IT estates face constant threats and need proactive protection. Natural disasters, outages, credential breaches, and cyberattacks each require their own careful planning. Among these threats, ransomware presents unique challenges for IT departments because it targets the backups an organization would otherwise recover from. Organizations must ensure data resiliency to minimize downtime and protect business operations.
Understanding the Ransomware Threat
Ransomware attacks often infiltrate systems slowly, remaining undetected for months. Attackers establish backdoors for persistent access and seek out backups as well as production data, so that recovery becomes long and difficult. The goal is to force the company to pay a ransom rather than endure costly downtime.
On average, it takes 23 days to recover from a ransomware attack—time most businesses can’t afford to lose. Compounding the problem, 45% of infected data is production data, affecting crucial systems. According to IBM Security X-Force Threat Intelligence Index 2023, 17% of cyberattacks are ransomware-related, and incidents have doubled year over year. Alarmingly, even after paying the ransom, 26% of organizations still cannot recover their data.
Why Data Resiliency Matters
Companies relying solely on backups risk replicating ransomware infections within those backups. A breach can linger undetected for 180 days, and attackers use that time to install multiple backdoors. You may not know when the infection began and only find out when important systems go down, at which point recovery can take weeks.
IT teams must treat ransomware differently from natural disasters or other cyberattacks. Because ransomware seeks to infect backups as well as production data, a restore from backup cannot be trusted by default, and the real path to protection is data resiliency.
Data resiliency offers a more proactive approach, helping organizations detect, quarantine, and recover from ransomware attacks within hours instead of weeks. By implementing a robust resiliency strategy, businesses can safeguard their brand, customers, and employees.
Different stakeholders have different objectives when it comes to building resiliency:
- C-suite: Mitigate business risk and protect the brand.
- IT Directors: Reduce cost and complexity while maximizing resources.
- Security Teams and Admins: Ensure data integrity and operational recovery.
While their goals may differ, the core solution remains the same: comprehensive data resiliency.
Five Key Attributes of a Data Resilient Environment
Most businesses deploy robust cybersecurity to detect and prevent attacks, but those controls do little to recover data once it has been encrypted or corrupted. Data protection systems, in turn, are primarily reactive and do not prevent the attack. A cyber-resilient approach must integrate cybersecurity and data protection with AI and automation to detect and counter ransomware effectively. Below are five attributes of a data resilient environment, from the most foundational to the most sophisticated:
- Foundational security and data protection: Protects your systems from infrastructure failures and natural disasters. This includes cybersecurity, data protection, and data classification, so you know where your data is, how valuable it is, and how often it is accessed or updated.
- Immutability: Creates isolated, corruption-free snapshots of data that cannot be modified or deleted once written. Air-gapping, physical or logical, preserves clean copies and protects them against ransomware tampering.
- Discovery: Continuously monitors data for changes so attacks are detected early. Automated monitoring of data changes surfaces anomalies and verifies data integrity. IBM Storage FlashSystem builds this discovery capability into the drives themselves.
- Recovery: Rapidly restores operations within hours. This usually means recovering first to a "minimum viable company" that keeps the business running in the immediate term, with a "full company" recovery following over a longer period. This requires automation and orchestration capabilities.
- Automation: The most sophisticated level. AI-driven automation performs monitoring and recovery operations continuously and at scale, which is essential for data resiliency; it ensures threats are addressed quickly and efficiently.
Most companies are capable up to the second attribute, immutability, and have a robust security protocol, but seldom go further because constantly monitoring backup data by hand can take hundreds of staff hours. With AI and automation, modern systems can validate that data is safe and clean: a human defines and maps the monitoring process once, and automation then runs it continuously at scale. When an organization faces an "all hands on deck" emergency, it can proceed with confidence that the snapshot used for recovery is clean.
Minimum Viable Company: A Critical Concept
Another key element of resiliency is the minimum viable company. After a sweeping, successful attack, a company will not be able to bring all of its data back quickly. It is essential to define in advance what "keeps the lights on" for your business and which minimal capabilities are needed for immediate recovery.
This is an important conversation to get right. Consider one company that defined its minimum viable company but made a small and very serious oversight. When attacked, it executed the plan and recovered its applications and data quickly, but it had not planned for the recovery of the authentication system, so nobody could log on. More complete planning would have caught this dependency. Work out what is vital to bring back while the sun is still shining: once the company is in emergency response mode, the organization will be overtaxed and panicked to the point where it is impossible to make good decisions or execute on them.
With a properly configured data resiliency solution and a well-planned minimum viable company, the timeline for a successful recovery is much shorter, if the attack is not prevented altogether. The automation detects the attack within minutes and responds immediately, identifying and isolating the small pools of corrupted data. With full automation, a company can recover quickly, and the minimum viable company can be back in operation serving customers and employees within hours.
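The authentication oversight described above is a dependency-closure problem: every service in the minimum viable company must have its own dependencies in the plan too. The following script, added here as an example and not Converge's or IBM's tooling, takes a draft MVC list and a dependency graph (both hypothetical and constructed for this illustration) and reports which required services were left out, plus a dependency-first restore order:

```python
"""Dependency check for a minimum viable company (MVC) definition.

Added example, not Converge's or IBM's tooling. The service names and the
dependency graph below are hypothetical and constructed for the example.
"""


def plan_recovery(mvc, deps):
    """Return (missing, order) for an MVC definition.

    missing: services the MVC transitively depends on but does not include,
             sorted by name (an empty list means the definition is closed).
    order:   a dependency-first restore order over the MVC plus its closure.
    Raises ValueError if the dependency graph contains a cycle.
    """
    # 1. Transitive closure: everything the MVC needs in order to come up.
    closure, stack = set(), list(mvc)
    while stack:
        svc = stack.pop()
        if svc in closure:
            continue
        closure.add(svc)
        stack.extend(d for d in deps.get(svc, ()) if d not in closure)
    missing = sorted(closure - set(mvc))

    # 2. Kahn's algorithm: restore a service only after all its dependencies.
    indegree = {svc: len(set(deps.get(svc, ())) & closure) for svc in closure}
    ready = sorted(svc for svc in closure if indegree[svc] == 0)
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dependent in sorted(closure):
            if svc in deps.get(dependent, ()):
                indegree[dependent] -= 1
                if indegree[dependent] == 0:
                    ready.append(dependent)
    if len(order) != len(closure):
        raise ValueError("dependency cycle among: %s" % sorted(closure - set(order)))
    return missing, order


# Hypothetical estate: the order API needs single sign-on, which needs the
# directory; leaving those out of the MVC reproduces the "nobody could log on" failure.
DEPENDENCIES = {
    "order-api": {"postgres", "sso", "dns"},
    "postgres": {"storage"},
    "sso": {"ldap", "dns"},
    "ldap": {"storage"},
    "dns": set(),
    "storage": set(),
    "reporting": {"postgres", "sso"},       # not needed to keep the lights on
    "data-warehouse": {"storage"},
}

# The MVC as a planning team might first write it: apps and data, no identity.
DRAFT_MVC = {"order-api", "postgres", "dns", "storage"}

if __name__ == "__main__":
    missing, order = plan_recovery(DRAFT_MVC, DEPENDENCIES)
    print("MVC is missing:", missing)   # ['ldap', 'sso']
    print("restore order:", order)
```

Run it against the real service inventory rather than a hand-written list; the value of the check is that it catches the dependency nobody thought of (identity, DNS, certificate issuance) before the emergency, not during it.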
IBM’s Data Resiliency Solution
IBM’s data resiliency solution uses machine learning and AI to monitor data for corruption continuously. It scans for anomalies, can sense when data is not compressing as it should (encrypted data is effectively incompressible), and looks for other alarming patterns.
Bad actors release 60-70 new malware variants and attack vectors each day, so a workable solution must be dynamic to stay current. The solution generates secure, immutable copies in a backup "clean room," which can be logically isolated on the flash array or physically air-gapped in a second location. What matters is that it cannot be accessed by users or production systems, and that it is hidden and protected. Once copies are in the clean room, the system scans them to make sure the data is clean before it is used for a recovery; you do not want to reintroduce old malware into your environment.
When an attack occurs, the AI detects it and launches an automation playbook. It alerts the storage administrator, who is empowered to make a business decision, confirm that the data is compromised, and take action. The affected workload is isolated so the infection cannot propagate to the rest of the environment. Deep scans continue in the clean room to find the most recent snapshot that is free of the malware, so that a clean copy is used to recover to production.
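As an added illustration of the two ideas above, the compressibility check and the search for the last clean snapshot, the script below is example code written for this article, not IBM's product logic. The file contents, the thresholds, and the simulated encryption are assumptions; the snapshots are constructed in memory so it runs offline:

```python
"""Compressibility and entropy scan over a series of immutable snapshots.

Added example, not IBM's or Converge's code. The snapshots below are
constructed in memory (a log file, a CSV, and a stand-in for a JPEG) so the
script runs offline; ransomware encryption is simulated with a deterministic
SHA-256 keystream so results are reproducible.
"""
import hashlib
import math
import zlib
from collections import Counter

# Formats that are already compressed look like ciphertext; do not flag them on
# name alone. A renamed file (photo.jpg.locked) no longer matches and IS flagged.
PRECOMPRESSED_SUFFIXES = (".jpg", ".png", ".gz", ".zip", ".mp4", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, about 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; encrypted data stays at or above ~1.0."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 6)) / len(data)


def scan_snapshot(files, baseline=None, ratio_threshold=0.95, entropy_threshold=7.5):
    """Return the names of files that look encrypted.

    A file is flagged when it is both incompressible and high-entropy, unless
    its name indicates a pre-compressed format or the same file was already
    incompressible in `baseline` (the last known-clean snapshot).
    """
    baseline = baseline or {}
    flagged = set()
    for name, data in files.items():
        if name.lower().endswith(PRECOMPRESSED_SUFFIXES):
            continue
        if compression_ratio(data) < ratio_threshold or shannon_entropy(data) < entropy_threshold:
            continue
        if name in baseline and compression_ratio(baseline[name]) >= ratio_threshold:
            continue  # was incompressible before the suspected attack too
        flagged.add(name)
    return flagged


def latest_clean_snapshot(snapshots, max_flagged_fraction=0.05):
    """Return the newest snapshot name whose flagged-file share is within the
    threshold, or None. `snapshots` is a chronological list of (name, files).
    Each snapshot is compared against the last one judged clean, not merely
    the previous one, so an already-encrypted predecessor cannot mask an attack.
    """
    clean_name, clean_files = None, None
    for name, files in snapshots:
        flagged = scan_snapshot(files, baseline=clean_files)
        fraction = len(flagged) / len(files) if files else 0.0
        if fraction <= max_flagged_fraction:
            clean_name, clean_files = name, files
    return clean_name


def _fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware encryption: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], keystream))
    return bytes(out)


# Constructed sample data.
LOG_TEXT = b"".join(b"2024-03-01 10:%02d:00 INFO request_id=%d status=200\n" % (i % 60, i)
                    for i in range(200))
INVOICE = b"Invoice 1001\nItem,Qty,Price\n" + b"Widget,3,19.99\n" * 150
PHOTO = _fake_encrypt(bytes(4096), b"photo-seed")  # incompressible, like a real JPEG

SNAPSHOTS = [
    ("snap-01", {"app.log": LOG_TEXT, "invoice.csv": INVOICE, "photo.jpg": PHOTO}),
    ("snap-02", {"app.log": LOG_TEXT + b"2024-03-02 00:00:00 INFO rotated\n",
                 "invoice.csv": INVOICE, "photo.jpg": PHOTO}),
    # Ransomware has encrypted the documents; the JPEG is untouched.
    ("snap-03", {"app.log": _fake_encrypt(LOG_TEXT, b"ransom-key"),
                 "invoice.csv": _fake_encrypt(INVOICE, b"ransom-key"), "photo.jpg": PHOTO}),
]

if __name__ == "__main__":
    for name, files in SNAPSHOTS:
        print(name, {f: round(compression_ratio(d), 3) for f, d in files.items()})
    print("recover from:", latest_clean_snapshot(SNAPSHOTS))  # snap-02
```

Two design points carry over to real deployments. Comparing each snapshot against the last known-clean one, rather than its immediate predecessor, is what lets the scan walk back past an encrypted chain of copies; and the flagged-share cutoff is a tuning knob: a slow, selective encryptor can stay under it, which is why the page pairs compressibility with other anomaly signals rather than relying on it alone.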
The IBM Storage FlashSystem has AI capabilities at the drive level and produces storage insights based on your data and data patterns. It’s an integrated framework for an end-to-end solution.
The IBM Storage Defender solution is the "traffic cop" of the system, providing a single pane of glass to integrate and orchestrate data resiliency processes. IBM Storage Defender is a highly customizable solution providing multiple capabilities, including:
- Virtualizing your storage to modernize and consolidate data
- Managing your copies (e.g., immutable snapshots)
- Scanning immutable snapshots for anomalies
- Creating backups and copies of data
- Protecting containerized environments
- Archiving data for long term retention
- Protecting data with immutable targets (tape, cloud, flash, etc.)
Assess Your Resiliency with Converge
Ransomware threats are evolving rapidly. Investing in data resiliency helps you outpace attackers, minimize downtime, and protect your organization’s future. Your attackers aren’t waiting, so why should you? Converge offers a Cyber Resiliency Assessment to evaluate your current data resilience, identify gaps, and build an actionable plan. This quick, focused workshop delivers a business case for investing in your organization’s resiliency. Contact our cybersecurity team to get started today.
This article is adapted from a presentation by Mike Adams, Principal Technology Advisor, Converge; Brock Greer, Cybersecurity Practice Leader, Converge; and Doug Schofield, IBM Technical Specialist. View a recording of the presentation here.