Bolster your ransomware posture with immutable storage

Immutable storage is a crucial tool in the fight against ransomware, as data can’t be overwritten, changed, tampered with, or deleted − even by someone with admin rights.
Read time 5min 10sec

Let's start by explaining what 'immutable storage' is and why it is important to adopt a holistic approach to cyber security.

Too many execs operate on the principle of “I have a firewall or an anti-virus”, and as such, I am protected − but that is not the case. If there is a breach and a hacker gets past the firewall, they pretty much have access to do whatever they want.

With immutable storage, data integrity is kept intact and cannot be altered. This is a perfect form of defence against ransomware, as the files can't be encrypted.

You'll have read much in the cyberspace about a 3-2-1 backup strategy – which means three copies of data, in two locations with one copy offsite. But the thinking has since evolved into a 3-2-1-1 process, which is three copies of data, in two different locations, one offsite and one on immutable storage.

This addition adds an air-gapped copy of the data secured offline and segregated from the company network, where ransomware can't reach. It is also regarded as a best practice approach.

Having backups replicated to the cloud can be a cost-effective and straightforward way to achieve the offsite copy required. Cloud backups, or replication, ensure uptime and availability, even when your primary backups are unreachable.

If you've been wondering where to focus your cyber security energy in 2021, ransomware protection is an excellent place to start. A recent survey of CSOs and CISOs shows that almost half of these security-conscious executives consider ransomware to be their organisation's biggest cyber threat.

The survey findings align with other security experts' predictions regarding 2021 − a very active year for ransomware attacks. Industry experts expect ransomware operators to continually improvise their tactics and technologies to make ransomware harder to detect, more destructive and punitively expensive from which to recover.

To pay or not to pay?

Media reports abound on multinational corporations, hospitals and government departments being hit by ransomware.

In South Africa, in July this year, a ransomware attack on Transnet – SA's custodian of ports, rail and pipelines – forced the body to declare a force majeure at container terminals and switch to manual processing of cargo.

The attack focused on Transnet's Durban port, which handles more than half of the nation's shipments and is the main gateway for other commodity exporters, including the DRC and Zambia. Operations were eventually restored, but mum's the official word on whether a ransom was paid.

With immutable storage, data integrity is kept intact and cannot be altered.

Ransom payment aside, one thing is guaranteed – recovery from a ransomware attack will cost your company time, money and reputation. The latter is possibly the most damaging.

Sophos research indicates that globally the average cost of ransomware recovery is $1.4 million if a business pays the ransom and $730 000 if it doesn't. This average includes the direct costs of ransomware − things like downtime, restoring operations and security audits. But when factoring in the indirect costs of cleaning up after a ransomware attack, the price tag becomes much higher.

While it's difficult to put a price on customer confidence, studies indicate today's consumers are very likely to stop doing business with a company that has experienced a data breach, and lost customers mean lost revenue.

The number of ransomware attacks is on the rise, with one global survey of 5 400 IT decision-makers across 30 countries revealing that 37% of those surveyed had been hit by ransomware in the past year.

The cost of recovery is skyrocketing, and new tactics that promise a whole new level of chaos are being introduced, making it time for businesses to get serious about devising and implementing a comprehensive ransomware protection strategy.

The latter provides multi-layer protection against ransomware by combining the latest cyber security technology with employee awareness training and exceptional data protection that includes immutable storage capabilities.

Simply put, immutable storage is a crucial tool in the fight against ransomware. Being immutable means that once the data is placed in storage, it cannot be overwritten, changed, tampered with, or deleted − even by someone with admin rights.

Backing up data in this way simplifies ransomware and other disaster recovery efforts because there will almost always be a clean, current copy of the data available that can be restored once remediation is complete.

Now for the however part: you cannot rely solely on immutable storage for ransomware recovery.

Protection of ransomware is a moving target on any day when these attacks are becoming increasingly sophisticated, making it virtually impossible to design a set-it-and-forget-it ransomware protection strategy.

While immutable storage is an essential part of the solution, IT security teams must constantly review and adapt defence techniques to keep up with rapidly-evolving ransomware strains and tactics.

For example, some newer ransomware strains target backup files and encrypt the data, rendering the backup useless for recovery. If the organisation uses immutable storage, this may not be a huge deal.

Adding another protection layer

The 3-2-1 backup strategy is a standard data protection technique these days, but as ransomware operators become more savvy, now is an excellent time to revisit and revise this approach.

This is where the 3-2-1-1 backup strategy enters the picture. This addition adds an air-gapped copy of the data secured offline and segregated from the company network, where ransomware can't reach.

Take a holistic approach to protection by providing multiple defence layers against ransomware and other cyber threats.

An effective ransomware prevention strategy should include endpoint security around the backup infrastructure, the ability to scan systems and data for malicious code proactively, and the ability to manage multiple backup copies, including offsite and air-gapped instances.

James Kloppers

Pre-sales technical consultant at Arcserve Southern Africa.

James Kloppers is pre-sales technical consultant at Arcserve Southern Africa. He has been involved in the technology sector since 2009. Throughout his career, he worked with highly-experienced engineers, which has provided him with knowledge and insight into the technology industry and the challenges faced by the sector. He started his career as a helpdesk technician and quickly moved to a backup engineer post.

Kloppers went on to become a field technician support consultant. This expanded his experience through the installation and configuration of wireless networks, establishing company networks, desktop support, upgrading and maintaining high sites, as well as the backbone network. He went on to become a backup engineer at a major ICT corporation in 2015, where he was involved in daily backup admin, creating standard operating procedure documentation, training and upskilling other backup engineers, plus creating and upgrading backup environments, including that within cloud platforms. In 2020, he was appointed pre-sales technical consultant at Arcserve Southern Africa.

See also