The idea of a “clean room” recovery strategy seems like a trending topic in enterprise cybersecurity, but it certainly isn’t new. The concept itself is well over a decade old, possibly two. You probably first heard it called a sandbox, and later an “Isolated Recovery Environment” (IRE). Now, as with most things, what is old is new again: in the era of ransomware the same concept has been dusted off and given a new face, the Clean Room.
Don’t get me wrong: clean rooms, sandboxes, and IREs are important for a variety of testing, analysis, and, more recently, forensic investigation use cases, but they come at a price. There is the infrastructure cost of the test environment itself, the cost of standing up the backup and recovery components that actually get data into that environment for testing, and, most importantly, the time the whole effort takes. So if you are depending on a “clean room” to figure out which data is good and which is corrupt, you are going to have a bad day. These isolated environments are most useful for post-mortem cyber investigations, testing changes outside of production, and similar activities that won’t slow you down when you are trying to get back to business after an incident like ransomware.
In those cases time is your enemy – you need your latest data back, fast, and it has to be clean. So, if a “clean” room isn’t the right tool for this, then what do you do?
When it comes to ransomware recovery, 2 out of 3 IS bad
As I said, clean rooms, Isolated Recovery Environments, and sandboxes all have their place in an overall cyber strategy, but they aren’t the best option for recovery because of the time factor. When it comes to incident response and recovery (IRR), the ideal tool gives you three things when getting your data back:
You need the latest data – Without the most recent copy of your data, you’re facing data loss. Which files are missing? Which data is out of date? Rolling forward each and every file to verify you have the latest version is an arduous, time-consuming effort. So you need the most recent data back in place.
The recovered data must be clean – Getting the latest copy of the data back is useless if that copy is corrupt or otherwise infected. So you need to make sure that whatever you are getting back is not only the most recent version, but the most recent clean version of your data. Otherwise you’re just reinfecting the environment and adding more time and effort to the mix.
You need that data back fast – Sure, there are manual methods to step through your entire data landscape, find each individual file, and verify whether it’s good or bad, but by the time you finish that task it will be far too late. Beyond getting the latest clean copy of your data back, you need to get it back quickly.
Most tools on the market can do 2 out of these 3 pretty easily…
You can get the latest data back fast, but it won’t be clean.
You can get the latest data back clean, but it won’t be fast.
You can quickly get the data back clean, but it won’t be the latest.
You get the picture. None of these are ideal, but what if you could get all 3?
Enter Druva Curated Recovery
As I said before, other backup solutions fall short of delivering all 3: your latest clean data, fast. That’s mainly because they start by looking for the most recent backup copy that is 100% clean. In the extreme case where a backup holds a million files and only 1 is “bad,” those vendors treat the whole backup as unusable, throwing out the good data with the bad. They then keep going back in time until they find a backup that is 100% clean. Depending on how long the ransomware or malware dwelt in your environment, that can mean going back days, weeks, or even months, and as you can see in our example below, that can mean a lot of outdated or missing data. If you instead want to granularly extract only the latest clean data, it becomes a manual task of stepping through each backup to piece together, file by file, the latest clean version of each.
However, Druva’s unique Curated Recovery capabilities provide an alternative.
Druva Curated Recovery automatically steps back in time through your backup jobs and, for each file, extracts only the latest clean copy, compiling those copies into a brand new composite “GOLD” copy of your data. Thus you get 3 out of 3 for the ideal incident response and recovery scenario:
The latest copy of your data.
That data is clean.
And you get it all back fast.
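To make the difference between the two strategies concrete, here is an added Python illustration. It is not Druva’s code and says nothing about the product’s internals; it simply contrasts a whole-snapshot rollback (restore the newest backup that is 100% clean) with a per-file composite built from the newest clean version of each path. The four daily snapshots, the file contents, the `.locked` and ransom-note rules, and the one-entry known-bad hash list are all constructed for the example and stand in for whatever detection a real product applies.

```python
"""Whole-snapshot rollback versus per-file "curated" recovery.

Added illustration of the recovery logic described in the post above; this is
not Druva's code. Snapshots, file contents and the clean/bad rules are
constructed for the example.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, bytes]  # path -> file content captured by one backup job


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an IOC hash list: a trojanised installer.
KNOWN_BAD_HASHES = {sha256(b"MZ dropper payload")}


def is_clean(path: str, content: bytes) -> bool:
    """Constructed cleanliness check. A real product would plug in its own
    detection here (hash matching, entropy, anomaly scoring, ...)."""
    if path.endswith(".locked") or path.endswith("README_DECRYPT.txt"):
        return False  # attacker-encrypted file or ransom note
    return sha256(content) not in KNOWN_BAD_HASHES


# Four daily backup jobs, oldest first (constructed). Ransomware lands
# between day 1 and day 2; users keep working on unaffected files meanwhile.
SNAPSHOTS: List[Snapshot] = [
    {"finance/q3.xlsx": b"q3 v1", "hr/policy.docx": b"policy v1",
     "eng/design.md": b"design v1", "tools/setup.exe": b"MZ legit installer"},
    {"finance/q3.xlsx": b"q3 v2", "hr/policy.docx": b"policy v1",
     "eng/design.md": b"design v2", "tools/setup.exe": b"MZ legit installer"},
    {"finance/q3.xlsx.locked": b"\x00\xff", "hr/policy.docx": b"policy v2",
     "eng/design.md": b"design v2", "tools/setup.exe": b"MZ legit installer",
     "README_DECRYPT.txt": b"pay us"},
    {"finance/q3.xlsx.locked": b"\x00\xff", "hr/policy.docx.locked": b"\x00\xff",
     "eng/design.md": b"design v3", "tools/setup.exe": b"MZ dropper payload",
     "README_DECRYPT.txt": b"pay us"},
]


def whole_snapshot_recovery(snapshots: List[Snapshot]) -> Tuple[Optional[int], Snapshot]:
    """Walk back from the newest job until one is 100% clean and restore all
    of it. Returns (snapshot index, files), or (None, {}) if none is clean."""
    for idx in range(len(snapshots) - 1, -1, -1):
        snap = snapshots[idx]
        if all(is_clean(p, c) for p, c in snap.items()):
            return idx, dict(snap)
    return None, {}


def curated_recovery(snapshots: List[Snapshot]) -> Tuple[Snapshot, Dict[str, int]]:
    """For every path seen in any job, take the newest version that passes
    is_clean and assemble those into one composite "gold" image.

    Returns (files, provenance); provenance maps path -> snapshot index.
    Paths with no clean version at all (ransom notes, .locked copies) are
    dropped rather than restored. Caveat: a file a user deliberately deleted
    during the dwell window is resurrected by this walk; that is a policy
    choice a real tool has to expose.
    """
    files: Snapshot = {}
    provenance: Dict[str, int] = {}
    paths = {p for snap in snapshots for p in snap}
    for path in sorted(paths):
        for idx in range(len(snapshots) - 1, -1, -1):
            content = snapshots[idx].get(path)
            if content is not None and is_clean(path, content):
                files[path] = content
                provenance[path] = idx
                break
    return files, provenance


if __name__ == "__main__":
    idx, whole = whole_snapshot_recovery(SNAPSHOTS)
    print(f"whole-snapshot rollback: restored day {idx}, {len(whole)} files")
    composite, prov = curated_recovery(SNAPSHOTS)
    print(f"curated composite: {len(composite)} files")
    for path, content in composite.items():
        print(f"  {path:20s} from day {prov[path]}: {content!r}")
```

Run it and the whole-snapshot strategy lands on day 1, discarding the day 2 policy update and the day 3 design edit, while the composite keeps both and still restores the pre-infection installer from day 2. The caveat a practitioner should keep in mind is that the composite is only as good as `is_clean`: anything encrypted or tampered in a way the check does not recognise is restored as “clean,” so the detection rule, not the walk back through snapshots, is where the real engineering effort sits.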