Ransomware: Building Multi-Layered Defense & Accelerating Recovery

Lauren Hamilton, Director, Content Marketing

Backing up your data is only the first step in cyber resilience; protecting your business against a ransomware attack requires a multi-layered defense that works at scale. Druva recommends a multi-layered defense for ransomware protection to keep your data integrity and backups safe, and to make recovery fast and easy to manage whenever an attack hits.

How Do You Implement a Multi-Layered Defense for Ransomware Protection?

There are three key components to multi-layered defense: 

  • Ensure Data Integrity & Availability 
  • Operationalize Security
  • Accelerate Your Recovery

Implementing these three pillars of cyber resilience helps ensure you can recover effectively with minimal impact on business continuity.

How to Ensure Your Data is Safe Before an Attack

Data Integrity & Availability For Your Backups

One of the first things ransomware attackers do once inside your environment is try to find and delete or corrupt your backups. They know that intact backups are the main way you can avoid paying the ransom. The solution is to air-gap your backups and implement access controls that keep them out of threat actors' reach.

Air-gapped backup data is stored in a separate environment that is not connected to the business network. Equally important, ransomware can't execute in that environment: there is no host or persistent process for it to attach to, and compromised credentials from the production network don't grant the ability to encrypt or delete there. There's nowhere to run.

For more about air-gapping backups, check out our recent solution brief on immutability.

Zero Trust & Multi-Factor Authentication (MFA)

Threat actors want control of everything in your environment, starting with your communications systems and data: email, phone records, Slack, messaging, all of it. More control means more havoc.

This is where zero trust comes into play. Zero trust replaces the outdated assumption that activity inside an organization's network, or its vendors' networks, can be implicitly trusted, an assumption that ignores malicious insiders and stolen credentials. It holds the vendor to the same standard as the infrastructure it protects: limiting admin credentials, enforcing strong identity verification, and monitoring and validating user behavior. Layering MFA, SSO, and role-based access control (RBAC) on top makes it far harder for a threat actor to delete backup data, whether they are an insider or an outsider working with stolen credentials, because a password alone is no longer enough to encrypt or delete. Everyone has to authenticate, whether they're on the company network or not.

Druva’s Delayed Deletion 

What happens in the worst case, when everything else fails? Deleted backup data is automatically retained for seven days in an inaccessible cache (the retention period can be extended beyond seven days). So even if backups are deleted, they can still be restored. Your data remains recoverable with Druva.
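To make the interaction between the access controls above and delayed deletion concrete, here is an added example (not Druva's code, and not its API) of a toy backup control plane. It assumes a `backup_admin` role, an MFA flag on the session, and a seven-day hold window; all names and the scenario in `demo()` are constructed for illustration.

```python
"""Added example, not Druva's code: a toy backup control plane combining
RBAC, an MFA requirement for destructive actions, and delayed deletion.
Class names, the 'backup_admin' role and the 7-day hold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

DELAYED_DELETE_WINDOW = timedelta(days=7)  # assumed default; extend per policy


@dataclass
class Principal:
    name: str
    roles: Set[str]
    mfa_verified: bool  # True only when this session completed a second factor


@dataclass
class Snapshot:
    snapshot_id: str
    deleted_at: Optional[datetime] = None   # None => live
    purge_after: Optional[datetime] = None  # earliest time a purge job may remove it


class BackupService:
    def __init__(self, hold: timedelta = DELAYED_DELETE_WINDOW):
        self.hold = hold
        self.snapshots: Dict[str, Snapshot] = {}
        self.audit: List[tuple] = []

    def add_snapshot(self, snapshot_id: str) -> None:
        self.snapshots[snapshot_id] = Snapshot(snapshot_id)

    def _authorize(self, who: Principal, action: str) -> None:
        # RBAC: only backup admins may delete or restore; MFA for every destructive call.
        if "backup_admin" not in who.roles:
            raise PermissionError(f"{who.name}: role set lacks '{action}'")
        if not who.mfa_verified:
            raise PermissionError(f"{who.name}: MFA required for '{action}'")

    def delete_snapshot(self, who: Principal, snapshot_id: str, now: datetime) -> datetime:
        """Marks the snapshot deleted; its bytes stay in the hold cache until purge_after."""
        self._authorize(who, "delete")
        snap = self.snapshots[snapshot_id]
        snap.deleted_at = now
        snap.purge_after = now + self.hold
        self.audit.append(("delete", who.name, snapshot_id, now))
        return snap.purge_after

    def restore_deleted(self, who: Principal, snapshot_id: str, now: datetime) -> Snapshot:
        """Undoes a deletion that is still inside the hold window."""
        self._authorize(who, "restore")
        snap = self.snapshots[snapshot_id]
        if snap.deleted_at is None:
            raise ValueError(f"{snapshot_id} is not deleted")
        if now >= snap.purge_after:
            raise LookupError(f"{snapshot_id} hold window expired")
        snap.deleted_at = snap.purge_after = None
        self.audit.append(("restore", who.name, snapshot_id, now))
        return snap

    def purge_expired(self, now: datetime) -> List[str]:
        """Background job: the only code path that physically removes data."""
        expired = [s.snapshot_id for s in self.snapshots.values()
                   if s.purge_after is not None and now >= s.purge_after]
        for sid in expired:
            del self.snapshots[sid]
        return expired

    def live_snapshots(self) -> List[str]:
        return sorted(sid for sid, s in self.snapshots.items() if s.deleted_at is None)


def demo() -> dict:
    """Walks the scenario from the text: stolen admin password, then a deferred delete."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    svc = BackupService()
    for sid in ("snap-001", "snap-002", "snap-003"):
        svc.add_snapshot(sid)
    stolen_creds = Principal("admin", {"backup_admin"}, mfa_verified=False)
    admin = Principal("admin", {"backup_admin"}, mfa_verified=True)
    results = {}
    try:  # a stolen password alone is not enough: the MFA gate rejects the delete
        svc.delete_snapshot(stolen_creds, "snap-001", t0)
        results["stolen_password_only"] = "deleted"
    except PermissionError:
        results["stolen_password_only"] = "blocked"
    # Even a fully authenticated delete only moves the snapshot into the hold cache ...
    svc.delete_snapshot(admin, "snap-002", t0)
    results["live_after_delete"] = svc.live_snapshots()
    # ... so it can be reversed within the window.
    svc.restore_deleted(admin, "snap-002", t0 + timedelta(days=3))
    results["live_after_restore"] = svc.live_snapshots()
    svc.delete_snapshot(admin, "snap-003", t0)
    results["purged_day_6"] = svc.purge_expired(t0 + timedelta(days=6))
    results["purged_day_8"] = svc.purge_expired(t0 + timedelta(days=8))
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that no API call deletes bytes directly: `delete_snapshot` only schedules a purge, and `purge_expired` is the sole physical-removal path, so an attacker who gets past RBAC and MFA still has to wait out the hold window while the real administrators regain access and reverse the deletion.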

How Can You Operationalize Your Security?

Taking care of your data is only the first step in cyber resilience. The tech stack that handles that data also needs to be secure, so security has to be baked into the way you do business. Make it a measurable, business-oriented part of daily operations.

Managing security operations across multiple solutions is difficult and complex. Almost half of vulnerabilities are exploited after a patch has already been released, and unpatched, vulnerable backup systems are a direct route in for attackers. To combat that, look for a Software-as-a-Service (SaaS) solution that provides automated monitoring and response at scale.

5 Ways to Operationalize Your Security

  • Vulnerability scans and pen testing
  • Regular patching and upgrades
  • Vendors with SLAs on vulnerability resolution
  • Pick vendors whose developers have restricted access to the production operating environment
  • Hire or partner with dedicated SecOps personnel for 24/7/365 threat monitoring and response across your environment

Case Study: Operationalized Security

Restoring Critical Data After Combined Ransomware & Credential Attack

In this case study, an international jewelry retailer suffered a ransomware attack coupled with credential theft. Immediately before executing the ransomware encryption, the threat actor logged in with stolen administrative credentials and deleted both the backup data and the administrative profiles. The retailer's real backup administrators were locked out, unable to log in and assess what was going on. This was particularly devastating because the deleted data was the data they needed to run payroll, and it was very close to the end of the month.

Customer Challenges

Customer: International Jewelry Retailer

  • Ransomware attack and credential compromise
  • Attacker deleted the admin profiles, locking out the real administrators, along with the backup data
  • Deleted the critical SQL data needed for payroll

Positive Business Outcomes

  • Druva proactively called the backup administrator and confirmed the attack
  • Fully restored two servers worth of data within hours
  • Company paid their employees on time
  • Led to MFA implementation

How Druva Resolved the Attack

  • Delayed deletion
  • Continuous monitoring
  • Multi-layer SaaS model 
  • High-touch customer experience
  • Managed recovery orchestration

Now, Let’s Accelerate Your Recovery

Data recovery after a ransomware attack can be a tedious, manual process that takes months. Even then, how can you be confident that the restored data is clean and complete? Below are five factors that get in the way of response and recovery.

5 Factors That Affect the Ability to Respond and Recover

  • Lack of orchestration for Incident Response (IR)
  • Spread of contamination between systems
  • Inability to access targeted datasets for forensics
  • Reinfection due to contaminated recovery data
  • Data loss, inability to recover complete data set

Druva’s Solution for Accelerating Recovery

  • Containment: automatically quarantine affected backups and prevent malware from spreading
  • Identification: unusual data activity detection flags anomalous data sets
  • Recovery: recovery scans and curated recovery automatically restore clean, uninfected data
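The identification and recovery steps above rest on one idea: compare each backup snapshot with the one before it and look for the signature of mass encryption. The following added example (not Druva's code, and not a description of its detection engine) does that over constructed snapshot manifests. The indicator thresholds, the ransom-note extension list, and the three sample manifests are all assumptions chosen for illustration.

```python
"""Added example, not Druva's code: flag anomalous backup snapshots and pick
the last clean restore point. Thresholds, extensions and sample manifests are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicators; tune to your own data.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
CHANGE_RATE_THRESHOLD = 0.5   # share of previously backed-up files altered or removed
ENTROPY_THRESHOLD = 7.5       # bits per byte; encrypted output sits close to 8.0


@dataclass(frozen=True)
class FileRecord:
    content_hash: str   # hash of the stored content
    entropy: float      # Shannon entropy of the content, 0..8 bits/byte


Manifest = Dict[str, FileRecord]   # path -> record, as a backup catalog would hold it


@dataclass
class SnapshotReport:
    snapshot_id: str
    changed_ratio: float
    high_entropy_ratio: float
    ransom_ext_ratio: float
    anomalous: bool


def analyze(snapshot_id: str, prev: Optional[Manifest], curr: Manifest) -> SnapshotReport:
    """Compares a snapshot with its predecessor and scores ransomware indicators."""
    if prev:
        changed = sum(1 for path, rec in prev.items()
                      if path not in curr or curr[path].content_hash != rec.content_hash)
        changed_ratio = changed / len(prev)
    else:
        changed_ratio = 0.0  # first snapshot: no baseline to diff against
    n = len(curr)
    high_entropy_ratio = sum(1 for r in curr.values() if r.entropy >= ENTROPY_THRESHOLD) / n
    ransom_ext_ratio = sum(1 for p in curr if p.endswith(RANSOM_EXTENSIONS)) / n
    # Require mass churn AND an encryption signal: archives are high entropy on
    # their own, and a large refactor churns files without encrypting them.
    anomalous = changed_ratio >= CHANGE_RATE_THRESHOLD and (
        high_entropy_ratio >= 0.5 or ransom_ext_ratio > 0)
    return SnapshotReport(snapshot_id, changed_ratio, high_entropy_ratio,
                          ransom_ext_ratio, anomalous)


def scan_chain(chain: List[Tuple[str, Manifest]]) -> List[SnapshotReport]:
    """Scores every snapshot in chronological order against the one before it."""
    reports, prev = [], None
    for sid, manifest in chain:
        reports.append(analyze(sid, prev, manifest))
        prev = manifest
    return reports


def last_clean_restore_point(reports: List[SnapshotReport]) -> Optional[str]:
    """Newest snapshot taken before the first anomalous one (None if the chain starts dirty)."""
    clean = None
    for r in reports:
        if r.anomalous:
            break
        clean = r.snapshot_id
    return clean


def quarantined_snapshots(reports: List[SnapshotReport]) -> List[str]:
    """Snapshots that must not be used for restore until forensics clears them."""
    return [r.snapshot_id for r in reports if r.anomalous]


BASELINE: Manifest = {  # constructed: ordinary office data plus one zip archive
    "finance/payroll.xlsx": FileRecord("h1", 4.6),
    "finance/q4.docx": FileRecord("h2", 4.9),
    "hr/roster.csv": FileRecord("h3", 3.8),
    "db/payroll.bak": FileRecord("h4", 5.2),
    "archive/2023.zip": FileRecord("h5", 7.8),   # legitimately high entropy
    "etc/app.conf": FileRecord("h6", 4.2),
}
NORMAL_DAY: Manifest = dict(BASELINE, **{"finance/q4.docx": FileRecord("h2b", 4.9)})  # one edit
ENCRYPTED_DAY: Manifest = {  # constructed: attacker encrypted and renamed most files, left a note
    "finance/payroll.xlsx.locked": FileRecord("x1", 7.9),
    "finance/q4.docx.locked": FileRecord("x2", 7.9),
    "hr/roster.csv.locked": FileRecord("x3", 7.9),
    "db/payroll.bak.locked": FileRecord("x4", 7.9),
    "archive/2023.zip.locked": FileRecord("x5", 7.9),
    "etc/app.conf": FileRecord("h6", 4.2),
    "README_RESTORE_FILES.txt": FileRecord("x6", 4.1),
}
SAMPLE_CHAIN = [("snap-01", BASELINE), ("snap-02", NORMAL_DAY), ("snap-03", ENCRYPTED_DAY)]

if __name__ == "__main__":
    reps = scan_chain(SAMPLE_CHAIN)
    for r in reps:
        print(r)
    print("restore from:", last_clean_restore_point(reps),
          "quarantine:", quarantined_snapshots(reps))
```

Run as-is, the scan flags only `snap-03`, leaves the archive-heavy baseline alone, and names `snap-02` as the restore point; a real implementation would feed the quarantined IDs to the containment step and the clean ID to curated recovery rather than print them.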

3 Pillars You Need to Stay Ahead of a Ransomware Attack

  • Data Integrity & Availability: resilient cloud operations require mature cloud solutions
  • Operational Security: Managing security is too challenging to tackle alone
  • Accelerated Recovery: Immediate collaboration across backup and information security orchestration and automation

The Druva Data Resiliency Cloud ensures data integrity with air-gapped, immutable backups, so ransomware can't execute against them and you always have safe backup data for rapid recovery at scale. It transforms every stage of the recovery process so you can get critical business functions back online in time to avoid paying the ransom.

Learn More

Watch Druva's Cyber Resilience Virtual Summit 2021, now available on demand. In eight 10-15 minute sessions, security leaders, Druva experts, and industry peers discuss how to make ransomware no more than a minor inconvenience rather than a business-ender. When your data is taken hostage, you need the right people on your team to get it back with confidence.