Edward Gately

**Editor’s Note: Register now for Channel Partners Evolution, Sept. 25-28, in Austin, Texas.**

How can you protect your customers from the ravages of ransomware?

Isolated backups might be a good option to explore. During this concurrent education session titled, “Ransomware Rescue: How to Use an Isolated Backup to Restore Data,” at Channel Partners Evolution, Sept. 25-28, in Austin, Texas, Edward Haletky, principal analyst, author and entrepreneur with TVP Strategy, will walk attendees through the process of setting up isolated backups that can protect customers even when ransomware hits.

Edward Haletky

He also will discuss how various DRaaS providers protect data and show exactly how to restore systems after an attack.

In a Q&A with Channel Partners, Haletky provides a sneak peak of the information he plans to share with attendees.

Channel Partners: How can isolated backups protect customers even when ransomware hits?

Edward Haletky: Isolated backups ensure that your backup repository is also not hit by ransomware. This would make for a very bad day if it happened and currently it can happen easily. Many backup tools mount volumes to potentially infected machines, do their backup to this mount point, and then unmount. The fact that the mount happens puts backups at risk. Also, if the backup server happens to be running Windows and mounts the backup repository directly, it can also be the culprit for encrypting the repository. It is best for the backup repository to be isolated from the machines being backed up and the servers itself. So instead of using SMB protocols to communicate, you would use other non-filesystem-based protocols. This in turn isolates the repository from infected systems.

CP: What is the process for setting up isolated backups that can protect customers?

EH: The process for setting up isolated backups differs from product to product, but the most important one is to ensure that the backup repositories are not accessed as if it was a filesystem. In other words, do not use backup tools that mount repositories or target systems. There are two points to protect. One is the repository itself, and the other is the backup server in use. We need to think architecture more than individual products. We think architecture by knowing how ransomware hits today. Multiple layers of protection are always best.

CP: How best do you restore systems after an attack? It is getting easier with the right tools?

EH: To restore a system from an attack you need an agent that has not been infected, a backup server not affected and a repository not infected. The fastest way is to use what is called instant recovery. Once infection is noticed, the recovery process starts. First, it isolates and kills the ransomware process that is running, then restores the data affected. The agent could and should live on a read-only bit of system so that it is also not encrypted. If not using agents, it is possible to …

… present a fully baked disk to the cloud or virtualization host to present the volume directly to a VM.

CP: How do various DRaaS providers protect data?

EH: DRaaS providers are those that offer cloud storage as a target for their solution. If the solution itself does not have the concept of immutable storage, the DRaaS solution does not. Most of the time DRaaS providers keep a number of instances of the backup. They sometimes will keep synthetic full backups (reconstituted incrementals) ready to be restored or used. DRaaS has the ability to keep hundreds of incrementals or synthetics full. The fact that they have so many allows them to have one version that is not encrypted by ransomware. However, if the backup solution has no ransomware detection capability, they are just hoping the number of incrementals is sufficient. A few use the version write capability of the clouds object store. This is a big win and allows for immutable copies.

CP: What do you want those who attend your session to learn and take with them?

EH: That there are many places protection from ransomware can exist. Having a data-protection architecture that covers the potential locations is a must and provides defense in depth. Yet, even so there are some fundamentals about data protection that we all must learn. Those fundamentals are to limit access, to never mount the data protection repository, and to choose tools or combinations of tools that detect ransomware in some form.