We discussed ransomware attacks and the first guideline to protecting your data, using Air Gaps, in Part One of this roadmap for ransomware prevention.
Monitoring
The second guideline is to monitor your systems. This service is included as part of Zadara’s Operation Policy to provide Storage-as-a-Service. Human resources used in storage management are offloaded to a staff of Zadara IT and Storage experts. The monitoring system is headed by a group of professionals dedicated to protecting your data.
Over-utilization of pools and performance are often leading indicators of infection. These indicators are monitored and can be configured for early detection of issues.
Testing
The third guideline is testing systems for security holes. Part of Zadara’s SOC2 process is to routinely use PEN Testing on cloud deployments. This ensures there are no open doors or exploits that can enable unauthorized entry.
Keep Systems Current
The fourth guideline is keeping systems current. The nature of any system is that entropy will take place. Bug fixes and security patches must be applied, otherwise protective measures become obsolete and easily exploited.
VPSAs were designed with upgradeability in mind. Zadara’s non-disruptive upgrade process takes a single failover to a renewed version with enhanced security and features. The upgrade process upgrades the standby controller with the new version, fails over from the active to the standby. Next, the previous active controller is upgraded. Actual failover time is 15-30 seconds and can be scheduled 24×7 during a quick maintenance window of 15 minutes.
Backup and Recovery
The fifth guideline is to have backup and recovery plans in place. While this appears to be an obvious practice, often it is incorrectly implemented in the case of ransomware. Most backups are implemented as 2-1-1 or two copies, one media type and one location.
In a ransomware attack, backups are overwritten or erased. Even the highly recommended 3-2-1, three copies, two media types, and one offsite location, may be inadequate. Often an Air Gapped copy is added (3-2-1-1) for complete backup protection.
Zadara’s VPSAs include backup protection which allows for rapid recovery of data in the event of an attack. Redirect-on-write snapshots provide a write-once-read-many (WORM) drive capability that inhibits ransomware from obliterating data. Employed with below file growth rate detection methods, data is protected early on and can eliminate costly recovery processes.
2-1-1 (For non-critical data)
- Copy 1: VPSA Volume or Share
- Copy 2: Local Snapshots or Backup to Object Storage
3-2-1 (For critical data)
- Copy 1: VPSA Volume or Share
- Copy 2: Local Snapshots or Snapshot Mirror to Remote VPSA, Media Type #1
- Copy 3: Backup to Object Storage, Media Type #2, Offsite
3-2-1-1 (For critical data and Disaster Recovery)
- Copy 1: VPSA Volume or Share
- Copy 2: Local Snapshots to Remote VPSA, Media Type #1
- Copy 3: Snapshot Mirror to Remote VPSA, Media Type #1
- Copy 4: Backup to Object Storage, Media Type #2, Offsite
Suspicious File Growth Rate
Zadara VPSA’s built-in system monitoring – when enabled – can provide an early warning system, sending email alerts when suspicious activity is detected. Ransomware viruses read files and rewrite them in encrypted format. This attack will have higher I/O activity and pool growth.
Two Triggers that Should be Set
- I/O’s Per Second (IOPS)
- Pool Size Utilization growth due to large Local Snapshots
Files Renamed to .LOCK
One pattern of ransomware is the renaming of files to .lock. Zadara has Docker-enabled VPSA Controllers which allow you to run apps on the VPSA. Using apps which trigger on the renaming of files provides early detection of an ongoing attack. Please visit GitHub to view our public Docker repository for a few examples.
Securing Your Data from a Ransomware Attack
It’s time to pull out your roadmap, the roadmap to protect your data against ransomware. Begin with these guidelines. Remember to highlight and make a notable stop at Zadara for your data protection needs along the way.
[LINK TO PART ONE OF THE ARTICLE]
Needs a call to action – perhaps a link to an existing resource on Data Security?
