Protect mission-critical backups from accidental or malicious deletion with Continuous Monitoring and Rollback Actions

William Urban, Technical Marketing Manager

Data Protection means a lot of different things to many different members of the IT community. For some, it’s all about firewalls, block lists, and denying access. For others, it’s about making sure sensitive data is protected from misuse or unauthorized access. But when it comes to making sure your organization can recover from a malicious attack like ransomware or data destruction, it really comes down to having a fully robust backup and recovery plan. Over the years we have talked about “air-gapped” backups and how vital they are to your business. An “air-gapped” backup simply means that someone who gains access to your production environment has no way to also remove or modify your backups.

But the cloud era is upon us, and we really need a more robust and resilient backup ecosystem. When you are protecting multiple clouds, multiple data centers, and even multiple SaaS applications, it does you no good if the same malicious software or user that crippled your production environment can also target and wreak havoc on your backups. Challenges arise when trying to solve cloud era data protection with archaic backup tools. 

  • If your backup software is only updated once a quarter, how are you making sure you get new features or bug fixes in a timely manner? 
  • If your backup software sits inside the same environment you are protecting, how are you protecting that system from misuse or destruction? 
  • If your backup system is a virtual server or hardware device, what happens during an outage?
  • If your organization’s user credentials are compromised, is your backup software any safer?

Meet the Druva Data Resiliency Cloud

The Druva Data Resiliency Cloud

Druva addresses both operational security and data integrity as a SaaS-based backup solution, offering customers the best in robust data integrity, data availability, operational security, and accelerated recovery.

  • Each cloud-based backup is air-gapped and safe from malicious software execution. 
  • There is no access to the backups themselves from the protected environment, so ransomware can’t encrypt or delete them.
  • The Druva Data Resiliency Cloud has a robust security model in place with continuous scanning, patching, and upgrades, and is hosted on AWS’s global secure platform for additional security and durability.
  • The Druva Data Resiliency Cloud has full workflows for recovery in any situation.

But what about bad actors, you say? Ransomware usually gets the news headlines, but what if a malicious insider has full access to your multi-cloud and even your backup environments? What about an angry or disgruntled administrator? Or what if there’s just an accidental data issue? If someone has full access to your cloud and is able to pass or circumvent the MFA policies put in place, all it takes is a deliberate or accidental deletion to ruin your chances of recovery.

Now that I’ve added additional stress to your security posture, how do we solve this? Well…

Continuous monitoring and rollback actions

The Druva Data Resiliency Cloud has many benefits over any classic “maintain it yourself” backup solution. But the two we are going to focus on are Continuous Monitoring and Rollback Actions. As part of the Druva solution, our amazing 24x7x365 Cloud and Security Operations team monitors backup environment actions and uses anomaly detection algorithms to alert us when something seems off. We don’t just monitor the success or failure of your backups to let you know there might be a problem; while we never touch the backups themselves, we also monitor back-end metadata about your account and environment.

For example, someone deleted 100 users on a Monday morning and that has never happened before? That’s a little odd, so let’s reach out to you. Entire backup sets are deleted or whole swaths of devices are removed? Are you decommissioning servers, or did you need to retain that data? That’s a little odd, so let’s reach out. Someone who has never logged in from another country suddenly seems to be deleting everything you have? We should probably give you a call.

But notification and continuous monitoring are only a part of it. It does you no good if we call you and tell you that all of your backups were deleted only to find out you didn’t initiate it, so the other aspect to this is rollback actions.

Rollback actions are like a secondary safety net in the “air-gapped” aspect of your backup strategy. Within the Druva Data Resiliency Cloud, even if you are deleting objects, users, or backups, we still maintain them for several days afterward just in case. Think of it as analogous to a recycle bin. But this bin can’t be emptied by the customer or a bad actor. So if you accidentally delete the wrong laptop device and realize it after the fact, or someone goes in and starts removing users and profiles — don’t worry, we still have them and they are safe. In the case of credential misuse where a bad actor may maliciously remove endpoints, users, virtual machines, NAS or file shares, or even databases, the rollback actions feature keeps track of these and allows administrators to quickly recover not only the data from deleted backups but also the environmental objects themselves. This gives the administrator the ability to revert malicious or unintended actions without any loss of data and to restore productivity rapidly.
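As an added illustration (not Druva’s code), here is a minimal model of the rollback bin described above: every deletion becomes a time-stamped tombstone, the tenant-facing calls can restore objects but have no way to purge them, and only a service-side expiry discards them after the retention window. The 7-day window, the object kinds, and the scenario in demo() are all assumptions.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=7)  # assumed window; the post only says "several days"

class RollbackBin:
    """Soft-delete store: tenants can delete and roll back but cannot purge; only age_out() discards."""

    def __init__(self):
        self.live = {}  # (kind, obj_id) -> object payload
        self._bin = {}  # (kind, obj_id) -> (payload, deleted_at) tombstone

    def create(self, kind, obj_id, payload):
        self.live[(kind, obj_id)] = payload

    def delete(self, kind, obj_id, now):
        # Deletion only moves the object into the bin; nothing is dropped here.
        self._bin[(kind, obj_id)] = (self.live.pop((kind, obj_id)), now)

    def rollback(self, kind, obj_id, now):
        # Restore one object; refused once its tombstone has aged past RETENTION.
        tomb = self._bin.get((kind, obj_id))
        if tomb is None or now - tomb[1] > RETENTION:
            return False
        self.live[(kind, obj_id)] = self._bin.pop((kind, obj_id))[0]
        return True

    def rollback_since(self, since, now):
        # Revert every deletion recorded at or after `since`, e.g. the start of a burst.
        keys = [k for k, (_, at) in self._bin.items() if at >= since]
        return sum(self.rollback(kind, obj_id, now) for kind, obj_id in keys)

    def age_out(self, now):
        # Service-side expiry: the only code path that discards a tombstone.
        expired = [k for k, (_, at) in self._bin.items() if now - at > RETENTION]
        for k in expired:
            del self._bin[k]
        return len(expired)

def demo():
    # Constructed scenario: a laptop is retired on purpose an hour before a burst of three
    # user deletions; the burst is reverted a day later, the laptop is left to age out.
    rb, t0 = RollbackBin(), datetime(2023, 10, 9, 2, 0)
    rb.create("device", "laptop-1", {})
    rb.delete("device", "laptop-1", t0 - timedelta(hours=1))
    for i in range(3):
        rb.create("user", f"u{i}", {"name": f"user {i}"})
        rb.delete("user", f"u{i}", t0 + timedelta(seconds=i))
    day1, day8 = t0 + timedelta(days=1), t0 + timedelta(days=8)
    purged_early = rb.age_out(day1)                 # 0: everything is still inside RETENTION
    restored = rb.rollback_since(t0, day1)          # 3: the burst is reverted, laptop untouched
    late = rb.rollback("device", "laptop-1", day8)  # False: past the window, cannot be restored
    return purged_early, restored, len(rb.live), late, rb.age_out(day8)  # (0, 3, 3, False, 1)
```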

So how does this process work? With billions of backups, of course we aren’t calling everyone every time a single device is deleted — we rely on advanced detection and alerting based on aberrant behavior. So what if, all of a sudden, we start to see hundreds or thousands of deletions? This will trigger our AI-enabled anomaly detection engine, flagging an alert to our SecOps and support team. This would then typically result in a support engineer reaching out to you to ask what’s going on. 
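An added example (not Druva’s detection engine) of the two signals this section describes, run over a constructed audit log: a sliding-window count of deletions per actor compared against a per-actor baseline, and a deletion issued from a country the actor has never logged in from. The actor names, log format, thresholds, and baselines are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
BASELINE_FACTOR = 5  # assumed: alert when one WINDOW holds 5x the actor's historical peak
MIN_BURST = 50       # assumed floor so a first-ever handful of deletions does not page anyone

# Constructed baselines: countries each admin has logged in from, and each admin's peak
# deletions inside one WINDOW. A real system would learn these from account history.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}
PEAK_DELETES = {"alice": 5, "bob": 10}

# Constructed audit log: alice retires 3 laptops at 09:00; "bob" removes 120 users within
# two minutes at 02:00 from a country bob has never logged in from.
SAMPLE_LOG = [
    json.dumps({"ts": "2023-10-09T09:00:00", "actor": "alice", "action": "delete",
                "kind": "device", "id": f"laptop-{i}", "country": "US"}) for i in range(3)
] + [
    json.dumps({"ts": f"2023-10-09T02:{i // 60:02d}:{i % 60:02d}", "actor": "bob",
                "action": "delete", "kind": "user", "id": f"user-{i}", "country": "ZZ"})
    for i in range(120)
]

def parse(lines):
    events = [json.loads(line) for line in lines]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return events

def detect(events, known_countries, peak_deletes):
    """One alert per (actor, signal): a deletion burst beyond the actor's baseline,
    or a deletion issued from a country the actor has never logged in from."""
    recent = defaultdict(deque)  # actor -> timestamps of deletes inside the sliding WINDOW
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "delete":
            continue
        actor, ts, country = ev["actor"], ev["ts"], ev["country"]
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop deletes that fell out of the window
            q.popleft()
        threshold = max(MIN_BURST, BASELINE_FACTOR * peak_deletes.get(actor, 0))
        if len(q) > threshold and (actor, "burst") not in fired:
            fired.add((actor, "burst"))
            alerts.append({"actor": actor, "signal": "burst",
                           "detail": f"{len(q)} deletes in {WINDOW}, threshold {threshold}"})
        if country not in known_countries.get(actor, set()) and (actor, country) not in fired:
            fired.add((actor, country))
            alerts.append({"actor": actor, "signal": "new_country", "detail": country})
    return alerts
```

Running detect(parse(SAMPLE_LOG), KNOWN_COUNTRIES, PEAK_DELETES) flags only bob: once for the unfamiliar country on the first delete, and once for the burst when the 51st deletion lands inside the hour.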

Continuous monitoring and rollback options workflow

If everything is exactly how you wanted it to happen, no problem, those safety net copies will age out and there will be no impact on what you were trying to do. 

This combination of continuous monitoring across all of our customers’ backups, and the ability to keep deleted objects that cannot be tampered with by anyone, gives you an added layer of protection and security when it comes to your most important failsafe — your backups.

Case study — How Druva helped a customer avoid complete data loss due to malicious access

Imagine if you will, that you are getting ready to sit down and enjoy a wonderful holiday meal with your family. Your Slack has been muted, your company is in ghost mode, and suddenly you receive a phone call from a support technician at Druva. This isn’t a sales call, and we would never want to interrupt a family holiday meal, but we are just checking to see if you are actively deleting hundreds of users and backups. A sudden sense of dread washes over you. No, that’s not you or your admin staff. So, by working with support, you see that there are thousands of devices and backups actively being deleted from your backup environment. 

This can and has happened to customers. While nobody wants to get a call during a family feast, Druva called and verified that the anomalies we were seeing were malicious in nature, which allowed the customer to deactivate compromised accounts and alert their security team. During this process, a ransomware attack was happening on certain systems, and with compromised credentials, the bad actor was able to log in and start removing the only way of recovering the data by deleting backups. Luckily the customer, after having been notified, worked with support to remove all access and properly restore all of the impacted environments from the backups. From there, the customer was able to leverage some of our advanced ransomware recovery and monitoring tools to find out which backups were affected and where logins were coming from, and, with the help of support, cleanly restore systems to their pre-attack state.

Key takeaways

Ransomware, compromised credentials, insider attacks, or even accidental deletion of data can cause chaos in your organization. The last line of defense against a malicious attack is recovering from backups. But you may not even know something is wrong until it’s too late, and this may affect your ability to restore. With Druva, you receive continuous monitoring and the ability to safely protect that final copy of your backups; you can feel confident that you will be notified and be able to recover your data no matter what happens.

Read the press release to learn more about our new continuous monitoring and rollback actions features, and join us as we continue our discussion of how Druva can provide comprehensive data protection and recovery from ransomware. 

It’s not too late to register for Druva’s Cyber Resilience Summit. The event is taking place TODAY, October 13, features industry experts like Santhosh Rao from Gartner, and includes discussions of security best practices from companies like yours. You won’t want to miss it!