airgapped backups - follow-up

by alesovodvojce » Thu Feb 16, 2017 11:05 pm

Following Gostev's excellent post this week about Ransomware as a service
here: https://www.veeam.com/blog/ransomware-as-a-service-threat.html

At the end of this post there is a proposed solution to this threat: air-gapped backups.

But what if the problem is not in remote vs local access to backups? What if the problem is in the trust we put in one person?
How about putting more (different) people in the scheme.
The temptation of money in a Ransomware as a service scheme, and hence a morally failing IT administrator, can be mitigated by putting the responsibility for backups onto more people:
Primary backups administered by one person, but secondary (or every second backup) administered by a different entity (outsourced / Veeam partner / etc.). This way there have to be too many different people involved in the trouble, not just one person from the IT department with a bad day.

For some environments backing up tens of TBs daily this would be a much more practical solution than air-gapped backups. What do you think?
Don't hesitate to share your proposals too.
alesovodvojce
Enthusiast
 

Re: airgapped backups - follow-up

by Andreas Neufert » Thu Feb 16, 2017 11:22 pm

You speak about segregation of duty.
Many customers do this today even with their normal backup targets.

Group 1 runs the backup software and administers the primary backup targets, group 2 the secondary backup targets. Group 2 creates storage snapshots, so that Group 1 can delete all backups on primary and secondary, jobs, VMs, whatever, by mistake or willfully, and there is a copy of the data protected in the snapshot. Even if ransomware encrypted the data. Some of our Cloud Connect partners offer such services as well.
It is also a good idea to offload to tape and vault the tapes at an external organisation by manual movement.

We have a customer that had a huge fire, and the fire service capped all power connections. He was not able to open the tape library. Luckily he was able to take the disk backup storage out of the rack before the flames destroyed everything, so as not to lose all data. An external copy is pretty important even if you have 2 fire sections. If the fire is big enough...
Andreas Neufert
Veeam Software
 
Location: Germany
Full Name: @AndyandtheVMs Veeam PM
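
Added example, not part of the original posts and not Veeam code: a check for the segregation of duty described in the post above, flagging any single user who can delete backups and also delete the snapshots that protect them. All group names, users, targets and permission names are constructed assumptions.

```python
# Added example: constructed data, hypothetical names throughout.
from collections import defaultdict

# group -> members (users or nested groups); constructed sample
GROUPS = {
    "backup-admins": {"alice", "bob"},          # "Group 1" in the post
    "storage-admins": {"carol", "ops-oncall"},  # "Group 2" in the post
    "ops-oncall": {"dave", "bob"},              # nested group; bob overlaps
}

# (principal, target, permission) grants; constructed sample
GRANTS = [
    ("backup-admins", "primary-repo", "delete-backup"),
    ("backup-admins", "secondary-repo", "delete-backup"),
    ("storage-admins", "secondary-repo", "delete-snapshot"),
]

def expand(principal, groups, _seen=None):
    """Resolve a principal to the users it contains, following nested groups."""
    seen = _seen if _seen is not None else set()
    if principal not in groups:
        return {principal}          # a plain user
    if principal in seen:           # guard against membership cycles
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def effective_rights(groups, grants):
    """Map each user to the (target, permission) pairs held via any group."""
    rights = defaultdict(set)
    for principal, target, perm in grants:
        for user in expand(principal, groups):
            rights[user].add((target, perm))
    return rights

def sod_violations(groups, grants):
    """Users who can delete backups AND the snapshots protecting them."""
    out = {}
    for user, held in effective_rights(groups, grants).items():
        perms = {perm for _, perm in held}
        if {"delete-backup", "delete-snapshot"} <= perms:
            out[user] = sorted(held)
    return out

if __name__ == "__main__":
    for user, held in sod_violations(GROUPS, GRANTS).items():
        print(f"{user} can destroy every copy alone: {held}")
```

In the sample data the overlap comes from nested group membership, which is the case a review of direct group members alone would miss.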

Re: airgapped backups - follow-up

by Gostev » Fri Feb 17, 2017 1:24 am

alesovodvojce wrote: How about putting more (different) people in the scheme.
The temptation of money in a Ransomware as a service scheme, and hence a morally failing IT administrator, can be mitigated by putting the responsibility for backups onto more people:
Primary backups administered by one person, but secondary (or every second backup) administered by a different entity (outsourced / Veeam partner / etc.).

Correct, and this is exactly what I have proposed as the solution in my post too ;) have your off-site backups sitting at a partner, with a copy of them air gapped - isolated from your IT staff so that they cannot delete them without obtaining physical access to the service provider infrastructure.
Gostev
Veeam Software
 
Location: Baar, Switzerland

Re: airgapped backups - follow-up

by tqmbill » Wed Apr 19, 2017 1:55 am

Any thoughts on including an auto-eject USB drive feature in Veeam B&R, like this? --
"Veeam Endpoint Backup FREE 1.5 includes:
CryptoLocker protection for USB Storage: Protect USB-based storage targets from potential CryptoLocker threats by automatically ejecting them after a successful job run"

And would it be possible to then reconnect prior to the next backup? Maybe even automatically alternate between 2 USB drives that remain physically connected but only one at a time would be logically online.

This wouldn't help with the single IT person vulnerability, but it would avoid the hassle of physically swapping out drives.
tqmbill
Novice
 
Full Name: Bill Cox

Re: airgapped backups - follow-up

by Mike Resseler » Wed Apr 19, 2017 5:44 am

Hi Bill,

If we were able to "reattach" the USB device after it was ejected, wouldn't that mean that the attackers can do the same and still erase the backups from disk?
Mike Resseler
Veeam Software
 
Location: Belgium, the land of the fries, the beer, the chocolate and the diamonds...
Full Name: Mike Resseler

Re: airgapped backups - follow-up

by tqmbill » Wed Apr 19, 2017 11:47 am

I guess so. Does this mean the Endpoint functionality is not effective, or is there a way to avoid the attackers reattaching the drive?
tqmbill
Novice
 
Full Name: Bill Cox

Re: airgapped backups - follow-up

by Gostev » Thu Apr 20, 2017 12:59 am

There's no reliable way to do this (we actually had the feature request to automatically reattach storage before next backup and so investigated/tested the process before). And in any case, ransomware would have to know the drive is actually there before trying to re-attach, but it cannot know this.

tqmbill wrote: is there a way to avoid the attackers reattaching the drive?

There's one 100% reliable way that will work no matter what ;) just pull the storage out of the computer, air gap ftw!
Gostev
Veeam Software
 
Location: Baar, Switzerland

