Look out for the cyber threats hiding in your backups

Spending on security technology continues to soar. Nevertheless, data breaches and cyberattacks continue to make headlines at an incredible rate, with no relief in sight. The Online Trust Alliance reported that attacks in 2017 came from a myriad of vectors, such as phishing and ransomware, and that the number of attacks doubled to nearly 160,000 incidents per year over 2016. What’s worse, estimates for the number of unreported attacks exceed 350,000 annually.

While enterprises typically dominate the headlines, organizations of all sizes are affected by cyber incidents. A recent Ponemon study showed that two-thirds of small and mid-sized businesses reported that threats evaded their intrusion detection systems, and more than half of the companies said they were attacked by ransomware more than twice during the last year. There is no dispute that the number of vulnerable endpoints and the complexity of threats will continue to increase, and limited IT budgets and overstretched staff will remain an industry-wide problem. It’s clear that companies need to adopt new approaches to stay ahead of cyberattacks.

Traditional approaches aren’t enough

Firewalls and antivirus solutions are the norm in most IT shops, and they do thwart security attacks daily. Despite being very widely deployed, industry trends clearly show the need for more innovative approaches to threat detection.

Larger organizations have the resources to implement security incident & event management (SIEM) solutions, which are effective in collecting vast amounts of data from endpoints. Arrays of sensors can be integrated to provide rich and comprehensive security data for many types of cyber analytics. But big data platforms are complex to deploy and manage, and even the most advanced IT shops admit to not being able to keep up with the sheer volume of flags and false positives. Unfortunately, hidden in the sea of alerts are numerous threats that do get through, untriaged and undetected.

Whether or not a company has the resources for the most advanced cybersecurity tools and specialized personnel to support them, the fact remains that traditional solutions are not stopping threats from compromising critical network systems.

Gaps in the armor

Backup and disaster recovery systems are the go-to resources as insurance policies to protect against cyberattacks. Successful recovery from the last known good configuration is a reasonable and sound approach, but this assumes knowing exactly when the attack occurred, as well as discipline with ongoing backup testing. A 2018 benchmark study sponsored by IBM revealed that a mean time to identify a data breach incident climbed to a staggering 197 days with another 69 days to contain it. Backups are being contaminated during this lengthy timeframe. Thus, the recovery process following a cyber incident will not only be highly labor-intensive but also a protracted affair, if it is even possible at all.

Compounding matters, breaches rarely remain confined and often spread across a corporate network, compromising a variety of systems and databases, making the recovery effort even more complex. As malware continues to increase in sophistication, the level of manual effort required to unravel the intricate cybersecurity maze and restore all system components of a production environment can be immense.

Looking forward

In the future, we will see intelligent and automated tools that use granular backup and replication data sets to continuously detect latent security breaches, irregular behavior and patterns or other unusual backup attributes that may pose a risk to a quick recovery. Offline backup and replication files and their metadata are an untapped wealth of context-rich cybersecurity data, which opens a new door to proactively identifying cyber threats without impacting production workloads. With the right tools, organizations of all sizes could leverage this data to improve their security posture and decrease the labor-intensive manual effort currently required in recovery efforts.

Soon, security fingerprinting, data transformation, machine learning and advanced analytics will all be brought to bear to automatically analyze backup and replication data for cybersecurity issues in near real-time. By integrating with threat intelligence feeds, verified cyber infections can be readily detected and confirmed. Malware and other anomalous behavior can be surfaced and resolved long before the backups or replicas are needed following a disaster. These next-generation cyber tools will enable data protection systems to deliver the speedy recovery that’s both needed and expected.

Compared to current solutions, this new approach will dramatically improve security analysis and remediation, since backup data is offline, every restore point can be tested automatically and analysis does not impact production environments. Utilizing backup and replication data sets for cybersecurity purposes is a completely new methodology for attaining a multi-layered security program at a cost that’s practical for all IT shops, not just enterprises with enormous budgets.

New approaches can provide dramatic improvements in the security posture of an organization by examining a previously inaccessible, but endlessly rich data source for advance threat detection, analysis and remediation. It’s widely agreed that every organization would benefit from more effective cybersecurity tools. Forward-looking IT shops will begin turning to the very backup and replication data sets already being captured to create a more robust, cost-effective cybersecurity strategy.

Photo Credit: lolloj/Shutterstock

Lynn LeBlanc, CEO and founder of HotLink Corporation, has more than 25 years of enterprise software and technology experience at both Fortune 500 companies and Silicon Valley startups. Prior to founding HotLink, Lynn was founder and CEO of FastScale Technology, an enterprise software company acquired by VMware, Inc.