Client data now lives in more places than ever before — in data centers, on endpoints, in clouds and in SaaS applications. Through all the change, one constant remains — data is under attack. Ransomware is on the rise and continues to be a disruptive force for clients of all sizes across all industries.  

Today’s ransomware is built to overcome traditional security mechanisms. According to the 2021 Cyber Security Statistics report, a staggering 53% of organizations running multiple antivirus solutions fell victim to an attack. 

Authorities and industry experts alike tout a complete business continuity and disaster recovery (BCDR) strategy as the most certain way to resume operations after an attack. A good BCDR strategy is made up of five pillars of defense: secure, protect, detect, test and recover. In combination, these pillars offer your clients the best protection against ransomware.  

This post will help you understand the different BCDR options in the market and what questions you need to ask your vendor in context with the five pillars to determine the right BCDR solution for your MSP. 

1. Secure

In response to widespread attacks on Windows machines, many IT organizations are transitioning away from malware-susceptible Windows-based backup software. Beyond hardening of the backup appliance kernel and standard environmental security measures, additional controls (such as Role-Based Access Control) should be available for further customization. 

Features to look for

Fewer point products: An all-in-one protection strategy is far better than a multi-vendor one as it decreases IT complexity, risk and cost. It means fewer licenses and service agreements and saves management and technician time.

Purpose-built appliance: A purpose-built turnkey data protection solution is easier to install, upgrade, service and manage. 

Non-Windows-based backup appliance (i.e., hardened Linux): AV Test’s 2020 Security report revealed that more than 78% of malware developed in the last 24 months has been built to target and penetrate Windows systems. Running a solution on a different OS (such as Linux) differentiates the backup environment from production. Further hardening of the appliance kernel and the hierarchical nature of the Linux OS makes them more difficult to compromise. 

Immutable storage: Immutable storage enables you to store data in a format that cannot be modified or removed. This secures backup data from ransomware changes since no external client can read, modify or delete data once it’s been ingested.  

Role-based access control: Role-based access control (RBAC) helps secure the backup environment from unwanted access. Each user may operate within the environment under a defined scope, limiting the operations they can perform or the assets they have access to, as required.  

Immutable audit logs: Immutable logs and routine monitoring ensure that data handled by your backup and recovery systems is being appropriately managed and accessed by staff. 

AES encryption: Encryption secures data privacy both at rest and in flight. In addition to encrypting data backups, office email communication should be secured and any removable storage devices (HDDs, USB drives) should be encrypted.  

Integrated anti-phishing defense: Two-thirds (67%) of ransomware attacks are deployed via spam and phishing emails. Integrated anti-phishing defense empowers end users to defend against phishing and account takeover attacks. Solutions that provide visual cues (i.e., banner notifications) alert employees to external senders, spoofed and/or imitated users, and enable them to quarantine suspicious emails while automating workflows and feedback loops so as to streamline IT review and investigation. 

Questions to ask the vendor

How do you guarantee client backups are secure against ransomware? 

How do you store backups? Are they in native formats susceptible to attack? 

What level of encryption do you offer for data? Is client data encrypted in flight, at rest or both? 

2. Protect

Regardless of whether your clients’ environments are largely physical servers, virtual servers or a mix of both, you need to be able to protect them all. Your service should offer a number of different backup approaches that help clients meet the unique needs of their environments. You may want to leverage agent-based, agentless protection, or a combination thereof to meet the recovery objectives of clients. 

Features to look for

Wide coverage of protected assets: To reduce the number of point products your clients need to rely on, your backup solution should be able to natively support hundreds of versions of operating systems, hypervisors and applications.  

Policy-based management: Technicians should have the choice of how client backups are scheduled, either by entering a specific schedule or using intelligent, policy-based scheduling technology. 

Data reduction: Data reduction (deduplication, compression) reduces the overall size of files and eliminates redundancy among stored blocks, making movement, management and storage more efficient for client data. 

Global deduplication: As stated above, consider solutions that offer global deduplication across the entire backup volume. It enables more efficient storage utilization than job-based duplication, which reduces blocks on a per-job basis.  

Support for hyperscale clouds: Today’s solution should easily integrate with hyperscale clouds, such as AWS or Azure, to protect IaaS workloads, store backups for off-site and/or long-term retention requirements, and enable disaster recovery. 

Purpose-built cloud: A cloud provider offering a dedicated cloud provides a turnkey solution specifically tuned to meet the needs for immutable off-site storage, long-term retention and disaster recovery.  

Questions to ask the vendor

How do you get client data off-site? What types of targets do you integrate with? 

Do you offer dedicated cloud services? If yes, what security controls are implemented? 

3. Detect

The latest innovations in ransomware include variants designed to overcome backup defenses with phased attacks aimed to defeat backups in a number of ways, typically including the use of gestation periods or dormancy.  

For clients, early ransomware detection means faster recovery. Backup vendors are increasingly making use of predictive analytics and machine learning to recognize possible attacks and alert technicians of abnormal fluctuations in client data as backups are ingested, providing insights into data anomalies not found by security solutions such as antivirus. 

