
Page 1

Dell EMC Isolated Recovery

Andreas El Maghraby
Advisory Systems Engineer, DPS
@andyem_si

Page 2

© Copyright 2017 Dell Inc. 2

Incident Response: Categories of Cybercrime Activity (April to June 2016)

Category                     Share
Ransomware                     37%
Banking Trojan                 12%
Business Email Compromise       9%
Web Script                      7%
Adware                          7%
Spam                            5%
Other*                         27%

* DoS, unknown, digital currency mining and credential harvesting

Page 3

The Evolution of Ransomware

• Cybercrime has matured into a business sector
• The latest paradigm is Cybercrime-as-a-Service (CaaS)
• The ransomware market, within this paradigm, is rapidly maturing
• Ransomware strains are being upgraded, rebranded, and sold cheaply on the Dark Web
• All potential targets, regardless of size, present equal opportunities

Page 4

True Costs of Ransomware

Cost item                      USD
Lost Revenue               2,500,000
Incident Response             75,000
Legal Advice                  70,000
Lost Productivity            250,000
Forensics                     75,000
Recovery & Re-Imaging         60,000
Data Validation               25,000
Brand Damage                 500,000
Litigation                   200,000
Ransom                        30,000

Total Cost of Attack      $3,785,000

The ransom itself ($30,000) is under 1% of the total; the other line items sum to $3,755,000.

Page 5

NIST Cybersecurity Framework

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover (focus of this session)
• Recovery Planning
• Improvements
• Communications
• Validation

Dell EMC mapping to the five functions:
• Identify: Dell EMC IR Services for Risk Management, Governance Model & Operating Model
• Protect: Isolated Recovery Solution Protective Technology, Processes & Procedures
• Detect: Isolated Recovery Solution Validation Servers; RSA Security Behavior Analytics
• Respond: Dell EMC IR Services for Response Framework for Cyber Incident Management
• Recover: Isolated Recovery Solution with Recovery Servers

Page 6

Traditional Strategies Are Not Enough

Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect

Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: backup catalog, PBBA [Data Domain], tape library metadata DB

Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: patient needs, brand, lost trust

Page 7

Current State: Risk Profile Summary

Technical
• All data is currently susceptible to a cyber attack
• Primary storage replication can replicate corruption
• Backup catalog not replicated
• Recovery of backup catalog from tape is slow and failure prone
• Backup copies not isolated from network

People & Process
• IT Engineering and Ops have access to most if not all backup assets
• Security teams not assigned to assets; bad actors inside the firewall can create havoc
• Franchise-critical and non-critical data are not segregated
• Backup images can be expired without authorization

• These risks are consistent with traditional Prod/DR models.
• This is a different challenge and requires a different architecture.

Page 8

Current State: What is a Business Impact Analysis?

• A process to understand:
  • What is the monetary impact of a disaster or failure?
  • What are the most time-critical and information-critical business processes?
  • How does the business REALLY rely upon IT service and application availability?
  • What availability and recoverability capabilities are justifiable based on these requirements, potential impact and costs?
• Composed of two components:
  • Technical Discovery – data gathering
  • Human Conversation – talk to people!

Page 9

BIA Output: The Most Critical Data First

[Diagram labels: Compute; Applications; Validate & Store; Highest Priority Data]

• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there

Page 10

Layered Cyber-Security for Data Protection

Level of protection: Good → Better → Best

Traditional Data Protection Best Practices (Good)
• Deploy a layered data protection approach (“the continuum”) for more business-critical systems, but always include a point-in-time, off-array, independent backup with DR replication (N+1)
• Protect “born in the cloud” and endpoint data

Additional Hardening and Protection Features (Better)
• Product-specific hardening guides
• Encryption in flight and/or at rest
• Retention lock with separate security officer credentials

Advanced Protection Services (Best)
• Isolated recovery solution
• EMC/EY service offerings: assess, plan, implement, and validate
• Use of evolving security analytics: RSA & Secureworks

Page 11

Isolated recovery solution – how it works

Critical data resides off the network and is isolated.

[Diagram: Corporate Network (Production Apps, DR/BU) → Dedicated Connection → Air Gap → Isolated Recovery]

Risk-based replication process, covering:
• Business Data (Crown Jewels)
• Tech Config Data (Mission-critical Data)

Page 12

Isolated Recovery – Dell EMC VMAX

• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services

[Diagram: Primary Storage → SRDF → Isolated Recovery System, across the Air Gap; the Isolated Recovery Vault contains the Management Host, Validation Hosts and Restore Hosts]

Page 13

Isolated Recovery – Dell EMC Data Domain

• Create backup of data
• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services

[Diagram: Primary Storage → Backup Appliance → DD Replication → Isolated Recovery System, across the Air Gap; the Isolated Recovery Vault contains the Management Host, Validation Hosts and Restore Hosts]
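The VMAX and Data Domain cycles on pages 12 and 13, together with the "retention lock with separate security officer credentials" item from page 10, can be modelled as one small state machine. The following Python is an added illustration written for this page; it is not Dell EMC code and does not drive SRDF or DD replication. The role names ("vault-admin", "security-officer"), the policy that no one may expire a restore point before its retention date and only the security officer may do so afterwards, and the sample image bytes are all constructed assumptions; a SHA-256 digest stands in for the actual copy.

```python
"""Air-gapped vault replication cycle: an added illustration, not Dell EMC code.

The vault never accepts management connectivity, the data link is up only for
the duration of one copy, and each completed copy becomes a WORM-locked restore
point that only a separate security-officer role may expire, and only after its
retention period. Role names, retention policy and image bytes are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Link(Enum):
    DOWN = "down"
    UP = "up"


class VaultError(RuntimeError):
    """Raised when an action would violate the vault's isolation or retention policy."""


@dataclass(frozen=True)
class RestorePoint:
    name: str
    created: datetime
    retain_until: datetime
    digest: str  # SHA-256 of the replicated image, recorded when the point is locked


@dataclass
class IsolatedVault:
    retention: timedelta
    data_link: Link = Link.DOWN
    mgmt_link: Link = Link.DOWN          # must stay DOWN for the life of the vault
    restore_points: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def replicate(self, actor: str, name: str, image: bytes, now: datetime) -> RestorePoint:
        """One cycle: raise the data link, copy, lock the copy, drop the link."""
        if actor != "vault-admin":
            raise VaultError("only vault-admin may start a replication cycle")
        if self.mgmt_link is Link.UP:
            raise VaultError("management connectivity to the vault is forbidden")
        if name in self.restore_points:
            raise VaultError(f"{name} already exists; WORM points are never overwritten")
        self.data_link = Link.UP
        self.audit.append((actor, "data link enabled"))
        try:
            digest = hashlib.sha256(image).hexdigest()   # stands in for the SRDF / DD copy
            point = RestorePoint(name, now, now + self.retention, digest)
            self.restore_points[name] = point
            self.audit.append((actor, f"locked {name} until {point.retain_until.isoformat()}"))
        finally:
            self.data_link = Link.DOWN                   # link drops even if the copy fails
            self.audit.append((actor, "data link disabled"))
        return point

    def expire(self, actor: str, name: str, now: datetime) -> None:
        """Retention lock: nobody expires a point early; afterwards only the security officer."""
        point = self.restore_points.get(name)
        if point is None:
            raise VaultError(f"no restore point named {name}")
        if actor != "security-officer":
            raise VaultError("expiry requires the separate security-officer credentials")
        if now < point.retain_until:
            raise VaultError(f"{name} is retention-locked until {point.retain_until.isoformat()}")
        del self.restore_points[name]
        self.audit.append((actor, f"expired {name}"))


def run_demo() -> dict:
    """Run one cycle, then provoke the three policy refusals; returns what happened."""
    t0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
    vault = IsolatedVault(retention=timedelta(days=30))
    point = vault.replicate("vault-admin", "crown-jewels-20170101", b"constructed image bytes", t0)
    out = {"link_after_cycle": vault.data_link.value, "digest_len": len(point.digest)}
    try:  # 1. admin credentials (stolen or not) cannot expire a point
        vault.expire("vault-admin", point.name, t0 + timedelta(days=1))
    except VaultError as e:
        out["admin_expire"] = str(e)
    try:  # 2. even the security officer cannot expire it before retain_until
        vault.expire("security-officer", point.name, t0 + timedelta(days=1))
    except VaultError as e:
        out["early_expire"] = str(e)
    vault.mgmt_link = Link.UP
    try:  # 3. a vault with management connectivity refuses to run a cycle at all
        vault.replicate("vault-admin", "crown-jewels-20170102", b"more bytes", t0 + timedelta(days=1))
    except VaultError as e:
        out["mgmt_refused"] = str(e)
    vault.mgmt_link = Link.DOWN
    vault.expire("security-officer", point.name, t0 + timedelta(days=31))  # allowed after retention
    out["remaining"] = len(vault.restore_points)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `finally` block is the point of the model: the data link is torn down on every path out of the copy, so a failed or interrupted replication cannot leave the vault reachable from the production side, and the risk on page 7 that "backup images can be expired without authorization" is closed by keeping the expiry path behind a second credential and a retention date rather than behind the same admin account that runs the copy.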

Page 14

Separate Copy Streams For Better Recovery

[Diagram: two Data Domain MTree replication streams into the Isolated Recovery Vault]

• Backup process: Production Hosts (OS images) → Daily Backup → Data Domain → DD MTree Replication → Isolated Recovery Vault. The diagram marks this stream as the malware path.
• Change control process: Vendor Distros → Clean Room (Distribution Mgmt., Change Control Copy) → Data Domain → DD MTree Replication → Isolated Recovery Vault, supplying known-good material for the IR Vault.

Page 15

Proactive Analytics in the IR Vault

Why analytics in the vault?
• Increases the effectiveness of Prevent/Detect cybersecurity when performed in a protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only trigger when an application is initially brought up.

Categories of data and suitable checks
• Transactional data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual property – static/large (checksums, file entropy)
• Executables / config files – static/small (checksums, malware scans)

[Diagram: Isolated Recovery Vault containing the Isolated Recovery System, Management Host, Validation Hosts and Restore Hosts]
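The three data categories above each name a check a validation host can run against a restore point before anything is restored. The Python below is an added example for this page, not Dell EMC or RSA code: a manifest checksum diff for executables and config files, Shannon entropy for intellectual property (ransomware output sits near 8 bits per byte, while documents and CAD files are far more compressible), and planted sentinel records for transactional data. All file contents, records, paths and the 7.5 bits/byte threshold are constructed assumptions.

```python
"""Validation-host checks on data at rest in the IR vault: an added illustration,
not Dell EMC or RSA code. File contents, records and thresholds are constructed.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_manifest(restored: dict, manifest: dict) -> list:
    """Executables/config: flag anything changed, added or missing versus the known-good manifest."""
    findings = []
    for path, content in restored.items():
        expected = manifest.get(path)
        if expected is None:
            findings.append((path, "not in known-good manifest"))
        elif hashlib.sha256(content).hexdigest() != expected:
            findings.append((path, "checksum mismatch"))
    findings.extend((path, "missing from restore point") for path in manifest if path not in restored)
    return findings


def check_entropy(ip_files: dict, threshold: float = 7.5) -> list:
    """Intellectual property: flag files whose entropy approaches the ciphertext ceiling."""
    flagged = []
    for path, content in ip_files.items():
        h = shannon_entropy(content)
        if h > threshold:
            flagged.append((path, round(h, 2)))
    return flagged


def check_sentinels(records: list, sentinels: dict) -> list:
    """Transactional data: return ids of planted sentinel rows that are missing or altered."""
    by_id = {r["id"]: r.get("payload") for r in records}
    return [sid for sid, expected in sentinels.items() if by_id.get(sid) != expected]


# Constructed known-good set; the manifest is derived from it so no digest is hardcoded.
KNOWN_GOOD = {
    "/opt/ledger/bin/ledgerd": b"\x7fELF constructed good binary",
    "/etc/ledger/ledgerd.conf": b"listen = 127.0.0.1:8443\ntls = required\n",
}
MANIFEST = {path: hashlib.sha256(content).hexdigest() for path, content in KNOWN_GOOD.items()}


def run_validation() -> dict:
    """Run all three checks over a constructed restore point carrying one defect of each kind."""
    restored = dict(KNOWN_GOOD)
    restored["/opt/ledger/bin/ledgerd"] = b"\x7fELF constructed TROJANED binary"  # tampered binary
    restored["/opt/ledger/bin/dropper"] = b"\x7fELF not in manifest"               # planted binary
    ip_files = {
        "designs/turbine.step": b"ISO-10303-21;\nHEADER;\nFILE_DESCRIPTION(('turbine blade'),'2;1');\n" * 8,
        "designs/rotor.step": bytes(range(256)) * 8,  # constructed stand-in for encrypted output
    }
    records = [
        {"id": 1001, "payload": "invoice 2017-0001"},
        {"id": 9001, "payload": "SENTINEL-ALPHA"},  # intact sentinel
        {"id": 9002, "payload": "8f2a"},            # sentinel overwritten
    ]
    sentinels = {9001: "SENTINEL-ALPHA", 9002: "SENTINEL-BRAVO", 9003: "SENTINEL-CHARLIE"}
    return {
        "manifest": check_manifest(restored, MANIFEST),
        "entropy": check_entropy(ip_files),
        "sentinels": check_sentinels(records, sentinels),
    }


if __name__ == "__main__":
    for check, findings in run_validation().items():
        print(check, findings)
```

The manifest has to come from the change-control stream on page 14, not from the same backup that is being validated, otherwise a trojaned binary and its "known-good" digest travel together; the entropy check is a heuristic and will also flag legitimately compressed or encrypted archives, so it is a trigger for a closer look rather than a verdict.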
