
Automated Ransomware Recovery for Full Cyber Protection


As presented by Sagi Brody, Webair CTO, at ZertoCon Local NYC, 9/25/2017

No company is immune to Ransomware attacks. While some industries such as healthcare continue to be targeted more frequently, more than 20 percent of organizations in financial services, IT/telecoms, entertainment/media and the education sectors have also been recently hit. Businesses of all sizes, from enterprises to SMBs, continue to see more attacks. Moreover, one in five companies that have paid Ransomware demands never retrieve their files.

While Managed Security Service Providers (MSSPs) offer threat detection and prevention services to combat these attacks, these proactive solutions are only half the battle. In order to achieve comprehensive security protection for the enterprise, these services must be paired with pre-planned, reactive solutions to provide full protection and recovery from Ransomware and other cyberattacks.

In this session, Mr. Brody will discuss the elements of an effective Disaster Recovery-as-a-Service solution, including being fully managed and automated, offering replication of the end-users' entire production environment and network, and ensuring companies' business-critical data and applications are always available and accessible when faced with a Ransomware or other cybersecurity attack.


  1. Automated Ransomware Recovery for Full Cyber Protection (title slide: Healthcare, eCommerce, Financial Services, Recovery-as-a-Service)
  2. ZertoCon Local 2017 NYC: Agenda
     ➢ Webair?!
     ➢ Fully inclusive Disaster Recovery solution
     ➢ Technical platforms
     ➢ Non-technical considerations
     ➢ Network integration & automation
       ➢ Recovery site integration, perpetual & on-demand fabrics
       ➢ Internal traffic shift, traditional & overlay
       ➢ External traffic shift methods
     ➢ Cybersecurity & Disaster Recovery
       ➢ Proactive threat monitoring & mitigation
       ➢ Platform and software integration
       ➢ Automated Ransomware Recovery
     ➢ Overview of BCDR offerings and proper matching of application criticality
  3. Our History: Full Stack Ownership
     DevOps before DevOps: full ownership of, and responsibility for, customers' infrastructure stack so that they can focus on their core business.
     ➢ In business for 20 years
     ➢ Uptime guarantee: 99.999%
     ➢ Servers under management: over 10,000
     ➢ DDoS attacks blocked: over 200 per month
     ➢ Average disaster recovery RPOs: under 5 seconds
     ➢ Support requests handled per day: 100+
     ➢ Support requests resolved in under one (1) hour: 90%
     ➢ Direct connectivity to 500+ network carriers
     ➢ 10K+ VMs replicated
     ➢ 10PB of data replication
  4. Our History: Full Stack Ownership (chart: Webair managed infrastructure from 1998 to now, compared with others' managed services)
     ➢ Bare Metal
     ➢ Public Cloud
     ➢ Private Cloud
     ➢ Storage
     ➢ CDN
     ➢ DDoS
     ➢ Managed Networking
     ➢ Managed Firewall
     ➢ Replication
     ➢ Backups
     ➢ DR
     ➢ Space & Power
  5. Webair Services
     Analyst coverage: 2017 Magic Quadrant for Disaster-Recovery-as-a-Service; 2017 Marketplace Guide for Healthcare Cloud; 2017 Hype Cycle for Cloud Security; 2017 Hype Cycle for Business Continuity Management and IT Resilience (Notable Vendor)
     ➢ Enterprise Private Cloud
     ➢ Enterprise Public Cloud
     ➢ Disaster Recovery-as-a-Service
     ➢ Hybrid Colocation
     ➢ Backups-as-a-Service
     ➢ Full Stack Management
     ➢ Storage-as-a-Service
     ➢ Hyperscale Network Connectivity
  6. Data Center Locations (world map; Hong Kong marked)
     Webair maintains a global network of state-of-the-art data center facilities that offer top-tier colocation solutions featuring modular power options, superior architecture and access to DDoS-protected bandwidth, as well as superior connectivity to a multitude of leading carriers.
  7. Webair NY1
     ➢ Tier 3 rated; SOC1, SOC2, CJIS, HIPAA, PCI-DSS, NYS DFS 500, Open-IX compliance
     ➢ 400 cabinet capacity, up to 8MW power
     ➢ 3 generators on-site with 7+ days' worth of fuel on-site
     ➢ Hyperscale on-ramp on premises (AWS, Azure, Google)
     ➢ DDoS monitoring and mitigation on-premises
     ➢ Ecosystem of managed services on-premises
     ➢ Provides native transport services to all NY metro offices and data centers
     ➢ Tax-exempt and hydro-electric "green" power allocation from NYPA
     ➢ Outside 25 mile NYC "blast zone" with Manhattan Bypass fiber routes
     ➢ BCDR seats on-premises
     ➢ LIRR train station on-premises
  8. Webair Last Mile Cloud (diagram)
  9. Hybrid Colocation
     ➢ It's not about space & power
     ➢ Ecosystem of managed services behind the firewall
     ➢ True hybrid: mix & match based on appetite for risk, ownership, growth projects, capex/opex, and temporary use
     ➢ Revenue portability: phased approach to cloud & future proof
  10. Fully Inclusive DRaaS (section divider)
  11. Fully Inclusive Disaster Recovery (Thanks Zerto!)
      Dirty little secret about Disaster Recovery: it's not just about VM replication (that's the easy part).
  12. Fully Inclusive Disaster Recovery
      Production environments are complex. DR strategy must match.
      Disaster Recovery is:
      ➢ A strategy
      ➢ Part of production workload conversations
      ➢ Part of cybersecurity conversations
      ➢ Part of 3rd party integration conversations
      ➢ Part of the hybrid cloud, multi-cloud strategy conversation
      ➢ About accountability, ownership, appetite, and recourse for failure
      ➢ Possibly "All or Nothing"
      Disaster Recovery is not:
      ➢ Replication software that you purchase
      ➢ "Set it and forget it"
      ➢ Static
      ➢ ZaaS
  13. Fully Inclusive Disaster Recovery Considerations
      ➢ Storage not captured by VM replication:
        ➢ iSCSI mounts directly to VMs (that cannot be converted)
        ➢ NFS/NAS platforms
        ➢ Object storage platforms
        ➢ Side by side storage replication
      ➢ What else is connected via the local LAN?
        ➢ Physical servers
        ➢ "Legacy platforms" pending sunsetting (can't make any changes)
        ➢ Non-x86 workloads (Mainframe, AIX, AS/400)
        ➢ Side by side colocation
      ➢ Platforms better served by "Always-On" infrastructure at the recovery site and application replication:
        ➢ "Always on" authentication: Active Directory / LDAP / DHCP, or connectivity to cloud
        ➢ MS SQL clustering
        ➢ Oracle RAC clustering
        ➢ Vendor "supported" DRaaS methods (self managed)
        ➢ Side by side private or public cloud
  14. Fully Inclusive Disaster Recovery Considerations
      ➢ Managed networking:
        ➢ MPLS / VPLS
        ➢ SD-WAN integration
        ➢ Publicly facing applications: 3rd party proxy service? DNS change? BGP swing?
        ➢ 3rd party connectivity to vendors (financial / healthcare)
        ➢ Hyperscale connectivity to AWS, Azure, GC or other
        ➢ Inability to modify subnets/IP scheme at production site
      ➢ Cybersecurity considerations:
        ➢ Recovery site "as good" as production
        ➢ DDoS monitoring & mitigation
        ➢ IDS/IPS
        ➢ SIEM monitoring
        ➢ 3rd party flow analysis
        ➢ "Full accountability" from security provider
        ➢ Included in security review / vulnerability scanning / penetration testing?
  15. Non-Technical Considerations
      ➢ Ownership & accountability:
        ➢ Recourse should the solution not work?
        ➢ Recourse should a data breach occur?
        ➢ SLAs? Considerations and mechanisms to resolution
        ➢ Internal? What else are they responsible for?
        ➢ Internal: fire someone?
        ➢ Provider: contract/SLA/BAA
        ➢ Monitoring / alerting integrations
        ➢ Who owns failback?
        ➢ Regardless of the recovery site: public, private, hyperscale...
      ➢ Testing considerations:
        ➢ "Application centric" strategy: match network, security, integrations per application
        ➢ Runbook per application
        ➢ Shift testing to application owners, not IT
        ➢ Empower application owners to perform their own testing
        ➢ "Real test"
  16. Fully Inclusive Disaster Recovery Considerations (diagram: Small VM Environment versus Multi-Platform/Complex Environment, each with Provider Support or Internal Accountability; All or nothing?)
  17. DRaaS: More than just VM Replication
  18. From Production to DRaaS Services (diagram: Full Stack Managed Infrastructure to DRaaS)
  19. Hybrid DR Setup
      ➢ Utilize existing hardware, licenses, and expertise
      ➢ Shift legal/security ownership where needed
      ➢ Reduce demands on internal teams
      ➢ Take advantage of partner experience
      ➢ Shared runbook responsibilities
      ➢ "Future-proof" investment: mix/match later as needed
      ➢ "Hardware appliance and management as a service"
  20. Proper DR Solution: Partnerships
  21. Network Integration & Automation (section divider)
  22. DR Networking (Sorry Zerto!)
      Dirty little secret about Disaster Recovery: it's not about replicating data. It's all about network consumption!
      Applications served from the recovery site must be consumable to users the same as in production. Consumption, consumption, consumption, consumption!
  23. DR Networking: Methods for Integration
      ➢ Recovery site integration:
        ➢ Site-to-Site, Site-to-Client VPN
        ➢ MPLS / VPLS integration
        ➢ Point-to-Point, L2 stretch (E-Line), L3, possible encryption
        ➢ SD-WAN
        ➢ Interconnection fabric
      ➢ Internal traffic shift:
        ➢ iBGP/eBGP swing
        ➢ Internal route injection
        ➢ DNS
        ➢ Subnet alignment
        ➢ Network overlay via SDP / NAC software
      ➢ External traffic shift:
        ➢ DNS
        ➢ Proxy services
        ➢ BGP swing
  24. DR Networking: Recovery site integration
      ➢ No "right" answer. What does your network already look like?
      ➢ VPN:
        ➢ Easy point of integration if already using VPN solutions
        ➢ Demarcation point when using 3rd party DRaaS/infrastructure providers
        ➢ Simple on/off connectivity "backup VPN"
        ➢ Straightforward testing
        ➢ Easily virtualized at DR site
        ➢ Does it scale?
      ➢ Layer 2 stretch & EVPL / Multi-Site L2 Cloud:
        ➢ Typical issues that arise from spanned L2 (broadcast, STP, etc.)
        ➢ No clear network security demarcation
        ➢ Dangerous when the idea is to mimic production with the same IPs/network
        ➢ Won't pass the CISO test
        ➢ Does it scale?
  25. DR Networking: Recovery site integration
      ➢ MPLS / L3 VPLS:
        ➢ Similar advantages to VPN
        ➢ iBGP over MPLS (easy to automate)
        ➢ Requires long term commitment: "ordering" circuits, cross connects, dealing with carriers
        ➢ Tough integration with hyperscalers
        ➢ May not be allowed by all providers
      ➢ SD-WAN:
        ➢ Similar advantages to VPN
        ➢ "Colo" at recovery sites if physical?
      ➢ Interconnection fabrics:
        ➢ SDN solution for public interconnection
        ➢ Virtualizing the meet-me room
        ➢ Metro & longhaul use-cases
        ➢ API based private connectivity
        ➢ No long term commitments
        ➢ Site portability
  26. DR Networking: Public SDN Fabrics (diagram)
  27. DR Networking: Public SDN Fabrics for Longhaul (diagram)
  28. DR Networking: Fabrics for DR
      ➢ Consume DRaaS over fabric?
        ➢ Direct connectivity to multiple clouds and hundreds of facilities; part of a larger multi-cloud strategy
        ➢ Fabric follows you wherever you go and provides freedom & flexibility
        ➢ Different virtual circuits for replication vs production traffic
        ➢ Segment DRaaS traffic per application / use-case
        ➢ Completely private solution: no data transfer fees, encrypted
      ➢ Part of a larger automated runbook strategy:
        ➢ Enable production virtual circuits on demand via API
        ➢ Increase bandwidth to recovery site(s) on-demand via API
        ➢ Only pay for connectivity to recovery site when needed
        ➢ 100% removes L2 overlap issues / mistakes
  29. Internal traffic shift & subnet alignment
      ➢ Do you run a clean & organized network where every application sits in its own dedicated subnet?
        ➢ Yes: go home, you're a rock star
        ➢ No: welcome to the real world!
      ➢ Real world:
        ➢ Subnet/application alignment is rarely the case
        ➢ Many "enterprise" networks we've seen are flat or close to it
        ➢ Non-technical issues usually prevent change (red tape, change control, etc.)
        ➢ Typically re-IPing is not an option
        ➢ Shouldn't be a barrier to entry for a proper DR setup
      ➢ Proper alignment = easy shifting of applications (and back) via:
        ➢ Internal route injection (static, internal routing protocols, BGP)
        ➢ "Enable" the interface/VLAN at the recovery site and let it redistribute
        ➢ Easily automated via NetOps tools and part of the automated runbook
      ➢ Lack of alignment:
        ➢ /32 static routes (still can be automated)
        ➢ Doesn't help for local LAN traffic: double NAT (sorry)
        ➢ DNS still an option
      (diagram: Application / Subnet)
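The alignment decision on this slide, as an added example that is not from the deck: given a constructed application inventory and production subnet table, it decides per application whether the DR traffic shift can inject the whole subnet route at the recovery site or has to fall back to /32 host routes because the subnet is shared. The inventory, subnets and function names are assumptions.

```python
# Added example (not from the Webair deck): classify each application for a DR
# traffic shift as described on the subnet-alignment slide. An application whose
# hosts all sit in subnets used by no other application can be shifted by
# redistributing those prefixes at the recovery site; one that shares a subnet
# needs /32 host routes (which still do not help traffic inside that LAN).
import ipaddress
from collections import defaultdict

# Constructed inventory: application -> list of VM IPs.
INVENTORY = {
    "erp":        ["10.10.1.10", "10.10.1.11", "10.10.1.12"],
    "crm":        ["10.10.2.20", "10.10.2.21"],
    "intranet":   ["10.10.2.30"],                 # shares 10.10.2.0/24 with crm
    "legacy-app": ["10.10.3.5", "10.10.4.5"],     # spans two dedicated subnets
}

# Constructed production subnet table.
SUBNETS = [ipaddress.ip_network(s) for s in
           ("10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24")]


def subnet_of(ip):
    """Map a host address to the production subnet that contains it."""
    addr = ipaddress.ip_address(ip)
    for net in SUBNETS:
        if addr in net:
            return net
    raise ValueError(f"{ip} is not in any known production subnet")


def plan_routes(inventory):
    """Return {app: (method, [routes])}, method being 'subnet' or 'host'."""
    # Which applications occupy each subnet?
    occupants = defaultdict(set)
    for app, ips in inventory.items():
        for ip in ips:
            occupants[subnet_of(ip)].add(app)

    plan = {}
    for app, ips in inventory.items():
        nets = {subnet_of(ip) for ip in ips}
        if all(occupants[n] == {app} for n in nets):
            # Aligned: enable the VLAN/interface at the recovery site and let
            # the whole prefix redistribute.
            plan[app] = ("subnet", sorted(str(n) for n in nets))
        else:
            # Shared subnet: /32 host routes per VM (double NAT for local LAN).
            plan[app] = ("host", sorted(f"{ip}/32" for ip in ips))
    return plan


if __name__ == "__main__":
    for app, (method, routes) in plan_routes(INVENTORY).items():
        print(f"{app:11s} {method:6s} {', '.join(routes)}")
```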
  30. Internal traffic shift: Don't get sucked into the weeds
  31. Internal traffic shift: A better way
      ➢ Network topology a blocker to DR strategy?
        ➢ Leapfrog the network and overlay
        ➢ Utilize NAC (Network Access Control) or SDP tools to shift traffic per endpoint
      ➢ SDP: Software Defined Perimeter
        ➢ "Zero Trust" model & contextual awareness
        ➢ All traffic from endpoints is routed through the gateway
        ➢ Gateway enforces network security
        ➢ "Tag" users, applications, device types, locations
        ➢ Build global security policies via a single pane of glass for the entire organization
        ➢ Think of a specific tunnel being built per use-case
        ➢ Global visibility into user & application consumption
        ➢ API / automation available
  32. Internal traffic shift: A better way
      ➢ Cool. What's that have to do with DR?
        ➢ "Shift" application traffic from location A to B via software defined policies
        ➢ Physical network agnostic
        ➢ Future proof: network, locations, clouds can all change
        ➢ Part of automated runbook, APIs
        ➢ Alignment issues, network topology issues go away
        ➢ Security solution: may be part of larger organization security
      ➢ Requirements:
        ➢ Organization must adopt the solution
        ➢ DR solution or DRaaS provider must support it (Webair does!! :) )
        ➢ DRaaS providers should be vendor neutral
        ➢ Internal traffic only: doesn't help with internet facing applications
  33. External Traffic Shift
      ➢ BGP swing:
        ➢ Must already be speaking BGP, own IPs, AS #, etc.
        ➢ Best solution for a true "disaster": no caching issues or residual, full portability
        ➢ Fastest solution: internet routing table updated globally in "seconds"
        ➢ Horrible "application specific" failover: all or nothing for the entire /24, not application specific
        ➢ Easily automated, can be part of the automated runbook
      ➢ DNS:
        ➢ Typical caching issues / failback drawback
        ➢ Recursive DNS servers, low end routers, endpoints not honoring TTLs
        ➢ Easily automated, can be part of the automated runbook
        ➢ Proven solution
        ➢ Some DRaaS providers have authoritative DNS and integrate it as part of the DRaaS solution
      ➢ Proxy services:
        ➢ GSLB offered by many DNS providers
        ➢ "Always-on" proxying, even when you don't need it
        ➢ Adds a layer of complexity, latency, application problems
        ➢ Expensive: typically priced on redirects (millions/month)
        ➢ Typically focused on web traffic and not other applications (e.g. Cloudflare)
  34. Cybersecurity & Ransomware (section divider)
  35. Managed security landscape (diagram)
  36. Managed security message: Proactive Prevention
      Today's Managed Security (MSSP) services:
      ➢ SIEM (Security Information and Event Management)
      ➢ Threat/asset monitoring & mitigation
      ➢ Vulnerability testing
      ➢ Penetration testing
      ➢ Automated patch management
      ➢ Automated network bricking
      "Very good" proactive solutions, but not perfect:
      ➢ Are any MSSPs providing a 100% SLA?
      ➢ If not, where's the rest of the solution?
  37. Managed security: Complete cyber solution (diagram: Threat monitoring & mitigation, MVP (proactive) + Automated DR solution (reactive) = Full Cyber Protection)
      ➢ Zerto knows this and markets it well
      ➢ Why isn't the security community pushing for a full solution? (no offerings?)
      ➢ Vendor neutrality, transparency, and integration are required
      ➢ DRaaS provider != MSSP and vice versa
      ➢ MSSPs are missing out on an opportunity: full accountability & ownership
  38. Managed security: Complete cyber solution
      ➢ DR solution provider must be MSSP agnostic (they're not a security company)
      ➢ MSSP should be able to deploy SIEM at the recovery site for full cyber accountability
      ➢ Security considerations at the recovery site must be "as good" as production:
        ➢ Network edge (IDS/IPS/WAF)
        ➢ DDoS monitoring and mitigation
        ➢ Asset scanning
      ➢ DR solution providers should:
        ➢ Provide an API for pre-warming & activation
        ➢ Provide network automation
        ➢ Provide an integration platform
  39. It's a Hybrid World: Security Vendor Neutrality & Transparency
  40. Ransomware-Recovery-as-a-Service (RRaaS)
      ➢ If a DRaaS API exists, and if SIEM is at the recovery site...
        ➢ DRaaS can be true RRaaS
        ➢ Use DR infrastructure for typical vulnerability & asset scanning
        ➢ Less intrusive to production & can be automated
        ➢ RRaaS providers sometimes include free usage of the recovery site (Webair: 72 hours/month)
      ➢ Utilize the recovery site for data loss prevention & data assurance:
        ➢ Virus scanning at the recovery site (VM internal or external)
        ➢ Integration with 3rd party DLP software vendors at the recovery site
      ➢ Blockchain to the rescue? Backend storage at recovery, immutability, private ledgers
  41. Automated Ransomware Recovery (runbook flow, in the order shown): fabric virtual cross connect enable → increase BW to recovery site → VM spin up → NFS/iSCSI direct storage mounts → SDP policy redirect → BGP/DNS swing. "Always customized, never cookie cutter!"
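One decision the flow above has to make before the VM spin-up step is which journal checkpoint to bring up. As an added example that is not from the deck or from Zerto's product, this selects the recovery point from a constructed journal; it assumes a 14-day journal (the retention the DRaaS slide later lists), a per-checkpoint result from the recovery-site virus scanning on the previous slide, and a detection timestamp from the SIEM.

```python
# Added example (not from the Webair deck or Zerto): choose the recovery point for
# an automated ransomware recovery. Journal-based replication keeps many
# point-in-time checkpoints; the recovery should land on the newest checkpoint
# that predates the first sign of encryption, preferably one the recovery-site
# scan has already marked clean.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Checkpoint:
    when: datetime
    scan: str          # recovery-site scan result: "clean", "infected" or "unscanned"


# Assumption: journal retention as listed on the DRaaS slide (14 days).
JOURNAL_RETENTION = timedelta(days=14)


def choose_checkpoint(checkpoints, first_detection, now,
                      safety_margin=timedelta(minutes=15), require_clean=True):
    """Return (checkpoint, data_loss), or (None, None) if the journal has nothing usable.

    first_detection: earliest time the SIEM/AV flagged encryption activity.
    safety_margin:   checkpoints closer than this to detection are treated as
                     suspect, since encryption usually starts before it is noticed.
    require_clean:   accept only checkpoints the recovery-site scan marked clean;
                     when False, unscanned checkpoints are acceptable as well.
    data_loss:       production time between the chosen point and detection,
                     i.e. the effective RPO of this recovery.
    """
    cutoff = first_detection - safety_margin
    oldest_kept = now - JOURNAL_RETENTION        # older points have rolled off
    wanted = {"clean"} if require_clean else {"clean", "unscanned"}
    candidates = [c for c in checkpoints
                  if oldest_kept <= c.when <= cutoff and c.scan in wanted]
    if not candidates:
        return None, None                        # fall back to backups outside the journal
    best = max(candidates, key=lambda c: c.when)
    return best, first_detection - best.when


# Constructed sample journal: hourly checkpoints, scanned clean up to hour 5,
# unscanned after that, and the hour-9 checkpoint found infected by the scan.
T0 = datetime(2017, 9, 25, 0, 0)
SAMPLE = [Checkpoint(T0 + timedelta(hours=h), "clean" if h <= 5 else "unscanned")
          for h in range(9)]
SAMPLE.append(Checkpoint(T0 + timedelta(hours=9), "infected"))
DETECTION = T0 + timedelta(hours=9, minutes=20)   # SIEM alert time (constructed)
NOW = T0 + timedelta(hours=10)
MUCH_LATER = T0 + timedelta(days=15)              # whole journal has rolled over

if __name__ == "__main__":
    cp, loss = choose_checkpoint(SAMPLE, DETECTION, NOW)
    print(f"recover to {cp.when:%Y-%m-%d %H:%M} (scan={cp.scan}), data loss {loss}")
```

Requiring a clean-scanned checkpoint trades recovery-point freshness for assurance; the `require_clean=False` path shows the cost of skipping the scan.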
  42. BCDR Services Offerings (section divider)
  43. Webair BCDR Offerings
      • Backups-as-a-Service
      • Backups-as-a-Service to Azure
      • Disaster-Recovery-as-a-Service
      • Disaster-Recovery-as-a-Service to Azure
      • Ransomware-Recovery-as-a-Service
      • IBM DRaaS Services (i Series, p Series, System z)
      "Webair is a solid choice for prospective companies… it provides excellent value for the money and has experience with many different replication approaches." - Gartner 2017 Disaster-Recovery-as-a-Service Magic Quadrant
  44. Webair BCDR Recommendation: match application criticality to the proper platform (chart: Tier 0, Tier 1 and Tier 2 applications)
      ➢ Backups-as-a-Service: 0 RTO
      ➢ DR-Lite Addon: 24 Hour RTO
      ➢ Disaster-Recovery: 1 Hour RTO
      ➢ Ransomware-Recovery: 15 minute RTO
      Common to all: network, runbook, integrations, accountability
  45. Webair Backups-as-a-Service
      ➢ Platforms: VMware, Hyper-V, physical servers running Linux or Windows
      ➢ Features:
        ➢ Full accountability from Webair
        ➢ 24x7 management & monitoring
        ➢ Account portal with single pane of glass view
        ➢ Enterprise grade HW (N+2 EMC/Isilon, Cisco UCS)
        ➢ Network customization
        ➢ Per file or per VM restores, ability to restore direct
        ➢ Direct HV integration, no agent
      ➢ Cost metrics:
        ➢ Storage usage only: per GB per month
        ➢ Raw deduplicated / compressed storage pools available
        ➢ No per VM charges
        ➢ No transfer charges
        ➢ No operation charges
  46. Webair Backups-as-a-Service: DR Lite Addon
      Included features:
      ➢ Addon "insurance policy for BaaS"
      ➢ Ability to spin up backed up storage on-demand
      ➢ 15 minute RPO
      ➢ 24 hour RTO worst case
      ➢ Yearly testing included
      ➢ Portal access to:
        ➢ Spin up / shut down VMs
        ➢ Console VMs, manage networks
        ➢ Download / restore backups for fallback
      Always-on networking:
      ➢ Reduces RTO to minutes (on-demand)
      ➢ Network pre-planning and pre-configuration
      ➢ Site-to-Site and Site-to-Client FWs
      ➢ MPLS & direct connectivity tie in
      ➢ Internal NAT & DHCP to match existing
      ➢ Internal route injection & automation options
      Cost metric: storage only
  47. Webair Disaster-Recovery-as-a-Service
      ➢ Platforms:
        ➢ VMware, Hyper-V (Zerto)
        ➢ Physical servers
        ➢ Native HCI platforms
        ➢ IBM iSeries, AIX, Mainframe (i, P, Z)
        ➢ Native storage replication (Nimble, NetApp SnapMirror, EMC, Object)
      ➢ Features:
        ➢ Pre-planned & configured always-on network and automated failover
        ➢ Fully managed failover AND failback
        ➢ Fully managed quarterly testing with reporting
        ➢ 72 hours per month of DR environment usage included (use for QA/Dev/patching/testing)
        ➢ 14 day journal history
        ➢ Synchronous RPO SLA, 1 hour RTO SLA
        ➢ Portal access with on-demand testing and spin up
        ➢ Enterprise grade HW (Cisco UCS, Nimble SSD storage); dedicated, shared, or "air gapped" compliance platforms
        ➢ Storage tiers: Normal, High Performance, Encrypted
        ➢ Application specific failover
        ➢ Automated runbook creation, including scripting, network automation, 3rd party APIs
  48. Webair Disaster-Recovery-as-a-Service
      ➢ Cost metrics:
        ➢ Per VM / server per month & storage usage
        ➢ No per VM charges
        ➢ No transfer charges
        ➢ No operation charges
      *** Special cost considerations if you already own Zerto perpetual licenses
  49. Webair Ransomware-Recovery-as-a-Service
      ➢ Platforms: VMware, Hyper-V, IBM Power i, physical servers
      ➢ Features:
        ➢ All features of the DRaaS service
        ➢ Virus scanning at the recovery site (shifts the overhead)
        ➢ Asset & endpoint vulnerability scanning at the recovery site
        ➢ SIEM at the recovery site
        ➢ Custom MSSP alerting automation
        ➢ No cost for data transfer or operations
        ➢ Direct connectivity
        ➢ DDoS monitoring & mitigation
        ➢ 24x7 SOC services (3rd party)
        ➢ BYO MSSP
      ➢ Cost metrics:
        ➢ Per VM / server per month & storage usage
        ➢ No transfer charges
  50. Companies That Trust Webair (logo slide)
  51. Webair Partnerships
      ➢ NY based, owner-operated. Focused on building long-term relationships, not consolidation or M&A
      ➢ Laser-focused on our core business of managing, monitoring, scaling, and securing infrastructure
      ➢ Data's best interests at heart, matching the proper cloud platform to the exact use-case
      ➢ Not an MSP, VAR, or SI. Instead, we work directly with them to provide full ownership of solutions
      ➢ Don't manage or touch equipment at customer premises
      ➢ Full stack accountability & ownership backed by a single SLA & BAA for data center, network, and cloud from one vendor
  52. Meet Us!
  53. Thank you! Sagi Brody, @webairsagi, www.webair.com (Healthcare, SAP, eCommerce/SaaS, Disaster Recovery-as-a-Service)
