Ciudad de México - Dell: Protecting Your Business From A Destructive Cyber-Attack With Dell EMC Data Protection Solutions

Ciudad de México, 27 September 2018



Cyber-Security: Protecting Your Business From A Destructive Cyber-Attack With Dell EMC Data Protection Solutions

Jorge Espinosa

@JEspinosaG2

DPS PreSales Manager, Andean, Mexico & NOLA


Threat landscape evolving – Biz @ risk

• 70% of organizations compromised last year
• 80% of CISOs re-thinking strategy in the next 12-18 months
• 37%: largest category is Ransomware / Wiperware
• 170: avg. # days to detect an advanced persistent threat
• 69% believe their data protection infrastructure is NOT adequate to recover from a cyber attack
• 60% of CISOs actively involved in data recovery planning as part of IR


Incident Response: Categories of Cybercrime Activity

[Pie chart: Ransomware 37%; the remaining slices (12%, 9%, 7%, 7%, 5%, 27%) are labelled Banking Trojan, Business Email Compromise, Web Script, Adware, Spam and Other*]

April to June 2016

* DoS, unknown, digital currency mining and credential harvesting


The Evolution of Ransomware

• Cybercrime has matured into a business sector
• The latest paradigm is Cybercrime-as-a-Service (CaaS)
• The Ransomware market, within this paradigm, is rapidly maturing
• Ransomware strains are being upgraded, rebranded, and sold cheaply on the Dark Web
• All potential targets, regardless of size, present equal opportunities


It can happen to you, or you…


OR YOU!


True Costs of Ransomware (USD)

Lost Revenue               2,500,000
Incident Response             75,000
Legal Advice                  70,000
Lost Productivity            250,000
Forensics                     75,000
Recovery & Re-Imaging         60,000
Data Validation               25,000
Brand Damage                 500,000
Litigation                   200,000
Total Costs of Attack     $3,785,000

Ransom: $30,000


Challenges of coordinated response

73% of respondents agreed that the relationship between IT security and business risk can be difficult to coordinate.

82% of Risk and Security professionals report that their organizations consider security breaches as a business risk rather than just an IT risk.

[Two charts of responses on a Strongly Agree / Agree / Neutral / Disagree / Strongly Disagree scale, showing 73% and 82% agreement respectively]

Source: ESG Custom Research, Cybersecurity and Business Risk Survey, March 2018


Express cyber risk in financial terms: Cyber Risk Quantification


Traditional Strategies Are Not Enough

Data Encryption
• Not preventative against attacks
• Hacktivists can encrypt your encrypted data
• For data protection, not recovery
• Potential negative impacts on cost to store, replicate and protect

Tape Backups
• Too long to recover
• Difficult to validate data
• Requires backup infrastructure to recover
• May not protect: Backup Catalog, PBBA [Data Domain], Tape Library Meta Data DB

Cyber Insurance
• All breaches may not be covered
• Policies have baseline security requirements
• Monetary limits may not cover all damages
• Does not protect: Patient needs, Brand, Lost trust


Disaster Recovery ≠ Cyber Recovery

• Recovery Time: DR close to instant; CR reliable & fast
• Recovery Point: DR ideally continuous; CR 1 day average
• Nature of Disaster: DR flood, power outage, weather; CR cyber attack, targeted
• Impact of Disaster: DR regional, typically contained; CR global, spreads quickly
• Topology: DR connected, multiple targets; CR isolated, in addition to DR
• Data Volume: DR comprehensive, all data; CR selective, includes foundation SVCs
• Recovery: DR standard (e.g. failback); CR iterative, selective recovery, part of IR


NIST Cybersecurity Framework

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications
• Validation

Dell EMC mapping to the five functions:
• Identify: Dell EMC IR Services for Risk Management, Governance Model, & Operating Model
• Protect: Isolated Recovery Solution Protective Technology, Processes & Procedures
• Detect: Isolated Recovery Solution Validation Servers. RSA Security Behavior Analytics
• Respond: Dell EMC IR Services for Response Framework for Cyber Incident Management
• Recover (Focus): Isolated Recovery Solution with Recovery Servers


Cyber recovery effectiveness

(Columns: Type of Attack; Examples; Probability; IR Effectiveness; Notes)

• Persistence / Dormant Malware. Examples: Ransomware: WannaCry, Petya/NotPetya. Probability: HIGH. IR Effectiveness: HIGH. Notes: Consider leveraging a clean room to route binaries & OS images to the IR Vault prior to distribution.
• Data Wiping. Examples: Ransomware: Petya / NotPetya. Probability: HIGH. IR Effectiveness: HIGH. Notes: Spread of wiper software contained to production environment. Data in IR Vault stored in raw backup format.
• Data Locking. Examples: Ransomware: WannaCry, CryptoLocker. Probability: HIGH. IR Effectiveness: HIGH. Notes: Spread of encrypting malware contained to production environment. Pre-locking restore points available in IR Vault.
• Insider Attack. Examples: Media, Gov; Sensitive Data Exposed. Probability: MODERATE / HIGH. IR Effectiveness: HIGH. Notes: IR Vault removes restore points from production network. IR Vault accessible by CSO-assigned admins only.
• Backups Compromised. Examples: Media, Healthcare; Ransomware / Sensitive Data Exposed. Probability: MODERATE / INCREASING. IR Effectiveness: HIGH. Notes: IR Vault removes recovery infrastructure from production network. IR Vault accessible by CSO-assigned admins only.
• Air Gap Bypass. Examples: Stuxnet. Probability: LOW. IR Effectiveness: LOW. Notes: Secure / immutable copies cannot be deleted. Risk of physical destruction remains.
• Data Theft. Examples: Ransomware Attacks. Probability: HIGH. IR Effectiveness: LOW. Notes: Data stored in IR Vault removed from data theft risk, but copies typically remain in production.


Layered Cyber-Security for Data Protection

Level of Protection: Good (traditional best practices), Better (additional hardening), Best (advanced protection services)

Best: Advanced Protection Services
• Isolated recovery solution
• EMC/EY service offerings: assess, plan, implement, and validate
• Use of evolving security analytics: RSA & Secureworks

Better: Additional Hardening and Protection Features
• Product specific hardening guides
• Encryption in flight and/or at rest
• Retention lock with separate security officer credentials

Good: Traditional Data Protection Best Practices
• Deploy a layered data protection approach (“the continuum”) for more business critical systems, but always include a point-in-time, off-array, independent backup with DR Replication (N+1)
• Protect “Born in the Cloud” and endpoint Data


Isolated recovery solution – how it works

Critical data resides off the network and is isolated.

[Diagram: on the Corporate Network, Production Apps hold Business Data (Crown Jewels) and Tech Config Data (Mission-critical Data), covered by DR/BU; a risk-based replication process sends copies over a Dedicated Connection, across an Air Gap, to the Isolated Recovery environment]


The Most Critical Data First

• Protect the “heartbeat” of the business first
• Prioritize top applications or data sets to protect
• Usually less than 10% of data
• Start with a core set and build from there

[Diagram: Compute, Applications, Validate & Store, Highest Priority Data]


Isolated Recovery – Dell EMC Data Domain

• Create backup of data
• No management connectivity to IR Vault
• Enable data link and replicate to isolated system
• Complete replication and disable data link
• Maintain WORM locked restore points
• Optional security analytics on data at rest
• Professional Services

[Diagram: Primary Storage and a Backup Appliance (DD) on the production side; DD Replication crosses an Air Gap into the Isolated Recovery Vault, which holds the Isolated Recovery System, a Management Host, Validation Hosts and Restore Hosts]


Separate Copy Streams For Better Recovery

[Diagram: two separate streams feed the Isolated Recovery Vault over DD MTree Replication from Data Domain. Backup Process: Production Hosts take a Daily Backup to Data Domain. Change Control Process: Vendor Distros (OS images) pass through a Clean Room and Distribution Mgmt. as a Change Control Copy, the material for the IR Vault. A malware path is marked alongside the production OS images.]


Proactive Analytics in the IR Vault

Why Analytics in the Vault?
• Increase effectiveness of Prevent/Detect cybersecurity when performed in a protected environment.
• Diagnosis of attack vectors can take place within an isolated workbench.
• App restart activities can detect attacks that only occur when the application is initially brought up.

Categories of Data
• Transactional Data – dynamic/large (log variances, sentinel records, etc.)
• Intellectual Property – static/large (checksums, file entropy)
• Executables / Config. Files – static/small (checksums, malware scans)

[Diagram: Isolated Recovery Vault with the Isolated Recovery System, Management Host, Validation Hosts and Restore Hosts]
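The slide names checksums and file entropy as the analytics to run on intellectual property and on executables once a restore point lands in the vault. The following is an added example, not Dell's or the slide's code: a Python check that a validation host could run over two restore points, comparing executables and config against a golden checksum manifest and flagging intellectual-property files whose content changed and jumped to ciphertext-like entropy, with a mass-change ratio as a second signal. The file names, the entropy threshold, the mass-change ratio and all file contents are constructed sample data.

```python
"""Vault-side validation of a restore point (added example, not Dell's code).

Models the slide's data categories as checks a validation host could run
before a replicated copy is promoted to last-known-good:
  * executables / config (static, small): checksum against a golden manifest
  * intellectual property (static, large): entropy jump and mass-change ratio
All paths, thresholds and file contents below are constructed for the example.
"""
import hashlib
import math
from collections import Counter

ENTROPY_ENCRYPTED = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
MASS_CHANGE_RATIO = 0.5   # share of static IP files changed in one cycle that we call suspicious


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_static_files(candidate: dict, golden: dict) -> list:
    """Executables and config: any drift from the golden checksum manifest is a finding."""
    findings = []
    for path, expected in golden.items():
        if path not in candidate:
            findings.append((path, "missing"))
        elif sha256_hex(candidate[path]) != expected:
            findings.append((path, "checksum_mismatch"))
    return findings


def check_ip_files(baseline: dict, candidate: dict, ip_paths: list) -> list:
    """Intellectual property: flag files that changed and went from plain to ciphertext-like entropy."""
    findings = []
    for path in ip_paths:
        before, after = baseline.get(path), candidate[path]
        if before is None or before == after:
            continue
        if shannon_entropy(before) < ENTROPY_ENCRYPTED <= shannon_entropy(after):
            findings.append((path, "entropy_jump"))
    return findings


def validate_restore_point(baseline: dict, candidate: dict, golden: dict) -> dict:
    """Combine the checks; 'hold' keeps the copy from being promoted and should raise an alert."""
    ip_paths = sorted(p for p in candidate if p not in golden)
    changed = sum(1 for p in ip_paths if baseline.get(p) != candidate[p])
    ratio = changed / len(ip_paths) if ip_paths else 0.0
    result = {
        "static": check_static_files(candidate, golden),
        "entropy": check_ip_files(baseline, candidate, ip_paths),
        "changed_ratio": ratio,
        "mass_change": ratio >= MASS_CHANGE_RATIO,
    }
    result["verdict"] = "hold" if (result["static"] or result["entropy"] or result["mass_change"]) else "release"
    return result


# --- constructed sample restore points -----------------------------------------
AGENT_BIN = b"\x7fELF" + bytes(60) + b"restore-agent 1.0"
GOLDEN = {"bin/restore-agent": sha256_hex(AGENT_BIN)}
DOC = b"Quarterly design notes for the billing platform.\n" * 16
SQL = b"CREATE TABLE invoices (id INT, total DECIMAL(12,2));\n" * 8
SCRAMBLED = bytes((i * 73 + 17) % 256 for i in range(1024))   # stands in for ciphertext: every byte value appears 4 times

BASELINE = {"bin/restore-agent": AGENT_BIN, "ip/design.txt": DOC, "ip/roadmap.txt": DOC[::-1], "ip/schema.sql": SQL}
CLEAN = {**BASELINE, "ip/roadmap.txt": DOC[::-1] + b"Added a milestone.\n"}   # one ordinary edit
SUSPECT = {
    **BASELINE,
    "bin/restore-agent": AGENT_BIN + b"\x90",   # tampered binary
    "ip/design.txt": SCRAMBLED,                 # two documents replaced by ciphertext
    "ip/roadmap.txt": SCRAMBLED[::-1],
}

if __name__ == "__main__":
    for name, rp in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, validate_restore_point(BASELINE, rp, GOLDEN))
```

The entropy test alone would also fire on legitimately compressed or encrypted files, which is why it only counts when a file that was previously low-entropy changes, and why the mass-change ratio and the golden manifest are kept as independent signals.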


Current State: Risk Profile Summary

Technical
• All data is currently susceptible to a cyber attack
• Primary storage replication can replicate corruption
• Backup catalog not replicated
• Recovery of backup catalog from tape is slow and failure prone
• Backup images can be expired without authorization
• Backup copies not isolated from network

People & Process
• IT Engineering and Ops have access to most if not all Backup Assets
• Security teams not assigned to assets. Bad actors inside the firewall can create havoc.
• Franchise critical and non-critical data are not segregated

• These risks are consistent with traditional Prod/DR models.
• This is a different challenge and requires a different architecture.


Proposed: Exposures Resolved and Remaining

[Diagram: Prod Network with Franchise Critical Hosts, Backup Master Server, Backup Media Servers, Backup Storage (Short Term Retention), Tape Library (Long Term Retention), Backup Mgmt Console and Backup Reporting/Ops Mgmt Server; an Air Gap through Switch 1 and Switch 2 leads to the IR Vault Network, which holds IRS Backup Storage, a Management Host and a Validation Host]

Annotations on the production network:
• Non-HA backup server represents a single point of failure
• Backup images may be prematurely expired without authorization
• Ineffective role-based access controls may allow unintended access to backup data
• Backup copies are not isolated or logically segregated from the network

Annotations on the IR Vault network:
• Management host opens/closes ports based on schedule and DD probes. Applies Retention Lock on DD.
• Switches are the only logical point of entry and open only the ports required for scheduled replication and alerting
• IRS copies are isolated and Compliance/WORM locked.
• No destructive actions without dual role authentication
• Validation host ensures usability of IRS copies and alerting of corruption
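The vault annotations describe three controls on the management host: ports open only for scheduled replication, retention lock on the copies, and dual-role authentication for destructive actions. The block below is an added example, not Dell's or the slide's code, that models those controls as policy checks in Python so their interaction can be seen on a constructed sequence of requests. The role names, the replication window, the retention period and the copy names are assumptions for the example, and nothing here talks to a real Data Domain.

```python
"""Policy model of the IR vault management host (added example, not Dell's code).

Three controls from the proposed architecture, expressed as checks that run
before any action is taken and that leave an audit record either way:
  * the replication link is open only inside a scheduled daily window,
  * retention-locked copies cannot be expired before their lock ends,
  * a destructive action needs approvals from two different people in two
    different roles.
Role names, the window and the retention period are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


class PolicyViolation(Exception):
    """Raised when a request is refused; the refusal is also written to the audit log."""


@dataclass(frozen=True)
class Approval:
    user: str
    role: str  # assumed roles: "backup_admin" or "security_officer"


@dataclass
class LockedCopy:
    name: str
    locked_until: datetime


class VaultController:
    REQUIRED_ROLES = {"backup_admin", "security_officer"}

    def __init__(self, window_start_hour: int, window_hours: int, retention: timedelta):
        self.window_start_hour = window_start_hour
        self.window_hours = window_hours
        self.retention = retention
        self.copies = {}
        self.audit = []  # (time, action, target, outcome)

    def link_should_be_open(self, now: datetime) -> bool:
        """True only inside the daily replication window (also handles a window that crosses midnight)."""
        start = now.replace(hour=self.window_start_hour, minute=0, second=0, microsecond=0)
        for s in (start, start - timedelta(days=1)):
            if s <= now < s + timedelta(hours=self.window_hours):
                return True
        return False

    def ingest(self, name: str, now: datetime) -> LockedCopy:
        """Accept a replicated copy and retention-lock it; refused when the link should be closed."""
        if not self.link_should_be_open(now):
            self._refuse(now, "ingest", name, "link closed outside replication window")
        copy = LockedCopy(name, now + self.retention)
        self.copies[name] = copy
        self._log(now, "ingest", name, "locked until " + copy.locked_until.isoformat())
        return copy

    def expire(self, name: str, now: datetime, approvals: list) -> bool:
        """Destructive action: needs an expired lock plus two distinct users holding two distinct roles."""
        copy = self.copies.get(name)
        if copy is None:
            self._refuse(now, "expire", name, "no such copy")
        if now < copy.locked_until:
            self._refuse(now, "expire", name, "retention lock in force until " + copy.locked_until.isoformat())
        roles = {a.role for a in approvals}
        users = {a.user for a in approvals}
        if not self.REQUIRED_ROLES <= roles or len(users) < 2:
            self._refuse(now, "expire", name, "dual-role authentication required")
        del self.copies[name]
        self._log(now, "expire", name, "approved by " + ", ".join(sorted(users)))
        return True

    def _log(self, now, action, target, outcome):
        self.audit.append((now.isoformat(), action, target, outcome))

    def _refuse(self, now, action, target, reason):
        self._log(now, action, target, "refused: " + reason)
        raise PolicyViolation(reason)


# --- constructed sample scenario ----------------------------------------------
WINDOW_START_HOUR, WINDOW_HOURS = 2, 3        # assumed: link open 02:00-05:00 daily
RETENTION = timedelta(days=30)                # assumed retention lock period
T_OPEN = datetime(2018, 9, 27, 3, 0)           # inside the window
T_CLOSED = datetime(2018, 9, 27, 12, 0)        # outside the window
T_LOCKED = T_OPEN + timedelta(days=1)          # lock still in force
T_UNLOCKED = T_OPEN + timedelta(days=31)       # lock has expired
TWO_ROLES = [Approval("alice", "backup_admin"), Approval("bob", "security_officer")]
ONE_PERSON = [Approval("alice", "backup_admin"), Approval("alice", "security_officer")]


def demo() -> list:
    """Run the scenario and return the audit trail, one tuple per decision."""
    vc = VaultController(WINDOW_START_HOUR, WINDOW_HOURS, RETENTION)
    vc.ingest("crown-jewels", T_OPEN)
    for action in (
        lambda: vc.ingest("late-copy", T_CLOSED),                 # refused: link closed
        lambda: vc.expire("crown-jewels", T_LOCKED, TWO_ROLES),    # refused: still locked
        lambda: vc.expire("crown-jewels", T_UNLOCKED, ONE_PERSON), # refused: one person, two roles
        lambda: vc.expire("crown-jewels", T_UNLOCKED, TWO_ROLES),  # approved
    ):
        try:
            action()
        except PolicyViolation:
            pass
    return vc.audit


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

The point of refusing a single user who holds both roles is the one the slide makes with "separate security officer credentials": the second approval only adds protection if it cannot come from the same account that performs backup administration.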


Next steps

We Know The Data To Protect
• Confirm current backup infrastructure – compatibility, etc.
• Determine sizing and location of backup data on Data Domain (by mTree)
• Verify Data Domain sizing requirements
• Sample SOW with Pricing Estimate

We Need More Help
• Isolated Recovery Introductory Advisory Engagement
  – Workshops to determine IR metrics, DR Maturity, data classification and sizing
