Usually when we think about disasters we think about natural disasters and IT is not an exception. Floods, earthquakes, storms and other climatic phenomena are on the top of our minds. But this is a misconception, particularly now with vicious cyber-attacks that can compromise entire infrastructures.
There are Disasters and Disasters
The reality is that natural disasters don’t happen as often as we think. Yes, they make the front page and they are happening more often than in the past, but they still count for a small minority of all risks. Besides, most of these disasters are now predictable and if you are smart enough you can adopt the right countermeasures to avoid disrupting, or minimizing, service continuity. In fact, for example, it’s quite easy to get accurate weather forecasts, and if a hurricane is on its way you can apply preventive action to move critical applications and data elsewhere. The cloud can be of great help in these scenarios and actually smooth things out to the point that your users will most likely not even notice that something has changed underneath.
We often forget that the major risk to take into account for every disaster recovery plan is human error and lately, cyber-attacks.
Cyber-attacks are disasters
There are several ways to detect and act against cyber-attacks. Most of them are based on common firewall and intrusion detection systems, antivirus and ransomware scanning of network activity and so on. But sometimes these attacks are sneaky and especially difficult to detect.
One of the major risks comes from the dwell time or, in other words, the amount of time that passes between the moment of infection and when you actually detect the effects of the attack on your data.
A well programmed ransomware could abruptly stop your business activity and, if you don’t react quickly and appropriately, there are chances that you’ll never be able to operate again. In this video, recorded at Tech Field Day in October, you can get an idea of the kind of threats cyber-attacks can pose to any modern organization.
At the same Tech field Day event, Dell EMC demonstrated an interesting solution based on its Data Domain appliances and, thanks to their partner Index Engines, smart software that is able to detect anomalies in the data saved in these systems. And I have to admit, that Index Engines was the part of the presentation that impressed me the most.
The solution is fairly independent from the backup software you use and it comes with services and best practices to make it work as promised.
Long story short, with some risk of oversimplification, a secondary data domain appliance receives copies of your backups and the software digs into it analysing the content to detect any changes in the backups, which could turn out to be ransomware attacks or other similar threats. The software comes up with logs, reports and alarms which help to isolate and eliminate the threat.
By applying this methodology and the tools, it is possible to detect the attack in its early stages and in so doing, nullifying or minimizing its effect. The alternative could be quite scary; if you have no idea of what/when/how the attack started, recovering the right data could be very costly both in terms of time and money, affecting the ability to give reliable service to users for an extended period of time.
Closing the Circle
Data is one of the most important assets in any company or organization. In some cases, it’s the most important asset, and without data some businesses cannot operate at all today.
The solution presented at TFD17 by Dell EMC makes a lot of sense if you are a Data Domain customer. It’s also becoming a top priority for every vendor working in this space and the number of options are growing by the day.
Planning for disaster recovery from cyber-attacks is not as easy as planning for natural disasters or human errors. Think about remote replication on a secondary site for DR, for example. What happens if you have been replicating corrupted or encrypted data for a while? Will you be able to restart all the services correctly? How long will it take before the problem will appear also in the DR site? In this case, preventive actions are necessary, like when you move your workloads elsewhere if a storm is coming. However, for cyber-attacks you have to plan differently and in advance with a process that probes data continuously and smart enough to detect anomalies.
Disclaimer: I was invited to Tech Field Day 17 by GestaltIT and they paid for travel and accommodation, I have not been compensated for my time and am not obliged to blog. Furthermore, the content is not reviewed, approved or edited by any other person than the Juku team.