Ransomware Counts on Patch Tuesday

June 20, 2023 by George Crump

Ransomware counts on Patch Tuesday to successfully infiltrate an organization. There is nothing wrong with applying patches on a Tuesday; the problem is which Tuesday. Ideally, a patch goes on within days of its release, the first Tuesday after it ships at the latest, because attackers start working backward from a published fix to a working exploit as soon as it is public. Patching promptly closes the known vulnerabilities that most ransomware and other cyber threats rely on to get in.

The problem is that organizations wait weeks or even months to apply patches. Why? Because the IT team needs to understand how the proposed patch will affect the rest of the environment. They don’t want a patch that suddenly causes other currently working systems to fail.

Today’s infrastructure must let IT vet and apply patches quickly enough to eliminate Patch Tuesday altogether. That means a solution that addresses three patching challenges:

  1. Difficulty determining where a potential conflict lies, because of the number of vendors involved in delivering IT services.
  2. Difficulty assembling and maintaining a lab environment in which to test patches.
  3. Difficulty rolling back a patch once it is deployed.

Eliminate Patch Tuesday and set yourself up for ransomware recovery success by attending our live TechTalk, “Creating a Ransomware Response Strategy,” this Thursday at 1:00 PM ET.

There are Too Many Vendors to Eliminate Patch Tuesday

One of the biggest challenges facing IT as it tries to apply patches before the next ransomware attack is the complexity of the multi-vendor data center, and this is why ransomware counts on Patch Tuesday. While Hyperconverged Infrastructure (HCI) was supposed to make the multi-vendor data center easier to manage, it often has the opposite effect. Traditional HCI is still a vertically layered stack of multiple software products. At a minimum, most HCI stacks include software-defined storage (SDS), a hypervisor (VMware/Hyper-V), software-defined networking, and software that protects the environment (backup and recovery), each patched on its own vendor’s schedule.

Many environments are only one step down the software-defined path, running a legacy three-tier stack and virtualizing only compute. As a result, legacy data centers and even the more “modern” HCI data centers are equally confusing when it comes to determining the impact of a patch.

Ultraconverged Infrastructure Simplifies Patch Reconciliation

VergeOS rotates the traditionally vertical IT stack into a tightly integrated linear plane that provides all infrastructure services (networking, hypervisor, storage, data protection) as a data center operating system within a singular software code base. We call this ultraconverged infrastructure (UCI), and it moves beyond legacy hyperconverged infrastructure to deliver greater efficiency and scalability at a significantly lower cost.

Reducing the IT stack to a single horizontal layer increases efficiency and scalability and simplifies patching. Updates for the entire infrastructure come from a single source, and because VergeOS is inherently highly available, IT can apply patches and updates without disruption. VergeOS applies patches one node at a time; workloads move automatically to the remaining nodes so applications are unaffected, provided the cluster has enough spare capacity to absorb the node being patched.
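A rolling patch with the gates a practitioner would want around it, as an added example that is not VergeOS’s own updater: one node is drained and patched at a time, a pre-check confirms the remaining nodes can hold its workloads while staying at quorum, and the roll halts on the first failed health check so a bad build never spreads cluster-wide. Node names, slot counts, the majority-quorum rule and the `apply_patch`/`health_check` callbacks are assumptions.

```python
"""Rolling, one-node-at-a-time infrastructure patch with HA gating.

Added example, not VergeOS code. A node's capacity is modelled as VM
"slots" and the cluster needs a simple majority of healthy nodes; both
are assumptions standing in for a real scheduler.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Node:
    name: str
    slots: int                       # assumed: capacity in VM slots
    version: str
    vms: List[str] = field(default_factory=list)
    healthy: bool = True

    @property
    def free(self) -> int:
        return self.slots - len(self.vms)


class Cluster:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = nodes

    def quorum(self) -> int:
        return len(self.nodes) // 2 + 1

    def healthy_nodes(self, exclude: Optional[Node] = None) -> List[Node]:
        return [n for n in self.nodes if n.healthy and n is not exclude]

    def can_absorb(self, node: Node) -> bool:
        """Other healthy nodes must hold this node's VMs and keep quorum."""
        others = self.healthy_nodes(exclude=node)
        return (len(others) >= self.quorum()
                and sum(n.free for n in others) >= len(node.vms))

    def drain(self, node: Node) -> Dict[str, str]:
        """Live-migrate every VM off `node`, most-free target first."""
        moves: Dict[str, str] = {}
        for vm in list(node.vms):
            target = max(self.healthy_nodes(exclude=node), key=lambda n: n.free)
            if target.free <= 0:
                raise RuntimeError(f"no capacity to drain {node.name}")
            node.vms.remove(vm)
            target.vms.append(vm)
            moves[vm] = target.name
        return moves


def rolling_patch(cluster: Cluster, target: str,
                  apply_patch: Callable[[Node], None],
                  health_check: Callable[[Node], bool]) -> dict:
    """Patch nodes one at a time; stop at the first node that fails its
    post-patch health check. A failed node stays drained and unhealthy so
    its workloads remain on known-good nodes."""
    report: dict = {"patched": [], "halted_on": None, "moves": {}}
    for node in cluster.nodes:
        if node.version == target:
            continue
        if not cluster.can_absorb(node):
            report["halted_on"] = node.name
            report["reason"] = "insufficient capacity or quorum to drain"
            return report
        report["moves"][node.name] = cluster.drain(node)
        apply_patch(node)
        if not health_check(node):
            node.healthy = False
            report["halted_on"] = node.name
            report["reason"] = "post-patch health check failed"
            return report
        node.version = target
        report["patched"].append(node.name)
    return report


if __name__ == "__main__":
    # Constructed three-node cluster; the lambdas stand in for the real
    # package installer and health probe.
    cluster = Cluster([Node("n1", 4, "1.0", ["db", "web"]),
                       Node("n2", 4, "1.0", ["app"]),
                       Node("n3", 4, "1.0", ["cache"])])
    print(rolling_patch(cluster, "1.1", lambda n: None, lambda n: True))
```

The `can_absorb` check is the part most rolling updaters get wrong: a cluster that is already running one node short, or whose remaining nodes are nearly full, cannot be patched safely, and the roll should refuse up front rather than fail halfway through.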

You Need a Lab to Eliminate Patch Tuesday

Patches also come from operating systems and application vendors. Properly evaluating the impact of these patches is best done in a lab. IT organizations need a lab for patch testing and various other use cases. The problem is not just the cost to configure and maintain the lab but also making sure the lab has the same settings and data as the production environment. These requirements mean that most organizations don’t have a dedicated lab environment. When one is needed, they have to scramble to put something together. As a result, the lab is nothing like the production environment they are looking to simulate.

Virtual Data Centers: The Always Ready Lab

One of the critical capabilities of VergeOS is Virtual Data Centers (VDC). A Virtual Data Center is to a physical data center what a virtual machine (VM) is to a physical server: an encapsulation. Using another VergeOS capability, IOclone, IT professionals can create a space-efficient copy of their entire data center within milliseconds.

Capturing the entire data center, including the data, networking configuration, storage policies, and application setups, is critical to verifying patches against an exact replica of production. The clone is a standalone object, not dependent on the original: unchanged blocks are shared with production under the hood, but writes to the clone never touch production data, so administrators can apply the patch without concern for the production environment.

IT can implement a single VDC for its entire data center or subdivide it by application or workload. For example, a VergeOS administrator may create a VDC for Oracle, another for MS-SQL, and a “core” VDC for general-purpose VMs. Each VDC can be cloned hundreds of times, and those clones can be used as golden masters, backups, development, and patch verification.

IT Needs to Eliminate Patch Tuesdays AND Surprise Wednesdays

Even with the best testing, sometimes an errant patch slips through. Depending on the level of chaos it causes, IT may have to recover from the backup infrastructure completely. Recoveries from backup, especially large ones, are time-consuming, meaning IT may deal with the Wednesday surprise for the rest of the week. The problem is most infrastructure software is too inefficient to maintain its data protection points, typically traditional snapshots, for more than a few hours. As pointed out in this article, “VMware Storage Challenges,” this problem is especially apparent in VMware environments.

IOclone: Unlimited Clones and Retention

To make surprise Wednesdays less of a concern, IT needs to retain protected copies for more than a few hours. Traditional backup software can meet the retention need, but recovering an application from backup after an errant patch is slow and fiddly. IOclone captures the entire state of a VM, a workload, or the whole data center. No rollback is needed: point at the last known good clone, and the application is running. Clones kept on the same system protect against a bad patch, not against loss of the system itself; off-site copies are still required for that.
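How a deduplicated, copy-on-write clone makes patch testing and rollback cheap, as an added example that is not VergeOS, IOclone or any Verge.io code. It models the Virtual Data Center cloning described above, the “point at the last known good clone” rollback in this section, and the “Simplify Patching” item in the checklist post that follows. The 4 KiB chunk size, SHA-256 content addressing, the names `CloneStore` and `patch_in_clone`, and the constructed sample image are all assumptions.

```python
"""Content-addressed chunk pool with instant clones and copy-on-write.

Added example, not VergeOS code. An "image" (a VM disk, or a whole
virtual data center) is a manifest: an ordered list of chunk hashes.
Identical chunks are stored once (global dedup), a clone is just a
manifest copy, and a write re-hashes only the chunks it touches.
"""
import hashlib
from typing import Callable, Dict, List, Optional

CHUNK = 4096  # assumed chunk size for the model


class CloneStore:
    def __init__(self) -> None:
        self.pool: Dict[str, bytes] = {}          # hash -> chunk data, stored once
        self.refs: Dict[str, int] = {}            # hash -> manifest references
        self.manifests: Dict[str, List[str]] = {}
        self.active: Optional[str] = None         # image currently "in production"

    def _put(self, data: bytes) -> str:
        h = hashlib.sha256(data).hexdigest()
        self.pool.setdefault(h, data)
        self.refs[h] = self.refs.get(h, 0) + 1
        return h

    def _drop(self, h: str) -> None:
        self.refs[h] -= 1
        if self.refs[h] == 0:          # last reference gone: reclaim the chunk
            del self.refs[h]
            del self.pool[h]

    def create(self, name: str, image: bytes) -> None:
        self.manifests[name] = [self._put(image[i:i + CHUNK])
                                for i in range(0, len(image), CHUNK)]
        self.active = self.active or name

    def clone(self, src: str, dst: str) -> None:
        """Constant time regardless of size: copy the manifest, bump refcounts."""
        self.manifests[dst] = list(self.manifests[src])
        for h in self.manifests[dst]:
            self.refs[h] += 1

    def read(self, name: str) -> bytes:
        return b"".join(self.pool[h] for h in self.manifests[name])

    def write(self, name: str, offset: int, data: bytes) -> None:
        """Copy-on-write: only chunks overlapping [offset, offset+len) change."""
        m = self.manifests[name]
        first, last = offset // CHUNK, (offset + len(data) - 1) // CHUNK
        for idx in range(first, last + 1):
            base = idx * CHUNK
            old = self.pool[m[idx]]
            lo = max(offset, base) - base
            hi = min(offset + len(data), base + CHUNK) - base
            src = max(offset, base) - offset
            new = old[:lo] + data[src:src + (hi - lo)] + old[hi:]
            new_h = self._put(new)
            self._drop(m[idx])
            m[idx] = new_h

    def delete(self, name: str) -> None:
        for h in self.manifests.pop(name):
            self._drop(h)

    def physical_bytes(self) -> int:
        return sum(len(c) for c in self.pool.values())

    def logical_bytes(self, name: str) -> int:
        return sum(len(self.pool[h]) for h in self.manifests[name])


def patch_in_clone(store: CloneStore, prod: str, offset: int, patch: bytes,
                   validate: Callable[[bytes], bool]) -> dict:
    """Test a patch on a clone of `prod`. On success the clone becomes the
    active image and `prod` stays as the known-good rollback point; on
    failure the clone is discarded and production was never touched."""
    before = store.physical_bytes()
    lab = f"{prod}-patchtest"
    store.clone(prod, lab)
    store.write(lab, offset, patch)
    ok = validate(store.read(lab))
    if ok:
        store.active = lab
    else:
        store.delete(lab)
        store.active = prod
    return {"validated": ok, "active": store.active,
            "extra_physical_bytes": store.physical_bytes() - before}


if __name__ == "__main__":
    s = CloneStore()
    s.create("prod", (b"A" * CHUNK) * 8)   # constructed 32 KiB image of 8 identical chunks
    print(s.logical_bytes("prod"), s.physical_bytes())   # dedup: 32768 logical, 4096 physical
    print(patch_in_clone(s, "prod", 3 * CHUNK + 10, b"PATCHED v2",
                         lambda img: b"PATCHED" in img))
```

Rolling back after a promoted patch turns out bad is `store.active = "prod"`: nothing is copied in either direction, which is the property the comparison table at the end of this post is describing. The `extra_physical_bytes` figure shows the other half of the argument: the clone costs nothing until it is written to, and a failed test frees exactly what the test wrote.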

Get Ahead of Ransomware


Because ransomware counts on Patch Tuesday, applying the latest patches promptly is critical to staying ahead of it. With VergeOS, IT can apply infrastructure patches almost as soon as they are released without waiting for a Tuesday, and can test application patches against a clone of the production environment. If an errant patch slips through, IT can instantly point back to the pre-patch clone.

Even with the improved patching capabilities in VergeOS, ransomware may still slip through because of user carelessness, for instance a phished credential or an opened attachment. Our IOfortify solution takes you the rest of the way by combining the hardened VergeOS, IOclone, and new detection capabilities to deliver rapid restoration from an attack. During our TechTalk, “Creating a Ransomware Response Strategy,” we will conduct a live demonstration of IOfortify in action and see whether we can recover a VM while it is under attack.

Patch Comparison: Traditional Infrastructure Software vs. VergeOS

Rapid Patch Requirement | Traditional Infrastructure Software | VergeOS
Determining patch impact | Difficult: multiple vendors make identifying potential conflicts time-consuming | Easy: one vendor
Pre-deployment testing | Difficult: a dedicated lab is hard to set up, maintain and pay for | Easy: Virtual Data Centers and cloning create “instant labs”
Patch rollback | Hard: recovering from a backup copy is very time-consuming | Easy: no rollback required, just point to the pre-patch clone

Filed Under: Blog, Protection Tagged With: dataprotection, ransomware

Building a Ransomware Response Checklist

June 14, 2023 by George Crump

The best time for IT Professionals to start building a ransomware response checklist is now, before an attack occurs. There are several reasons for creating a checklist:

√ Successful Ransomware Response requires preparation.

√ Stress levels are high during an attack. You might forget a critical element in a rush to get everything back online.

√ A checklist will expose areas where you must practice and test.

√ A checklist provides a framework for comprehensive auditing.

Section One: Build a Ransomware Resilient Foundation

▢ Implement a Prevention Solution
The first step in building a ransomware response checklist is to cover the foundational elements. The best response is the one you don’t have to conduct because the attack never gets through. No prevention solution is perfect, and you still need a response strategy, but prevention tools do stop many types of attacks.

▢ Simplify Patching
Most patches IT professionals receive today close security vulnerabilities that attackers exploit, and they should be applied upon release. The problem is that most IT professionals hesitate to patch because of the downtime involved and the potential for unexpected side effects. This is especially true of infrastructure software, where an errant patch, or the downtime to apply it, can affect dozens of servers instead of just one.


Another challenge is that most IT infrastructures are composed of multiple pieces of software. Instead of a single, cohesive data center operating system (DCOS), IT runs layers of separately developed infrastructure components: networking software, virtualization software, storage software, and data protection software. Each layer is patched when its own vendor releases a service pack, which rarely coincides with when the vendors of the other layers release theirs.

Look for a vendor that takes a DCOS approach to infrastructure, which is not only critical to simplifying patching but also simplifies the entire ransomware response effort.

A DCOS should deliver two things for patching. First, it should simplify patching of the DCOS itself by integrating the legacy IT stack into a single software element. Second, it should make patching guest operating systems and applications inside VMs simpler by providing clones that cost no capacity and no performance at creation, so IT can test a released patch for conflicts with other elements of the data center. If the patch causes a problem, IT discards the clone and stays on the prior version; if it works, IT rolls the patched version into production.

▢ Harden the Operating Environment
An essential but often overlooked step is to harden the infrastructure software itself as much as possible. If ransomware can infect part of the core infrastructure, such as the hypervisor, the storage software, or the data protection software, the impact is widespread and recovery is far more complex, because the very layer you would recover from is compromised.


Most mainstream operating systems are not resilient to attack on their own, so you should ensure that core infrastructure software, such as the hypervisor, storage, and networking software, is hardened. Look for infrastructure software that is built to behave like firmware: a minimal image loaded into RAM at boot that can be replaced easily from an immutable known-good copy, so a compromised node is re-imaged rather than cleaned. Again, a DCOS makes this easier, since only one software component needs to be hardened instead of three or four.

Section Two: Build a Ransomware Resilient Protection Strategy

▢ Increase Protection Frequency and Retention
Protecting data is an obvious inclusion in any attempt at building a ransomware response checklist. Most data centers run into three challenges when creating a ransomware-resilient data protection strategy:

  1. Protection events occur too infrequently to be meaningful.
  2. Protected copies aren’t retained long enough to outlive a prolonged attack.
  3. Too many protection solutions are used, making the process complex and expensive.

A best practice for a successful ransomware response is to make sure you are capturing all data hourly. Snapshots, on paper, look ideal for this use case, but most solutions experience significant performance problems as the number of snapshots increases, limiting how long those snapshots can be retained.

▢ Consolidate Protection Tools
To get around the limitation of traditional snapshots, most organizations use at least four data protection tools to protect their environment. They may use a combination of hypervisor snapshots, storage system snapshots, replication software, application-level backup utilities (dumps), and enterprise backup software. Using all these applications makes the data protection process more expensive and complex, especially during a ransomware recovery effort. IT may be unsure which part of the process has the best known good copy.

Look for an infrastructure DCOS that lets you consolidate the data protection tooling, preferably down to one tool; in essence, the DCOS protects itself. It should protect data frequently and retain those protection points indefinitely without performance degradation. It should be able to restore the entire data center footprint, including network and storage configurations, with a single click. Lastly, it should include affordable replication (and the high availability that comes with it) so a copy can be kept off-site and the 3-2-1 rule is satisfied: three copies of the data, on two different media, one of them off-site. Clones that live on the same system as production do not count as that off-site copy.


▢ Consider a Snapshot Alternative
Traditional snapshot technology, standard in most storage systems and hypervisors, is ill-suited to these requirements. The metadata required to maintain a high-frequency, long-retention snapshot schedule is too great: it hurts performance and makes deleting old snapshots to free capacity too time-consuming. Clones are a better option for performance and retention because they are independent copies, but without global inline deduplication, frequent clones with long retention consume too much capacity and degrade performance too much to be practical.

Look for an infrastructure that combines the best of clones and snapshots by implementing DCOS-wide deduplication. If deduplication is built into the core of the DCOS, it removes the concerns about algorithmic overhead and capacity consumption, and a clone becomes a metadata operation that references chunks already stored, which is why PBs of data can be cloned in milliseconds.

Section Three: Build a Ransomware Resilient Detection Strategy


▢ Detect Data Anomalies
Detection is a critical component of a ransomware-resilient checklist. The sooner the DCOS alerts IT to an attack, the faster IT can stop it and remediate. Most ransomware behaves in two ways once it is inside the environment: it encrypts files as fast as it can, and it spreads to other systems so it can encrypt more files in parallel.

Again, multiple detection tools are problematic. Look for a DCOS that delivers, in near real time, a single source of alerting based on data change rates. In a globally deduplicated environment the DCOS can alert on an unexpected increase in capacity consumption: encrypted output is effectively random and matches nothing already stored, so the rate of new unique blocks jumps far above normal even when the volume written looks ordinary. Expect some legitimate work, such as loading a large new database, to trip the same alert; treat it as a trigger for triage rather than an automatic recovery.
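The change-rate alerting described above, run over a constructed telemetry series, as an added example that is not IOfortify or any VergeOS code. It assumes the platform can report, per interval, how many bytes guests wrote and how many bytes of new unique chunks the global dedup pool had to allocate; the sample values, the window size and the thresholds are assumptions to be tuned per environment. A per-byte entropy check is included as a corroborating signal the detector could apply to freshly written chunks; it is an addition here, not something the text describes.

```python
"""Ransomware alerting from deduplicated-storage telemetry.

Added example, not VergeOS/IOfortify code. Each sample is one interval of
storage telemetry: seconds covered, bytes written by guests, and bytes of
brand-new unique chunks the dedup pool had to store. Normal workloads
mostly rewrite data the pool already holds; encryption output is random,
so unique bytes track written bytes and the pool grows abnormally fast.
"""
from math import log2
from statistics import median
from typing import Dict, List

# Constructed telemetry, 60-second intervals, values in bytes. Intervals
# 0-6 and 8 are normal (~5% unique), interval 7 is a large image copy that
# dedups almost entirely, and intervals 9-10 look like encryption.
TELEMETRY: List[Dict[str, float]] = [
    {"t": i, "seconds": 60, "written": w, "unique": u}
    for i, (w, u) in enumerate([
        (500e6, 25e6), (520e6, 30e6), (480e6, 20e6), (510e6, 28e6),
        (530e6, 26e6), (490e6, 24e6), (505e6, 27e6),
        (6_000e6, 60e6),            # image copy: lots written, nearly all known
        (500e6, 25e6),
        (2_000e6, 1_900e6),         # encryption begins
        (2_400e6, 2_350e6),
    ])
]


def unique_rate(s: Dict[str, float]) -> float:
    """Bytes per second of data the pool had never seen before."""
    return s["unique"] / s["seconds"]


def dedup_miss_ratio(s: Dict[str, float]) -> float:
    """Fraction of written bytes that matched nothing already stored."""
    return s["unique"] / s["written"] if s["written"] else 0.0


def detect(samples: List[Dict[str, float]], window: int = 6,
           rate_mult: float = 5.0, miss_threshold: float = 0.8) -> List[dict]:
    """Alert when an interval's unique-byte rate exceeds `rate_mult` times
    the median of the previous `window` intervals AND most of what was
    written was new to the pool. The second condition keeps large but
    dedup-friendly jobs (clones, image copies) from paging anyone."""
    alerts = []
    for i in range(window, len(samples)):
        baseline = median(unique_rate(x) for x in samples[i - window:i])
        cur = samples[i]
        rate, miss = unique_rate(cur), dedup_miss_ratio(cur)
        if rate > rate_mult * baseline and miss > miss_threshold:
            alerts.append({"t": cur["t"],
                           "unique_rate_x": round(rate / baseline, 1),
                           "dedup_miss_ratio": round(miss, 2)})
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a chunk. Assumed corroborating check: freshly
    written chunks near 8.0 are encrypted (or already compressed) data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print("ALERT", alert)
    print("entropy of text chunk:", round(shannon_entropy(b"hello world " * 300), 2))
```

Interval 7 writes twelve times the normal volume yet produces no alert, because almost all of it deduplicates; intervals 9 and 10 write a quarter of that and alert immediately, because almost none of it does. A legitimate bulk load of new, incompressible data would look like the attack intervals, which is why the alert should start an investigation and a forensic clone rather than an automatic rollback.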

▢ Preserve Forensic Data
When ransomware attacks, most IT professionals’ first reaction is to start the recovery response as quickly as possible. The problem with jumping right into recovery is that the process will likely destroy any forensic data available to determine how the attack entered the environment and how it spread. Both data points are crucial to future prevention efforts.

Instead, look for a DCOS that enables quick isolation of the current state. Again using a cloning type of technology powered by global inline deduplication enables these clones to be made in milliseconds without consuming too much capacity. It is also critical that this clone be independent and isolated.

▢ Create Ransomware Honeypots
Another detection strategy is to create Honeypots of the environment and expose them to attack, obviously anonymizing data in them. These honeypots can alert you of a potential wider threat and provide excellent practice for further hardening your data center. Honeypots typically have a lower false positive rate, when compared to most traditional intrusion-detection systems.

Look for a DCOS that can virtualize entire data centers in the same way that virtual machines virtualize servers. Then the DCOS can easily create honeypot data centers that are securely isolated from the production virtual data centers.

Section Four: Build a Rapid Recovery Strategy

▢ Mount the Recovery, Don’t Copy
When ransomware strikes, rapid recovery is critical. Depending on the severity of the attack, IT may need to recover a few VMs or an entire data center. Copying data back from a snapshot or a backup takes too long. Again, clone the current state for forensics first, then start recovery. The key is to mount the last known good copy of the data in place. That mount still needs isolation so IT can scan it for malware remnants, such as dormant payloads and persistence mechanisms, before returning it to production.

Look for a DCOS that can in-place mount a previous VM version or an entire data center. An in-place mount provides instant access to the data so IT can scan it to ensure there are no malware remnants and then provide user access.

How’s Your Checklist?

Building a Ransomware Response Checklist is only effective if you tick all the boxes. If your evaluation is missing a couple of marks, then consider attending VergeIO’s next TechTalk, “Creating a Ransomware Response Strategy,” with our CEO, Yan Ness, and SE Director, Aaron Reid. They will dive deep into the elements of this checklist and show you a live demo of our IOfortify solution for recovering from a ransomware attack.

Filed Under: Blog, Protection Tagged With: dataprotection, Disaster Recovery, DR, ransomware

© 2023 Verge.io. All Rights Reserved.