Dell EMC Isolated Recovery
Andreas El Maghraby, Advisory Systems Engineer DPS
@andyem_si
© Copyright 2017 Dell Inc.
Incident Response: Categories of Cybercrime Activity (April to June 2016)
[Pie chart: categories of cybercrime activity seen in incident response. Categories: Ransomware, Banking Trojan, Business Email Compromise, Web Script, Adware, Spam, Other*. Values shown: 37%, 12%, 9%, 7%, 7%, 5%, 27%.]
* Other: DoS, unknown, digital currency mining and credential harvesting
The Evolution of Ransomware
• Cybercrime has matured into a business sector
• The latest paradigm is Cybercrime-as-a-Service (CaaS)
• The Ransomware market, within this paradigm, is rapidly maturing
• Ransomware strains are being upgraded, rebranded, and sold cheaply on the Dark Web
• All potential targets, regardless of size, present equal opportunities
True Costs of Ransomware

Cost item                    USD
Lost Revenue           2,500,000
Incident Response         75,000
Legal Advice              70,000
Lost Productivity        250,000
Forensics                 75,000
Recovery & Re-Imaging     60,000
Data Validation           25,000
Brand Damage             500,000
Litigation               200,000
Ransom                    30,000
Total Cost of Attack  $3,785,000

The ransom ($30,000) is under 1% of the total. The line items above sum to $3,755,000 and reach the stated $3,785,000 only once the ransom itself is included.
NIST Cybersecurity Framework

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications
• Validation (the deck's addition; NIST CSF itself lists only the three categories above under Recover)

How the Dell EMC offerings map onto the five functions:
• Identify: Dell EMC IR Services for Risk Management, Governance Model, & Operating Model
• Protect: Isolated Recovery Solution (Protective Technology, Processes & Procedures)
• Detect: Isolated Recovery Solution Validation Servers; RSA Security Behavior Analytics
• Respond: Dell EMC IR Services for Response; Framework for Cyber Incident Management
• Recover: Isolated Recovery Solution with Recovery Servers (the focus of this deck)
Traditional Strategies Are Not Enough

Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect

Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: Backup Catalog, PBBA [Data Domain], Tape Library Meta Data DB

Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: Patient needs, Brand, Lost trust
Current State: Risk Profile Summary

Technical
• All data is currently susceptible to a cyber attack
• Primary storage replication can replicate corruption
• Backup catalog not replicated
• Recovery of backup catalog from tape is slow and failure prone
• Backup images can be expired without authorization
• Backup copies not isolated from network

People & Process
• IT Engineering and Ops have access to most if not all Backup Assets
• Security teams not assigned to assets. Bad actors inside the firewall can create havoc.
• Franchise critical and non-critical data are not segregated

• These risks are consistent with traditional Prod/DR models.
• This is a different challenge and requires a different architecture.
Current State: What is a Business Impact Analysis?
• A process to understand:
  • What is the monetary impact of a disaster or failure?
  • What are the most time-critical and information-critical business processes?
  • How does the business REALLY rely upon IT Service and Application availability?
  • What availability and recoverability capabilities are justifiable based on these requirements, potential impact and costs?
• Composed of two components:
  • Technical Discovery – Data Gathering
  • Human Conversation – Talk to People!
BIA Output: The Most Critical Data First
• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there
[Diagram: stack of Compute, Applications, Validate & Store, and Highest Priority Data.]
Layered Cyber-Security for Data Protection

Level of Protection: Good / Better / Best

Good: Traditional Data Protection Best Practices
• Deploy a layered data protection approach (“the continuum”) for more business critical systems but always include a point in time off array independent backup with DR Replication (N+1)
• Protect “Born in the Cloud” and endpoint Data

Better: Additional Hardening and Protection Features
• Product specific hardening guides
• Encryption in flight and/or at rest
• Retention lock with separate security officer credentials

Best: Advanced Protection Services
• Isolated recovery solution
• EMC/EY service offerings: assess, plan, implement, and validate
• Use of evolving security analytics: RSA & Secureworks
Isolated recovery solution – how it works
Critical data resides off the network and is isolated.
[Diagram: Production Apps on the Corporate Network hold Business Data (Crown Jewels) and Tech Config Data (Mission-critical Data). A risk-based replication process copies them over a dedicated connection, across an air gap, into the Isolated Recovery vault; this copy is separate from the DR/BU copy.]
Isolated Recovery – Dell EMC VMAX
• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services
[Diagram: Primary Storage replicates via SRDF across the air gap to the Isolated Recovery System inside the ISOLATED RECOVERY VAULT, which also contains a Management Host, Validation Hosts and Restore Hosts.]
Isolated Recovery – Dell EMC Data Domain
• Create backup of data
• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services
[Diagram: Primary Storage is backed up to a Backup Appliance, which replicates via DD Replication across the air gap to the Isolated Recovery System inside the ISOLATED RECOVERY VAULT, which also contains a Management Host, Validation Hosts and Restore Hosts.]
Separate Copy Streams For Better Recovery
[Diagram: two separate DD MTree replication streams feed the Isolated Recovery Vault. Backup process: Production Hosts (OS) take a Daily Backup to Data Domain, which replicates by DD MTree Replication into the vault; this is the malware path. Change control process: Vendor Distros (OS material for the IR vault) go through Change Control Copy and Distribution Mgmt. to Data Domain, which replicates by a separate DD MTree Replication into a Clean Room inside the vault.]
Proactive Analytics in the IR Vault

Why Analytics in the Vault?
• Increase effectiveness of Prevent/Detect cybersecurity when performed in protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only occur when application is initially brought up.

Categories of Data
• Transactional Data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual Property – static/large (checksums, file entropy)
• Executables / Config. Files – static/small (checksums, malware scans)
[Diagram: Isolated Recovery System, Management Host, Validation Hosts and Restore Hosts inside the ISOLATED RECOVERY VAULT.]
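The three data categories above each get a different check on the validation hosts. The code below runs one check per category over constructed samples: a checksum manifest for the static, small executables and config files; an entropy comparison for the static, large intellectual property (bulk encryption pushes entropy toward 8 bits per byte); and a sentinel record plus record-count variance for transactional data. This is an example added here, not code from the deck or from Dell EMC; the file paths, the sample contents, the sentinel record and the thresholds are assumptions of this example, and the "encrypted" copy is a deterministic stand-in built from SHA-256 output rather than real ransomware output.

```python
import hashlib
import math
from collections import Counter

# Constructed samples: a known-good copy (as held in the clean room) and a candidate
# restore point in which the config was altered, a binary was dropped, the design
# document was bulk-encrypted and most transactions, including the sentinel, are gone.
TEXT = b"Quarterly design notes for the new product line. " * 80
ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(125))  # 4000 pseudorandom bytes

CLEAN_STATIC = {"bin/app": b"\x7fELF constructed binary v1.0", "etc/app.conf": b"listen=443\nauth=required\n"}
CLEAN_IP = {"docs/design.txt": TEXT}
SENTINEL = {"id": 0, "account": "SENTINEL-0000", "amount": 0.0}
CLEAN_TXN = [SENTINEL] + [{"id": i, "account": f"A{i:04d}", "amount": float(i)} for i in range(1, 1001)]

RESTORED_STATIC = {"bin/app": CLEAN_STATIC["bin/app"],
                   "etc/app.conf": b"listen=443\nauth=none\n",
                   "bin/updater": b"dropped"}
RESTORED_IP = {"docs/design.txt": ENCRYPTED}
RESTORED_TXN = [r for r in CLEAN_TXN[1:] if r["id"] > 900]        # 100 records, sentinel missing


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for text, approaching 8 for encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def check_executables(files: dict, manifest: dict) -> list:
    """Executables / config files (static, small): every file must match the manifest exactly."""
    findings = []
    for path, digest in manifest.items():
        if path not in files:
            findings.append(f"{path}: missing")
        elif sha256(files[path]) != digest:
            findings.append(f"{path}: checksum mismatch")
    findings += [f"{path}: not in manifest" for path in files if path not in manifest]
    return findings


def check_ip(files: dict, baseline: dict, jump: float = 1.0) -> list:
    """Intellectual property (static, large): an entropy jump over baseline means bulk encryption."""
    findings = []
    for path, data in files.items():
        if path in baseline:
            h = shannon_entropy(data)
            if h - baseline[path] > jump:
                findings.append(f"{path}: entropy {h:.2f} vs baseline {baseline[path]:.2f}")
    return findings


def check_transactional(records: list, sentinel: dict, expected_count: int, tolerance: float = 0.5) -> list:
    """Transactional data (dynamic, large): sentinel record intact, volume within tolerance."""
    findings = []
    if sentinel not in records:
        findings.append("sentinel record missing or altered")
    if abs(len(records) - expected_count) > tolerance * expected_count:
        findings.append(f"record count {len(records)} vs expected {expected_count}")
    return findings


def validate_restore_point(static: dict, ip: dict, txn: list) -> dict:
    """Run all three checks; the manifest and entropy baseline come from the clean copy."""
    manifest = {p: sha256(d) for p, d in CLEAN_STATIC.items()}
    baseline = {p: shannon_entropy(d) for p, d in CLEAN_IP.items()}
    return {"executables": check_executables(static, manifest),
            "ip": check_ip(ip, baseline),
            "transactional": check_transactional(txn, SENTINEL, len(CLEAN_TXN))}


if __name__ == "__main__":
    for category, findings in validate_restore_point(RESTORED_STATIC, RESTORED_IP, RESTORED_TXN).items():
        print(category, findings or "clean")
```

The manifest and entropy baseline must come from the clean-room copy that arrived over the separate change-control stream, never from the restore point being judged, otherwise an attacker who encrypted production simply ships matching checksums along with the encrypted data. A single entropy threshold will misfire on data that is legitimately compressed or encrypted at rest, so in practice the baseline is per file, as here, rather than a global cut-off.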