We built this security policy on rock’n’roll

Well, I'm pretty sure that was the song title. I've not done a post for a little while with a tenuous song lyric link in the title, but the Starship 80's classic seems about right for this one. So what was behind this bit of song title chicanery?

The surprising answer is a newsletter! This one came from one of our innovative security partners, Varonis, and it created an interesting conversation between my company's technical and sales folk.

What did this newsletter say that was such a great source of debate?

“How to Detect and Clean Cryptolocker Infections”

“Varonis customers have had success detecting and reacting to Cryptolocker infections, including the recent attacks, using DatAdvantage and DatAlert.”

That's great news, isn't it? We all know that Cryptolocker and its ilk of ransomware attacks are potentially devastating to a business: at the least they are hugely inconvenient, at worst they can cause critical data loss and all that that entails.

On reading this, one of my sales colleagues asked a great question: "does this mean this is a 'cure' for Cryptolocker?" This had special resonance for my colleague, as one of his customers had a particular worry around this type of attack. You can see why he asked that question, but of course that's not what the guys at Varonis meant (in fact, have a read of their excellent blog post on the subject), and much to the disappointment of my sales colleague we had to inform him that no, Varonis don't have a "cure", and that's not what they meant.

Well what did they mean?

If you have a read of their post, you'll see that what Varonis actually talk about is something I speak about often with clients: data protection is not just one thing, and there isn't one magic bullet. In reality data protection is like a great big onion (plug for another old BLOG post here! Data Security Is A Great Big Onion). It is multi-layered, from core data to people, and the complexity of the problem means that every threat needs multiple layers of protection to ensure you are not easily exposed.

Let's take this example specifically. The Varonis toolset in question here does not pretend to stop Cryptolocker; in fact, not only does it not stop it, in reality it doesn't even know what it is. What Varonis actually do is adopt another of my favourite key tenets of security policy development: "assume you are already compromised". If you've never had that discussion in your business, you really should. If you're assuming that firewalls and antimalware tools are all you need to protect yourself from the most devastating malware attacks, you are probably setting yourself up for an unpleasant surprise. If we then assume our systems are compromised, what on earth do we do about that to protect ourselves?

What do we do? In my experience, two things:

  1. Make sure we can spot the signs of compromise
  2. Make sure we have the ability to recover from any damage caused by the compromise

Because Varonis assume you are already compromised, what their tools do is step number one: look for the signs of compromise, that is, behaviour outside the norm of your policies and the usual behaviour of your users. If we see deviation from those, we can act, so in the case of a ransomware attack we can spot the unusual file access behaviour and apply rules that can stop it. We do better than just stop it: the analytics engine also allows us to track the files affected by this behaviour.

That's a great starting point. It allows us to limit the damage and, importantly, greatly reduce both the time and cost of recovery. One of the issues with this kind of attack is that we don't know the extent of the damage, and we can be finding encrypted files for months; what this tracking allows us to do is know exactly the extent, exactly the files and the users affected.

Once we have that information, step 2 kicks in: we identify the damaged data and move to our data recovery solution to recover an unaffected copy. The quicker we are in doing this, the less the damage and loss of data, because if you've spent 8 hours working on a major proposal that then gets ransomware'd and you only have nightly backups, you are going to lose all that work. But that is a whole different conversation around recovery point objectives.
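To make the two steps concrete, here is an added example (not Varonis or NetApp code, and not from the original post) of the behavioural detection and recovery-scoping logic the post describes, run over a constructed file-server audit log. The log format, the per-user burst threshold, the two-minute window and the snapshot schedule are all assumptions chosen for the illustration. It flags an account that rewrites and renames many files in a short burst, lists exactly which files it touched from the first suspicious write onward, and picks the latest snapshot taken before that write so the recovery point, and therefore the work at risk, can be stated rather than guessed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in an assumed format: "<ISO timestamp> <user> <action> <path>".
# Ordinary daytime activity for one user.
NORMAL_LINES = [
    "2016-03-01T08:55:00 alice OPEN /share/finance/budget.xlsx",
    "2016-03-01T09:10:00 alice MODIFY /share/finance/budget.xlsx",
    "2016-03-01T11:30:00 alice OPEN /share/proposals/bid.docx",
    "2016-03-01T14:05:00 alice MODIFY /share/proposals/bid.docx",
]

# A burst typical of ransomware behaviour: one account rewriting and renaming
# 30 documents, one every 3 seconds, starting at 10:00:00 (constructed data).
BURST_START = datetime(2016, 3, 1, 10, 0, 0)
BURST_LINES = []
for i in range(30):
    ts = (BURST_START + timedelta(seconds=3 * i)).isoformat()
    path = f"/share/proposals/doc{i:02d}.docx"
    BURST_LINES.append(f"{ts} bob MODIFY {path}")
    BURST_LINES.append(f"{ts} bob RENAME {path}")

AUDIT_LINES = NORMAL_LINES + BURST_LINES

# Assumed snapshot schedules: hourly at half past, versus a single nightly backup.
HOURLY_SNAPSHOTS = [datetime(2016, 3, 1, h, 30) for h in range(24)]
NIGHTLY_BACKUPS = [datetime(2016, 2, 29, 23, 0)]

# Actions that change data; reads alone are not evidence of encryption in progress.
WRITE_ACTIONS = {"MODIFY", "RENAME", "DELETE"}


def parse_event(line):
    """Split one audit line into a dict; the path may contain spaces, so split at most 3 times."""
    ts, user, action, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path}


def detect_bursts(events, window=timedelta(minutes=2), threshold=25):
    """Step 1: flag any user whose write-type events exceed `threshold` inside a sliding `window`.

    Returns {user: timestamp of the earliest event in the window that crossed the threshold}.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in WRITE_ACTIONS:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = q[0]
    return flagged


def affected_files(events, user, since):
    """Scope the damage: every path the flagged user wrote to from the first suspicious event on."""
    return sorted({ev["path"] for ev in events
                   if ev["user"] == user and ev["ts"] >= since and ev["action"] in WRITE_ACTIONS})


def pick_recovery_snapshot(snapshots, first_bad_ts):
    """Step 2: the latest copy taken strictly before the first suspicious write, or None."""
    candidates = [s for s in snapshots if s < first_bad_ts]
    return max(candidates) if candidates else None


def run_analysis(lines=AUDIT_LINES, snapshots=HOURLY_SNAPSHOTS):
    """Tie detection and recovery together; returns one report entry per flagged user."""
    events = [parse_event(line) for line in lines]
    report = {}
    for user, first_ts in detect_bursts(events).items():
        snap = pick_recovery_snapshot(snapshots, first_ts)
        report[user] = {
            "first_suspicious": first_ts,
            "files": affected_files(events, user, first_ts),
            "restore_from": snap,
            "work_at_risk": (first_ts - snap) if snap else None,
        }
    return report


if __name__ == "__main__":
    for label, snaps in (("hourly snapshots", HOURLY_SNAPSHOTS), ("nightly backup", NIGHTLY_BACKUPS)):
        for user, r in run_analysis(snapshots=snaps).items():
            print(f"[{label}] {user}: first suspicious write {r['first_suspicious']}, "
                  f"{len(r['files'])} files affected, restore from {r['restore_from']}, "
                  f"work at risk {r['work_at_risk']}")
```

Running it shows the point of the post in numbers: the same burst is caught either way, but with hourly snapshots the work at risk is half an hour, while with only a nightly backup it is eleven hours. The threshold and window are deliberately simple; a real deployment would baseline each user's normal write rate rather than use one fixed number.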

Is this all pie in the sky? Does this stuff really happen? It certainly does. We had two instances last year where customers were victims of these very kinds of attack; however, in both cases they had tools in place that massively reduced the impact. They did have Varonis tools installed, which had identified the attack and quickly limited its impact. They also had data protection capabilities that meant they carried out multiple snapshot backups during the day (NetApp based in these cases), so they could quickly recover the files from a backup no more than a couple of hours old, greatly reducing the impact, inconvenience and cost of these attacks.

Is the point of this post to say you have to run out and buy Varonis and NetApp solutions to protect you from ransomware attacks? No, of course not. If you regularly read my posts you know I try to avoid the blatant advert; all I'm saying is understand a couple of things:

  1. Data security is multi-layered, there is no magic bullet.
  2. Assume you are compromised and think about how you mitigate the impact of compromise.

Understanding just those couple of things can have a big impact on the security of your data and can greatly reduce the damage caused by any kind of compromise. Do those things in themselves do all the job? No, of course they don't, but if you take those two things as part of your data security policy planning they will help. Look for tools that help you meet those goals; I've mentioned a couple here in this post, but there are others, and some may be more suitable than others in your circumstances.

Hopefully the points here will be of use and will help you in building your data security policies with rock'n'roll, or at least with good strong security tools!

I've included a couple of links below for Varonis and NetApp, and of course if you have any questions, contact me in the usual ways on Twitter or LinkedIn, or give Gardner Systems a call on 0151 220 5552 and speak to one of the team.

For more information on Varonis click here

For more information on NetApp data protection solutions click here