HPE Shadowbase Digital Resilience* and Data Recovery Solutions

Recover Critical Applications and Data After a Malware* or Ransomware* Attack

Enterprises around the globe are racing to protect themselves because Malware and Ransomware have become massive and potentially existential threats.

A comprehensive defense requires multiple layers of protection, including strong Data Resilience.

Gravic has provided Digital Resilience solutions for 40+ years: use HPE Shadowbase software to replicate data into immutable storage* and quickly recover applications on an air-gapped*, isolated*, and hence fully protected system.

Global Impact

According to Malwarebytes:
  • 1,900 total Ransomware attacks occurred within just four countries – the U.S., Germany, France, and the U.K. – in one year.”
  • “The U.S. shouldered a hefty 43 percent of all global attacks.
  • “A total of 48 separate Ransomware groups attacked the U.S. in the observed period.”
  • “If more groups start adopting CL0P’s zero-day exploitation techniques, the Ransomware landscape could tilt from service-oriented attacks to a more aggressive vulnerability-focused model – a move that could skyrocket the number of victims.”
According to Veeam:
  • 93% of attacks targeted backup repositories.”
  • “4% of Ransomware victims paid the ransom and could not recover their data.”
  • “77% of payments were covered by insurance.”
  • “On average, only 66% of affected data was recoverable.”

Malware and Ransomware Require Multiple Layers of Resilience

Malware and Ransomware Recovery architectures require an innovative approach with distinct personnel, processes, procedures, hardware, software, and infrastructure from existing Disaster Recovery (DR) and Business Continuity (BC) architectures.

Business Continuity with Digital Resilience Requires:

  1. Digital Resilience (Applications, System, Network and Infrastructure)
  2. Data Resilience (Database Replication and Validation, Encryption, and Tokenization)
  3. Cyber Resilience (Protection, Security, Scanning, and Monitoring)

HPE Digital Resilience Framework

HPE Digital Resiliency Framework based on the NIST* Cybersecurity Standards

  1. IDENTIFY Understand environment
    • Identify assets to protect
  2. PROTECT Implement safeguards and controls
    • Zero Trust Security
    • Data Protection
    • Rigorous security hardening
  3. DETECT Discover cyber events
    • Monitor activity (use AI/ML)
    • Monitor environment integrity
  4. RESPOND Actions to deal with attacks
    • Standard operating procedures
  5. RECOVER – Maintain resilience and business continuity
    • Data backup and recovery strategy
    • Implement 3-2-1-1 rule*

The Continuous Loop

As Graham Rogers (HPE) presented during VNUG23, the Framework is a “continuous loop,” meaning it requires constant and continuous efforts to strengthen an enterprise’s Digital Resilience Framework.

New Approaches to Thwart These Attacks

Today, state-of-the-art is post-attack Detection and Recovery. Note that this is different than the ultimate goal, pre-attack Identification and Prevention. As solutions develop, Identification and Prevention measures will surface and enable enterprises to shift from being reactive to proactive with their Digital Resilience solutions.

HPE Shadowbase Software Provides Data Resilience for Detection and Recovery:

  • Fingerprinting of inter-process communication (IPC) messages and data files to detect tampering
  • Data recovery in real-time to minimize downtime
  • Support for air-gapped architectures and immutable storage to aid in isolation and recovery efforts
HPE NonStop Shadowbase Software Provides Unique Capabilities
  • HPE Shadowbase software provides unique Data Resilience capabilities for NonStop users since it integrates with the NonStop transaction logging facility, TMF, to extract database change data and assist with data recovery should an attack occur
  • Detects data in motion and MiTM* attacks (which could disrupt critical backup processes and corrupt recovery data) between key processes, since messages are fingerprinted
  • Fingerprints Shadowbase Queue Files to detect data file tampering
HPE NonStop TMF (Transaction Monitoring Facility) — Your First Line of Defense!
  • Using TMF provides ACID* transaction protection, guarantees database changes are logged, and enables HPE Shadowbase to use the Audit Trail change data for recovery.
  • Non-audited data/data replication does not have the same advantages, capabilities, nor protection.
    • In a non-audited environment, if malware invaded and performed data tampering – how would someone know since changes are not being logged by TMF?
  • TMF guarantees all database changes are always logged.
    • Note that Non-audited applications can log changes to an application-generated log file
Learn More About TMF