Features to look for

Predictive threat detection: Your solution should use machine learning to detect an active infection in the client’s environment in near real-time. Artificial Intelligence (AI) is used to identify anomalies in data. Automatic notifications alert technicians, enabling them to take immediate action to slow the spread and speed up recovery efforts for the client. 

Data loss prediction: Utilize intelligent tools that simulate different disasters and outage scenarios to determine how much client data would be lost in a downtime event. This will help you refine your strategy and ensure client-set RPOs are met. 

Internal anomalous monitoring and detection: Secure client servers, data and network with an AI-augmented solution that identifies threats that traditional security tools can’t — misconfigurations, unauthorized logins, new devices being added to the network, gaps in backups, admin rights being granted and more. 

Dark web monitoring: At a time when clients are following a hybrid work environment model, and cloud email adoption is at an all-time high, clients have an even greater need for strong cybersecurity defenses. A compromised account grants unauthorized access to the client network. Once hackers are in, they can use stolen credentials to further spread the infection. Look for a solution that includes built-in dark web monitoring to alert your technicians of compromised or stolen credentials. Automated alerts enable you to quickly take proactive steps to secure accounts before any malicious activity occurs. 

Questions to ask the vendor

Does your solution analyze for abnormal changes to client backup data? 

Do you alert to environmental anomalies and/or misconfigurations? 

Do you flag and alert where client backups may be potentially impacted by ransomware? 

4. Test

Once backup and recovery processes are implemented, configured and running in production, it is critical to establish a cadence for regular recovery testing for the client’s backup environment to ensure valid, recoverable backups in the event of a ransomware attack or other downtime event. 

Features to look for

Application-level certification: Legacy methods of testing, such as screenshot verification, leave much to be desired since they don’t provide any means of identifying data corruption within client backups or whether their applications and services are functional upon recovery. Look for a solution that certifies client backups at the application level, often through use of scripting, to verify client workloads will perform as expected upon restore. 

Compliance tracking: In order to understand whether or not your current backup strategy is sufficient to meet the RTOs and RPOs demanded by your client’s SLAs, ensure the solution enables tracking and reporting of Recovery Point and Recovery Time Actuals to ensure client goals are met.  

Automated testing: Many MSPs are unable to test client backups and disaster recovery, often due to the significant investment of manpower and time required to execute it. Look for a solution that automates testing in a pre-determined, isolated environment on a set schedule according to predefined parameters such as boot orders, machine reconfiguration and application verification. 

Audit-mode restore: Audit mode is a method of recovery through which you can selectively verify that particular machines can be recreated from any given recovery point. Isolated from production (no network connectivity), audit-mode restores verify that client machines are booting correctly and that data is accessible. Upon verification, the audit-mode instance can be safely torn down. 

Exportable reports: Your solution should provide exportable reporting on the outcomes of all testing to keep clients aware of the efficacy and compliance status of their DR. 

Questions to ask the vendor

How does your solution test for client recovery? Do you have an approach more thorough than screenshot verification? 

What automation is available for recovery testing? 

How does your solution report on the outcomes of testing? 

5. Recover

The required recovery efforts following a ransomware attack will vary from client to client. When the infection is caught early on, replacing infected files may prove sufficient. In other cases, rebuilding a portion or the totality of your client’s environment may be required. After an attack, you need to provide clients with multiple options to restore operations. 

Features to look for

File recovery: Should the infection be caught early on and contained to specific systems, removing the malware and recovering any infected files may prove sufficient. The solution should make it intuitive and easy to find, and restore individual files from client backups with only a few clicks. Indexed search capabilities and self-service capabilities (with role-based access control) enable quick recovery. 

Flexible recovery options: The solution should be flexible in both how technicians can recover client assets and where you can recover data to. Look for solutions that support a wide range of recovery modes, including physical-to-virtual (P2V), V2V, V2P and replicas. 

Instant recovery: In the wake of an attack, it is imperative to respond as quickly as possible to stop the infection, investigate, remove the threat and recover. If a client’s server or VM is attacked, technicians should be able to orchestrate failover to bring client applications back up from their most recent verifiable backup with a near-zero RTO. 

Bare metal recovery: Bare metal recovery (BMR) technology is used for disaster recovery of protected assets. BMR enables system and application recovery across client servers from different vendors and hardware configurations. 

Disaster-recovery-as-a-service (DRaaS): Reduce cost, complexity and time-to-recovery in the wake of an attack with DRaaS. DRaaS providers deliver rapid spin up of critical systems and applications in a secure cloud location and help the client re-route user traffic until the on-prem site is operational.

Questions to ask the vendor

Can you deliver near-zero RTOs for clients’ VMs, databases and file shares? 

What recovery options are available for recovery to alternate/dissimilar targets? 

Do you index client files for search capabilities? 

Keep client infrastructure ransomware-proof with Unitrends MSP

Defense against ransomware requires a multi-pronged, continuous effort, right from providing security awareness training to clients’ employees to improving your MSP’s BCDR strategy. Unitrends MSP, as part of your BCDR stack, provides your clients with protection against ransomware and other cyberthreats, leading to quick recovery from a host of advanced threats.  

Ready to learn how your MSP can reach BCDR nirvana with Unitrends MSP? Let’s Get Started!