Why is storage the last line of defence for data security
By Ning Yun, Director of Data Storage Department, Huawei SAR
Since ransomware attacks occur frequently, various measures are put in place to protect against them, including:
- Prevention before attack: Vulnerabilities are quickly identified and rectified, and ransomware is analysed and quickly identified.
- Interception during attack: Known ransomware is accurately detected and removed, and unknown attacks are identified immediately.
- Tracing after attack: Paths are analysed for timely blockage, and features are saved to libraries for future prevention.
Many security vendors would advise enterprises to enhance their security awareness, and to periodically back up their important data to minimise exposure to risks. However, despite having so many measures in place, storage is an absolutely essential part of ransomware protection.
Ransomware is hard to prevent, and hard to fend off
Ransomware is different from common computer viruses. If common viruses were hoaxes, ransomware would be a well-planned conspiracy. Behind targeted ransomware is a profit-oriented criminal who won't stop until they reach their goal. Ransomware has the following features:
Many different camouflage methods: The camouflaged malware can gain access to the system through storage media, phishing emails, website Trojans, social networks, malicious insiders, and zero-day vulnerabilities (security vulnerabilities that have not been resolved yet), and it is not possible to guarantee successful interception.
Prolonged latency: Ransomware is evolving and becoming increasingly complex. Attackers aiming for big returns have been known to invest a lot of time and money into researching and carefully planning their attacks for weeks or even months in order to maximise their chances of success.
Traditional security systems use a passive approach
According to Northrop Grumman's Defense in Depth (DiD) model, there are five lines of defense against ransomware attacks.
Perimeter and network security are built into the network layer, where the key to protecting against ransomware is to detect the malware and to prevent and block known threats. Endpoint and application security are deployed at the host layer. They update system and software patches, making it harder for cybercriminals to exploit vulnerabilities. Both network-layer and host-layer measures are passive forms of defense, meaning that firewalls and antivirus software can only prevent attacks from known viruses.
Common protection methods such as network firewalls and antivirus software cover the first four layers, but for a long time, data protection at the fifth layer has been lacking.
Because ransomware is highly covert and well camouflaged, it is often too late by the time victims detect it. Attackers tend to lurk for months, encrypting the data and demanding a ransom after they gain higher privileges and possess large amounts of critical data. Victims are often unprepared to resist, leaving their data at high risk of breach even when blockage is available.
At this point, if the first four layers of defense have failed, the victim will likely be extorted into paying a huge ransom. As the last line of defense, storage systems must proactively form the fifth layer of defense.
How storage defends on the last line
Storage systems protecting against ransomware need to be able to accurately detect threats and prevent tampering.
Anti-tampering: Even if data is encrypted by ransomware, storage systems can handle it with ease. The system deploys anti-tampering techniques so that historical data backups or snapshots cannot be tampered with or deleted. In case of attacks, data can be quickly recovered to reduce losses.
Accurate: The storage system should detect abnormal I/Os caused by ransomware attacks immediately. The accuracy of the Huawei storage system in identifying ransomware is as high as 99.9%. Data protection is initiated upon ransomware detection to quickly minimise data losses.
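An added illustration of the two properties above, not code from the original article or from Huawei's product: it flags a burst of high-entropy overwrites in a stream of write I/Os and, on alert, takes a snapshot that cannot be deleted until its retention period ends. The entropy heuristic, the thresholds, the class and function names, and the sample writes are all assumptions constructed for this example.

```python
import math
import os
from collections import Counter, deque

ENTROPY_BITS = 7.2   # assumed threshold: encrypted data approaches 8 bits/byte
WINDOW = 8           # assumed: number of most recent writes examined
ALERT_RATIO = 0.75   # assumed: share of high-entropy overwrites that raises an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of a write payload."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


class LockedSnapshots:
    """Snapshots that cannot be deleted until their retention time has passed."""

    def __init__(self):
        self._snaps = {}  # snapshot name -> retain-until time (seconds)

    def create(self, name: str, now: float, retain_for: float) -> None:
        self._snaps[name] = now + retain_for

    def delete(self, name: str, now: float) -> bool:
        if now < self._snaps[name]:
            return False  # refused: retention lock still active
        del self._snaps[name]
        return True


def first_alert(writes, snaps: LockedSnapshots, retain_for: float = 86400.0):
    """Return the timestamp of the first alert, or None.
    Each write is (timestamp, path, is_overwrite, payload)."""
    recent = deque(maxlen=WINDOW)
    for ts, _path, is_overwrite, payload in writes:
        recent.append(is_overwrite and shannon_entropy(payload) >= ENTROPY_BITS)
        if len(recent) == WINDOW and sum(recent) / WINDOW >= ALERT_RATIO:
            snaps.create(f"auto-{ts}", now=ts, retain_for=retain_for)
            return ts
    return None


# Constructed sample I/O: ordinary text writes, then a burst of random overwrites.
NORMAL = [(t, f"/share/doc{t}.txt", True, b"quarterly report draft " * 40) for t in range(10)]
BURST = [(10 + t, f"/share/doc{t}.txt", True, os.urandom(4096)) for t in range(10)]
```

Entropy alone also fires on compressed or media files, so a real detector would combine it with other signals such as file-type changes and rename rates.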
The Huawei Ransomware Protection Storage Solution is a four-layer protection system which protects data through ransomware detection, production storage recovery, backup storage recovery, and isolated storage recovery.
With ransomware attacks becoming more rampant, having the best possible comprehensive defense system - covering network, host, and data layers - is a top priority. As the last line of defense, a storage system can provide data security that is not offered in traditional security systems. The three-layer protection mechanism of prevention before attack, blockage during attack, and recovery after attack can empower organisations to say "no" to extortion.
For more information about how you can build powerful defense for your data, visit our website.