Post on 26-Jun-2020
Protecting Your Business From A Ransomware & Cyber Attack
Syed Saleem
Advisory Systems Engineer
© Copyright 2017 Dell Inc. 2
Disruption and Transformation
• Infrastructure transformation: mobile, cloud. Less control over access, devices and back-end infrastructure.
• Threat landscape transformation: APTs, sophisticated fraud. Fundamentally different tactics, more formidable than ever.
• Business and legal transformation: more hyper-extended, more digital. Extended workforce, networked value chains, big data.
Cyber Attacks Evolving
Traditional threats (theft, denial of service) are giving way to emerging threats (ransomware, destruction).
Nature of the Cyber Attacks On The Rise
• All industries and organizations are vulnerable
• No system is 100% secure. Understanding the threats you face will help you improve your preparedness.
• The attacks are getting more sophisticated
• Insider access is a contributing factor in 25% of the cases
• The majority of attackers are still entering via email
With serious stakes
"A Fortune 1000 company will fail because of a cyber breach"
"In 2017, the basic fabric of trust is at stake as CEOs grapple with how to defend against escalating, dynamic security and privacy risk."
True Costs of Ransomware
Lost Revenue             $2,500,000
Incident Response           $75,000
Legal Advice                $70,000
Lost Productivity          $250,000
Forensics                   $75,000
Recovery & Re-Imaging       $60,000
Data Validation             $25,000
Brand Damage               $500,000
Litigation                 $200,000
Ransom                      $30,000
Total Costs of Attack    $3,785,000
The ransom is the smallest line item: the other nine items add up to $3,755,000, more than 125 times the ransom, and they are incurred whether or not the ransom is paid.
Regulatory Guidance
"... It is vital for state insurance regulators to provide effective cyber-security guidance regarding the protection of the insurance sector's data security and infrastructure." ~NAIC
"Another control for consideration is an 'air-gap,' a security measure in which a computer, system, or network is physically separated from other computers, systems, or networks. An air-gapped data backup architecture limits exposure to a cyber attack and allows for restoration of data to a point in time before the attack began." ~FFIEC
"Best practices to protect information systems and networks from destructive malware attack include ... Segregate network systems" ~NSA
"Financial institutions should consider … logical network segmentation, hard backups, air gapping [and] physical segmentation of critical systems" ~Federal Reserve
"Competent authorities should assess whether the institution has comprehensive and tested business resilience and continuity plans in place" ~European Banking Authority
NIST CSF functions: Identify, Protect, Detect, Respond, Recover
NIST Cybersecurity Framework [CSF Draft v1.1]
Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
• Supply Chain Risk Management
Protect
• Access Control
• Awareness and Training
• Data Security (Integrity Checking)
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology
Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes
Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover
• Recovery Planning
• Improvements
• Communications
• Validation (the slide's addition; not a CSF v1.1 category)
Dell Technologies Aligned Services (as listed on the slide across the five functions)
• Risk Management
• RSA Incident Discovery
• Identity Management
• RSA NetWitness® security analytics for early detection
• Security Hardening Services
• Event Logs Monitoring (ESRS)
• Isolated Recovery Solutions
• Isolated Recovery Governance & Measurement Program
• RSA NetWitness® Forensics / RSA Archer Recovery Management Focus
• Incident Response Retainer
• Advanced Cyber Defense
Traditional Strategies Are Not Enough
Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect
Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: backup catalog, PBBA [Data Domain], tape library metadata DB
Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: patient needs, brand, lost trust
Layered Cyber-Security for Data Protection
Level of protection, from good to best:
• Good: traditional data protection best practices
• Better: additional hardening and protection features
• Best: advanced protection services
Environment hardening
1. Examples
• Inactivity timeout
• Deny consecutive login attempts
• Password aging/rotation
• Password complexity
• Disable default accounts
• Communication port disable/change
• Restrict hosts access/IP
• Use of SSH and certificates
• Disable HTTP, FTP, telnet, etc.
• Disable unused services
• Apply latest security patches
• Use SYSLOG server/prevent audit log roll over
2. Review the latest respective EMC Product Security Guides for Hardening Guidelines
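As an added example for this slide (not Dell EMC tooling, and not text from the Product Security Guides), the checklist turned into a Python audit of a generic Linux host's sshd_config, login.defs and listening services, with the weak settings beside the corrected ones. The file contents and service list are constructed, and the thresholds (3 attempts, 90-day aging, 14-character minimum, 300 s idle timeout) are assumptions to align with your own policy; appliance CLIs such as Data Domain's expose these knobs differently.

```python
"""Audit SSH/login/service settings against the hardening checklist on this slide.

Added example for this page, not Dell EMC code. Inputs are constructed text
standing in for /etc/ssh/sshd_config, /etc/login.defs and a listening-socket
listing; the policy thresholds are assumptions.
"""

# Constructed sshd_config: the weak settings beside the corrected ones.
WEAK_SSHD = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
ClientAliveInterval 0
"""

# Port moved off the default, root blocked, keys/certificates only, 3 tries,
# 5-minute idle timeout, and access restricted to one admin from one host.
HARDENED_SSHD = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers vaultadmin@10.10.20.5
"""

# Constructed login.defs. Complexity is normally enforced by pam_pwquality;
# PASS_MIN_LEN is used here as a stand-in for a minimum-length policy.
WEAK_LOGIN_DEFS = "PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n"
HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_LEN 14\n"

# Constructed (port, service) pairs as a socket scan would report them.
WEAK_LISTENERS = [(21, "ftp"), (22, "sshd"), (23, "telnet"), (80, "httpd")]
HARDENED_LISTENERS = [(2222, "sshd"), (443, "httpd")]

# Assumed policy thresholds.
MAX_AUTH_TRIES = 3
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LEN = 14


def parse_kv(text):
    """Parse 'Key value' lines (sshd_config / login.defs style); skips blanks and comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cfg[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def audit(sshd_text, login_defs_text, listeners):
    """Return finding strings; an empty list means every checklist item passed."""
    ssh = parse_kv(sshd_text)
    login = parse_kv(login_defs_text)
    findings = []

    # Inactivity timeout (OpenSSH default ClientAliveInterval is 0 = never)
    if int(ssh.get("ClientAliveInterval", "0")) == 0:
        findings.append("no SSH inactivity timeout (ClientAliveInterval 0)")
    # Deny consecutive login attempts (OpenSSH default MaxAuthTries is 6)
    if int(ssh.get("MaxAuthTries", "6")) > MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries above {MAX_AUTH_TRIES}")
    # Password aging/rotation and complexity
    if int(login.get("PASS_MAX_DAYS", "99999")) > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password aging disabled or above {MAX_PASSWORD_AGE_DAYS} days")
    if int(login.get("PASS_MIN_LEN", "0")) < MIN_PASSWORD_LEN:
        findings.append(f"password minimum length below {MIN_PASSWORD_LEN}")
    # Default account (root) disabled for remote use; SSH keys/certificates, not passwords
    if ssh.get("PermitRootLogin", "prohibit-password") != "no":
        findings.append("root login over SSH not fully disabled")
    if ssh.get("PasswordAuthentication", "yes") != "no":
        findings.append("SSH password authentication enabled; use keys/certificates")
    # Restrict hosts access/IP
    if "AllowUsers" not in ssh and "AllowGroups" not in ssh:
        findings.append("no AllowUsers/AllowGroups restriction in sshd_config")
    # Disable HTTP, FTP, telnet and other cleartext or unused services
    for port, svc in listeners:
        if svc in ("ftp", "telnet") or (svc == "httpd" and port == 80):
            findings.append(f"cleartext service {svc} listening on port {port}")
    # The slide's "communication port change" item; a weak control on its own
    if any(port == 22 for port, svc in listeners if svc == "sshd"):
        findings.append("sshd still on default port 22")
    return findings
```

Run against the constructed weak host the audit reports eleven findings; against the hardened one it reports none. The SYSLOG forwarding and patch-level items on the slide are not checked here because they are not visible in these two files.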
Protect endpoints and cloud data
• Infection path: an endpoint is infected from a website, email, or sync and share; the infection then syncs to the cloud, to NAS, and on to the rest of the users.
• Recover from a non-executable, point-in-time backup.
MIND THE AIR GAP
Isolated recovery solution – how it works
Critical data resides off the network and is isolated.
Diagram: Production apps and DR/BU sit on the corporate network; business data and tech config data (the mission-critical data) move into the isolated recovery environment over a dedicated connection as part of a risk-based replication process, across an air gap that is otherwise closed.
Dell EMC Isolated Recovery Solution
1. Plan & Design
• Identify business critical applications & dependencies
• Identify systems involved
• Develop a strategy with objectives
2. Isolate & Replicate
• Network isolation + air gap
• Dedicated network link
• Enable link -> replicate -> disable link
• Automated and scripted
3. Validate Data
• Validate copy after replication
• Store trusted copies with versioning
• Dell EMC & customer tools used to validate
4. Restore & Recover
• Dynamic procedures to recover destroyed data
• Leverages investment in DR application recovery procedures
Isolated Recovery – Dell EMC Data Domain
• Create backup of data
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Enable link and initiate restore
Diagram: Primary Storage and Backup App Hosts feed a Backup Appliance (DD); DD Replication crosses the Air Gap into the Isolated Recovery Vault, which holds the Isolated Recovery System, a Management Host and Recovery Test Hosts.
Isolated Recovery – Dell EMC VMAX
• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services
Diagram: Primary Storage replicates over SRDF across the Air Gap into the Isolated Recovery Vault, which holds the Isolated Recovery System, a Management Host, Validation Hosts and Restore Hosts.
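The replicate-and-lock cycle that the Data Domain and VMAX slides both describe, as an added example that is not Dell EMC's own code: the link, vault, retention period and file contents are plain Python stand-ins for DD Replication or SRDF, and the validation step compares SHA-256 manifests computed independently on each side. The two properties worth checking are that the link is down again however the cycle ends, and that a restore point under retention lock survives both a later replication of ransomware-encrypted data and an attempt to delete it.

```python
"""One isolated-recovery cycle: enable link, replicate, validate, lock, disable link.

Added example for this page; not Dell EMC Data Domain, DD Replication or SRDF
code. Link, vault, retention period and file contents are constructed stand-ins
for the components on the slide.
"""
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)                     # assumed WORM lock period
T0 = datetime(2020, 6, 26, tzinfo=timezone.utc)    # constructed clock start


def manifest(files):
    """SHA-256 per path; production and vault compute this independently and compare."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


class Link:
    """Dedicated network link; down except inside a replication window."""

    def __init__(self):
        self.enabled = False
        self.log = []

    def enable(self):
        self.enabled = True
        self.log.append("enable")

    def disable(self):
        self.enabled = False
        self.log.append("disable")

    def transfer(self, files):
        if not self.enabled:
            raise RuntimeError("link is down")
        return {path: bytes(data) for path, data in files.items()}


class CorruptingLink(Link):
    """Constructed fault: flips the first byte of every file in flight."""

    def transfer(self, files):
        copied = super().transfer(files)
        return {p: (bytes([d[0] ^ 0xFF]) + d[1:]) if d else d for p, d in copied.items()}


class Vault:
    """Isolated recovery system holding versioned, retention-locked restore points."""

    def __init__(self, retention):
        self.retention = retention
        self.versions = []

    def commit(self, files, now):
        self.versions.append({"files": files, "manifest": manifest(files),
                              "locked_until": now + self.retention})
        return len(self.versions) - 1

    def delete(self, index, now):
        """WORM semantics: a locked point cannot be removed, even by an admin."""
        if now < self.versions[index]["locked_until"]:
            raise PermissionError(f"restore point {index} is retention-locked")
        self.versions[index] = None

    def restore(self, index):
        return dict(self.versions[index]["files"])


def replicate_cycle(link, vault, production_files, now):
    """Return the committed version index, or None when validation fails.

    The link is disabled in `finally`, so a failed or tampered copy never
    leaves the vault connected to the production network.
    """
    expected = manifest(production_files)       # computed production-side
    link.enable()
    try:
        staged = link.transfer(production_files)
        if manifest(staged) != expected:        # validated vault-side
            return None
        return vault.commit(staged, now)
    finally:
        link.disable()


def demo():
    """A good copy, then an encrypted copy a day later, then a tampered transfer."""
    link, vault = Link(), Vault(RETENTION)
    good = replicate_cycle(link, vault, {"ledger.db": b"2020-06-25 balances OK"}, T0)
    # Production is hit the next day; the encrypted data lands as a *new* version only
    encrypted = replicate_cycle(link, vault, {"ledger.db": b"\x8f\x12LOCKED"}, T0 + timedelta(days=1))
    try:
        vault.delete(good, T0 + timedelta(days=2))
        lock_held = False
    except PermissionError:
        lock_held = True
    bad_link = CorruptingLink()
    tampered = replicate_cycle(bad_link, Vault(RETENTION), {"ledger.db": b"x"}, T0)
    return {"good_version": good, "encrypted_version": encrypted, "lock_held": lock_held,
            "restored": vault.restore(good), "tampered_version": tampered,
            "links_closed": not link.enabled and not bad_link.enabled, "link_log": link.log}
```

`demo()` returns the pre-attack restore point intact and the tampered transfer rejected, with every link window closed. In a real vault the manifest comparison would be replaced by the Dell EMC and customer validation tools the slide mentions, and the lock by the appliance's own retention feature.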
Proactive Analytics in the IR Vault
Why analytics in the vault?
• Increase effectiveness of Prevent/Detect cybersecurity when performed in a protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only occur when an application is initially brought up.
Categories of data
• Transactional Data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual Property – static/large (checksums, file entropy)
• Executables / Config. Files – static/small (checksums, malware scans)
Diagram: Isolated Recovery Vault containing the Isolated Recovery System, a Management Host, Validation Hosts and Backup App Hosts.
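As an added example (not Dell EMC's analytics tooling), one check per data category above, run inside the vault against a staged copy: checksums against a baseline for executables and config files, byte entropy for the static document set, and sentinel records plus a row-count variance check for transactional data. The files, rows, 7.5 bits/byte threshold and sentinel set are constructed assumptions; the malware scan the slide lists for executables is left to a scanner.

```python
"""Integrity checks run inside the vault on a staged copy, one per data category.

Added example for this page, not Dell EMC analytics tooling. Files and rows are
constructed in memory; the entropy threshold and sentinel set are assumptions.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte (assumption): text sits well below, ciphertext near 8


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_executables(files, baseline):
    """Executables / config (static, small): any checksum drift from the baseline is a finding."""
    findings = []
    for path, expected in baseline.items():
        actual = sha256(files[path]) if path in files else None
        if actual != expected:
            findings.append(f"{path}: checksum drift or missing")
    return findings


def check_intellectual_property(files, threshold=ENTROPY_THRESHOLD):
    """IP (static, large): a document that became high-entropy since the last copy looks encrypted."""
    return [f"{path}: entropy {shannon_entropy(data):.2f} bits/byte"
            for path, data in files.items() if shannon_entropy(data) > threshold]


def check_transactional(rows, sentinels, previous_count, max_shrink=0.5):
    """Transactional (dynamic, large): sentinel records must be intact and the
    record count must not collapse beyond the assumed variance."""
    findings = []
    by_id = {row["id"]: row for row in rows}
    for sid, expected in sentinels.items():
        if by_id.get(sid) != expected:
            findings.append(f"sentinel record {sid} missing or altered")
    if len(rows) < max_shrink * previous_count:
        findings.append(f"row count fell from {previous_count} to {len(rows)}")
    return findings


# ---- constructed sample data: a clean staged copy and an attacked one ----------
GOOD_BACKUPD = b"\x7fELF backupd 2.1 build 4711"
GOOD_CONF = b"retention=30d\n"
BASELINE = {"bin/backupd": sha256(GOOD_BACKUPD), "etc/backupd.conf": sha256(GOOD_CONF)}
DESIGN_DOC = b"0\nSECTION\n2\nENTITIES\n0\nLINE\n8\nTURBINE_BLADE\n" * 40   # DXF-like text
CIPHERTEXT = bytes(range(256)) * 8                                            # uniform bytes: 8.0 bits/byte
ROWS = [{"id": i, "amount": i * 10} for i in range(1000)]
SENTINELS = {7: {"id": 7, "amount": 70}, 500: {"id": 500, "amount": 5000}}

CLEAN_COPY = {"files": {"bin/backupd": GOOD_BACKUPD, "etc/backupd.conf": GOOD_CONF,
                        "designs/turbine.dxf": DESIGN_DOC},
              "rows": ROWS}
ATTACKED_COPY = {"files": {"bin/backupd": GOOD_BACKUPD + b"\x90\x90",   # trojaned binary
                           "etc/backupd.conf": GOOD_CONF,
                           "designs/turbine.dxf": CIPHERTEXT},           # encrypted by ransomware
                 # 90% of the log wiped and sentinel 7 altered
                 "rows": [dict(r, amount=0) if r["id"] == 7 else r for r in ROWS[:100]]}


def run_checks(copy, previous_count=len(ROWS)):
    """Findings per category; all three empty means the copy can be kept as a trusted restore point."""
    files = copy["files"]
    return {
        "executables": check_executables(files, BASELINE),
        "intellectual_property": check_intellectual_property(
            {p: d for p, d in files.items() if p.startswith("designs/")}),
        "transactional": check_transactional(copy["rows"], SENTINELS, previous_count),
    }
```

On the constructed data the clean copy passes all three checks, while the attacked copy raises one checksum finding, one entropy finding and three transactional findings (two sentinels, one count drop). Tune the entropy threshold per data set: already-compressed or already-encrypted archives will sit near 8 bits/byte legitimately and need a per-file baseline rather than a fixed cut-off.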
The Most Critical Data First
• Protect the "heartbeat" of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there
Diagram: Compute, Applications, Validate & Store, Highest Priority Data.
Isolated recovery complements disaster recovery
• Systems are isolated: the environment is disconnected from the network and restricted from users other than those with proper clearance.
• Periodic data copy: software automates data copies to secondary storage and backup targets.
• Integrity checking & alerting: workflows stage copied data in the isolated recovery zone and perform periodic integrity checks to rule out that it was affected by malware.
• Recovery & remediation: procedures to perform recovery/remediation after an incident.
Why Us?
Corporate initiative
• >2 years in
• Dozens of people, thousands of hours
Real-world, deployed customers
Data Domain characteristics make IR better
• De-dupe
• Hardening: ports, device-based replication, Retention Lock