Tech Field Day 17 brought a presentation from Dell EMC Protect on a new solution for protecting backup data, Dell EMC Cyber Recovery 18.1. Security is top of mind these days, with big attacks making national headlines. Usually only a matter of weeks go by before the next ransomware attack hits the airwaves, and stories of weighing lost time/productivity versus the often risky move of paying a ransom to rescue your data are far too commonplace.
Dell hammered this problem home by presenting a case study of a global manufacturer that was the victim of an attack back in 2017. There was a vulnerability in the billing software this company used, and they were one of sixty other companies that were affected by this breach. Seventeen of their factories world-wide came to a standstill, 5000 servers were down and 17,000 employees were impacted. Most importantly the company lost $15 million Euros in revenue per day. Zoom out a bit from this particular case and we see that the average breach and dwell time (time before a compromise is even discovered) is 170 days, and the average incident and response time is 28 days. This means that in many cases, an attack isn’t something that is easily detectable or recoverable.
Are your backups secure?
With the rise of ransomware attacks, many backup vendors have touted their ability to safe guard from ransomware (or other modern vulnerabilities) by providing the capability to easily restore your infrastructure to a pre-compromised state. This isn’t necessarily untrue, but in some instances, how do you know what that state is? Knowing the average breach and dwell time, there certainly is a possibility that some backup data you could restore to may still contain the vulnerability. With the sophistication of attackers these days, many of the well known enterprise backup vendors are also susceptible to having their backup data/tools targeted in such a breach so that backup data can potentially be rendered useless. Once that happens, ransomware has an even tighter stranglehold on the victim.
What is Dell Cyber Recovery?
At a high level, Cyber Recovery uses a vault that contains an “air-gapped” infrastructure, including a repository for replicated backup data, creates immutable copies of that data, and uses analytics (AI/ML) to detect possible compromises within any of that data.
Being that this is a Dell EMC Protect solution, the backup target necessary to run Cyber Recovery is Data Domain. There is also a somewhat small infrastructure footprint that needs to exist within the vault to run the Cyber Recovery software and the analytics that are provided by a partnership with Index Engines. Of course, that means that unless you have extra hardware and a spare Data Domain lying around, this solution requires some new infrastructure. Dell recognizes this, and includes the Cyber Recovery software free of charge.
Confidence in your backups
The purpose of Dell Cyber Recovery is to give customers confidence that their backup data is secure, and that they can easily recover from known good backups. Access to the Cyber Recovery Vault is opened only for the purpose of replicating from the primary Data Domain to the vault Data Domain. That provides for immutable copies of your backup data to exist within the vault, and therefore inaccessible to attackers.
Once in the vault, the data is churned through the analytics provided by Index Engines. This deep level data scanning allows for the system to detect any changes from what it has seen before that could possibly be a result of some kind of compromise. As stated earlier, a system could be compromised for a long period of time before an actual attack occurs. The analytics built in to Cyber Recovery can help detect abnormalities and allow for some vulnerabilities to be dealt with proactively. It also marks backups that are known to be clean, so that should you need to recover from an attack, the guesswork as to which backup you need to restore from is removed.
Dell Cyber Recovery targets an often overlooked aspect of backup architecture. Due to the reality of the world we live in, security has to be front and center for most large companies. Attacks are coming from left and right, especially for governmental organizations or companies that deal with highly sensitive data. Backups for Disaster Recovery are pretty much a given these days, but protecting your backup data itself is something that probably doesn’t get much consideration outside the types of organizations I just mentioned. Unfortunately, it does require a lot of forward thinking and a good bit of cash to protect that one small aspect of your infrastructure. Cyber Recovery is not an all encompassing security solution, rather it solves one particular problem within a much larger security ecosystem. Many companies may not be willing to spend the time and money for a security blanket that you may never really need. It is also true that not all companies have their backup data currently residing on Data Domain. For companies that don’t already have Dell EMC Protect infrastructure, it may be a hard sell to rip and replace just to get in the door for this solution. That being said, all it takes is one large-scale attack and a ton of time and money lost for this to look like a good investment.
Check out the full presentation from Tech Field Day, starting with part one below (parts 2-4 available at Tech Field Day):
Disclaimer: I was invited by Gestalt IT to participate as a delegate for this Tech Field Day presentation. While my travel and accommodations were paid for by Gestalt IT, I was in no way compensated for this blog post. I was not obligated by anyone to post about any of the presentations that occurred during Tech Field Day. Any blog posts, tweets or other content related to my time at Tech Field Day are my own views for the sole purpose of creating consumable content.