Mike_Kiev - Fotolia
Recognizing that ransomware is targeting backup systems, backup vendors are teaming up with security companies to beef up their ransomware protection defenses.
Phil Goodwin, research director at IDC, said security for backups isn't a new issue, but there is now greater awareness of it and a desire to address it. Arcserve extended its Secured by Sophos portfolio in May to cover Microsoft Office 365 and hybrid cloud deployments, and Druva introduced API integration in its InSync product with FireEye Helix in June to let security teams view access and performance information.
Goodwin said there is value in coordinating backup and security from a recovery point objective (RPO) perspective. If security can determine the point of intrusion, it's easier for backup admins to roll back. Previously, these were two separate activities, and backup admins would have to determine the clean restore point -- one that doesn't accidentally restore the malware -- by trial and error.
"What we're seeing is a reaction from the backup vendors - more interest to integrate backup and security," Goodwin said.
Goodwin said this trend is exemplified by the recent Druva-FireEye and Arcserve-Sophos partnerships, as well as vendors that develop these joint measures in-house such as Acronis, IBM and Cohesity. Acronis and IBM were among the earliest to combine backup and security, along with Carbonite, which Goodwin said is the only backup vendor he could think of that acquired a company to gain security capabilities.
Hal Lonas, SVP and CTO of Carbonite, an OpenText company, worked for Webroot for 10 years before Carbonite bought it. He said both companies had recognized early that there was a need to bring backup and security together and build something called, "cyber resilience." It wouldn't be enough to simply be able to recover the data -- organizations must still be able to run its applications and keep doing business in the middle of cyberattacks.
"Businesses are looking at business continuity in the face of ransomware and security threats, making sure your backups are working and secure, you're not backing up malware and your backup program isn't getting attacked," Lonas said.
Lonas said SMBs are most in need of cyber resilience, and they represent Carbonite's biggest market opportunity. Former Carbonite CEO Steve Munford, who stepped down from the position after OpenText bought Carbonite in December 2019, had a "laser focus" on SMB and accelerated the integration between Carbonite and Webroot. This meant tapping into Webroot's managed service provider (MSP) partnerships and adding Carbonite to Webroot's platform.
Lonas said the Carbonite-Webroot cyber-resilience platform will be unveiled this summer. It will feature the same learning management system for security education and phishing simulators from the Webroot platform combined with the backup capabilities from Carbonite. The platform, which will be targeted at MSPs, is meant to make it easy to deploy and manage its features, check the statuses of all the endpoints and centralize billing.
In response to COVID-19, Lonas said Webroot had added additional coursework and security training specifically to address a heavily work-from-home world. Examples included targeted training on consumer devices and shared SaaS storage such as Dropbox. He said the world was trending toward work-from-home already, and the coronavirus only sped things up.
"I think we've seen a jump forward in time -- a 30% jump into the future, accelerated by about five years," Lonas said.
Ransomware a catalyst
Naveen Chhabra, senior analyst at Forrester Research, said this backup and security combination is a rising trend in response to the growing ransomware threat. Ransomware had been going after backup for a while, but that doesn't happen in every case. Nevertheless, organizations have grown uncomfortable with the possibility that they might not be able to recover from their backup systems, and vendors are teaming up to close this vulnerability.
"This was one of my recommendations to all of the backup vendors three and a half years ago," Chhabra said.
Chhabra also pointed out how difficult it is to research the outcome of paying a ransom. Some companies require public disclosure, such as when London-based foreign currency exchange company Travelex paid $2.3 million to cybercriminals, but private organizations have no such mandate. Therefore, it's hard for analysts to accurately determine how often companies actually get access to their data back after paying versus how often they get ghosted. In addition, Chhabra said criminals don't often graciously identify how their ransomware got in, so there's no guarantee an organization won't get reinfected via the same vulnerability later.
