Cyber Detection: A Must-Have in Primary Storage

By Eric Herzog

Enterprise storage is a critical component of a comprehensive corporate cybersecurity strategy. If an enterprise does not include cyber storage resilience in the measures it takes to secure its IT infrastructure, it is the equivalent of going on vacation and leaving the back door and back windows of your house open: you have made it easier for criminals to walk right in and take your valuables. Endpoint security, network security, and the security of servers and applications are all needed, but you leave your organization vulnerable if you do not also include cyber storage resilience. One of the key capabilities that has emerged in 2023 as part of an integrated, modernized storage solution is cyber detection.

Ransomware and malware have turned out to be a true scourge on organizations, and it’s not slowing down. It’s not “if” a cyberattack will hit your organization. It’s “when” and “how often.” On average, an enterprise gets attacked 1,168 times per week. The estimated cost of cybercrime in 2023 is projected to be $8 trillion (USD) and scaling to $10.5 trillion in 2025, according to Cybersecurity Ventures. Companies are paying large amounts of money to get their data back. The impact of cyberattacks is often devastating.

This is why, if an enterprise does not have cyber storage resilience built into its corporate cybersecurity strategy, it is not really a comprehensive strategy for dealing with this very powerful threat. How valuable is a company's financial asset database? What data is considered a high priority at your organization? Imagine a cyberattack that gets through and hits your data in a way you have no defense against, because your company neglected to raise its level of cyber resilience. What will be the fallout? Who will be blamed? What can be done now to prevent such a disastrous scenario?

It has become more challenging to protect everything because enterprise environments are much more distributed, with data everywhere. Data is at the core of the infrastructure and all the way out to the edge. There are different types of data as well as different data platforms. When a cyberattack hits your organization, the speed and quality of your recovery process makes a huge difference. If you are spending all day – or several days – trying to recover data, it means you are spending costly time on recovering, rather than on running operational tasks that make your business money or deliver critical services that your customers need. It’s no longer good enough to say, “Well, we can recover in four hours.” This slow recovery can have a big, negative impact on your business.

A better approach is early detection: flag indications of data corruption as soon as they appear, before they spread through your copies. You should then be able to roll back as quickly as possible to a known good copy of your data. If you cannot do that, you will lose valuable uptime, which is no longer acceptable in the corporate world or in the mission-critical world of healthcare, government, utilities, or financial services.

Cyber resilience entails immutable snapshots, logical air gapping, fenced forensic environments, and rapid recovery – preferably guaranteed. The fenced environment provides a place where a known good copy of data can be identified. Now that recovery can be done in under one minute with the latest technology advancements, the pivotal question is: How do you get to a known good copy of data, in order to do the near-instantaneous recovery? This is where cyber detection comes in. 

Cyber detection can essentially be used in two ways. One way is as an early warning system. You scan the immutable snapshots for indications of a cyber intrusion. You choose what to scan; you do not have to scan the whole snapshot. You can scan databases of all types, as well as files, volumes, and workloads. It is your decision. If the scan returns something that looks strange, the automated cyber detection capability sends an email and creates an alert. That is the early warning signal.

The other way is for when your enterprise is attacked. In order to do a rapid recovery that will neutralize the effects of the cyberattack, you need a known good copy of the data. The last thing you want to do is recover immutable snapshots that have malware or ransomware hidden inside them. Before cyber detection, you would not necessarily know whether malware or ransomware was in there. 

In a forensic fenced environment, you can do cyber detection of the immutable snapshots to identify the known good copy of data – and this is done on primary storage. You no longer need to call the Oracle team or the SAP team to have them take a look at the data in the fenced area. You can do the scanning yourself in the fenced forensic environment through the storage platform with cyber detection capabilities. You can better manage the process of ensuring a known good copy of data that is then recovered rapidly.
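Both uses described above, the early-warning scan of a single snapshot and the search through a series of immutable snapshots for the newest clean one, come down to the same scanning logic. The following is an added example written for this article, not code from the author or from any storage vendor's product. It assumes a hypothetical in-memory representation of snapshots (a name plus a path-to-bytes mapping) in place of a real storage platform's snapshot API, and its indicators (ransom-note filenames, appended extensions, a Shannon-entropy threshold, and a mass-change ratio between consecutive snapshots) are illustrative assumptions, not any product's detection rules. The sample snapshots at the bottom are constructed.

```python
import math
from collections import Counter
from dataclasses import dataclass
from random import Random

# Illustrative indicators only (assumptions for this example, not a vendor's
# detection rules). Encrypted content sits near 8 bits/byte of entropy;
# plain text sits around 4-5, so 7.5 separates the two for this sample.
RANSOM_NOTE_NAMES = {"README_TO_DECRYPT.txt", "HOW_TO_RESTORE_FILES.html"}
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")
ALREADY_DENSE = (".zip", ".gz", ".jpg", ".png")   # legitimately high entropy
ENTROPY_THRESHOLD = 7.5                            # bits per byte
MASS_CHANGE_RATIO = 0.5    # fraction of files rewritten since the prior snapshot


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Snapshot:
    """A point-in-time copy (hypothetical stand-in for a storage snapshot)."""
    name: str
    files: dict          # path -> file contents


@dataclass
class ScanResult:
    snapshot: str
    findings: list

    @property
    def clean(self) -> bool:
        return not self.findings


def scan_snapshot(snap, previous=None, paths=None) -> ScanResult:
    """Scan a whole snapshot, or only `paths`, for ransomware indicators.
    Passing the prior snapshot as `previous` enables the mass-change check."""
    findings = []
    for path in (paths if paths is not None else snap.files):
        content = snap.files.get(path)
        if content is None:
            continue
        name = path.rsplit("/", 1)[-1]
        lower = name.lower()
        if name in RANSOM_NOTE_NAMES:
            findings.append(f"ransom note dropped: {path}")
        if lower.endswith(SUSPECT_EXTENSIONS):
            findings.append(f"ransomware extension: {path}")
        elif not lower.endswith(ALREADY_DENSE):
            h = shannon_entropy(content)
            if h > ENTROPY_THRESHOLD:
                findings.append(f"high entropy ({h:.2f} bits/byte): {path}")
    if previous is not None and previous.files:
        changed = sum(1 for p, c in previous.files.items() if snap.files.get(p) != c)
        ratio = changed / len(previous.files)
        if ratio >= MASS_CHANGE_RATIO:
            findings.append(f"mass change: {ratio:.0%} of files differ from {previous.name}")
    return ScanResult(snap.name, findings)


def format_alert(result: ScanResult) -> str:
    """Body of the early-warning notification; the email/ticket hook itself
    belongs to the storage platform and is not modelled here."""
    lines = [f"ALERT: snapshot {result.snapshot} shows {len(result.findings)} indicator(s)"]
    lines += [f"  - {f}" for f in result.findings]
    return "\n".join(lines)


def find_known_good(snapshots):
    """Walk snapshots newest to oldest, as you would in a fenced forensic
    environment, and return (name of the newest clean snapshot or None, results)."""
    results = []
    for i in range(len(snapshots) - 1, -1, -1):
        prev = snapshots[i - 1] if i > 0 else None
        result = scan_snapshot(snapshots[i], previous=prev)
        results.append(result)
        if result.clean:
            return snapshots[i].name, results
    return None, results


# Constructed sample data: three daily snapshots of a small file share.
LEDGER = b"date,account,amount\n2023-09-01,4001,1200.00\n2023-09-02,4002,87.50\n"
POLICY = b"Remote work policy v3: laptops must be full-disk encrypted.\n"
REPORT = b"Q3 pipeline review: 14 opportunities, 3 closed-won.\n"
RUNBOOK = b"# Restore runbook\n1. fence the snapshot\n2. scan\n3. promote\n"
_rng = Random(2023)   # seeded so the fake "encrypted" payloads are reproducible


def _ciphertext(n=4096):
    return bytes(_rng.getrandbits(8) for _ in range(n))


SNAPSHOTS = [
    Snapshot("snap-01", {"finance/ledger.csv": LEDGER, "hr/policy.txt": POLICY,
                         "sales/q3.docx": REPORT, "ops/runbook.md": RUNBOOK}),
    Snapshot("snap-02", {"finance/ledger.csv": LEDGER + b"2023-09-03,4003,42.00\n",
                         "hr/policy.txt": POLICY, "sales/q3.docx": REPORT,
                         "ops/runbook.md": RUNBOOK}),
    # Day 3: ransomware rewrote and renamed three files and dropped a note.
    Snapshot("snap-03", {"finance/ledger.csv.locked": _ciphertext(),
                         "hr/policy.txt.locked": _ciphertext(),
                         "sales/q3.docx.locked": _ciphertext(),
                         "ops/runbook.md": RUNBOOK,
                         "README_TO_DECRYPT.txt": b"Your files are encrypted. Pay to restore.\n"}),
]

if __name__ == "__main__":
    good, results = find_known_good(SNAPSHOTS)
    for r in results:
        if not r.clean:
            print(format_alert(r))
    print("known good copy for recovery:", good)
```

Run as a script, it reports snap-03 as suspect (three renamed files, the ransom note, and 75% of files changed since snap-02) and names snap-02 as the known good copy. The entropy check is what catches an attacker who encrypts files in place without renaming them; the mass-change check is what catches one who overwrites many files with low-entropy garbage. Note that a snapshot with no findings is one on which these indicators did not match, not a proof of absence, so tune and extend the indicator list for your own data and treat a clean result as the starting point for recovery rather than the end of the investigation.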

A lesson learned is that you need to be able to recover not just from the backup system, but also from the primary storage system. You may not be able to rely solely on backup data, which may itself have been compromised at some point down the line. By scanning on primary storage earlier in the process, you can identify the good copies of data before they are copied onward to backup. You are moving closer to the ingress point of the data so that, when the data lands on the system and you take a snapshot, it is clean and its integrity is known. When you recover, you recover clean data, free of ransomware and malware. Keep in mind that a clean scan means no indicator matched, not that nothing is there, so pair it with an investigation of how the attacker got in before putting the recovered data back into production. Ultimately, this is a smart way to neutralize a ransomware or malware attack.