
How Dell PowerProtect Cyber Recovery Can Help You Recover from a Cyberattack

In the wake of a cyberthreat, rather than focusing on preventing ransomware or cyberattacks, focus on protecting critical data or apps that enable you to recover your critical assets so you can resume normal business operations with confidence.

Across industries and among organizations of every size, cyberattacks are on the rise. Cybersecurity Ventures estimates that a cyber or ransomware attack occurs every 11 seconds. Attacks are virtually non-stop and the cost per attack continues to increase, with Accenture estimating that $13 million is the average cost to organizations resulting from cybercrime.

As organizations become increasingly aware of the cybersecurity risks that threaten their mission-critical operations and reputation, IT security has become an essential part of enterprise digital strategy. With cybersecurity, it’s not a matter of “if” but “when” you will be faced with such an attack.

In the wake of the most sophisticated cyberthreats, rather than focusing on preventing ransomware or cyberattacks, organizations should focus on protecting critical data or apps that enable them to recover critical assets with integrity so they can resume normal business operations with confidence. Yet, many organizations lack confidence in their data protection solutions. Specifically, the Global Data Protection Index reported that 67 percent of IT decision-makers are not very confident that all business-critical data can be recovered in the event of a destructive cyberattack.

Cyber resilience cannot be achieved without one major component: the vault.

3 major elements of a data vault that ensure cyber resiliency

  1. Isolation: The components of the data vault must be physically and logically isolated. “Logical” isolation has similarities to an air-gapped network, except that limited connectivity for data updates is permitted on a regular basis, typically daily.
  2. Immutability: All data written to the data vault must be “locked” in a manner that electronically prohibits deletion or changes until the expiration of the locking period, which is typically a few weeks to a month. At minimum, these requirements should rule out administrative overrides, as well as virtual or software-defined components that can be destroyed using an administrator’s credentials.
  3. Intelligence: Data in the vault should be analyzed or interrogated in a manner that ensures it has not been manipulated or corrupted. Where the focus of both isolation and immutability is to protect anything copied into the vault, intelligence validates that the data was not corrupted before reaching the vault.

Public and private sector organizations have increasingly implemented data vaults, which securely store updated copies of their most critical data and applications. If a ransomware or data destruction attack impacts data and applications in the main production environments, the threat actors still cannot access the contents of the data vault. Post-attack, as part of the incident response and recovery process, the clean copies of data and applications stored in the data vault are used to restore the production environment.

How Dell PowerProtect Cyber Recovery uses these 3 elements to protect your critical data

Dell PowerProtect Cyber Recovery provides extremely high levels of protection, integrity and confidentiality for your most valuable data and critical business systems and can be used as a critical component of a comprehensive cyber resiliency strategy. PowerProtect Cyber Recovery focuses on protecting your critical data on-premises or in the cloud and recovering your business following a successful cyberattack or ransomware incident, while leveraging a combination of professional services and technology that provide the following three key elements of a cyber recovery solution:

ISOLATION  Gartner recently recommended that organizations who are looking to protect themselves from ransomware need to create an isolated recovery environment. PowerProtect Cyber Recovery provides a physically and logically isolated data centre environment that is disconnected from corporate and backup networks and restricted from users who don’t have the proper clearance. Automated workflows securely move business-critical data to an isolated environment via an operational air gap.

You can also create protection policies in less than five steps and monitor potential threats in real time with an intuitive dashboard. The vault is ideally operated in a physically restricted area, such as a cage or locked room, that helps to guard against an insider threat. When the air gap is in a “locked” state — no data can flow — there is no access to any part of the solution. No SSH, HTTPS or non-data traffic is permitted. All other components in the vault utilize private address space (RFC 1918) and are never accessible from outside the secure vault area.

When unlocked, which is done to update or “sync” data, the operation is controlled from the secure, vaulted side, not from production. And during this phase the vault maintains a very secure profile. Only network traffic representing replication data is allowed and there is never access to other vault components or to the management plane of the storage or solution. So bad actors can’t wait for the vault to unlock and then just drive in.

IMMUTABILITY — PowerProtect Cyber Recovery offers an automated data copy and air gap, which creates unchangeable data copies in a secure digital vault and has processes that create an operational air gap between the production/backup environment and the vault. Originally developed to meet the write-once-read-many requirements of an SEC archiving standard, this capability protects data from being deleted or modified during a specified retention period.

Using the Compliance Mode Retention Lock capability from Dell PowerProtect DD, data is prevented from deletion or change for a set time period. The lock cannot be overridden, even by an administrator with full privileges. PowerProtect DD offers unique enhancements that further secure the lock from an attack on the clock (or NTP server), which might otherwise allow a bad actor to create an early expiration of the lock. Those who do not want or require such a strong control, or want operational flexibility, can configure governance retention lock (which is also the available mode on the PowerProtect DD Virtual Edition).

INTELLIGENCE — CyberSense allows you to stay ahead of the rapidly changing threat landscape and sophisticated cybercriminals with CyberSense adaptive analytics, machine learning (ML) and forensic tools to detect, diagnose and accelerate data recovery within the security of the Cyber Recovery vault.

CyberSense is fully integrated with PowerProtect Cyber Recovery and monitors files and databases to determine if an attack has occurred by analyzing the data’s integrity. Once data is replicated to the Cyber Recovery vault and retention lock is applied, CyberSense automatically scans the backup data, creating point-in-time observations of files, databases and core infrastructure. These observations enable CyberSense to track how files change over time and uncover even the most advanced type of attack.

Automated integrity checks determine whether data has been impacted by malware, and tools support remediation if needed. Signatures are not used, so regular updates are not necessary and new techniques used by threat actors can be discovered without knowing about them beforehand. Post-attack forensic reporting will quickly and safely identify a ‘last known good’ copy of data that can be used to recover data and resume business.
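The idea of comparing point-in-time observations to find a "last known good" copy, as a simplified added example; it is not Dell or CyberSense code and does not reflect how CyberSense is implemented. It assumes each observation is a per-file SHA-256 digest plus Shannon entropy, and the thresholds, file names and sample data are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_JUMP = 2.0   # assumed threshold: rise in bits/byte that marks a changed file as suspect
SUSPECT_RATIO = 0.5  # assumed threshold: share of files that must be suspect to reject a copy

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def observe(snapshot: dict) -> dict:
    """Point-in-time observation: path -> (sha256 digest, entropy)."""
    return {p: (hashlib.sha256(d).hexdigest(), entropy(d)) for p, d in snapshot.items()}

def suspicious_files(prev: dict, cur: dict) -> list:
    """Files that vanished, or whose content changed with a sharp entropy rise."""
    flagged = []
    for path, (digest, ent) in prev.items():
        if path not in cur:
            flagged.append(path)  # deleted or renamed between copies
        elif cur[path][0] != digest and cur[path][1] - ent >= ENTROPY_JUMP:
            flagged.append(path)  # rewritten as near-random data
    return sorted(flagged)

def last_known_good(snapshots: list) -> tuple:
    """Return (label of last clean copy, label of first suspect copy or None)."""
    good, prev = snapshots[0][0], observe(snapshots[0][1])
    for label, files in snapshots[1:]:
        cur = observe(files)
        if prev and len(suspicious_files(prev, cur)) / len(prev) >= SUSPECT_RATIO:
            return good, label
        good, prev = label, cur
    return good, None

# Constructed sample data: three daily backup copies of three small files.
TEXT = b"quarterly ledger entry, account 1001, balance carried forward\n" * 40
# Deterministic high-entropy bytes standing in for encrypted file content.
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(75))
DAY1 = {"a.txt": TEXT, "b.txt": TEXT + b"b", "c.txt": TEXT + b"c"}
DAY2 = {**DAY1, "a.txt": TEXT + b"one more ordinary edit\n"}
DAY3 = {"a.txt": NOISE, "b.txt": NOISE[::-1], "c.txt": TEXT + b"c"}
SNAPSHOTS = [("day1", DAY1), ("day2", DAY2), ("day3", DAY3)]

if __name__ == "__main__":
    print(last_known_good(SNAPSHOTS))
```

An ordinary edit on day 2 changes a digest but not the entropy profile, so only the day 3 copy is rejected and day 2 is reported as the recovery point.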

Why you should consider Dell PowerProtect Cyber Recovery

Cyberattacks have had devastating consequences on businesses worldwide and caused reduced revenue, loss of reputation and millions of dollars in recovery costs. In the rapidly evolving threat landscape, organizations are looking for effective recovery strategies with the knowledge that prevention and detection alone are not sufficient.

Dell PowerProtect Cyber Recovery provides an effective recovery solution against common attack vectors, including dormant malware, data wiping and locking, data corruption, insider attacks and destruction of backup and storage assets. It gives organizations the assurance that they can quickly and confidently recover their most critical data and systems after a cyber or other disruptive event and resume normal business operations.