Veeam Backup Protection: Cybercriminals look for multiple routes to infiltrate a network, so cybersecurity measures need to be equally comprehensive. In the context of protecting Veeam backup files and the storage volumes that hold them, there are many recommended best practices. Unfortunately, some of these measures may not be practical for branch or remote office deployments because of resource limitations or other logistical challenges. Having multiple remote offices broadens the attack surface available to hackers, so here we look at some common challenges and at how application fingerprinting technology can offer a cost-effective and easy-to-deploy security solution for remote office installations.
On-premises backups have become the primary target
It is now an everyday occurrence that a company falls victim to a cyber-attack only to find that its backups have been compromised along with other files essential to business operations. Backups should serve as an insurance policy that enables operations to be restored following an attack, but of course cybercriminals know this and set out to locate and encrypt backups first.
There are many best practice recommendations available for securing a Veeam Backup & Replication architecture. The objective is to place as many hurdles in the way of attackers as possible. We covered these in our previous article Quick tips for Veeam® Backup Security, so we will not repeat them in detail here; instead we highlight those practices which may prove difficult at remote locations or cost-prohibitive for many companies.
Object storage and OS hardening
The usual practice for a corporate headquarters backup process is to have an on-site Veeam backup repository that stores 14 to 30 days of backup data locally. The system administrator then has several options for protecting this backup data. One option is to send copies of the primary backup data to S3-based object storage in the cloud, which can then take advantage of object-lock technology. This could be an immediate copy of the backup data, or alternatively an aging-out process where, for example, backup data more than 14 days old is copied to the object store.
Object storage is typically deployed in the cloud, but on-premises solutions are becoming more popular. While both are certainly solid security options, for many organisations the cost of these services will be prohibitive.
With the release of Veeam V11, the option of replicating backups to a hardened Linux-based backup repository became available. This is a very popular option for organisations that already use Linux within their infrastructure and have the appropriate skills in-house. Unfortunately, with Linux having less than 2% worldwide coverage as a desktop operating system, many organisations are reluctant to undertake the learning curve, or to add the skills required, to introduce Linux into their Windows-dominated architecture.
In the context of branch and remote offices the prevalence of Linux is even lower. Additional challenges may include less-than-optimal network connectivity for the use of cloud-based backup solutions, and a general lack of on-site technical resources.
Hardening a Windows-based system is far more difficult: it is a much larger OS than Linux and, unfortunately, a victim of its own popularity. The security of an operating system depends to a large degree on the size of its installed base. For malware authors, Windows provides a massive playing field, so concentrating on it gives them the biggest return for their efforts.
Hardening a Windows® Veeam Repository for remote offices
Veeam offers some great best practice resources for securing a backup environment, including tips for Hardening a Backup Repository running on Windows; however, these steps will never result in a truly hardened Windows platform. If these steps are followed the environment will certainly be harder for cybercriminals to infiltrate, but Veeam backup volumes will still be vulnerable.
Remote sites typically use local storage as a staging area for backups of up to one week in age, and having backups reside on local storage provides the fastest possible recovery time. While cloud-based object storage is effective, the network bandwidth limitations at remote sites may make it impractical for meeting recovery time objectives in the event of a cyberattack, or in any other disaster recovery scenario.
Blocky for Veeam® offers a solution for both remote and head office Windows-based backup repositories using local storage that prevents any unauthorised system process from modifying the content of designated backup volumes or folders.
The system administrator selects which storage volumes or first-level folders need to be protected, and then instructs the Blocky for Veeam® filter driver utility to perform an application fingerprint analysis of the required Veeam Backup & Replication application processes. Once protection has been enabled, only those fingerprinted processes are able to write to the protected volumes. No malware could masquerade as a Veeam application process, as it would not match the application fingerprint that has been created from the genuine Veeam processes.
Early detection is vital to limit the damage of a cyberattack
Malware payloads and subsequent ransomware demands are typically launched after the hackers involved have worked undetected within the IT infrastructure for quite some time. This happens when ‘zero-day’ vulnerabilities have been exploited to gain access to the network. These can take the form of new loopholes in the OS or network hardware, or simply new malware that is unknown and therefore not present in current antivirus definition files.
Even though deploying a hardened Linux-based Veeam backup repository will be effective in stopping backup files from being compromised, the Linux repository itself will not raise an alert on any unauthorised access attempts or other suspicious network behaviours.
Blocky for Veeam®, by contrast, can send alerts of any unauthorised access attempts via system log files, email, SMTP and the Blocky for Veeam® logging panel when an administrator has the GUI open. Early detection of suspicious activity, especially from ‘zero-day’ threats, can go a long way towards limiting the damage caused by a cyberattack.
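To make the two points above concrete (fingerprinted processes being the only ones allowed to write to a protected volume, and a denied attempt producing an alert), here is an added toy model in Python. It is not Blocky's or Veeam's code: the executable "images" are constructed byte strings, the SHA-256 of the image stands in for the application fingerprint, and the volume path and process names are assumed for the example.

```python
"""Toy model of fingerprint-gated writes to a protected backup volume.
Constructed illustration (not Blocky's or Veeam's code): SHA-256 of the
executable image stands in for the application fingerprint."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Process:
    name: str     # image name as shown in the process list
    image: bytes  # executable contents (constructed stand-ins here)

def fingerprint(image: bytes) -> str:
    """Fingerprint of the executable contents, independent of its file name."""
    return hashlib.sha256(image).hexdigest()

@dataclass
class WriteGate:
    protected: set[str]                              # volumes / first-level folders
    allowed: set[str] = field(default_factory=set)   # enrolled fingerprints, not names
    alerts: list[str] = field(default_factory=list)  # one entry per denied write

    def enroll(self, proc: Process) -> None:
        """Fingerprint a genuine backup process during setup."""
        self.allowed.add(fingerprint(proc.image))

    def check_write(self, proc: Process, path: str) -> bool:
        """True if the write may proceed; a denied write is recorded as an alert."""
        if not any(path.lower().startswith(p.lower()) for p in self.protected):
            return True  # outside the protected tree: ordinary ACLs apply
        if fingerprint(proc.image) in self.allowed:
            return True
        self.alerts.append(f"DENIED {proc.name} -> {path} fp={fingerprint(proc.image)[:12]}")
        return False

# Constructed stand-ins: identical image name, different executable contents.
GENUINE = Process("VeeamAgent.exe", b"stand-in for the real Veeam agent binary")
IMPOSTOR = Process("VeeamAgent.exe", b"stand-in for ransomware renamed to look like Veeam")

def demo() -> tuple[dict[str, bool], list[str]]:
    gate = WriteGate(protected={"E:\\VeeamBackups\\"})
    gate.enroll(GENUINE)
    results = {
        "genuine": gate.check_write(GENUINE, "E:\\VeeamBackups\\job1.vbk"),
        "impostor": gate.check_write(IMPOSTOR, "E:\\VeeamBackups\\job1.vbk"),
        "impostor_outside": gate.check_write(IMPOSTOR, "C:\\Users\\bob\\notes.txt"),
        "impostor_by_name": IMPOSTOR.name == GENUINE.name,  # a name-only check would pass it
    }
    return results, gate.alerts
```

The last result shows why the fingerprint, not the process name, is what the gate must trust: the renamed impostor passes a name check but is denied and alerted on by the fingerprint check.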
Branch & remote offices are a key entry point for cyberattacks. Due to on-site challenges, security solutions using cloud technologies, tape archives or a hardened Linux OS may be impractical