Date post: 26-Jun-2020
Page 1

GLOBAL SPONSORS

Protecting Your Business From A Ransomware & Cyber Attack

Syed Saleem

Advisory Systems Engineer

Page 2

© Copyright 2017 Dell Inc.

Disruption and Transformation

• Infrastructure Transformation (Mobile, Cloud): Less Control Over Access Device And Back-end Infrastructure

• Threat Landscape Transformation (APTs, Sophisticated Fraud): Fundamentally Different Tactics, More Formidable Than Ever

• Business and Legal Transformation (Extended Workforce, Networked Value Chains, Big Data): More Hyper-extended, More Digital

Page 3

Cyber Attacks Evolving

Theft, Denial of Service, Ransomware, Destruction

Traditional Threats, Emerging Threats

Page 4

Nature of the Cyber Attacks On The Rise

• All industries and organizations are vulnerable

• No system is 100% secure. Understanding the threats you face will help you improve your preparedness.

• The attacks are getting more sophisticated

• Insider access is a contributing factor in 25% of the cases

• The majority of attackers are still entering via email

Page 5

With serious stakes

“A Fortune 1000 company will fail because of a cyber breach”

“In 2017, the basic fabric of trust is at stake as CEOs grapple with how to defend against escalating, dynamic security and privacy risk.”

Page 6

True Costs of Ransomware

Lost Revenue: 2,500,000
Incident Response: 75,000
Legal Advice: 70,000
Lost Productivity: 250,000
Forensics: 75,000
Recovery & Re-Imaging: 60,000
Data Validation: 25,000
Brand Damage: 500,000
Litigation: 200,000

Total Costs of Attack: $3,785,000

Ransom: $30,000

Page 7

Regulatory Guidance

“... It is vital for state insurance regulators to provide effective cyber-security guidance regarding the protection of the insurance sector’s data security and infrastructure.” ~NAIC

“Another control for consideration is an "air-gap," a security measure in which a computer, system, or network is physically separated from other computers, systems, or networks. An air-gapped data backup architecture limits exposure to a cyber attack and allows for restoration of data to a point in time before the attack began.” ~FFIEC

“Best practices to protect information systems and networks from destructive malware attack include ... Segregate network systems” ~NSA

“Financial institutions should consider … logical network segmentation, hard backups, air gapping [and] physical segmentation of critical systems” ~Federal Reserve

“Competent authorities should assess whether the institution has comprehensive and tested business resilience and continuity plans in place” ~European Banking Authority

NIST CSF: Identify, Protect, Detect, Respond, Recover

Page 8

NIST Cybersecurity Framework [CSF Draft v1.1]

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
• Supply Chain Risk Management

Protect
• Access Control
• Awareness and Training
• Data Security (Integrity Checking)
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications
• Validation

Dell Technologies Aligned Services
• Risk Management
• RSA Incident Discovery
• Identity Management
• RSA NetWitness® security analytics for early detection
• Security Hardening Services
• Event Logs Monitoring (ESRS)
• Isolated Recovery Solutions
• Isolated Recovery Governance & Measurement Program
• Measurement Program
• RSA NetWitness® Forensics / RSA Archer Recovery Management
• Focus
• Incident Response Retainer
• Advanced Cyber Defense

Page 9

Traditional Strategies Are Not Enough

Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect

Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: Backup Catalog, PBBA [Data Domain], Tape Library Meta Data DB

Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: Patient needs, Brand, Lost trust

Page 10

Layered Cyber-Security for Data Protection

Level of Protection
• Good: Traditional Data Protection Best Practices
• Better: Additional Hardening and Protection Features
• Best: Advanced Protection Services

Page 11

Environment hardening

1. Examples
• Inactivity timeout
• Deny consecutive login attempts
• Password aging/rotation
• Password complexity
• Disable default accounts
• Communication port disable/change
• Restrict hosts access/IP
• Use of SSH and certificates
• Disable HTTP, FTP, telnet, etc.
• Disable unused services
• Apply latest security patches
• Use SYSLOG server/prevent audit log roll over

2. Review the latest respective EMC Product Security Guides for Hardening Guidelines

Page 12

Protect endpoints and cloud data

Diagram labels: Infected from website, email, sync and share; Sync infection to cloud; Sync infection to NAS; Sync infection to rest of users; Recover; Non-Executable; Point in time backup

Page 13

MIND THE AIR GAP

Page 14

Isolated recovery solution – how it works

Critical data resides off the network and is isolated

Diagram labels: Production Apps; Corporate Network; Business Data; Tech Config Data (Mission-critical Data); RISK-BASED REPLICATION PROCESS; Dedicated Connection; Air Gap; Isolated Recovery; DR/BU

Page 15

Dell EMC Isolated Recovery Solution

1. Plan & Design
• Identify business critical applications & dependencies
• Identify systems involved
• Develop a strategy with objectives

2. Isolate & Replicate
• Network isolation + air gap
• Dedicated network link
• Enable link -> replicate -> disable link
• Automated and scripted

3. Validate Data
• Validate copy after replication
• Store trusted copies with versioning
• Dell EMC & customer tools used to validate

4. Restore & Recover
• Dynamic procedures to recover destroyed data
• Leverages investment in DR application recovery procedures

Page 16

Isolated Recovery – Dell EMC Data Domain

• Create backup of data
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Enable Link and initiate restore

Diagram labels: Primary Storage; Backup Appliance; DD Replication; Air Gap; ISOLATED RECOVERY VAULT; Isolated Recovery System; Management Host; Recovery Test Hosts; Backup App Hosts

Page 17

Isolated Recovery – Dell EMC VMAX

• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services

Diagram labels: Primary Storage; SRDF; Air Gap; ISOLATED RECOVERY VAULT; Isolated Recovery System; Management Host; Validation Hosts; Restore Hosts

Page 18

Proactive Analytics in the IR Vault

Why Analytics in the Vault?

• Increase effectiveness of Prevent/Detect cybersecurity when performed in protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only occur when application is initially brought up.

Categories of Data

• Transactional Data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual Property – static/large (checksums, file entropy)
• Executables / Config. Files – static/small (checksums, malware scans)
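
The checksum and file-entropy checks listed for static data, shown as an added example (not from the original deck or any Dell EMC tool): a copy replicated into the vault is compared against a manifest of the last trusted copy. The 7.5 bits/byte threshold, the function names, the file names and the sample contents are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

ENTROPY_LIMIT = 7.5  # bits/byte; assumed threshold, tune per data set


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def build_manifest(files: dict) -> dict:
    """Record SHA-256 and entropy for every file in a trusted copy."""
    return {name: {"sha256": hashlib.sha256(blob).hexdigest(),
                   "entropy": shannon_entropy(blob)}
            for name, blob in files.items()}


def validate_copy(trusted: dict, replica: dict) -> dict:
    """Compare a newly replicated copy against the trusted manifest."""
    findings = {}
    for name, meta in trusted.items():
        blob = replica.get(name)
        if blob is None:
            findings[name] = "missing"
        elif hashlib.sha256(blob).hexdigest() != meta["sha256"]:
            # A changed file whose entropy jumps to near-random looks encrypted.
            ent = shannon_entropy(blob)
            jumped = ent > ENTROPY_LIMIT and meta["entropy"] <= ENTROPY_LIMIT
            findings[name] = "changed+high-entropy" if jumped else "changed"
    for name in replica.keys() - trusted.keys():
        findings[name] = "new"
    return findings


# Constructed sample data: the last trusted copy and today's replica.
TRUSTED = {"app.conf": b"listen=8443\ntls=on\n" * 200,
           "design.txt": b"Quarterly design notes. " * 400,
           "svc.bin": bytes(range(64)) * 64}
REPLICA = {k: v for k, v in TRUSTED.items() if k != "svc.bin"}  # svc.bin missing
REPLICA["app.conf"] = b"listen=8080\ntls=off\n" * 200  # edited config
REPLICA["design.txt"] = os.urandom(9600)               # stand-in for encrypted content
REPLICA["extra_note.txt"] = b"placeholder note\n"      # unexpected new file

if __name__ == "__main__":
    for name, verdict in sorted(validate_copy(build_manifest(TRUSTED), REPLICA).items()):
        print(f"{name}: {verdict}")
```

A plain "changed" verdict still needs review against change records; the entropy jump only separates likely encryption from ordinary edits, and already-compressed formats sit near 8 bits/byte even when clean.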

Diagram labels: ISOLATED RECOVERY VAULT; Isolated Recovery System; Management Host; Validation Hosts; Backup App Hosts

Page 19

The Most Critical Data First

• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there

Diagram labels: Compute; Applications; Validate & Store; Highest Priority Data

Page 20

Isolated recovery complements disaster recovery

• Recovery & Remediation: Procedures to perform recovery/remediation after an incident

• Integrity Checking & Alerting: Workflows stage copied data in the isolated recovery zone and perform periodic integrity checks to rule out that it was affected by malware

• Periodic Data Copy: Software automates data copies to secondary storage and backup targets

• Systems Are Isolated: Environment is disconnected from the network and restricted from users other than those with proper clearance

Page 21

Why Us?

Corporate initiative

• >2 years in
• Dozens of people, thousands of hours

Real-world, deployed customers

• Transactional Data – dynamic/large (log variances, sentinel

Data Domain characteristics make IR better

• De-dupe
• Hardening: Ports, device-based replication, Retention lock