Chhabra said it's important for vendors to build tools that bridge the gap between security and backup. A security team in constant communication with backup admins works, but not at scale. He said there needs to be tools that share information intelligently between the two groups, and that can develop a recovery workflow based on knowing when unauthorized access happened and what systems were infected.
Ransomware works by laying dormant until backup systems have replicated it a few times, compromising all backup copies after that initial point of infection. Chhabra said a speedy and successful recovery hinges on identifying when that infection first started.
"All those copies are more or less time bombs," Chhabra said.
In February 2019, Protek, an IT MSP based in Sandy, Utah, suffered a ransomware attack. Protek's backup provider was unable to spin up 200 to 300 servers in a week to keep the business running, as per its agreement. CEO Eric Woodard said he had used this backup provider for eight years and done successful recoveries before. However, he had never tested such a large-scale recovery. He decided it was better to pay the $92,000 ransom, and even though Protek got a decryption key five days later, it still took months to decrypt all its data.
"I learned the hard way that my backup provider didn't have a DR plan themselves," Woodard said. "I don't know if all vendors consider losing all servers at once."
Protek has 50 customers and 15 employees. The MSP offers services such as IT support, backup, DR and phone systems for its clients, which are businesses that range between 10 and 200 computers. It is responsible for 1,500 to 2,000 endpoints and has about $3 million in annual revenue.
Woodard has since switched to OffsiteDataSync, and he tested and guaranteed its ability to spin up hundreds of servers from backups in a short amount of time. However, backup wasn't the only point of failure. The attackers got into Protek's systems through a vulnerability in a ConnectWise plugin, which was designed to exchange information between the ConnectWise software and Kaseya's. The criminals used this exploit to bypass Protek's security measures, which included two-factor authentication (2FA), a next-generation firewall and threat hunting, and distributed malware to 1,700 endpoints in 30 minutes.
Backup is not enough for ransomware protection
Woodard said he takes security very seriously and uses products from vendors such as Huntress Labs, Carbon Black and Mist Systems. Protek's backup and recovery servers are as isolated from production as possible, with separate vendors, separate logins and 2FA on every server. Woodard said backup is just another aspect of security, so he treats both with the same level of seriousness. Yet, he said he doesn't feel he has a perfect solution, as he's still missing an efficient way to determine which backup copies are "clean" and safe to recover from.
"Backups are really nothing more than security. Consolidation is desperately needed," Woodard said.
After the attack, Woodard and his team reached out to Protek's clients and told them what happened. They personally met each one and did group briefings every night, explaining the situation and the measures Protek was taking to recover all the encrypted data. Arcserve recently published a study finding that 17% of customers will view ransomware-afflicted businesses as incompetent, and 43% would immediately seek out a competing product or service after an attack. Woodard said Protek was able to retain 95% of its customers through his transparency efforts.
"We came out of the box and said, 'This is what happened.' We didn't try to hide it," Woodard said.
Gaidar Magdanurov, chief cyber officer and COO at Acronis, said COVID-19 has increased the importance and stress of IT infrastructure -- and cybercriminals know it. He said since everyone is an at-home worker, everyone is under attack. More endpoints are hosting business-critical data, while also representing potential access points into an organization's sensitive systems. It's no longer enough to just be able to recover from backup -- the current challenge is locking down a widely spread attack surface.
"Backup is not enough anymore. Pretty much overnight, we've become work-from-home, and we just can't do anything without IT anymore," Magdanurov said.
Magdanurov said combining backup and security, which Acronis has been doing for the past three years, is necessary in a world where cybercriminals have access to the same resources as legitimate organizations do to mount their attacks. Criminals can tap into cloud computing for more processing power, use AI to develop better malware and collaborate within their networks to share code and discuss vulnerabilities.
The Acronis Cyber Protect product can detect and remove malware from backup copies, automate backups, perform instant recovery and collect data from memory dumps so security can investigate the aftermath of an attack. Even still, Magdanurov said social engineering is the number one vulnerability, and it takes training -- not tech -- to plug that gap.
"It's a game that's nearly impossible to win," Magdanurov said.