Protecting Business-Critical Data from a Cyber-attack

Jim Shook, Director, Data Protection Cyber-security and Compliance Practice
Alex Almeida, Sr. Advisor, Product Marketing


© Copyright 2017 Dell Inc. 2

A different challenge

“It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”

— Fortune, July 2015


With serious stakes

“A Fortune 1000 company will fail because of a cyber breach”

“In 2017, the basic fabric of trust is at stake as CEOs grapple with how to defend against escalating, dynamic security and privacy risk.”


True costs of ransomware

Cost item                    USD
Lost Revenue             2,500,000
Incident Response           75,000
Legal Advice                70,000
Lost Productivity          250,000
Forensics                   75,000
Recovery & Re-Imaging       60,000
Data Validation             25,000
Brand Damage               500,000
Litigation                 200,000
Ransom                      30,000
Total Costs of Attack    3,785,000

The nine non-ransom items sum to $3,755,000; the $3,785,000 total includes the $30,000 ransom, which is under 1% of the cost of the attack.


Regulatory guidance

“... It is vital for state insurance regulators to provide effective cyber-security guidance regarding the protection of the insurance sector’s data security and infrastructure.” ~NAIC


“Another control for consideration is an ‘air-gap,’ a security measure in which a computer, system, or network is physically separated from other computers, systems, or networks. An air-gapped data backup architecture limits exposure to a cyber attack and allows for restoration of data to a point in time before the attack began.” ~FFIEC

“Best practices to protect information systems and networks from destructive malware attack include ... Segregate network systems” ~NSA

“Financial institutions should consider … logical network segmentation, hard backups, air gapping [and] physical segmentation of critical systems” ~Federal Reserve

“Competent authorities should assess whether the institution has comprehensive and tested business resilience and continuity plans in place” ~European Banking Authority

NIST Cybersecurity Framework (CSF) core functions: Identify, Protect, Detect, Respond, Recover


Interagency technical guidance

Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.

Secure your backups . . . Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.
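The guidance above asks for backups whose integrity is verified before they are trusted for recovery. The following is an added example, not code from the deck or from Dell EMC, of the check a validation host could run: a SHA-256 manifest recorded when the backup completes, re-checked later against the replicated copy, with a byte-entropy test that classifies a changed file as probably encrypted in place. The file names, contents, ransom-note name and the 7.5 bits/byte threshold are constructed for illustration.

```python
"""Backup integrity validation for an isolated recovery copy.

Added example, not code from the deck or from Dell EMC. A SHA-256 manifest
is recorded when a backup completes; a validation host later re-hashes the
replicated copy and reports files that are missing, changed, newly added, or
changed *and* high-entropy (the usual look of ransomware-encrypted data).
All file names and contents below are constructed for illustration.
"""
import hashlib
import math
from collections import Counter

# Assumption: ordinary text, CSV and config data sits well below this; data
# that is encrypted (or compressed) approaches the 8.0 bits/byte maximum.
ENTROPY_THRESHOLD = 7.5


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record file name -> (sha256 hex digest, size) at backup completion."""
    return {name: (sha256(blob), len(blob)) for name, blob in files.items()}


def validate_copy(manifest: dict, copy: dict) -> dict:
    """Compare a replicated copy against the manifest taken at backup time.

    Returns lists of 'missing', 'modified', 'encrypted' (a subset of modified)
    and 'extra' files, plus 'clean', which is True only when all four are empty;
    only a clean copy should be fast-copied and retention-locked as a PIT.
    """
    report = {"missing": [], "modified": [], "encrypted": [], "extra": []}
    for name, (digest, size) in manifest.items():
        if name not in copy:
            report["missing"].append(name)
            continue
        blob = copy[name]
        if len(blob) != size or sha256(blob) != digest:
            report["modified"].append(name)
            if shannon_entropy(blob) > ENTROPY_THRESHOLD:
                report["encrypted"].append(name)
    report["extra"] = sorted(set(copy) - set(manifest))
    report["clean"] = not any(report[k] for k in ("missing", "modified", "encrypted", "extra"))
    return report


# Constructed sample backup: a trading application's config, data and the
# backup catalog that a NetWorker-style disaster recovery would need.
GOOD_BACKUP = {
    "trading/config.ini": b"[engine]\nmode=live\nthreads=8\n" * 20,
    "trading/orders.csv": b"id,symbol,qty\n1,ACME,100\n2,XYZ,50\n" * 50,
    "catalog/bootstrap.idx": bytes(range(64)) * 4,
}


def demo() -> tuple:
    """Validate an intact copy and a copy taken after a ransomware run."""
    manifest = build_manifest(GOOD_BACKUP)
    # Deterministic stand-in for ciphertext: 2048 pseudo-random bytes.
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    tampered = dict(GOOD_BACKUP)
    tampered["trading/orders.csv"] = ciphertext                  # encrypted in place
    tampered["trading/README_DECRYPT.txt"] = b"pay 30000 USD"    # ransom note dropped
    del tampered["catalog/bootstrap.idx"]                         # catalog wiped
    return validate_copy(manifest, GOOD_BACKUP), validate_copy(manifest, tampered)


if __name__ == "__main__":
    intact, attacked = demo()
    print("intact copy clean:", intact["clean"])
    print("attacked copy:", {k: v for k, v in attacked.items() if k != "clean"})
```

The hash comparison catches every change; the entropy test only classifies a changed file as probably encrypted, and it is a heuristic (compressed archives and already-encrypted files also score near 8 bits/byte), so in practice it is applied only to file types that are normally low-entropy. The manifest should be produced on the production side before the link opens and travel with the data, so that a compromised production host cannot rewrite the expected hashes after the fact.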


Layered cyber-security for data protection

Level of protection: Good
Traditional Data Protection Best Practices
• Deploy a layered data protection approach (“the continuum”) for more business-critical systems, but always include a point-in-time, off-array, independent backup with DR replication (N+1)
• Protect “born in the cloud” and endpoint data

Level of protection: Better
Additional Hardening and Protection Features
• Product-specific hardening guides
• Encryption in flight and/or at rest
• Retention lock with separate security officer credentials

Level of protection: Best
Advanced Protection Services
• Isolated recovery solution
• EMC/EY service offerings: assess, plan, implement, and validate
• Use of evolving security analytics: RSA & Secureworks


MIND THE AIR GAP


Isolated recovery solution – how it works

Critical data resides off the network and is isolated.

Diagram: on the corporate network, production apps hold business data (crown jewels) and tech config data (mission-critical data), protected by the normal DR/BU tier; a risk-based replication process copies that data over a dedicated connection, across an air gap, into the isolated recovery environment.


Isolated recovery solution – Data Domain

• Create backup of data
• Enable link and replicate to isolated system
• Complete replication and disable link
• Air gapped solution
• Enable link and initiate restore

Diagram: primary storage is backed up to a backup appliance; DD replication carries the data across the air gap into the isolated recovery system, which contains a management host, validation hosts and restore hosts.


Isolated Recovery - Networker (lab walkthrough)

Lab components (the diagram labels repeat on each slide of the walkthrough; they are listed once here):
- Production vault: Data Domain ddve-03.brsvlab.local with MTree /data/col1/nw01; ave-03 (192.168.1.190)
- Isolated recovery system: Data Domain ddve-03c (192.168.3.85) with replica MTree /data/col1/nw01-IRrepl, retention-lock-enabled MTree /data/col1/nw01-IRRetLock and restore MTree /data/col1/nw01-restore
- IR Management Station, which drives the link, replication and locking steps

Step 1 – Production backups
- Backups run & complete to the nw01 MTree
- Bootstrap & Catalog (CFI) are backed up with the savesets; the NSRDR import in step 5 depends on them

Step 2 – Replicate across the air gap
- IR link enabled
- Replication initiated (nw01 → nw01-IRrepl)
- Link disabled once replication completes

Step 3 – Create and lock a point in time (PIT)
- Create fast copy of the replica into the retention-lock-enabled MTree: /data/col1/nw01-IRRetLock/..PIT1
- NFS export of the fast copy: /data/col1/nw01-IRRetLock/..PIT1
- NFS mount of the fast copy on the IR management station (the retention lock on Data Domain files is applied through a client mount, which is why the export and mount come before the lock)
- Set retention lock
- Unmount export
- Remove export

Step 4 – Repeat per cycle
- Each replication cycle yields a further locked PIT in nw01-IRRetLock: ..PIT1, ..PIT2, ..PIT3, ..PIT4

Step 5 – Recover from a PIT
- Create MTree /data/col1/nw01-restore for FastCopy PIT recovery (the chosen PIT is fast-copied into it, so the locked copy itself is left untouched)
- Set up new NW server
- Register alternate vProxy (if required)
- Perform NSRDR procedure to import Bootstrap, CFI and savesets
- Activate clients and begin recovery
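The Data Domain steps (create backup, enable link, replicate, disable link, restore) and the Networker fast-copy and retention-lock cycle above are one procedure with three safety properties: the link is open only while replication runs, a locked point in time cannot be removed before its lock expires, and recovery uses the newest locked copy that predates the attack. The following Python model is an added example, not Data Domain or Networker code; it uses the deck's vocabulary (link, replica, PIT, retention lock, security officer) as plain Python objects, and the dates, file contents, role names and 30-day retention period are assumptions.

```python
"""Air-gapped recovery vault as a state machine.

Added example; this is a Python model, not Data Domain or NetWorker code.
It reuses the deck's vocabulary (link, replica MTree, fast-copy PIT, retention
lock, security officer) as plain objects so the three safety properties of the
procedure can be exercised offline. Dates, file contents, role names and the
30-day retention period are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class VaultPolicyError(Exception):
    """Raised when an operation is refused by the vault's policy."""


@dataclass
class PointInTime:
    name: str
    taken_at: datetime
    data: Dict[str, bytes]                    # fast copy of the replica
    locked_until: Optional[datetime] = None   # None = not yet retention-locked


@dataclass
class IsolatedVault:
    link_enabled: bool = False
    replica: Dict[str, bytes] = field(default_factory=dict)  # the -IRrepl MTree
    pits: List[PointInTime] = field(default_factory=list)    # the -IRRetLock copies

    def enable_link(self) -> None:
        self.link_enabled = True

    def disable_link(self) -> None:
        self.link_enabled = False

    def replicate(self, source: Dict[str, bytes]) -> None:
        """Copy production data in; refused while the air gap is closed."""
        if not self.link_enabled:
            raise VaultPolicyError("air gap closed: replication refused")
        self.replica = dict(source)

    def fast_copy(self, name: str, now: datetime) -> PointInTime:
        """Snapshot the replica into a new PIT (the ..PITn copies in the deck)."""
        pit = PointInTime(name, now, dict(self.replica))
        self.pits.append(pit)
        return pit

    def retention_lock(self, pit: PointInTime, days: int, role: str) -> None:
        """Only the separate security-officer role may lock a PIT."""
        if role != "security-officer":
            raise VaultPolicyError("retention lock requires the security-officer role")
        pit.locked_until = pit.taken_at + timedelta(days=days)

    def delete_pit(self, pit: PointInTime, now: datetime, role: str) -> None:
        """Deletion is refused before lock expiry, whatever the caller's role."""
        if pit.locked_until is not None and now < pit.locked_until:
            raise VaultPolicyError(f"{pit.name} is retention-locked until {pit.locked_until:%Y-%m-%d}")
        self.pits.remove(pit)

    def pit_for_recovery(self, attack_started: datetime) -> PointInTime:
        """Newest locked PIT taken before the attack began."""
        candidates = [p for p in self.pits if p.locked_until and p.taken_at < attack_started]
        if not candidates:
            raise VaultPolicyError("no locked point in time predates the attack")
        return max(candidates, key=lambda p: p.taken_at)


def replication_cycle(vault: IsolatedVault, production: Dict[str, bytes],
                      pit_name: str, now: datetime, retention_days: int = 30) -> PointInTime:
    """One scheduled cycle: open link, replicate, close link, fast-copy, lock."""
    vault.enable_link()
    try:
        vault.replicate(production)
    finally:
        vault.disable_link()   # the gap closes again even if replication fails
    pit = vault.fast_copy(pit_name, now)
    vault.retention_lock(pit, retention_days, role="security-officer")
    return pit


def admin_purge_attempt(vault: IsolatedVault, pit: PointInTime, days_after_taken: int) -> bool:
    """Model an attacker holding admin credentials; True if the PIT could be deleted."""
    try:
        vault.delete_pit(pit, pit.taken_at + timedelta(days=days_after_taken), role="admin")
        return True
    except VaultPolicyError:
        return False


def demo() -> tuple:
    """Three cycles; production is encrypted between the second and third."""
    vault = IsolatedVault()
    day0 = datetime(2017, 3, 1)
    production = {"trading/orders.csv": b"id,symbol,qty\n1,ACME,100\n"}
    replication_cycle(vault, production, "PIT1", day0)
    replication_cycle(vault, production, "PIT2", day0 + timedelta(days=1))
    attack_started = day0 + timedelta(days=2, hours=3)
    production = {"trading/orders.csv": b"\x8f\x13\xa0\x7c\x55\xe2\x91\x0b"}  # ciphertext
    replication_cycle(vault, production, "PIT3", day0 + timedelta(days=3))  # copies garbage
    return vault, vault.pit_for_recovery(attack_started)


if __name__ == "__main__":
    vault, chosen = demo()
    print("recover from", chosen.name, "taken", chosen.taken_at.date())
    print("admin purge 9 days in:", admin_purge_attempt(vault, vault.pits[0], 9))
```

The point of the third cycle is that replication is faithful: once production is encrypted, the vault receives the encrypted data too, and it is the retention-locked earlier copies, plus the validation step before locking, that make recovery possible. The model also shows why the lock matters more than the gap alone: an attacker who has reached the vault with admin credentials still cannot remove PIT1 until its lock expires.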


The most critical data first

• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data (this is NOT DR!)
• Start with a core set and build from there

Diagram labels: Compute, Applications, Validate & Store, Highest Priority Data


CASE STUDY: FINANCIAL SERVICES FIRM

Challenges
- Need to recover from cyber destruction that destroys essential data
- Also concerned about ransomware, to a lesser extent
- Need to protect major securities trading platform application
- App owners skeptical about IT’s capability to deliver an Isolated Recovery Solution

Solution
- Data Domain based IR solution with NetBackup
- HDS and NetApp (NFS) in overall solution
- Customized Isolated Recovery Vault automation scripts and documentation
- Dell EMC provided recovery runbooks for all environments including DD, HDS, and NetApp

Results
- Customer has a proven Isolated Recovery process in place
- Customer wants Dell EMC IR Advisory Services to build a programmatic approach for other apps
- Customer will use the functioning IR solution to show other app owners that the solution can recover their apps from cyber destruction


CASE STUDY: FINANCIAL SERVICES FIRM [CONTINUED]

Financials (FY end July 2016)
- Assets under Management: $5T
- Annual Revenue: $2.49B

Business Impact of Outage - $10M/Day
- $2.49B / 252 (average annual NYSE trading days) ≈ $10M/day

Customer Background
- Mixed HDS, NetApp, EMC, DD storage
- NBU backup application
- Outsourced to HP
- No previous Dell EMC Consulting Services

IR Solution Interest
- Need to have something implemented by year-end (board mandate)

Board of Director Drivers
- Concern that the loss of operating revenue without recovery would be catastrophic
- Initial IR solution covers the application that is key to running the business
- Upcoming regulations

Regulatory Drivers
- FFIEC issued a Cybersecurity Assessment Tool update in June of 2015
  o Tool assesses alignment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- Draft Enhanced Cyber Risk Management Standards from the Federal Reserve Board. Key requirements:
  o “…substantially mitigate the risk of a disruption due to a cyber event”
  o “…immutable, off-line storage of critical records”


Next steps

We Know The Data To Protect
• Confirm current backup infrastructure – compatibility, etc.
• Determine sizing and location of backup data on Data Domain (by mTree)
• Verify Data Domain sizing requirements
• Sample SOW with pricing estimate

We Need More Help
• Isolated Recovery Introductory Advisory Engagement
  – Workshops to determine IR metrics, DR maturity, data classification and sizing


Keep your Dell EMC Product Deployments Secure

Deploy Securely
• Refer to the Security Configuration Guide (SCG) for each product on how to configure the product to maximize its security posture in your environment

Stay Informed
• Subscribe to Dell EMC Security Advisories through the support portal: https://support.emc.com/preferences/subscriptions

Stay Secure
• Upgrade to the latest version of your Dell EMC product and/or apply the latest security patches
• NEW: Visit the Dell EMC Product Security Information page (https://support.emc.com/security), where you can search security advisories by Common Vulnerabilities and Exposures (CVE) identifier, view all SCGs, and get the latest information on high-profile vulnerability alerts