Ransomware Protection with Commvault’s Modernized Air Gap

By David Cunningham

Cyber threats are continuously evolving at an accelerated pace. Ransomware is often the leading antagonist, leaving organizations crippled and at the mercy of cybercriminals. Commvault helps organizations protect and recover data so business operations can resume quickly. However, as threats evolve, even backup and recovery platforms are at risk from ransomware. This has led to next-generation security controls such as immutability and multi-factor authentication (MFA) to mitigate these invasive threats. What about traditional air gap solutions? Is air gapping a viable defense against ransomware? In some cases, air gapping by itself may not be enough protection; conversely, immutability and MFA may not be enough on their own either. Layering immutability, MFA, and Commvault's modernized air gap controls, however, provides a highly effective solution for mitigating these threats. Let's dive into this further.

Understanding the basics of ransomware

First, let's understand how ransomware works at a high level. I like to think of ransomware as a symptom rather than the catalyst. Most of the ransomware incidents we see today began as an Advanced Persistent Threat (APT) that was introduced into the environment through a targeted, socially engineered phishing attack. For example, you may get an email from what appears to be a legitimate source (such as your employer or bank) that tricks you into downloading a malicious application, which establishes the APT's foothold. The APT keeps itself hidden in the environment while it does reconnaissance: looking for user accounts and data to steal, and locating resources to infect. APTs use "off the shelf" tools built into many operating systems to remain hidden, collect data, and spread ransomware, and they take advantage of exposed, exploitable protocols to move around the environment. APTs have also been known to take down backup applications and their data, as you can see from the Ryuk ransomware breakdown. Threats that move and spread across the network in this way are called lateral moving threats. Once the APT has done its work, the ransomware is released like a time bomb.

This is key to understanding how air gapping provides an effective layer of security. The working assumption is that ransomware will find its way into your environment if there is any exposure to public networks such as the internet. This was especially true during the COVID-19 pandemic, when organizations adopted "work from home" policies that let end users connect into the work environment, creating more exposure and more entry points for threats. Backup storage targets that are air-gapped within the organization, however, are shielded from lateral moving threats.

What is traditional air gapping?

We established that air gapping has value. When you think of air gapping, you might immediately think of tape backups or the classic "government" dark site. Both offer protection against lateral movement of threats, since tapes are removed from the library and dark sites are isolated with no persistent connections to public networks. However, both are slow and a poor fit for modern environments that need accessibility and rapid recovery. Organizations are looking for air gap principles applied to modern storage, including cloud targets, to limit lateral moving threats while providing a seamless recovery experience when it is needed.

Commvault’s modernized air gap

Commvault's approach to air gapping allows organizations to maintain efficient recovery point and recovery time objectives while reducing the impact of lateral moving threats.

The most accessible air gap solution offered by Commvault is Metallic™ Cloud Storage Service (MCSS). With MCSS, there are no persistent connections to the storage: all data resides in Metallic Cloud and is only accessed via authenticated API calls. Direct access to the cloud storage is not possible, because the storage credentials are never exposed to the customer environment. The storage is secure, scalable, and accessible. When ransomware infects the environment, it cannot reach the cloud storage directly, since the storage is virtually air-gapped; this reduces the reach of lateral moving threats. Note that the isolation covers the storage, not the backup platform that calls it, which is why the immutability and MFA controls still belong in the layered solution. MCSS is built into Commvault data protection solutions and preconfigured. It is as simple as applying a license and selecting the storage; no additional infrastructure or settings are required.

For organizations that cannot use the cloud, Commvault's Network Topologies and built-in intelligence for managing persistent connections to storage provide an on-premises air gap. This solution segments and compartmentalizes the storage: all incoming communication to the storage is blocked, and data is pulled into the isolated storage rather than pushed to it. The connection itself is air-gapped by automatically controlling the power state of the virtual gateways or data movers that front the storage, so there is no persistent path to it between jobs. The solution requires minimal infrastructure and can be applied to Commvault HyperScale™ and just about any storage.

To protect the backup content itself, Commvault's machine learning framework detects anomalous activity and unusual changes to the content. Events and notifications are triggered automatically so customers can respond proactively. Removing infected files from the backups is as simple as browsing the content and selecting the items to erase. Check out the YouTube video demonstration, Avoid ransomware reinfection with Commvault, to see how this works. This ensures the backup data is clean and ready for recovery.
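As an added illustration, not Commvault's framework (whose internals this post does not describe), here is a simple baseline-and-threshold check of the kind a practitioner might run over per-job backup statistics to catch mass encryption. The JobStats fields, the three signals (change ratio against the client's own history, extension churn, and mean entropy of modified files), the thresholds, and the sample data are all assumptions constructed for the example.

```python
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, 8.0 for uniform (encrypted) bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class JobStats:
    """Per-job summary a backup agent could report (assumed fields, not a Commvault schema)."""
    job_id: str
    files_scanned: int
    files_modified: int
    files_with_new_extension: int  # modified files whose extension changed since the last job
    mean_entropy: float            # mean shannon_entropy() of the modified files, bits per byte


def change_ratio(job: JobStats) -> float:
    """Fraction of scanned files that changed since the previous job."""
    return job.files_modified / job.files_scanned if job.files_scanned else 0.0


def extension_churn(job: JobStats) -> float:
    """Fraction of modified files that were also renamed to a new extension."""
    return job.files_with_new_extension / job.files_modified if job.files_modified else 0.0


def flag_anomalies(history, candidate, *, z_threshold=3.0, churn_threshold=0.2,
                   entropy_threshold=7.5, min_history=5):
    """Return the reasons the candidate job looks like mass encryption; an empty list means normal.

    The baseline is the same client's previous jobs, so a client that legitimately churns a lot
    gets a wider envelope. All thresholds are assumptions chosen for illustration.
    """
    if len(history) < min_history:
        raise ValueError(f"need at least {min_history} prior jobs to build a baseline")
    ratios = [change_ratio(j) for j in history]
    mu = mean(ratios)
    sigma = max(pstdev(ratios), 0.01)  # floor keeps a flat baseline from dividing by ~0
    reasons = []
    r = change_ratio(candidate)
    z = (r - mu) / sigma
    if z > z_threshold:
        reasons.append(f"change ratio {r:.2f} is {z:.0f} sigma above baseline {mu:.3f}")
    churn = extension_churn(candidate)
    if churn > churn_threshold:
        reasons.append(f"{churn:.0%} of modified files changed extension")
    if candidate.mean_entropy > entropy_threshold:
        reasons.append(f"mean entropy {candidate.mean_entropy:.2f} bits/byte looks encrypted")
    return reasons


# Constructed sample content: a plaintext document versus bytes that stand in for ciphertext.
TEXT_SAMPLE = b"Quarterly report draft: revenue, headcount and open risks by region.\n" * 20
CIPHERTEXT_SAMPLE = bytes(range(256)) * 16  # every byte value equally likely, entropy 8.0

# Constructed history: seven ordinary nightly jobs on one client, then two candidate jobs.
HISTORY = [
    JobStats("j1", 100_000, 2_000, 3, 4.7),
    JobStats("j2", 100_000, 3_000, 1, 4.9),
    JobStats("j3", 100_000, 2_500, 0, 4.6),
    JobStats("j4", 100_000, 3_500, 4, 5.1),
    JobStats("j5", 100_000, 3_000, 2, 4.8),
    JobStats("j6", 100_000, 2_000, 0, 4.5),
    JobStats("j7", 100_000, 4_000, 5, 5.0),
]
NORMAL_JOB = JobStats("j8", 100_000, 3_000, 2, shannon_entropy(TEXT_SAMPLE))
ENCRYPTED_JOB = JobStats("j9", 100_000, 63_000, 61_000, shannon_entropy(CIPHERTEXT_SAMPLE))


def demo():
    """Run both candidates against the baseline and return the verdicts by name."""
    return {
        "normal": flag_anomalies(HISTORY, NORMAL_JOB),
        "encrypted": flag_anomalies(HISTORY, ENCRYPTED_JOB),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["no anomaly"])
```

Entropy alone is a weak signal, since compressed archives and already-encrypted files also score near 8 bits per byte; that is why the check is scored against the client's own history and combined with the change-ratio and extension-churn signals rather than used on its own. A job that trips the check is the point at which a notification should fire, before the suspect content is relied on for recovery.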

Putting the security pieces together for maximum ransomware protection

At this point, you might be thinking: why bother with an air gap solution when I have immutable storage locked down with MFA controls? There is no doubt that immutability and MFA are integral parts of a layered solution; however, they do not address lateral moving threats. Immutability stops a compromised account from altering or deleting the backups, and MFA makes that account harder to take over, but neither keeps an attacker who is already inside the network from reaching the storage and looking for a way to exploit it.

Let's use the analogy of a combination safe. If your offline bitcoin wallet is stored in a safe, is it safer sitting in plain sight for an intruder to see, or hidden and secured somewhere in your house? Even though the safe is locked, why expose it to additional risk? An intruder does not need the combination to get into the safe; they need a way to exploit the safe. The most secure option is to keep the wallet in a lockbox at a remote secured facility such as a bank, where it is air-gapped and unreachable. Now you have eliminated the exposure to an intruder altogether.

The same applies to backups: your storage should be immutable and protected with MFA controls. Segmenting, isolating, and air-gapping it further reduces the risk by removing the attack path to the storage itself.

Fighting ransomware with Commvault’s layered security approach

Taking a layered approach to securing backup data provides the best overall protection against threats such as ransomware. Commvault's modernized approach to air gapping is simple to adopt, and it provides the protection against lateral moving threats that the other layers do not, so customers can be assured their data is recovery ready.