Read the White Paper — Only the Truth: Debunking TMF NonStop Data Protection Myths

Ransomware Recovery Architecture #1

Ransomware Recovery System (RRS)*

Real-time, Online Recovery System

Option 1: Isolated RRS (relatively faster)

  • Isolated and people-gapped* RRS
    • The RRS is “isolated” because its network is heavily monitored and has a limited amount of connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port with inbound traffic while having its fingerprints verified)
  • Capture and store (queue) database change data (from either \PROD or \DR systems) and periodically transfer (e.g., SFTP*) queued data to RRS

Option 2: Immutable Storage to Air-gapped RRS (relatively slower)

  • Air and people-gapped RRS
  • Capture and store (queue) initial load and database change data on immutable storage
  • Periodically transfer (e.g., SFTP) queued data from immutable storage to RRS

Both options:

This architecture satisfies the 3-2-1-1 rule (when leveraging both options); it also provides flexibility:

  • The customer decides how often to synchronize the RRS database to bring it current
  • After an attack, recover the application and operations on the RRS
    • Having a “staged” RRS greatly expedites application recovery and reduces the Recovery Time Objective (RTO)
  • Replicate queued data from either system
    • Shadowbase Q Files are validated to detect MitM attacks or other corruption
  • Supports TCP/IP or Expand feed from either system to RRS
  • Capture and store (queue) database change data directly on RRS or first through immutable storage
  • But is this really S-A-F-E?
    • Critics argue that this truly isn’t “air-gapped” because there is a connection between the PROD systems and the RRS (critics, please see Architecture 2 below)

Ransomware Recovery Architecture #2

Architecture 2: Bare Metal Recovery System (BMRS)

Bare Metal Recovery System (BMRS)

Option 1: Isolated RRS (relatively faster)

  • Isolated and people-gapped RRS
    • We call the RRS in option 1 “Isolated” because its network is heavily monitored and it has a limited amount of network connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port)
  • Capture and store (queue) database change data (from either \PROD or \DR systems) and periodically transfer (e.g. SFTP) queued data to RRS
  • A second RRS system for Disaster Recovery purposes is optional but recommended

Option 2: Immutable Storage to Air-gapped RRS (relatively slower)

  • Air and people-gapped BMRS
  • Capture and store (queue) database change data on immutable storage
  • Option 2a: Periodically transfer (e.g., SFTP) queued data to BMRS
  • Option 2b: Wait until Bare Metal Restore sequence to transfer (e.g., SFTP) queued data to BMRS
  • A second BMRS system for Disaster Recovery purposes is optional but recommended

Both options:

This architecture satisfies the 3-2-1-1 rule, especially with Option 2: Immutable Storage to Air-gapped BMRS. Similar to the previous architecture:

  • The customer decides how often to synchronize the RRS or BMRS database to bring it current
  • After an attack, recover the application and operations on the RRS or BMRS depending on RTO vs. Data Integrity requirements
    • Having a “staged” RRS greatly expedites application recovery and reduces the RTO
    • However, critics argue that this truly isn’t “air-gapped” because there is a connection between the PROD systems and the RRS, thus, the BMRS provides a truly air-gapped, offline, backup system for recovery
  • Replicate queued data from either system
    • Shadowbase Q Files are validated to detect MitM attacks or other corruption
  • Support TCP/IP or Expand feed from either system to RRS

 

Shutterstock

HPE Shadowbase is a Critical Piece of a Comprehensive Digital Resilience Solution

Malware and Ransomware Are Complex and Rapidly Evolving Threats

As described above in the HPE Digital Resilience Framework, combatting Malware and Ransomware requires a comprehensive, integrated approach that also involves other solutions (for example, to address Malware that stealthily reads and steals data).

