been done, and we have consulting that can help do that between Dell and Unisys, but let’s not start that way. Let’s instead start like we did recently with a big, big company in the U.S. We started with critical materials, we chose five major applications first, and for the first six months that’s what we did.

We protected that environment and those five major applications. And as time goes on, we will move other key applications into that cyber vault. But we decided not to boil the ocean, not look at 2,000 different applications and put all that data into the vault.

I recently talked to a firm that does pharmaceuticals. Intellectual property is huge for them. Putting their intellectual property into the cyber vault is really key. It doesn’t mean all of their systems. It means they want intellectual property in the vault, those critical materials. So build the beachhead and then you can move any number of things into it over time.

Peters: We have a demonstration to show what this whole thing looks like. We can show what it looks like to make things disappear on your network through cloaking, moving data from a production environment into a vault, and in-retention locking that, analyzing the data, and finding out if something is bad on it, and being able to select the last known good copy of data and start to rebuild systems in your production environment. 

If somehow you had an environment you’re recovering and malware manages to slip inside of that we can detect that and we can shut it down in about 10 to 15 seconds. For organizations interested in seeing this working in real-time, we have a real live demo.

Finley: That’s a powerful, powerful demo for all of the folks who are listening. You can see this thing work from beginning to end to see how the buttons are put in and how the data essentially moves out of scrubbing of the data to make sure it’s clean. It was fascinating for me the first time I saw this. It was great.

Gardner: I’m afraid we will have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on new ways of protecting data backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal.

And we’ve learned how a joint-solution between Unisys and Dell elevates what was once data redundancy and backup into a much more resilient and powerful cyber recovery regime.

So please join me in thanking our guests, Andrew Peters, Director of Global Business Development for Security at Unisys. Thank you so much, Andrew.

Peters: Thank you.

Gardner: We’ve also been here with David Finley, Director of Information Assurance and Security in the Data Protection Division at Dell Technologies. Thank you, David.

Finley: Thank you, Dana. Thank you, Andrew.

Peters: Hey, thank you, too, Dave. Cheers.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect cybersecurity innovation discussion. 

I’m Dana Gardner, Principal Analyst of Interarbor Solutions, your host throughout this series of Unisys- and Dell-sponsored BriefingsDirect discussions.

Thanks again for listening. Please pass this along to your IT community, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys and Dell Technologies.

A transcript of a discussion on new ways of protecting data backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

You may also be interested in: 

No comments:

Post a Comment