5 Ways to Prevent Data Loss & Mitigate Ransomware Attacks
Ransomware attacks are one of the most profound threats facing enterprises today, and they continue to dominate headlines and business discussions. Ransomware is malware that denies a business access to the data, applications, and systems it depends on and then extorts payment to restore that access; increasingly it also steals the data first and threatens to publish it. Many companies have a working disaster recovery plan in place, but a DR plan on its own is not sufficient to protect all the data residing across multiple systems and environments.
In an age of sophisticated markets where bad actors sell exploits and stolen data to the highest bidder, your defense against data extortion must deliver same-day detection, response, and correction if your business is going to survive.
It must address a wide range of threat vectors: data encryption, backup corruption, blocked application and data access, data extortion, large-scale or surgical data exfiltration or corruption, deliberate erasure, and business disruption. Security professionals also need the capability to conduct root cause analysis, especially on the data itself, to uncover what happened and to prove who did it.
Data is the lifeblood of a business. It matters because our systems do not operate without it, and not caring for it properly violates the trust our clients place in us. For every positive story we hear about data recovery, we hear ten stories of data violations. Why? Data gravity. Data is large, slow to copy, and tied to the systems that produce it, which makes it the choke point of the digital assembly line: it slows innovation, degrades quality, stifles performance, threatens resiliency, and prevents forensics. Ransomware outfits exploit this data gravity and, in turn, use a company’s data against it.
Data is a Blessing and a Curse
Protecting your data will require digital capabilities that can thwart encryption-based ransoms, automate sensitive data protection at the speed of software delivery, reduce root cause analysis to minutes rather than weeks, restore data at the touch of a button, and shorten data exposure time through high-speed revocation and restoration.
It’s no longer enough to lock up copies of your data in a vault. Businesses today cannot tolerate that being the only method of protection and the preferred method of recovery. The physics of data gravity have forced us to think in new ways.
Data needs to be as agile as the services we spin up in our clouds: ephemeral in the copies we provision for a task, and immutable in the history we keep of it.
At Delphix, we’ve helped dozens of customers defend against data corruption, extortion, and exfiltration. Let’s look at five essential capabilities that will help protect your company from the rising threat of data extortion.
1. Pushing the Encryptor off Script
The threat that ransomware can take down your company is very real. An Arkansas telemarketing firm, The Heritage Company, was forced to cease operations in December 2019 after an attack. Similar stories abound, and in many of them it is recoverability, cost, and especially the speed of recovery that decide the outcome.
Both large-scale and small (surgical) data encryption attacks rely on one or more of the following presumptions:
- That your data recovery strategy isn’t quick or easy (or maybe even possible),
- That you don’t notice when data is being encrypted (when done in small doses),
- Or that it would be a lot more expensive in resources and time to recover/rebuild your data than it would be to just pay.
Being able to resurrect a business system from the point in time just before the ransom-seeking encryption began is critical to business recoverability.
The speed and cost of that recovery are critical to business survivability. The Delphix platform provides a write-once architecture with a separate, immutable copy of your dataset (and of every change to it), combined with the ability to restore the whole dataset to any chosen second in just a few minutes.
Delphix is a powerful weapon against encryption havoc, and a way to write encryption villains out of your script.
Suppose a sophisticated attacker gains access to your entire network, including your backups. Instead of exfiltrating your data, they simply rotate your encryption keys. They wait until every backup copy has been written under the new key and the copies made under the old key have aged out of retention. Then they destroy the new key. Suddenly you have no data and no backups: the key you thought you had no longer decrypts anything. That can be a company-ending event.
Imagine, instead, that Delphix were maintaining an immutable data time machine and feeding telemetry, such as sudden spikes in write volume, in the number of files touched, or in the entropy of the data being written (encrypted data looks random), to an APM or monitoring tool watching for a ransomware attack. Suddenly you have a ransomware early-warning system, and a known-good point in time to return to.
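The early-warning idea above, as an added example that is not Delphix code: a small detector run over constructed per-minute storage telemetry. It assumes three fields per interval (bytes written, files modified, mean entropy of the blocks written) and uses a median/MAD baseline rather than mean/stdev so that the first minutes of an attack do not inflate the baseline and hide the rest of it.

```python
"""Ransomware early warning from storage telemetry.

Added example, not Delphix code. It assumes a feed of per-minute samples
(bytes written, files modified, mean entropy of the blocks written); the
telemetry below is constructed inline so the example runs offline.
"""
import math
import random
import statistics
from collections import Counter
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, well
    below that for text, database pages and most business documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Sample:
    minute: int
    bytes_written: int
    files_modified: int
    mean_entropy: float  # shannon_entropy() averaged over blocks written


def robust_z(value: float, history: list) -> float:
    """Median/MAD z-score. A mean/stdev baseline is dragged upward as soon
    as the first attack minutes enter the window, so later minutes of the
    same attack stop looking anomalous; median/MAD barely moves."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history) or 1.0
    return (value - med) / (1.4826 * mad)


def detect_bulk_encryption(samples, window=30, z_threshold=8.0,
                           entropy_threshold=7.5):
    """Return the minutes that look like bulk encryption: write volume AND
    modified-file count far above the trailing window AND near-random
    content. Each signal alone is noisy: a backup job spikes volume, a log
    rotation touches many files, a media upload is high-entropy. Slow,
    surgical encryption ("small doses") evades this volume test and needs
    per-file entropy deltas instead."""
    alerts = []
    for i in range(window, len(samples)):
        hist = samples[i - window:i]
        s = samples[i]
        z_bytes = robust_z(s.bytes_written, [h.bytes_written for h in hist])
        z_files = robust_z(s.files_modified, [h.files_modified for h in hist])
        if (z_bytes > z_threshold and z_files > z_threshold
                and s.mean_entropy > entropy_threshold):
            alerts.append(s.minute)
    return alerts


def constructed_telemetry():
    """45 minutes of constructed samples: steady transactional writes, a
    legitimate backup job at minute 35 (huge volume, few files, low
    entropy), then an encryptor from minute 40 on (huge volume, thousands
    of files, entropy near 8)."""
    rng = random.Random(7)
    samples = []
    for m in range(45):
        b = 1_000_000 + rng.randint(-100_000, 100_000)
        f = 20 + rng.randint(-5, 5)
        e = 4.0 + rng.random() * 0.5
        if m == 35:
            b, f, e = 300_000_000, 25, 3.0
        if m >= 40:
            b, f, e = 500_000_000, 5_000, 7.95
        samples.append(Sample(m, b, f, e))
    return samples


if __name__ == "__main__":
    print(detect_bulk_encryption(constructed_telemetry()))
```

A real feed would come from the storage layer, the database's write path, or an endpoint agent; the point is the combination of signals and the robust baseline. The backup job in the constructed data trips the volume test on its own and is correctly ignored.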
2. Finding the Devil in the Details
For large systems architectures, it can be painfully expensive to spin up even one environment to track down where an infiltration occurred. And since root cause analysis is highly time sensitive in a ransomware incident, a six-day cycle to spin up a dataset leaves the business exposed at its worst moment. This high mean time to investigate (MTTI) is a major reason CISOs and CIOs opt to simply rebuild datasets rather than investigate.
Being able to reproduce not just one but many copies of a complex, composite environment to locate the exact point of failure is a key capability in the fight against bandits. But, this capability also has to be timely for it to have worth—every second counts when production is down. Even if you have a great AI tool to conduct event correlation, that doesn’t mean that you can recreate the environment and the condition it was in. Knowing and solving are two different things.
Delphix provides rapid, synchronized recovery of groups of datasets at one or many points in time, and can tear down and build up these collections of datasets in minutes. It is therefore possible to rapidly narrow down the window in which an infiltration occurred, spend more time fixing the problem than finding it, and get back to production availability faster.
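Narrowing that window by provisioning copies, as an added example that is not Delphix's API: given a store that can provision any snapshot of a dataset and a check that tells a clean copy from a tampered one, bisection over the timeline finds the first tampered snapshot with O(log n) provisions instead of n. The ledger rows, the control-total invariant and the SnapshotStore class are constructed for the example.

```python
"""Narrowing the infiltration window by bisecting point-in-time copies.

Added example, not Delphix code. It assumes a store that can provision any
snapshot of a dataset on demand (simulated in memory here) and an
integrity check that tells a clean copy from a tampered one. With n
snapshots, bisection provisions O(log n) copies instead of all n.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

CONTROL_TOTAL = 10_000  # sum of all account balances; transfers preserve it


@dataclass
class SnapshotStore:
    """Time-ordered (timestamp, rows) history. `provisions` counts how
    many copies the investigation actually had to spin up."""
    history: list
    provisions: int = field(default=0)

    def timestamps(self):
        return [ts for ts, _ in self.history]

    def provision(self, ts: int) -> dict:
        self.provisions += 1
        return next(rows for t, rows in self.history if t == ts)


def is_clean(rows: dict) -> bool:
    """Integrity invariant for a ledger: balances must sum to the control
    total. Any invariant the tampering violates works here, for example a
    digest comparison against a signed master record."""
    return sum(rows.values()) == CONTROL_TOTAL


def first_bad_snapshot(store: SnapshotStore,
                       check: Callable[[dict], bool]) -> Optional[Tuple[Optional[int], int]]:
    """Return (last_clean_ts, first_bad_ts), or None if the latest copy is
    clean. Assumes the tampering persisted once it landed (monotone
    history); if the attacker reverted it, bisection can miss it."""
    stamps = store.timestamps()
    if check(store.provision(stamps[-1])):
        return None
    lo, hi = -1, len(stamps) - 1  # stamps[lo] clean (virtual at -1), stamps[hi] bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if check(store.provision(stamps[mid])):
            lo = mid
        else:
            hi = mid
    return (stamps[lo] if lo >= 0 else None, stamps[hi])


def diff_rows(before: dict, after: dict) -> dict:
    """Rows that changed between two copies: key -> (old, new)."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in keys
            if before.get(k) != after.get(k)}


def constructed_history(n=64, tamper_at=41) -> SnapshotStore:
    """Constructed ledger history: one legitimate transfer per snapshot,
    plus an attacker's unbalanced credit to a mule account from snapshot
    `tamper_at` onward."""
    rng = random.Random(3)
    balances = {f"ACC-{i:03d}": 1_000 for i in range(10)}
    history = []
    for step in range(n):
        src, dst = rng.sample([k for k in balances if k != "ACC-MULE"], 2)
        amount = rng.randint(1, 200)
        balances[src] -= amount
        balances[dst] += amount
        if step >= tamper_at:
            balances["ACC-MULE"] = 5_000  # surgical change, never reverted
        history.append((1_700_000_000 + step * 60, dict(balances)))
    return SnapshotStore(history)


if __name__ == "__main__":
    store = constructed_history()
    last_clean, first_bad = first_bad_snapshot(store, is_clean)
    print(store.provisions, "copies provisioned; window:", last_clean, "->", first_bad)
    print(diff_rows(store.provision(last_clean), store.provision(first_bad)))
```

With 64 snapshots the search provisions seven copies (the latest plus six bisection steps) and the diff between the last clean and first bad copy shows the mule row next to that minute's one legitimate transfer, which is exactly the "spend more time fixing than finding" outcome. The check function is the part you have to get right: it must fail on the tampered state and pass on every legitimate one, or the bisection converges on the wrong boundary.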
3. Data is the Skeleton Key to Digital Reassembly
Triage and recovery time are always top of mind. Protecting your application after an attack often comes down to how fast you can revoke data access, and bringing it back often moves at the speed at which your data becomes usable again. Even if we block encryptors and find root cause quickly, little of that matters if we can’t recover quickly. The speed and agility of your digital assembly line are key factors in your recoverability.
Being able both to revoke and to provision many copies of datasets rapidly and simultaneously is a crucial capability for protecting vulnerable data that might have gotten out when it shouldn’t have, and for keeping the software pipeline running. Revocation limits further exposure; it cannot recall copies that have already been taken, which is why masking (discussed below) matters for anything that leaves the secure perimeter.
Using Delphix’s data version control features, which are part of its suite of programmable data infrastructure APIs, high-speed, automated, systematic data control becomes real. Triage happens faster and sensitive data is revoked sooner. Developers work on the best data, fixes reach production faster, and you’re back in business faster.
4. Guarding Against the Evil of Exfiltration
Suppose your data bandit is more sophisticated. Smart bandits know how to cover their tracks, infiltrate slowly, attack at the weak point (usually non-production, where copies of production data are often less well protected), corrupt in depth, and wait out intrusion detection systems. Their success is easy to see on any of the illicit auction sites on the dark web. We need access to a set of reliable point-in-time versions of those datasets so that bandits can’t cover their tracks. Even sophisticated attacks can be met with more powerful data countermeasures that repair surgical changes made by malicious actors, revoke data access quickly, and get everyone back to work just as fast as we took the datasets down.
A tamper-evident record of the changes to a dataset means we can trace and discover the actions of these bad actors. And they can’t say they didn’t do it, provided the record is kept where the attacker cannot rewrite it and each change is tied to the authenticated identity that made it; an immutable history shows what changed and when, and the audit trail supplies the who. Using thin, agile clones of datasets, we can revoke datasets for one or many endpoints almost instantaneously. Regardless of how fragmented your infrastructure is, or how large the datasets in your data fabric are, you have a point of control that can plug the leak right now by revoking the datasets in their entirety. Attacks that rely on bad data can be repaired rapidly at all entry points, without compromising the code and feature delivery chain in the IT shop.
Delphix allows you to plug these weak links with tactics to avoid data breaches, minimize the time to investigate, and reduce the time that data is at risk, and to do so in a way that does not slow down the feature delivery pipeline, because a stalled pipeline is itself a threat. Further, the platform lets you find root cause quickly and respond quickly to sophisticated attacks that might otherwise be undetectable, cost-prohibitive to investigate, unprovable, or simply uncorrectable.
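What makes a record of changes tamper-evident, and where that falls short of non-repudiation, as an added example that is not Delphix code: a hash-chained change log with an out-of-band anchor. An attacker who can write the log can edit an entry and recompute every later digest, so the chain alone proves nothing; the head digest copied into a write-once store is what catches the rewrite. The actors and changes are constructed.

```python
"""Tamper-evident change record with an out-of-band anchor.

Added example, not Delphix code. Each entry commits to the digest of the
previous one, so editing or deleting an entry breaks every later link.
That alone is not enough: an attacker who can write the log can also
recompute the later digests. The record becomes evidence only when its
head digest is also kept somewhere the attacker cannot write (the
immutable snapshot store, a signed checkpoint), and it attributes actions
only as well as the identity it records. Identities and changes below are
constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def entry_digest(entry: dict) -> str:
    """SHA-256 over the committed fields, in a canonical encoding."""
    payload = json.dumps({k: entry[k] for k in ("prev", "actor", "change", "ts")},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ChangeLog:
    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1]["digest"] if self.entries else GENESIS

    def append(self, actor: str, change: dict, ts: int) -> str:
        entry = {"prev": self.head(), "actor": actor, "change": change, "ts": ts}
        entry["digest"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def verify(self, anchor_head: str = None) -> int:
        """-1 if intact; otherwise the index of the first entry whose link
        or digest is wrong. If the chain is internally consistent but its
        head differs from the anchor, return len(entries): the log was
        rewritten wholesale and only the anchor caught it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry_digest(entry) != entry["digest"]:
                return i
            prev = entry["digest"]
        if anchor_head is not None and prev != anchor_head:
            return len(self.entries)
        return -1


def rechain(log: ChangeLog, index: int, new_actor: str) -> None:
    """What an attacker with write access to the log does: edit one entry
    and recompute every later digest so the chain links up again."""
    for i in range(index, len(log.entries)):
        entry = log.entries[i]
        if i == index:
            entry["actor"] = new_actor
        entry["prev"] = log.entries[i - 1]["digest"] if i else GENESIS
        entry["digest"] = entry_digest(entry)


def constructed_log() -> ChangeLog:
    log = ChangeLog()
    log.append("dba-alice", {"table": "vendors", "row": 17, "col": "phone"}, 1)
    log.append("svc-batch-7", {"table": "vendors", "row": 17, "col": "iban"}, 2)  # attacker's session
    log.append("app-orders", {"table": "orders", "row": 9001, "col": "status"}, 3)
    return log


def scenario() -> dict:
    """verify() results for: intact log; naive edit; edit with rechaining
    (undetectable without the anchor); the same edit checked against the
    anchor."""
    log = constructed_log()
    anchor = log.head()  # copied into the write-once store at commit time

    naive = copy.deepcopy(log)
    naive.entries[1]["actor"] = "dba-alice"  # blame someone else

    clever = copy.deepcopy(log)
    rechain(clever, 1, "dba-alice")

    return {
        "intact": log.verify(anchor),
        "naive_edit": naive.verify(),
        "rechained_no_anchor": clever.verify(),
        "rechained_with_anchor": clever.verify(anchor),
    }


if __name__ == "__main__":
    print(scenario())
```

The lesson is in the last two results: the rechained log verifies cleanly on its own and fails only against the anchor. In practice the anchor is a digest or signature held by a component the application's own credentials cannot write to, and the `actor` field is only as trustworthy as the authentication that produced it.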
5. Mastering the Magic of Misdirection
One of the most powerful tools in any data protection arsenal is data masking. By transforming data so that it remains useful to your business but useless to a data bandit, companies get a twin benefit: most of their “real” data lives only inside the most secure (and best backed up) perimeter, and everything outside it is unimportant. A data bandit who surgically extracts masked data and tries to sell it will have problems of her own.
Rapidly distributing masked data to less secure perimeters (while maintaining its business value) means that bandits won’t know the data is masked when they steal it, because it looks real. And you can tell them to go break rocks if they try to ransom you for it.
Delphix allows you to mask and distribute data at the speed of code. With intelligent masking that preserves business value, bandits can’t tell the difference between the data they’ve stolen and the real thing. Two properties make that claim hold: the masking must be irreversible (a keyed transformation, not a lookup table that travels with the data), and it must be consistent across tables, so that keys still join and the copy keeps working for the people who use it. Good luck getting any ransom for an empty purse!
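Consistent, format-preserving masking of the kind this section describes, as an added example that is not Delphix's masking engine: a keyed (HMAC-based) mapping applied to constructed customer and order tables, so that masked values keep the shape of the originals and a join on the masked email still returns every order. MASK_KEY, the name lists and the sample rows are all constructed for the example.

```python
"""Deterministic, format-preserving masking that keeps data useful.

Added example, not Delphix's masking engine. It assumes a per-environment
secret (MASK_KEY, a constructed value here). The same input always masks
to the same output under that key, so joins between tables still work and
masked values keep the shape of the originals (phone, SSN, email), while
the mapping cannot be inverted without the key. Customers and orders
below are constructed sample rows.
"""
import hashlib
import hmac
import random
import re

MASK_KEY = b"constructed-demo-key: use a per-environment secret, never prod's"

FIRST = ["Ana", "Bo", "Cy", "Dee", "Eli", "Fay", "Gus", "Hal", "Ivy", "Jo"]
LAST = ["Abbott", "Baines", "Cortez", "Dahl", "Eaton", "Farris", "Gale",
        "Hurst", "Ibarra", "Jolly"]


def _stream(domain: str, value: str) -> random.Random:
    """Keyed PRF (HMAC-SHA256) seeding a deterministic generator: same key,
    domain and value -> same stream. Separate domains keep a phone and an
    SSN that happen to share digits from masking identically."""
    mac = hmac.new(MASK_KEY, f"{domain}\x00{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(mac, "big"))


def mask_digits(value: str, domain: str = "digits") -> str:
    """Replace each digit with a keyed pseudorandom digit; separators,
    length and positions are kept, so existing format checks still pass."""
    rng = _stream(domain, value)
    return "".join(str(rng.randrange(10)) if ch.isdigit() else ch for ch in value)


def mask_name(value: str) -> str:
    rng = _stream("name", value)
    return f"{rng.choice(FIRST)} {rng.choice(LAST)}"


def mask_email(value: str) -> str:
    """Mask the local part; keep the domain so the address still looks like
    one of yours (drop it too if the domain itself is sensitive)."""
    local, at, domain = value.partition("@")
    rng = _stream("email", local.lower())
    masked = f"{rng.choice(FIRST).lower()}.{rng.choice(LAST).lower()}{rng.randrange(100)}"
    return masked + at + domain


def same_shape(original: str, masked: str) -> bool:
    """True if the masked value keeps the original's digit/separator layout."""
    return re.sub(r"\d", "9", original) == re.sub(r"\d", "9", masked)


RULES = {
    "name": mask_name,
    "email": mask_email,
    "customer_email": mask_email,  # same rule as "email" so the join survives
    "phone": lambda v: mask_digits(v, "phone"),
    "ssn": lambda v: mask_digits(v, "ssn"),
}


def mask_row(row: dict) -> dict:
    return {k: RULES[k](v) if k in RULES else v for k, v in row.items()}


CUSTOMERS = [
    {"id": 1, "name": "Jane Doe", "email": "jane.doe@example.com",
     "phone": "555-867-5309", "ssn": "123-45-6789"},
    {"id": 2, "name": "Raj Patel", "email": "raj.patel@example.com",
     "phone": "555-010-2020", "ssn": "987-65-4321"},
]
ORDERS = [
    {"order_id": 100, "customer_email": "jane.doe@example.com", "total": 42.0},
    {"order_id": 101, "customer_email": "jane.doe@example.com", "total": 7.5},
    {"order_id": 102, "customer_email": "raj.patel@example.com", "total": 13.0},
]


def joined_orders(customers, orders) -> int:
    """Orders whose customer_email matches a customer row."""
    emails = {c["email"] for c in customers}
    return sum(1 for o in orders if o["customer_email"] in emails)


def mask_tables():
    return [mask_row(r) for r in CUSTOMERS], [mask_row(r) for r in ORDERS]


if __name__ == "__main__":
    masked_customers, masked_orders = mask_tables()
    for row in masked_customers:
        print(row)
    print(joined_orders(CUSTOMERS, ORDERS), joined_orders(masked_customers, masked_orders))
```

Order totals are left untouched because they carry the analytical value the copy exists for; whether a numeric column is itself sensitive is a per-dataset decision. Because the key never leaves the masking job, a stolen non-production copy gives the thief no way back to the real identities, and because the mapping is deterministic, two tables masked in separate runs still join.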
The Future of Data Security Hinges on Programmable Data
Underlying all of these threats to data is the stark reality that our data is nowhere near as automated as our code. In fact, data is the last frontier of automation. To defeat the looming and growing threat of data held for ransom, we need our data and our data security to be programmable.
Automating the rapid provisioning of an immutable copy of your dataset pushes the would-be encryptor off script. Provisioning rapidly to a specific point in time lets us conduct root cause analysis much faster, closing the vulnerability window. Revoking and replacing datasets quickly and with high confidence gives us a way to rapidly stem data exposure. Fine-grained control and reproducibility also mean you can defend your data against even the most sophisticated attackers. Lastly, masking your data delivers the death blow to ransomware bandits: no one is paying them for masked data, and if they release worthless data, they look like fools.