Data Management

Cyber security insurers say ‘immutability’ is a must-have, along with everything else

Ransomware attackers are going after backups. Be ready (and immutable).

Every plan needs a good backup plan—unfortunately, ransomware operators want to encrypt that too.

As ransomware attackers increasingly target secondary copies of data, cybersecurity insurers are asking not just that you have backups, but that you protect them. Or make them, in a word: immutable.

“Immutable” means unable to be modified—like your dad’s vacation itinerary, or how tweets used to be. While not a perfect solution, immutable backups are a reassuring safeguard for security professionals, especially when placed alongside additional controls.

“It’s almost like extra credit,” said Jason Rebholz, CISO at Corvus Insurance. “It’s not necessarily required for getting insurance, but it’s going to be looked upon favorably, because you’re putting in an extra layer of defense against those backups getting deleted.”

Immuta-wha? Immutable storage, by definition, refers to data that exists in a form that cannot be tampered with.

On-site, the unchangeable, “write-once, read-many” setting exists for conventional storage media, including tapes and disks. On-cloud, companies like NetApp, Dell, Microsoft (with Azure), and Google (with Cloud) offer immutability.

A number of ransomware attacks have gone after backup data. Monti ransomware, discovered in late June 2002, used a PowerShell script to pull credentials from Veeam backup software.

Has the IT services company Airiam seen backup attacks? “I would say every ransomware we’ve been involved in probably for the last 24 months,” said Conor Quinlan, CEO of the company, which assists in ransomware recovery.

Wait, wait, wait, backup. Immutability, however, is not invincibility; ransomware threat-actors can still find a hiding place in the most locked-down data, according to John Burke, CTO at Nemertes, who said that attackers can “pre-infect” data with a command signal that initiates at a predetermined time.

“When you restore [data] from your immutable backup, that time bomb is still embedded in the file, and it will encrypt itself or do whatever else it is supposed to do as soon as it’s been restored,” Burke told IT Brew. “So, at that level, immutable backup by itself is no longer sufficient.”

3-2-1. When immutability alone is insufficient, additional controls are often recommended alongside the “extra-credit” option.

The well-known 3-2-1 backup rule, for example, calls for saving multiple data copies on different devices and in different locations: three data replicas on two different media (say, disk and tape) with one copy off-site (with different credentials). “There is not a decision to be made, whether I should keep my backups on premises or in the cloud; the customer should keep doing both,” said Nilay Patel, VP of sales at the cloud-storage company Backblaze.
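As an added illustration (not from the article or from any vendor it names), the following Python audits a backup inventory against the 3-2-1 rule as described above, plus the immutability control. The `Copy` fields, site names and account names are constructed for the example, and counting the production copy as one of the three replicas is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    media: str        # e.g. "disk", "tape", "cloud-object"
    site: str         # where the copy lives
    credential: str   # identity able to write or delete this copy
    immutable: bool   # write-once, read-many retention enabled

def audit_321(copies, primary_site):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s), need 2")
    offsite = [c for c in copies if c.site != primary_site]
    if not offsite:
        findings.append("no off-site copy")
    else:
        # An off-site copy only helps if stolen on-site credentials
        # cannot be used to delete or encrypt it.
        onsite_creds = {c.credential for c in copies if c.site == primary_site}
        if all(c.credential in onsite_creds for c in offsite):
            findings.append("off-site copy shares credentials with on-site copies")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    return findings

# Constructed inventories (hypothetical names, not real systems).
WEAK = [
    Copy("prod-nas", "disk", "hq", "svc-backup", False),
    Copy("local-repo", "disk", "hq", "svc-backup", False),
    Copy("cloud-bucket", "cloud-object", "cloud-region-a", "svc-backup", False),
]
HARDENED = [
    Copy("prod-nas", "disk", "hq", "svc-backup", False),
    Copy("tape-vault", "tape", "hq", "svc-tape", False),
    Copy("cloud-bucket", "cloud-object", "cloud-region-a", "cloud-writer", True),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_321(inv, primary_site="hq") or "passes")
```

The weak inventory has three copies on two media with one off-site, yet still fails: one compromised backup account reaches every copy, and nothing is immutable.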

Other important controls that create a resilient data-management architecture when added to immutability, Quinlan told IT Brew: multi-factor authentication, managed detection and response, and network segmentation, to name a few.

“There’s a whole bunch of other controls that you’ll see in standard cybersecurity frameworks, that are common, that different industries will mandate, but the real challenge, and why this happens, is those best practices are not always implemented, or the things that they implemented are not always maintained,” said Quinlan.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
