Amit Rawlani, Director of Solutions & Alliances, Cloudian
This blog addresses the topic of the year and, frankly, one that will be with us for the foreseeable future: ransomware protection.
Specifically, we will look at some of the misconceptions and myths regarding ransomware protection solutions and how IT departments around the world are implementing such solutions.
Myth 1: All ransomware protection solutions are built the same
To understand this myth, let’s look at the responses of various organizations to the question, “What solution does your organization implement for ransomware protection?” and consider the breadth of answers.
1. Answer: It won’t happen to me!
During a security conference last year, an FBI analyst asked a room filled with CIOs of companies from across the U.S., “Which of you have been attacked or dealt with the threat of ransomware over the past year?” About 20% of the audience raised their hands.
He then turned to the other 80% and said, “Well, those of you that have their hands down may just be asymptomatic.”
Here are just some of the statistics that highlight the prevalence and cost of ransomware:
a. 4,000 attacks per day (US FBI, 2016)
b. 97 percent increase over the past two years (Source: Sophos)
c. 51% of companies pay the ransom (Source: Sophos)
d. $20 billion cost to businesses forecasted for 2021 (Source: Cybersecurity Ventures)
e. $133,000 average cost per attack (Source: Sophos)
f. Average ransomware payment amount increased 104% in Q4 of 2019 (Source: Coveware Q4 marketplace report)
2. Answer: We religiously back up!
Backup as a solution for ransomware protection is a start, but ultimately insufficient by itself. If you have a clean backup, you are typically able to recover. However, hackers know this too.
75% of organizations attacked last year had up-to-date endpoint protection in place, but rogue actors have become more sophisticated and go after the backup systems. It starts with a phishing attack, which allows the rogue actors to circumvent security systems in place. Data systems, including backups, then become one of the primary targets, bringing organizations to their knees.
Backup by itself is not enough to thwart a sophisticated ransomware attack.
3. Answer: I back up to tape!
Tape is a whole different conversation. In fact, I have a myth below dedicated to tape. But suffice to say, those of us who have been in the storage industry long enough to have had the privilege of working with tape know the pitfalls and challenges — especially the difficulty of retrieving data from tape. Any solution where your data is “so protected” that it becomes difficult to retrieve is not a solution at all.
4. Answer: We have a proprietary solution
Many data protection vendors offer a ransomware protection solution based on their own backup software paired with their own storage boxes or bricks — i.e., it’s not standards-based and will lock you into their products. These solutions work until you hit a wall with their products and need to look at more scalable/economical/versatile options.
As can be seen above, there are a variety of solutions, and not all are built to provide the same level of protection. What you choose for your organization will determine how protected your data really is.
A solution that will actually protect organizations against a ransomware attack needs to:
a. Be implemented (“hope” is not a strategy).
b. Not leave your backed-up data vulnerable – immutability anyone?
c. Be modern, providing easy accessibility/retrieval.
d. Be based on open and industry standards – no lock-in.
With that, this Myth is BUSTED.
Myth 2: Tape is a good solution for data immutability.
Tape has traditionally been a means of ransomware protection for customers, however:
- Pitfalls and challenges of tape backups start with the accessibility to the data on tape. It is cumbersome to say the least. It is usually a physical process to retrieve — load into a reader — and can mean a matter of days/weeks to retrieve lost data.
- Tapes get corrupted. They have to be checked from time to time to ensure that you are actually protected in case of an attack or data loss. The process to retrieve and check for data veracity is time-consuming and tedious.
- Tape technology gets updated periodically. Oftentimes newer versions of readers are not compatible, so re-coding becomes necessary.
Data not retrievable is data not protected.
A modern, standards-based approach can be built around object storage and S3 Object Lock. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Objects are made immutable (also known as unchangeable) for a certain period of time which is defined at the time of bucket creation. An object storage platform with native S3 object support is a much better solution for ransomware protection than tape.
Cloudian HyperStore has native support for S3 Object Lock.
Two modes of protection:
1. Governance mode.
a. This is the less restrictive mode of data protection. Objects are locked for a certain period of time and protected against rogue actors.
b. However, privileged users/users with a certain level of admin privileges can delete WORM-protected objects.
c. This mode is better suited to devops and perhaps internal usage.
d. Objects in this mode can be converted to compliance mode.
2. Compliance mode
a. This is for more stringent data protection, such as ransomware protection and meeting regulatory compliance requirements.
b. In this mode, root access is disabled and deletes are completely disallowed – even for privileged users.
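An added example (not from the original article and not Cloudian's code): a Python check over Object Lock configuration documents that flags backup buckets left unlocked, in governance mode, or below a retention minimum. It assumes the store returns the S3 GetObjectLockConfiguration response shape; the bucket names, sample responses and 30-day minimum are constructed for illustration.

```python
# Added example: audit S3 Object Lock settings of backup buckets.
# Input follows the S3 GetObjectLockConfiguration response shape (assumed).
# Bucket names, sample responses and the 30-day minimum are constructed.
MIN_RETENTION_DAYS = 30  # assumed policy value, not from the article

def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365

def audit_bucket(name, response):
    """Return findings for one bucket; an empty list means it passes."""
    cfg = (response or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return [f"{name}: Object Lock not enabled, backups can be deleted or overwritten"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return [f"{name}: no default retention, objects lock only if each write sets it"]
    findings = []
    mode = default.get("Mode")
    if mode == "GOVERNANCE":
        findings.append(f"{name}: GOVERNANCE mode, privileged users can still delete locked objects")
    elif mode != "COMPLIANCE":
        findings.append(f"{name}: unknown retention mode {mode!r}")
    days = retention_days(default)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"{name}: retention {days}d is below the {MIN_RETENTION_DAYS}d minimum")
    return findings

# Constructed sample responses, one per bucket.
SAMPLES = {
    "backup-prod": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "backup-dev": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "backup-legacy": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "backup-old": None,  # bucket with no Object Lock configuration at all
}

def audit_all(samples):
    return {name: audit_bucket(name, resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "OK" if not findings else findings)
```

In practice the responses would be collected per bucket from the storage system and fed to `audit_all` on a schedule, so a backup target that drifts out of compliance mode is noticed before it is needed.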
The myth that tape backups are still the right solution for ransomware protection is antiquated and BUSTED.
Myth 3: Support for the S3 Object Lock API is all that a modern storage system needs to ensure protection against ransomware
We introduced S3 Object Lock in the previous section. However, it is NOT enough to have storage locking down objects if hackers can compromise systems at the OS level — e.g., a rogue actor hacking your enterprise network could make a copy of your data, get to the system/OS level, gain root access, and delete the storage/data from the OS level.
Object Locking will do you NO good in this scenario.
There will be many software storage vendors that will implement Object Lock in the coming years. But beware – not all will be able to protect your data as you expect.
There are strict requirements on what qualifies as WORM-enabled storage, defined by regulators worldwide. SEC Rule 17a-4(f) specifies that “even a root access should not be able to delete data from the storage system to be considered WORM.”
Hardened storage solutions ship with a host of system-level security features including:
- Secure shell
- Integrated firewall
- RBAC/IAM access controls (this locks down the root access of the system)
Cloudian has been assessed as fully compliant with the US government regulations for WORM by Cohasset Associates (a third-party governmental assessment organization), certifying it for:
- SEC Rule 17a-4(f)
- FINRA Rule 4511
- CFTC Regulation 1.31
- Common Criteria
It is clear that Object Lock or any software-only feature by itself is not enough to protect you against ransomware. System-level security matters as much/more for security, data protection and ransomware protection. This myth is Busted.
Forrester Report: 4 Technologies Combine to Protect You from Ransomware Attacks
Cloudian HyperStore SEC17a-4 Cohasset Assessment Report