Bogotá - Dell: jorge-espinosa-cyber-security.pdf (transcript, 2020-05-20)
Bogotá, September 19, 2018
Cyber-Security: Protecting Your Business From A Destructive Cyber-Attack With Dell EMC Data Protection Solutions
Jorge Espinosa
@JEspinosaG2
DPS PreSales Manager, Andean, Mexico & NOLA
Threat landscape evolving – Biz @ risk
• 70% of organizations compromised last year
• 80% of CISOs re-thinking strategy in the next 12-18 months
• 37%: largest category is Ransomware / Wiperware
• 170: avg. # of days to detect an advanced persistent threat
• 69% believe their data protection infrastructure is NOT adequate to recover from a cyber attack
• 60% of CISOs actively involved in data recovery planning as part of IR
Incident Response: Categories of Cybercrime Activity (April to June 2016)
[Pie chart; values and legend in slide order: Ransomware 37%, Banking Trojan 12%, Business Email Compromise 9%, Web Script 7%, Adware 7%, Spam 5%, Other* 27%]
* Other: DoS, unknown, digital currency mining and credential harvesting
The Evolution of Ransomware
• Cybercrime has matured into a business sector
• The latest paradigm is Cybercrime-as-a-Service (CaaS)
• The Ransomware market, within this paradigm, is rapidly maturing
• Ransomware strains are being upgraded, rebranded, and sold cheaply on the Dark Web
• All potential targets, regardless of size, present equal opportunities
It can happen to you, or you… OR YOU!
True Costs of Ransomware
Lost Revenue               2,500,000
Incident Response             75,000
Legal Advice                  70,000
Lost Productivity            250,000
Forensics                     75,000
Recovery & Re-Imaging         60,000
Data Validation               25,000
Brand Damage                 500,000
Litigation                   200,000
Total Costs of Attack     $3,785,000
Ransom: $30,000 (the total above includes the ransom; the other line items sum to $3,755,000)
Challenges of coordinated response
• 73% of respondents agreed that the relationship between IT security and business risk can be difficult to coordinate.
• 82% of Risk and Security professionals report that their organizations consider security breaches as a business risk rather than just an IT risk.
[Both charts use a five-point scale: Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree]
Source: ESG Custom Research, Cybersecurity and Business Risk Survey, March 2018
Express cyber risk in financial terms
Private and Confidential
Cyber Risk Quantification
Traditional Strategies Are Not Enough

Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect

Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: Backup Catalog; PBBA [Data Domain]; Tape Library Meta Data DB

Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: Patient needs; Brand; Lost trust
Disaster Recovery ≠ Cyber Recovery

Category            | DR                            | CR
Recovery Time       | Close to Instant              | Reliable & Fast
Recovery Point      | Ideally Continuous            | 1 Day Average
Nature of Disaster  | Flood, Power Outage, Weather  | Cyber Attack, Targeted
Impact of Disaster  | Regional; typically contained | Global; spreads quickly
Topology            | Connected, multiple targets   | Isolated, in addition to DR
Data Volume         | Comprehensive, All Data       | Selective, Includes Foundation SVCs
Recovery            | Standard DR (e.g. failback)   | Iterative, selective recovery; part of IR
NIST Cybersecurity Framework
Identify: Asset Management • Business Environment • Governance • Risk Assessment • Risk Management Strategy
Protect: Access Control • Awareness and Training • Data Security • Information Protection Processes and Procedures • Maintenance • Protective Technology
Detect: Anomalies and Events • Security Continuous Monitoring • Detection Processes
Respond: Response Planning • Communications • Analysis • Mitigation • Improvements
Recover: Recovery Planning • Improvements • Communications • Validation

Dell EMC focus per function:
• Identify – Dell EMC IR Services for Risk Management, Governance Model, & Operating Model
• Protect – Isolated Recovery Solution Protective Technology, Processes & Procedures
• Detect – Isolated Recovery Solution Validation Servers; RSA Security Behavior Analytics
• Respond – Dell EMC IR Services for Response Framework for Cyber Incident Management
• Recover – Isolated Recovery Solution with Recovery Servers
Cyber recovery effectiveness
(Columns: Type of Attack | Examples | Probability | IR Effectiveness | Notes)

Persistence / Dormant Malware | Ransomware: WannaCry, Petya/NotPetya | HIGH | HIGH
• Consider leveraging a clean room to route binaries & OS images to the IR Vault prior to distribution.

Data Wiping | Ransomware: Petya / NotPetya | HIGH | HIGH
• Spread of wiper software contained to the production environment.
• Data in IR Vault stored in raw backup format.

Data Locking | Ransomware: WannaCry, CryptoLocker | HIGH | HIGH
• Spread of encrypting malware contained to the production environment.
• Pre-locking restore points available in the IR Vault.

Insider Attack | Examples: Media, Gov; Sensitive Data Exposed | MODERATE / HIGH | HIGH
• IR Vault removes restore points from the production network.
• IR Vault accessible by CSO-assigned admins only.

Backups Compromised | Examples: Media, Healthcare; Ransomware / Sensitive Data Exposed | MODERATE / INCREASING | HIGH
• IR Vault removes recovery infrastructure from the production network.
• IR Vault accessible by CSO-assigned admins only.

Air Gap Bypass | Stuxnet | LOW | LOW
• Secure / immutable copies cannot be deleted.
• Risk of physical destruction remains.

Data Theft | Ransomware Attacks | HIGH | LOW
• Data stored in the IR Vault is removed from data theft risk, but copies typically remain in production.
Layered Cyber-Security for Data Protection (Level of Protection: Good → Better → Best)

Good – Traditional Data Protection Best Practices
• Deploy a layered data protection approach (“the continuum”) for more business-critical systems, but always include a point-in-time, off-array, independent backup with DR Replication (N+1)
• Protect “Born in the Cloud” and endpoint data

Better – Additional Hardening and Protection Features
• Product-specific hardening guides
• Encryption in flight and/or at rest
• Retention lock with separate security officer credentials

Best – Advanced Protection Services
• Isolated recovery solution
• EMC/EY service offerings: assess, plan, implement, and validate
• Use of evolving security analytics: RSA & Secureworks

© Copyright 2017 Dell Inc.
Isolated recovery solution – how it works: critical data resides off the network and is isolated
[Diagram: Production Apps on the Corporate Network hold Business Data (Crown Jewels) and Tech Config Data (Mission-critical Data); a risk-based replication process copies them over a Dedicated Connection, through an Air Gap, to the Isolated Recovery environment, separate from DR/BU]
The Most Critical Data First
[Diagram: Compute → Applications → Validate & Store → Highest Priority Data]
• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there
Isolated Recovery – Dell EMC Data Domain
• Create backup of data
• No management connectivity to the IR Vault
• Enable data link and replicate to the isolated system
• Complete replication and disable data link
• Maintain WORM-locked restore points
• Optional security analytics on data at rest
• Professional Services
[Diagram: Primary Storage → Backup Appliance (DD) → DD Replication across the Air Gap → ISOLATED RECOVERY VAULT containing the Isolated Recovery System, Management Host, Validation Hosts and Restore Hosts]
Separate Copy Streams For Better Recovery
[Diagram, two streams into the Isolated Recovery Vault: (1) Backup Process – Daily Backup from Production Hosts to Data Domain, then DD MTree Replication into the vault; (2) Change Control Process – Vendor Distros material for the IR Vault (OS images) passes through a Clean Room and Change Control Copy Distribution Mgmt. to a separate Data Domain, then DD MTree Replication into the vault. The malware path is shown running through the production hosts only.]
Proactive Analytics in the IR Vault
Why Analytics in the Vault?
• Increase the effectiveness of Prevent/Detect cybersecurity when performed in a protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only occur when the application is initially brought up.
Categories of Data
• Transactional Data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual Property – static/large (checksums, file entropy)
• Executables / Config. Files – static/small (checksums, malware scans)
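An added example, not from the deck or from Dell EMC, of the validation checks these data categories imply, run over a constructed restore point: SHA-256 checksums of executables and config files are compared against a change-control baseline, and Shannon entropy of intellectual-property files flags copies that look encrypted. All file names, contents, the baseline and the 7.5 bits/byte threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed sample "restore point": path -> bytes, standing in for files read
# back from a vault copy. Names and contents are illustrative only.
BASELINE = {  # known-good checksums captured at change-control time (constructed)
    "bin/app": hashlib.sha256(b"\x7fELF app v1").hexdigest(),
    "etc/app.conf": hashlib.sha256(b"listen=8443\n").hexdigest(),
}
RESTORE_POINT = {
    "bin/app": b"\x7fELF app v1",                      # unchanged executable
    "etc/app.conf": b"listen=8443\nadmin=1\n",         # config drifted from baseline
    "ip/design.doc": b"Design notes: " + b"A" * 200,   # static IP data, low entropy
    "ip/design.doc.locked": bytes(range(256)) * 2,     # uniform bytes: looks encrypted
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def validate_restore_point(files, baseline, entropy_threshold=7.5):
    """Return (path, finding) pairs: checksum drift for files that have a baseline
    entry (executables/config), high entropy for everything else (IP data)."""
    findings = []
    for path, data in files.items():
        if path in baseline:
            if sha256_hex(data) != baseline[path]:
                findings.append((path, "checksum mismatch vs. change-control baseline"))
        else:
            ent = shannon_entropy(data)
            if ent >= entropy_threshold:
                findings.append((path, f"entropy {ent:.2f} bits/byte suggests encryption"))
    return findings


if __name__ == "__main__":
    for path, finding in validate_restore_point(RESTORE_POINT, BASELINE):
        print(f"ALERT {path}: {finding}")
```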
[Diagram: ISOLATED RECOVERY VAULT containing the Isolated Recovery System, Management Host, Validation Hosts and Restore Hosts]
Current State: Risk Profile Summary

Technical
• All data is currently susceptible to a cyber attack
• Primary storage replication can replicate corruption
• Backup catalog not replicated
• Recovery of backup catalog from tape is slow and failure prone
• Backup copies not isolated from network

People & Process
• IT Engineering and Ops have access to most if not all Backup Assets
• Security teams not assigned to assets. Bad actors inside the firewall can create havoc.
• Franchise critical and non-critical data are not segregated
• Backup images can be expired without authorization

• These risks are consistent with traditional Prod/DR models.
• This is a different challenge and requires a different architecture.
Proposed: Exposures Resolved and Remaining

[Diagram: Prod Network with Franchise Critical Hosts, Backup Master Server, Backup Media Servers, Backup Storage, Tape Library (Short Term Retention, Long Term Retention), Backup Mgmt Console and Backup Reporting/Ops Mgmt Server; an Air Gap with Switch 1 and Switch 2 leads to the IR Vault Network with IRS Backup Storage, Management Host and Validation Host]

Exposures remaining on the Prod Network:
• Non-HA backup server represents a single point of failure
• Backup images may be prematurely expired without authorization
• Ineffective role-based access controls may allow unintended access to backup data
• Backup copies are not isolated or logically segregated from the network

Exposures resolved by the IR Vault Network:
• Management host opens/closes ports based on schedule and DD probes. Applies Retention Lock on DD.
• Switches are the only logical point of entry and open only the ports required for scheduled replication and alerting
• IRS copies are isolated and Compliance/WORM locked.
• No destructive actions without dual-role authentication
• Validation host ensures usability of IRS copies and alerting of corruption
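An added model, constructed for this transcript and not Data Domain's own API, of the vault controls listed above: the link opens only inside a scheduled window, every copy is retention-locked on arrival, and a destructive delete is refused while the lock is active or without dual-role approval. Role names, restore-point names and timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model (not Data Domain's own API) of the vault controls on the slide:
# the replication link is closed by default and opened only inside the scheduled
# window, each copy is retention-locked on arrival, and deleting a copy needs both
# an expired lock and dual-role approval (vault admin plus security officer).
DUAL_ROLES = {"vault_admin", "security_officer"}

@dataclass
class IsolatedVault:
    retention: timedelta
    link_open: bool = False
    copies: dict = field(default_factory=dict)  # name -> retention lock expiry

    def open_link(self, now: datetime, start: datetime, end: datetime) -> bool:
        """Management host opens the link only within the scheduled window."""
        self.link_open = start <= now < end
        return self.link_open

    def close_link(self) -> None:
        self.link_open = False

    def replicate(self, name: str, now: datetime) -> bool:
        """Accept a restore point only while the link is open; lock it on arrival."""
        if not self.link_open:
            return False
        self.copies[name] = now + self.retention
        return True

    def delete(self, name: str, now: datetime, approvals: set) -> bool:
        """Destructive action: refused while WORM-locked or without dual-role approval."""
        if name not in self.copies or now < self.copies[name]:
            return False
        if not DUAL_ROLES <= approvals:
            return False
        del self.copies[name]
        return True

def demo_cycle() -> dict:
    """One replication cycle with constructed timestamps; returns each decision."""
    t = datetime(2018, 9, 19, 1, 0)                       # 01:00, outside the window
    start, end = t.replace(hour=2), t.replace(hour=3)     # 02:00-03:00 schedule
    vault = IsolatedVault(retention=timedelta(days=30))
    early = vault.replicate("daily-0919", t)              # link closed: refused
    vault.open_link(t.replace(hour=2, minute=30), start, end)
    ok = vault.replicate("daily-0919", t.replace(hour=2, minute=30))
    vault.close_link()
    locked = vault.delete("daily-0919", t.replace(hour=2, minute=40), DUAL_ROLES)
    expiry = t + timedelta(days=31)
    single = vault.delete("daily-0919", expiry, {"vault_admin"})
    dual = vault.delete("daily-0919", expiry, DUAL_ROLES)
    return {"early": early, "ok": ok, "locked": locked, "single": single, "dual": dual}
```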
Next steps

We Know The Data To Protect
• Confirm current backup infrastructure – compatibility, etc.
• Determine sizing and location of backup data on Data Domain (by mTree)
• Verify Data Domain sizing requirements
• Sample SOW with Pricing Estimate

We Need More Help
• Isolated Recovery Introductory Advisory Engagement
  – Workshops to determine IR metrics, DR maturity, data classification and sizing