As an IT Security professional, I can tell you that one of the worst events for IT is data loss. One of my own responsibilities is to notify my company’s clients if there is ever a breach that involves their data, which is not a call I want to make. But data loss does not always come from exfiltration – the data could be encrypted in a ransomware attack. This would still require that call, and now I would have to explain how the attack occurred.
One of the most important steps a company can take is to prepare before something bad happens. Post-infection is the worst time to start planning how to recover. The FBI has some good recommendations on how to help avoid a ransomware event. These include, among other items, keeping systems and software up-to-date on patches, creating a business continuity plan before something happens, and securing data backups, including making sure they are free from infection (https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware). Keeping systems and software up-to-date is important as new vulnerabilities are discovered all the time. You can only follow a business continuity plan if you have one, so make sure to get these drafted. An emergency is not the time to come up with things like roles and responsibilities.
However, I have an issue with the last task I mentioned – securing your backups and making sure they are free from infection. I am not suggesting companies should not have backups – quite the contrary, as that is how you recover data in case something happens such as staff overwriting their own files (and that will happen). But the problem is with RPO/RTO. RPO, or Recovery Point Objective, is how much data your business can lose. If you back up once each day, then your RPO is 24 hours since you could lose a full day of work when restoring. Of course, you can just back up more often, but that could add cost and impact the business due to resource constraints. RTO, or Recovery Time Objective, is the amount of downtime you can tolerate or the time it will take to restore from backup. If you have a terabyte of data, how long would it take to access your backup media, restore the data, and get it back into production? If that process takes 24 hours and you back up only once each day, then it is possible to have 2 days of lost business since you could have up to 24 hours of missing data and it takes up to 24 hours to recover fully. Of course, that is only if your latest backup did not contain encrypted data from a ransomware event.
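To make that arithmetic concrete, here is an added example (not part of the original post) that computes the data-loss window, the downtime and their sum for a nightly backup schedule, first with a clean latest backup and then with the latest backup already containing encrypted data. The dates, the 4-hour media access time, the 50 GB/h restore speed and all function names are assumptions chosen so that the restore takes the 24 hours used above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken: datetime  # point in time the backup captures
    clean: bool      # True if verified free of ransomware-encrypted files


def recovery_exposure(backups, detected, data_gb, restore_gb_per_hour,
                      media_access_hours=0.0):
    """Return (data_loss, downtime, total) as timedeltas.

    data_loss: work done between the newest clean backup and detection.
    downtime:  time to fetch the backup media plus time to restore the data.
    """
    usable = [b for b in backups if b.clean and b.taken <= detected]
    if not usable:
        raise ValueError("no clean backup predates the incident")
    restore_point = max(b.taken for b in usable)
    data_loss = detected - restore_point
    downtime = timedelta(hours=media_access_hours + data_gb / restore_gb_per_hour)
    return data_loss, downtime, data_loss + downtime


# Constructed sample: nightly backups at 00:00, 1 TB of data, 4 h to reach the
# backup media and 50 GB/h restore speed (24 h to be back in production).
NIGHTLY = [datetime(2024, 3, day) for day in (1, 2, 3, 4)]
DETECTED = datetime(2024, 3, 4, 23, 0)  # ransomware noticed late on day 4


def scenario(infected_from=None):
    """Mark every backup taken at or after `infected_from` as unusable."""
    backups = [Backup(t, infected_from is None or t < infected_from)
               for t in NIGHTLY]
    return recovery_exposure(backups, DETECTED, data_gb=1000,
                             restore_gb_per_hour=50, media_access_hours=4)


if __name__ == "__main__":
    print("latest backup clean:   ", scenario())
    print("latest backup infected:", scenario(datetime(2024, 3, 3, 18, 0)))
```

With a clean latest backup the business loses just under two days; once the newest backup is unusable, the restore point moves back a full backup interval and the total grows by another 24 hours.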
Fortunately, there is a better way. RackTop, a company started by US Intelligence Community veterans, created a product called BrickStor that protects data at the source. They took the zero-trust model of security and applied it to probably the most important asset for a company: its data. Security staff tend to have lots of tools to analyze the network for events, but that could be too late in the case of a ransomware attack. If someone is connected to the company when ransomware deploys, it could flow to on-premises file servers, possibly encrypting data for all staff. However, BrickStor uses an active defense to monitor data access in real-time. That ransomware event would be stopped as soon as it deploys, and IT would be alerted to the event. But it is not just ransomware. It can even stop something like data exfiltration. Your users need to access company data, but if one of them starts downloading too much, BrickStor would stop that event. The best part is that you do not have to rip out your existing file servers, as BrickStor can be installed in front of them, either through an appliance connected to your SAN or as a virtual appliance.
Not being able to recover from a malicious event could sink a company, so it is important to be prepared. But recovery should not take too long as that can impact the business almost as much as the event. By adding BrickStor to your environment, you can monitor data access and stop any malicious events proactively. But do not take my word for it. You can listen to Eric Bednash, RackTop’s CEO and co-founder, talk about this technology at https://www.youtube.com/watch?v=fL4ot5tu3Fo. Better yet, head over to RackTop’s website to request a demo.