By Stefan Voss, Senior Director, Product Management for Dell Cyber Recovery, at Dell EMC
Destructive cyber-attacks have become part of our daily lives. A few lines of code can take down an entire enterprise, and cyber-attacks are growing in sophistication.
A Changing Threat Landscape
Lloyd’s of London estimated that a serious cyber-attack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy[i].
Most cyber-attacks are financially motivated, and ransomware continues to be a major threat. However, ransomware isn’t the only type of attack companies worry about: data corruption can also stem from other attacks, including malicious insiders and wiper-ware (e.g. NotPetya).
Organisations are not confident in their ability to detect and investigate breaches quickly, in part because of the explosive growth in the number of malware variants.
While investment in prevention and detection will (and should) continue, organisations realise that effective strategies to respond and recover are just as important. Most believe that isolation and recovery from backups are effective strategies to respond to destructive cyber-attacks.
Data recovery should be done in the context of overall incident response; however, that can prove easier said than done. According to ESG[ii], 73% of organisations believe that the relationship between IT security and business risk can be difficult to coordinate. This is why security professionals such as Chief Information Security Officers (CISOs) are becoming more involved in the data recovery strategies of an organisation.
Cyber-Attacks Impact the Bottom Line
Equating the cost of a destructive malware attack with the amount of ransom demanded is a bad assumption. Estimates of the average cost of a malware attack vary. Accenture[iii] estimates the average cost to be $2.4 million, but the study also reveals that the cost varies by organisational size and vertical (Financial Services being #1). Regardless, the average cost is rising year over year, with a 27.4% increase from 2016 to 2017 alone.
In all cases, the cost of a cyber-attack increases with the complexity of the attack and the length of the recovery time. The top three attack types in terms of time to respond are malicious code, malicious insiders, and ransomware. Most sophisticated attacks use a combination of these.
Consider a large retail company that was one of the 60 organisations impacted by the NotPetya attack. In business terms the impact of the cyber-attack can be summarised as follows:
- Attack vectors: supply-chain malicious code injection, wiper-ware disguised as ransomware.
- Velocity of Attack: minutes for the malware to compromise the organisation.
- Revenue Impact: 17 factories came to a standstill, resulting in $15 million in lost revenue daily. Total revenue loss: >$65 million (it took over 4 days to restore business-critical systems).
- Ransom Demand: $300 per computer, a total of $1.5 million across 5,000 machines. NOTE: paying the ransom would have been ineffective, since no means of decryption was built into the NotPetya wiper-ware. The ransom was not paid.
- Productivity Impact: 5,000 Windows systems down, 17,000 employees impacted. Financial impact not disclosed.
- Recovery Costs: hundreds of emergency beds, multiple recovery teams. Data recovery took 4.5 days from a Dell EMC Data Domain system, compared with a projected 4-5 weeks had recovery been done directly from tape. Financial impact not disclosed.
- Brand Damage: cyber-attack publicised in major news outlets (online, print). Financial impact not disclosed.
Dell Cyber Recovery – A Key Component of Your Security Posture
Dell Cyber Recovery gives organisations an effective strategy to improve the maturity of their security posture. According to Gartner[iv], traditional backup services are not designed for recovery from cyber-attacks. Gartner, along with several other analysts and government agencies, recommends making backup images or gold copies inaccessible from the network through air-gapped media.
This is the central tenet of Dell Cyber Recovery. The technical solution assumes that a hardened backup and disaster recovery infrastructure is already in place. Organisations today use Dell Cyber Recovery as the last line of defence for business critical data.
The mechanics of Dell Cyber Recovery are actually quite simple:
Step 1: Periodic synchronisation of data from the production network to the Cyber Recovery (CR) Vault, a dark site with a dedicated private network. The replication link is only online during the synchronisation itself. Note that both the backed-up data and the backup application's metadata are synchronised. This provides additional protection from cyber-attacks targeted at the backup infrastructure.
Step 2: Once the data is synchronised into the CR Vault, immutable copies are created to ensure that even administrators authorised to access the CR Vault cannot delete them. All the copies in the CR Vault are pointer-based and highly efficient.
Step 3: Sandbox copies can be created for the purpose of recovery drills or analytics. A future post will dive deeper into the built-in analytics capabilities for finding indicators of compromise (IOCs) in the native backup format.
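A minimal model of the three steps above, added here as an illustration and not Dell's code: the replication link is up only inside the sync window, every copy carries a retention lock that an administrator cannot override, and sandbox copies share blocks by pointer without touching the locked copy. The class and method names, the plain day-counter clock and the 14-day retention period are assumptions.

```python
from dataclasses import dataclass

class LinkClosedError(Exception): pass      # a write reached the vault while the link was down
class RetentionLockError(Exception): pass   # a delete was attempted before the retention lock expired

@dataclass(frozen=True)
class VaultCopy:
    name: str
    blocks: frozenset    # pointers to deduplicated blocks; copies share them rather than duplicate
    catalog: dict        # backup-application metadata, synchronised together with the data
    locked_until: int    # retention lock (day number): not deletable before this, even by a vault admin

class CyberRecoveryVault:
    """Toy model of the CR Vault (assumed names); time is a plain day counter to keep it short."""
    def __init__(self, retention_days=14):
        self.link_open = False          # dark site: the replication link is down by default
        self.retention_days = retention_days
        self.copies = {}

    def receive(self, name, blocks, catalog, today):
        # Vault-side write path: reachable only while the link is up
        if not self.link_open:
            raise LinkClosedError("vault is dark; replication link is down")
        copy = VaultCopy(name, frozenset(blocks), dict(catalog), today + self.retention_days)
        self.copies[name] = copy        # Step 2: retention lock applied the moment the copy lands
        return copy

    def synchronise(self, name, blocks, catalog, today):
        # Step 1: the link is up only for the duration of the sync itself
        self.link_open = True
        try:
            return self.receive(name, blocks, catalog, today)
        finally:
            self.link_open = False      # dark again whether or not the sync succeeded

    def delete(self, name, today, is_admin=True):
        # Step 2: admin rights do not override an unexpired retention lock
        copy = self.copies[name]
        if today < copy.locked_until:
            raise RetentionLockError(f"{name} is retention-locked until day {copy.locked_until}")
        del self.copies[name]

    def sandbox(self, name):
        # Step 3: a working copy for recovery drills or IOC analysis; shares blocks by pointer,
        # and nothing done to it touches the locked vault copy
        src = self.copies[name]
        return {"name": f"{name}-sandbox", "blocks": src.blocks, "catalog": dict(src.catalog)}
```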
Under the covers, Dell Cyber Recovery leverages industry-leading technology from Dell EMC Data Domain, including secure replication, data invulnerability architecture, retention lock, and data efficiency.
For more information, check out this video and be sure to visit the Dell Cyber Recovery site.
[ii] ESG Custom Research: Cybersecurity and Business Risk Survey, March 2018.
[iii] Accenture: 2017 Cost of Cyber Crime Study.
[iv] Gartner: Backup and Recovery Best Practices for Cyberattacks, Ray Schafer, 22 June 2017.