<< back Page 3 of 3

Cyberattack—How to Prepare and What to Do If It Happens

Assuming an attack will happen also forces you to prepare tools and procedures for remediation ahead of time. This saves valuable time once an attack has been detected and minimizes the impact. With ransomware, remediation would involve removing the malicious code and decrypting the data. Recovering encrypted data is an option only when researchers have exploited vulnerabilities in the malware code or recovered keys that allow decryption.

Data Recovery 

If an attack results in loss of access to critical data, as is the case with malware that corrupts data or ransomware that encrypts your data, data recovery becomes the only option. Recovery from attacks is therefore another factor to consider as you build data recovery strategies and determine the target RPO (acceptable amount of data loss in case of an incident) and RTO (time to recovery).

Prior to the introduction of snapshots, traditional backups served as the single mechanism for data protection, both for data recovery and for disaster recovery. Traditional backups suffered from very poor levels of RPO and RTO. Snapshots, introduced in the early 1990s, provided very low RTOs and replaced backup as the preferred mechanism for data recovery from errors and corrupted data, including those caused by malware and ransomware attacks.

However, practical RPOs continue to be on the order of hours, with the best achievable at tens of minutes. With the increasing frequency of attacks, the sheer volume of data and the increased data change rate mean that scheduled snapshots still expose customers to significant data loss in the case of a successful attack, in addition to the overhead of managing snapshots and schedules. The latest approach to data recovery is “BackDating,” an emerging technology that aims to make snapshots obsolete by supporting RPOs as low as 1 second with instant data recovery. This allows data to be recovered, in case of ransomware or malware corruption, to the second before the event, and in the case of ransomware, eliminates the need to pay to recover data.

A three-pronged approach to security that includes prevention, education, and detection and remediation ensures that you minimize the risk of being unable to continue operating as a business after a successful cyberattack, which is what IT security is about.

For more articles on data security, download the CyberSecurity Sourcebook 2017
