The issue of Ransomware protection has risen to one of the top priorities for IT. Organisations are feeling overwhelmed by the vast array of threats coming from all angles and are scrambling to figure out how they are going to protect their file data. In recent weeks we have seen the most significant cyber-attack on the Irish state in the HSE ransomware attack and the US’s most sophisticated ransomware attack on critical infrastructure in the Colonial Pipeline attack.
Unfortunately, these attacks are part of an increasingly complex ransomware trend and are growing in frequency. Although no preventative measures can guarantee protection from the next ransomware attack, organisations can start to manage their data better to reduce the damage such an attack causes. Organisations need to reassess and review now how they manage and protect their data.
Backups should be considered only partial protection for file data: in many cases they are not taken as frequently as they should be, and versions are not retained for long periods of time. Depending on how and where the backups are stored, they too can be infected. Microsoft and AWS both offer immutable Blob storage options that prevent objects from being written over or deleted until a specific retention period has passed. In addition, some storage vendors offer Litigation Hold options that protect file objects from being deleted until the hold has been released. These settings are applied at the container or bucket level. Retention or Litigation Hold also protects the containers/buckets from storage account deletion and/or container deletion.
TripleLock Planning and Implementation
SISCIN TripleLock Archive
The SISCIN TripleLock Archive (Storage Account/Password, Encryption and Immutable) protects your most critical documents and files against Ransomware attacks and other acts of destruction, in three ways:
1. Storage Account
SISCIN TripleLock Archives use storage you provision in Azure, AWS, Wasabi or other S3 compatible storage. Only you control the storage accounts and passwords used to access the TripleLock Archives.
2. Encryption
All critical documents and files stored in TripleLock Archives are individually compressed and encrypted using unique keys generated at the time of encryption.
3. Immutable Storage
Immutable storage is for organization-critical file data that you simply cannot lose. This data may be required for regulatory compliance, business operations, project plans, financial documents, contracts, etc. All TripleLock Archives use immutable storage, which protects your critical documents and files from being encrypted by Ransomware or deleted, whether accidentally or intentionally, until the retention period that you have defined for the Archive has expired. TripleLock helps you meet regulatory or legal retention requirements for types of information that require an additional level of protection.
You will be able to enable the TripleLock protection feature on any SISCIN archive, new or existing. The retention period is applied to each file in these Archives, and the files will be protected against ransomware and destruction, in compliance with your regulatory requirements, until the retention period has passed. Highly critical data can also be placed under Hold, which adds an additional layer of protection. Files within a TripleLock Archive in Hold status cannot be deleted until the Hold has been released. TripleLock Archives can have both Retention-based deletion and Hold: files have the additional level of protection until the Hold has been released, and then your Retention policies take over. Legal hold overrides the Retention period defined on the immutable storage. You might have data in immutable storage with a 60-day retention. By placing this data on Hold you override this retention period. Once a retention period is defined, the policy is applied to all objects already in the container and to each new file added to the container. By placing a hold on the container, you protect all of the data in that container until the hold is released.
SISCIN TripleLock is not a replacement for good backups. Archiving solutions like SISCIN archive data at the file level and make copies of these files in Cloud Storage. Backup solutions stream data at the block level, which makes them ideal for disk or share backups. While SISCIN can archive massive amounts of data to the cloud, it does take longer than streaming data at the block level. The advantage of SISCIN is that you can archive critical files to immutable cloud storage, index those files for eDiscovery and other compliance-related requirements, replace the files on disk with small stub links and quickly restore individual critical files or directories in the event of a data loss, ransomware attack or accidental deletion.
Developing your Data Recovery Strategy
Every organization must have a strategy for recovering data in the event of an attack, disaster, or hardware failure. The goal of those targeting your organization with Ransomware is to disrupt your operations to the point that paying them to get your data back is your best short-term option. By combining industry-standard backup and SISCIN archiving strategies not only is your data protected, but your most critical data can be accessed immediately in the event of a Ransomware attack, destruction, or in the event of hardware failure.
Backup your Data Frequently
Every organization should back up data frequently. Without good backups, your organization cannot effectively recover from the loss of hardware, accidental deletion, or ransomware attacks. Backups typically target specific drives or shares and stream the entire contents to a very large file. Because these files become so large, storing them can become an issue, and finding individual files or folders and restoring just their contents can take a very long time. Backup is best for restoring large volumes of data, not individual files or groups of files.
SISCIN Helps You Identify Your Organization’s Critical Files
Using SISCIN, run Storage Analysis reports identifying the location of your most critical data. This data may be financial (spreadsheets or other reports), projects, engineering documents like AutoCAD files, legal documents such as contracts, HR files or other business-critical files. SISCIN reports that identify files using file types are especially helpful. SISCIN will show you how many of these files you have and where they reside. You can use SISCIN Vue-X Search to identify files and folders by keyword content as well.
TripleLock Archive Your Most Critical Data
SISCIN TripleLock Policies enable you to target and archive specific file types and folders, so that the critical files you need to run your organization, or that are required for regulatory compliance, are stored encrypted and compressed in your immutable storage, out of the reach of bad actors such as Ransomware attackers, and protected for regulatory compliance.
Here is an example of a SISCIN Policy that does just that:
Frequently Asked Questions
Are we limited to a single TripleLock Archive?
No. Using SISCIN TripleLock you can create different archives for different sets of requirements. We recommend creating different TripleLock Archives to match the purpose of the files. Create TripleLock Archives with retention periods to match regulatory compliance and then create additional archives for organization-critical files that simply cannot be lost to Ransomware or accidental destruction.
How long should we set our retention policies?
Retention periods assigned to your TripleLock archives must be carefully considered. Archiving highly active files will result in multiple revisions of these files being stored for the duration of your retention period. SISCIN allows you to restore the last 10 revisions of the same file but you could have many more in an archive that are inaccessible. Critical Files that are frequently updated during day-to-day operations should use shorter retention periods. Files that do not change often and fall under regulatory policies can be retained longer based on the requirements of those policies.
How do retention policies affect files already in an archive?
Retention starts on the date/time the file is archived. This means that if you have an existing archive and you apply a TripleLock retention period, the retention period for the files already in that archive starts from when the files were originally archived. If you set a retention period of 5 years and you have files that have been in the archive for 1 year, these files will be eligible for deletion in 4 years.
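The retention and Hold rules described above (retention counted from the original archive date, Hold blocking deletion until it is released) can be checked with a short calculation. This is an added example, not SISCIN code; the function names, the sample dates, and the choice to treat a file as deletable on the expiry date itself are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Retention:
    """Retention period; the page gives examples in days (60) and years (5)."""
    years: int = 0
    days: int = 0


def retention_expiry(archived_on: date, retention: Retention) -> date:
    """Expiry is measured from the archive date, not from the day the policy is set."""
    try:
        shifted = archived_on.replace(year=archived_on.year + retention.years)
    except ValueError:  # archived on 29 Feb and the target year is not a leap year
        shifted = archived_on.replace(year=archived_on.year + retention.years, day=28)
    return shifted + timedelta(days=retention.days)


def can_delete(archived_on: date, retention: Retention, on_hold: bool, today: date) -> bool:
    """A Hold blocks deletion outright; once it is released, retention decides.

    Assumption: a file becomes deletable on the expiry date itself.
    """
    if on_hold:
        return False
    return today >= retention_expiry(archived_on, retention)


def days_until_deletable(archived_on: date, retention: Retention, today: date) -> int:
    """Days of protection left under retention alone (0 if already expired)."""
    return max((retention_expiry(archived_on, retention) - today).days, 0)


if __name__ == "__main__":
    # Constructed sample: a file archived one year before a 5-year policy is applied.
    archived = date(2020, 6, 1)
    policy_applied = date(2021, 6, 1)
    five_years = Retention(years=5)
    print("expires:", retention_expiry(archived, five_years))
    print("days left:", days_until_deletable(archived, five_years, policy_applied))
    print("deletable while on Hold, after expiry:",
          can_delete(archived, five_years, on_hold=True, today=date(2026, 1, 1)))
```

Running the same calculation over an archive inventory before applying a policy shows which existing files will have little or no retention protection left.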
The threat of email attacks has never been greater. Preventing an email attack and minimising its damage is top of the agenda for IT and Security departments across the globe. You can find more information on this topic here.
Ask Waterford Technologies for Help
Our experts on the SISCIN Customer Support Team will be happy to discuss your organization's requirements and assist you in developing a critical data protection strategy, so that your most important data is safe, in compliance with your regulatory requirements, and protected against Ransomware attacks or other malicious actions. Once that strategy has been defined, the SISCIN Team can help you run the right analysis reports and then assist you in creating sample policy templates that you can use to protect your data across your entire environment. Protecting your file data needs to be a priority for your organisation.