Penn State Health has to be doubly careful about its data. Not only is it an educational and research institution, but it’s also a healthcare services organization, with hospitals and outpatient practice sites across central Pennsylvania.
Each part of Penn State Health requires protecting critical data. On the clinical side, that includes personal, health and financial data, while the College of Medicine side consists of petabytes of proprietary research data, along with student records.
About three years ago, the sheer amount of data became so large that backups were not able to complete in a timely fashion. In fact, things were so bogged down that it was impacting productivity. Team members decided to switch to Commvault’s backup and recovery solution to ease the strain.
As they became familiar with what Commvault could do, team members discovered that it could also be very useful for data protection—something the university was keenly focused on since it had hired its first chief security officer a few years before.
“Once we got into it, we started to see how it could help with cybersecurity as well,” said Cory Heikel, a senior systems engineer at Penn State Health. “We especially liked the anomaly detection, which flags anything that seems out of the ordinary and sends us an alert.”
Heikel pointed to one recent incident where the system reported that logs were being deleted as they were being backed up during Microsoft Exchange backup. The system saw this as an anomaly and alerted Heikel’s team, which immediately investigated the incident.
That’s just the kind of thinking that more and more organizations are adopting when it comes to cybersecurity and cyber-resilience—the idea that backup and recovery technology can and should help their organizations find vulnerabilities and recover from cyberattacks.
Detect, Warn and Recover
When it comes to cyberattacks, there are two states: before and after. Backup and recovery technology can be helpful in both cases, depending on the features of the solution.
The concept of the before state is catching attacks and vulnerabilities before they happen. More and more (but not all) backup and recovery solutions now use machine learning or artificial intelligence to identify anomalies and notify administrators of those anomalies.
“The idea is that if it knows what standard behavior looks like, it will flag spikes in file or server activity and send out an alert that something is going on,” said Commvault Director Lance Shaw. “It may detect, for example, that a set of folders and files have suddenly disappeared. It might be due to human error or it might be nothing, but it’s something that warrants further investigation.”
If your organization has experienced a ransomware attack—and current research shows that many organizations will—the goal is to get back to a state before the destruction occurred as quickly as possible.
But it’s not that simple, says Christophe Bertrand, a senior analyst at the Enterprise Strategy Group who covers data protection.
“In many cases it’s not enough to just come back to a state before the destruction occurred, because that ransomware may have been dormant and have been triggered on a timer. So you don’t want to necessarily restore what propagated in the first place because you may be perpetuating the problem,” he said.
Sandboxing and Isolated Recovery
That’s where isolation comes in. Most advanced backup and recovery tools today employ some type of isolation for backups, where they can be vetted and checked for problems before being released to users.
Sandboxing is essentially a staged cleaning and recovery method that puts the backup into a safe, isolated environment, running it on a server or set of virtual machines that are totally isolated from the rest of the network. The data and applications on the backup can then be analyzed and tested so that if anything goes wrong, it does so in a protected environment. If everything is found to be working correctly and malware-free, it is then released for general use.
Isolated recovery takes sandboxing one level further. The difference is that the system has an additional level of separation from the traditional backup and recovery environment because it is only connected when data is being transferred. This process, called air gapping, means the data is accessible to only a few people, and analysis and testing happens when the data is essentially offline. As Bertrand explains it, “It gives you the ability to deter something from spreading before it starts spreading.”
While many organizations have been using air gapping techniques for years to provide secure replication of data to an isolated environment, the process traditionally happened via tape. This is simply an evolution of that process.
“Traditionally, tape was an ideal air gap because it was completely disconnected from the network and sitting in a storage cabinet,” Shaw said. “That’s more difficult with cloud and disk environments, but there are still techniques when you can isolate the environment from all incoming connections and severely limit the outgoing connections to a single port to greatly reduce that risk. It’s critical, because the minute corruption hits on one disk it’s immediately replicated to other disks. Isolation of those backups is really the only way to recover quickly and prevent corruption.”
Isolation is important for both detection and restoration. For organizations that have not experienced an attack, it’s a best practice.
“As a matter of course, your backups should always be put through one of these two processes first,” Bertrand said. “You always want to test for cyberattacks or risks, at least for critical data. That way you’re ready if something is dormant.”
It’s also invaluable after experiencing an attack. If one occurs, the first step is to isolate the attack from spreading. Typically, an attack will try to either control some administrative rights and shut people out, or encrypt data. Isolating the data allows you to stop the spread and clean it up.
Finally, isolated recovery is one of the best ways to protect against attacks on backups—something that is increasing significantly. According to one recent report, attacks on backups as part of a ransomware attack increased by 39 percent in one year. One of the most frequent ways ransomware can attack backups is by encrypting backup file extensions.
“If somebody goes after your backup, the risk is that you have your backup server infected by ransomware, and the data becomes unusable,” Bertrand said. “Now you are in trouble because you don’t have recovery capability. That’s why an isolated recovery type of solution is a good idea.”
With cybercrime at an all-time high, organizations are re-examining everything in their environment, looking for ways to combat threats. Today, backup and recovery technology has clearly entered that realm. No longer simply a routine process to check off the list, backup and recovery has become one of the many tools in the security arsenal.