Sponsored feature

Ransomware is one of the great tragedies of our time, and it is getting worse. We spoke with Shawn Rosemarin, Global Vice President of Emerging Technologies Solutions Sales at Pure Storage, about how the company can help protect its customers.
Blocks and Files: What if a Pure customer unfortunately finds themselves hit by a ransomware attack? What is the best outcome they can expect?
Shawn Rosemarin: In an ideal scenario, the customer has prepared and protected the infrastructure, is monitoring it, and discovers a ransomware attack as soon as possible. It is the dwell time that affects the difficulty of restoration. If you can quickly find out that someone is doing something they shouldn’t be doing, you can restore quickly and easily. The time involved and the amount of data that needs to be restored directly affect the time and complexity of getting back to the restore point.
The other premise is that the organization has prepared for the event, so there is no panic. Everyone knows what their role and tasks are. They also know which applications are essential to business operations and how long those can be out of service without impacting the business. That’s your recovery time objective: how long can you be down? How much data can they afford to lose? Can they afford to lose an hour, a minute, a second? Depending on their industry, that determines the RPO.
Blocks and Files: Can Pure Storage software or services detect ransomware and alert customers?
Shawn Rosemarin: We look at what is happening across the Pure Storage array. We work closely with industry partners in log analytics, such as Splunk and Elastic, to enhance our security incident and event management architecture.
So we look at what is happening and find out what is considered different or strange: for example, someone who usually doesn’t go to a share suddenly spending a lot of time on a share that has become accessible to them.
Think about dwell time: the longer an attacker stays in the system, the more access they get to other credentials. If they get a set of admin credentials, they could cause problems, but they are not going to do that yet. They use those credentials to access other systems and see where your backups are. What is the attack vector that gives them maximum leverage over the organization and causes maximum pain, so that the organization just pays the ransom?
Blocks and Files: How can Pure help customers recover if they find their data is being compromised?
Shawn Rosemarin: The first thing that happens is knowing that there is a breach. You have a plan, or you put one together very quickly. Organizations then usually go to their insurance company and declare a ransomware attack. The insurance company then brings in a third-party security forensics team, such as Mandiant, to discover what really happened. What did the attackers have access to? What kind of data is at stake? Has a backdoor been set up?
That is a big part of it, because you need to make a clean decision about the point you can restore to, assuming you have the infrastructure to restore. If the dwell time was 30 days and I go back 31 days, I might be clean, but can I patch myself against them actually coming back?
But the most important part is: is there an unencrypted backup to actually recover from? Or is there an unencrypted snapshot to recover from? Snapshots are easy to restore from, but organizations often cannot afford to keep snapshots for 30, 45, or 60 days, so they are looking at restoring from backup. And that is where you are dealing with a large amount of data that needs to be restored quickly. In our experience, traditional tape or disk-based backups restore at about 1 terabyte or 2 terabytes per hour.
With Pure Storage FlashArray//C, you’ll see a recovery rate of 8 terabytes per hour, and with FlashBlade you’ll see a recovery rate of 40-270 terabytes per hour. So the restore time here is significantly different from what was traditionally considered possible from a backup.
The paradigm has changed, right? It used to be about the speed of your backup: how quickly can you back it up, how fast can you back up a SQL database without impacting performance? But lately it’s about restore time. How quickly can you restore the data of these important applications?
Blocks and Files: Do people usually restore from snapshots on FlashArray and restore from backups with FlashBlade?
Shawn Rosemarin: This is our view. The basic protection is restoring from snapshots. Turn on SafeMode on the primary array to ensure that snapshots are written to volumes that cannot be encrypted. They are immutable.
A step up from that is not only taking a snapshot but actually keeping a backup volume. We are now placing backup volumes in these SafeMode repositories. Now, if you can’t restore from a snapshot, you can actually get to a persistent backup.
In the best scenario, connect FlashArray//X to FlashBlade so that you can restore all the latest backup volumes incredibly quickly. So in an event, you can mount from FlashBlade and then move the FlashBlade volume back to the primary array.
Blocks and Files: Is there any difference in SafeMode behavior on FlashArray//X, FlashArray//C and FlashBlade?
Shawn Rosemarin: SafeMode works the same in each of those scenarios. It is an immutable volume. It’s also interesting because I’ve seen many vendors say that you can’t change or delete anything on an array unless you’re a system administrator. SafeMode is different. We actually assume that someone may be causing the damage and that your credentials may be compromised or stolen.
Blocks and Files: When a ransomware attack occurs, can the attacked organization trust anyone’s credentials?
Shawn Rosemarin: That is correct. This is what is called Zero Trust, so we give every employee access to only what they absolutely need. However, you should always assume that a set of credentials can be compromised.
With SafeMode, we have what is called an “eradication timer”. So, assume I have administrator credentials and I delete the backup. SafeMode has an eradication timer, and no matter who deletes it, it is not actually deleted for 30, 45, or 60 days. So it does not matter if it is deleted: it’s not actually gone, it’s on a preset timer.
Now, if you want to change or reconfigure that, you need to contact Support, and you need to be one of a few named individuals. You need to identify yourself by name and give a PIN that only you know. Only then will Support, on our side, actually reset or change the eradication timer and SafeMode settings.
Blocks and Files: Security companies suggest that recovery from ransomware is becoming easier and easier. What is your reaction to that?
Shawn Rosemarin: If you ask whether it’s easy to restore from a snapshot, yes, snapshots are very easy. Also, if you want to restore data or accidentally deleted user files, I think that’s easy. The hard part, as I said, is understanding how you got here. We have seen first-hand, working with various organizations, what it takes to recover. This is not an easy task. I would love to put a marketing veneer on it and tell you it’s one click. That’s not the way this works.
Sponsored by Pure Storage.