by Garth Humphrey, Sales Engineer, VectorUSA
If your data center was compromised from a ransomware attack, how confident are you that you can successfully recover?
While you may think protection levels with your current tech support services are fine and capable of handling multi-pronged threats, it’s easy to overlook your data center itself.
Unfortunately, many companies view data center security — including internal server structures — as an afterthought. And that can have serious repercussions if overlooked.
In fact, data centers can easily become the final destination for ransomware that enters through various endpoints (e.g., mobile devices) and bypasses firewalls. If a data center is compromised, time to recover quickly becomes paramount.
How visible is your system?
If compromised due to an open vulnerability in your data center, do you have the system visibility to determine the source of malicious behavior? If not, the best solution is a platform known as security information and event management (SIEM).
A SIEM collects system information proactively and centrally, rather than requiring you to examine each system individually to generate reports.
Fortunately, collecting and normalizing log data from across your systems is now automated. And because analytics and reporting procedures are so well automated, you’ll immediately discover any anomalous behavior occurring inside your network.
Also, with SIEM, instead of manually looking for the root cause of any data center issues, your network directly communicates via reports what’s occurring in real time.
However, once your data center reports are generated, it’s critical that you have the resources available to properly interpret them. Otherwise, you’ll get bogged down in a time-consuming reactionary response. If you can interpret your reports on your own, that’s great. If not, you’ll require the experience to properly understand what the report data means and potential impacts.
Beware of false positives
Backups are another important consideration, whether you use tape backups, a backup appliance or are taking snapshots.
Snapshots work fine as a way to replicate and move data from one system to another. However, if you lose that system, the snapshots you’ve taken aren’t going to get you to a recovery point where you have confidence that you’re back to normal.
A full backup can take a tremendous amount of time and storage space. And while a snapshot takes very little storage and is fast, it can often give you a false positive: the impression that you’re appropriately prepared to recover from something like a ransomware attack when you are not. For this reason, it’s important to consider alternative options to snapshots.
Ransomware feeds off being stealthy
One of ransomware’s most unnerving traits is that it can sit dormant for up to 90 days. During that time, it gathers information to establish command and control. And it does so in such a stealthy way that it doesn’t raise any red flags. As it’s not immediately passing a lot of data or thousands of DNS requests, nothing will seem unusual until command and control are established.
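The SIEM correlation described earlier and the stealthy command-and-control check-in described above, as an added example that is not from the article or VectorUSA: a toy SIEM rule set run over constructed DNS logs. The host names, domains and three-field log format are constructed; the point is that a query-volume rule stays silent on the quiet host, while a timing-regularity check surfaces its hourly check-in.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one line per query: "<ISO timestamp> <host> <domain>".
# WS-07 resolves one domain about once an hour (low volume, regular timing);
# WS-12 is ordinary user activity. Neither is busy enough to trip a volume rule.
SAMPLE_DNS_LOG = """\
2024-03-04T09:00:00 WS-07 update-check.example
2024-03-04T09:00:05 WS-12 mail.example
2024-03-04T09:03:41 WS-12 news.example
2024-03-04T09:04:02 WS-12 mail.example
2024-03-04T09:17:30 WS-12 mail.example
2024-03-04T10:00:00 WS-07 update-check.example
2024-03-04T12:00:02 WS-07 update-check.example
2024-03-04T10:59:50 WS-07 update-check.example
2024-03-04T13:00:00 WS-07 update-check.example
"""

def parse_dns_log(text):
    """Parse the three-field log format into (timestamp, host, domain) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, domain))
    return events

def volume_alerts(events, threshold):
    """Classic rule: hosts issuing more than `threshold` queries in the window."""
    counts = defaultdict(int)
    for _, host, _ in events:
        counts[host] += 1
    return {host: n for host, n in counts.items() if n > threshold}

def beacon_alerts(events, min_queries=4, max_cv=0.1):
    """Flag (host, domain) pairs queried at near-constant intervals (beaconing)."""
    # Coefficient of variation of the gaps (stdev / mean) near zero = metronomic.
    stamps_by_pair = defaultdict(list)
    for ts, host, domain in events:
        stamps_by_pair[(host, domain)].append(ts)
    alerts = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts[pair] = round(avg)  # mean check-in interval in seconds
    return alerts
```

Run on the constructed log, `volume_alerts(events, 10)` returns nothing, while `beacon_alerts(events)` flags WS-07 with a 3600-second interval.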
Be aware too that:
- If your data center is compromised due to ransomware, proving who’s responsible — even if caused internally — can become a real burden.
- Even though you might have cybersecurity insurance, there’s no guarantee that the end result of the ransomware attack will contain anything that can be used in court.
- If a state entity (a foreign government) initiated the ransomware attack, not all cyber insurance policies (if any) cover such actions.
- A primary difficulty with ransomware is payment demands in cryptocurrencies like bitcoin, which place a tremendous financial burden on victims. They also add another step to the ransomware recovery process, allowing that much more time for the ransomware to damage a network.
Not all solutions are the same
Ransomware prevention poses many challenges. For example, one company’s solution might not necessarily be the same solution for another, even though the two companies may have been compromised in similar ways.
To successfully address such challenges, listening with the intent to understand is much better than listening with the intent to reply. It’s more important to understand the questions being asked than to have an immediate answer. In addition, knowing the landscape of an enterprise, along with knowing who the visible and invisible decision makers are, always helps to craft the right solution.
Acceptable use policy a must
To better prepare for ransomware attacks, consider if you have a policy in place on the acceptable use of all company assets. That includes both PC and mobile assets. Amazingly, many companies don’t restrict mobile users the same way their local PC use policy does.
To protect your data center from mobile endpoints, in particular, you need to have a very specific security process in place, whether a group policy based on wireless access or a requirement to use “always on” stateful VPN clients.
The catch is that unless there’s a way to enforce a policy, the policy means nothing. Employees need to clearly understand their actions on a company-owned device will be controlled and scrutinized by the owner of that device. They must also understand that any inappropriate actions on their part that might cause a financial burden or an operational hardship to the company have consequences.
Take the appropriate steps now
Clearly understanding and taking seriously your company’s vulnerability to ransomware is key to your recovery:
- Make sure your data center systems contain the visibility to track and trace the source of malicious behavior
- Establish a platform for security information and event management (SIEM)
- Thoroughly evaluate your various backup procedures
- Fully understand the types of ransom payments and how their requirements work along with available cybersecurity insurance options and any legal limitations
- Implement a stringent policy on the use of company assets
These measures ensure you’re fully prepared to respond quickly if or when your data center is compromised by a ransomware attack.