HPE Shadowbase is a critical piece of the HPE Digital Resilience Framework, helping provide an integrated solution and Data Resilience for mission critical NonStop and Other Server environments.

Contact Us to Discuss Your Needs
Related Content
Publications: October 4, 2023 — Gravic Publishes Article on “Ransomware Protection and Data Recovery”
Featured: June 20, 2023 — Gravic Publishes EBITUG Presentation: HPE Shadowbase Technical Architecture Overview for Digital Resilience (Malware and Ransomware Protection)
Featured: May 2, 2023 — Gravic Publishes New White Paper: The Advantages of Transaction Protection
Shutterstock

*Key Terms

  • 3-2-1-1 Rule
    • Have 3 copies of your data,
    • on 2 different media,
    • at least 1 air-gapped copy, and
    • at least 1 copy on immutable storage (managed by different staff)
  • ACID Transaction Protection – ACID is an acronym for Atomic, Consistent, Isolated, and Durable; ACID transaction protection is a mainstay for mission critical architectures (for more information: Only the Truth: Debunking TMF NonStop Data Protection Myths)
  • Air-gapped – Backup system or storage solutions that are geographically separated from the primary datacenter, and are typically offline (meaning physically disconnected from each other and no internet access)
  • Bare Metal Recovery – A system recovery sequence that involves wiping (deleting all data and settings) in an idle, air-gapped system down to its “bare metal” factory defaults
    • Bare Metal Recovery System (BMRS) can be used in a Ransomware Recovery architecture
  • DORA – Digital Operations Resilience Act is an EU regulation that entered into force on January 16, 2023 and will apply as of January 17, 2025
  • Digital Resilience – According to DORA, “the protection, detection, containment, recovery and repair capabilities against information and communication technology (ICT) related incidents”
  • ICT – Information and Communication Technology
  • Immutable Backup – A backup system that can only be written to once (such as WORM, Write Once Read Many, or append-only storage devices) that can transfer data to a Ransomware Recovery System in the event of an attack
  • Isolated – (Similar to “air-gapped”) backup systems that are geographically separated from the primary datacenter, typically with limited network connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port)
  • Malware – Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system
  • Man-in-the-Middle (MiTM) Attack – When a hacker intercepts and may even alter communications between two parties without either party knowing
    • Cyberattack where the hacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other
  • NIST – National Institute of Standards and Technology is a U.S. Department of Commerce organization that produces “measurements, standards, and legal metrology provide solutions that ensure measurement traceability, enable quality assurance, and harmonize documentary standards and regulatory practices”
    • NIST has produced and defined the Cybersecurity Framework’s five Functions:
      • Identify – Understand your environment; identify assets to protect
      • Protect – Implement safeguards and controls, such as Zero Trust Security, Data Protection, and rigorous security hardening
      • Detect – Discover cyber events and monitor activity (use AI/ML) and environment integrity
      • Respond – Actions to deal with attacks; use standard operating procedures
      • Recover – Maintain resilience and business continuity, utilize data backup and recovery strategy, and implement the 3-2-1-1 rule
    • The HPE Digital Resilience Framework is based on these NIST standards
  • People-gapped – Different staff manages the Production systems versus the Ransomware Recovery systems and storage solutions; this staff is typically offsite and follows a different set of procedures, with no communication or awareness of other teams
  • Ransomware – Malicious software designed to block access to a computer system until a sum of money is paid
    • Ransomware is insidious since it stealthily spreads across systems while stealing data over time (typically weeks or months), and then locks a Production system after encrypting and locking the Backup system
  • Ransomware Recovery System (RRS) – Backup system which is used to recover critical applications and data after a Ransomware attack
  • Secure File Transfer Protocol (SFTP) – Common network protocol used for securely reading, sharing, and managing files across systems