HPE Shadowbase Digital Resilience* and Data Recovery Solutions

Recover Critical Applications and Data After a Malware* or Ransomware* Attack

Enterprises around the globe are racing to protect themselves because Malware and Ransomware have become massive and potentially existential threats.

A comprehensive defense requires multiple layers of protection, including strong Data Resilience.

Gravic has provided Digital Resilience solutions for 45+ years: use HPE Shadowbase software to replicate data into immutable storage* and quickly recover applications on an air-gapped*, isolated*, and hence fully protected system.

"Global cybercrime damages are projected to reach $9.5 trillion USD in 2024, rising to $10.5 trillion by 2025."

-Cybercrime magazine

"Always keep software updated. Install the most recent software updates for devices and apps to ensure you are protected against the latest threats. Invest in cybersecurity resources for your company. Is your company prepared to stand against any cybercrime event that may occur? "

-Meridian Bank

Global Impact

DORA was enacted on January 16, 2023

The Digital Operational Resilience Act (DORA) is a list of data resilience and cyber security requirements and regulations that are currently taking effect in the European Union.  It aims to strengthen digital resilience within the financial sector and applies to financial entities such as banks, insurance companies, and investment firms.

The overall goal is to ensure that financial entities can withstand and recover from malware and bad actor attacks, or any other operational problems related to information and communication technology (ICT).  DORA also applies to critical third parties who provide ICT-related services to financial entities such as cloud platforms, solution/software vendors, data analytics, and audit services.

Similar regulations and guidelines are being set by the U.S. government and other worldwide federal regulatory bodies.

According to Malwarebytes:
  • 1,900 total Ransomware attacks occurred within just four countries – the U.S., Germany, France, and the U.K. – in one year.”
  • “The U.S. shouldered a hefty 43 percent of all global attacks.
  • “A total of 48 separate Ransomware groups attacked the U.S. in the observed period.”
  • “If more groups start adopting CL0P’s zero-day exploitation techniques, the Ransomware landscape could tilt from service-oriented attacks to a more aggressive vulnerability-focused model – a move that could skyrocket the number of victims.”
According to Veeam:
  • 93% of attacks targeted backup repositories.”
  • “4% of Ransomware victims paid the ransom and could not recover their data.”
  • “77% of payments were covered by insurance.”
  • “On average, only 66% of affected data was recoverable.”

Business Continuity with Digital Resilience Requires:

  1. Digital Resilience (Applications, System, Network and Infrastructure)
  2. Data Resilience (Database Replication and Validation, Encryption, and Tokenization)
  3. Cyber Resilience (Protection, Security, Scanning, and Monitoring)

HPE Digital Resilience Framework

HPE

HPE Digital Resiliency Framework based on the NIST* Cybersecurity Standards

  1. IDENTIFY Understand environment
  2. PROTECT Implement safeguards and controls
    • Shadowbase supports Encryption and Data in Motion, integrating with Tokenators
    • Backup Processes, Procedures, and Testing; Shadowbase supports automatic failover detection and recovery
  3. DETECT Discover cyber events
    • File Integrity: Shadowbase Compare can help monitor for unwanted file/table changes
  4. RESPOND Actions to address attacks
  5. RECOVER – Maintain resilience and business continuity
    • Prove synchronization: Shadowbase Compare helps verify that the source and target databases match
    • 3rd Site (not the DR site): Shadowbase can be configured under a separate Nonstop user so that the different Business Continuity and Digital Resilience environments can be separated, similar to a data firewall
    • Immutable Backup: Shadowbase Q Files contain change data, which can be sent to Immutable Storage
    • Shadowbase enables following the 3-2-1-1 Rule
    • Shadowbase enables non-disruptive testing before being put into production

The Continuous Loop

As HPE presented at eBITUG25, the Framework is a “continuous loop,” meaning it requires constant and continuous efforts to strengthen an enterprise’s Digital Resilience Framework.

New Approaches to Thwart These Attacks

Today, state-of-the-art is post-attack Detection and Recovery (Gravic is investigating this; if it interests you, please contact us). Note that this is different than the ultimate goal, pre-attack Identification and Prevention. As solutions develop, Identification and Prevention measures will surface and enable enterprises to shift from being reactive to proactive with their Digital Resilience solutions.

HPE Shadowbase Software Provides Data Resilience for Detection and Recovery:

  • Fingerprinting of inter-process communication (IPC) messages and data files to detect tampering
  • Data recovery in real-time to minimize downtime
  • Support for air-gapped architectures and immutable storage to aid in isolation and recovery efforts
HPE NonStop Shadowbase Software Provides Unique Capabilities
  • HPE Shadowbase software provides unique Data Resilience capabilities for NonStop users since it integrates with the NonStop transaction logging facility, TMF, to extract database change data and assist with data recovery should an attack occur
  • Detects data in motion and MiTM* attacks (which could disrupt critical backup processes and corrupt recovery data) between key processes, since messages are fingerprinted
  • Fingerprints Shadowbase Queue Files to detect data file tampering
HPE NonStop TMF (Transaction Monitoring Facility) — Your First Line of Defense!
  • Using TMF provides ACID* transaction protection, guarantees database changes are logged, and enables HPE Shadowbase to use the Audit Trail change data for recovery.
  • Non-audited data/data replication does not have the same advantages, capabilities, nor protection.
    • In a non-audited environment, if malware invaded and performed data tampering – how would someone know since changes are not being logged by TMF?
  • TMF guarantees all database changes are always logged.
    • Note that Non-audited applications can log changes to an application-generated log file
Learn More About TMF

Read the White Paper — Only the Truth: Debunking TMF NonStop Data Protection Myths

Ransomware Recovery Architecture #1

Local Data Vault

Local Data Vault

RTO: Moderate

  • Recovery time is dependent on the ability to create a clean system and recover the Production environment and restore the DB
  • DB is online and available to the application during SB recovery process

RPO: Low

  • SB “Q Files” contains change data captured into Data Vault in short intervals (e.g., 1 min) which minimizes potential for data loss

Data isolation: Limited

  • SB Data Vault is not completely isolated and may be vulnerable to cyberattack on PROD (although unlikely)

Cost: Moderate

  • No additional NS HW required;  Immutable storage required
  • Requires SB Digital Resilience Software licenses

Other considerations

  • Data Vault is on direct connect tape management subsystem (e.g., VTC) connected to its corresponding NonStop system
  • Requires a periodic backup of the application environment including a consistent DB backup for baseline

Ransomware Recovery Architecture #2

Ransomware Recovery System (RRS)*

rw recovery arch 1

Real-time, Online Recovery System

Option 1: Isolated RRS (relatively faster)

  • Isolated and people-gapped* RRS
    • The RRS is “isolated” because its network is heavily monitored and has a limited amount of connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port with inbound traffic while having its fingerprints verified)
  • Capture and store (queue) database change data (from either \PROD or \DR systems) and periodically transfer (e.g., SFTP*) queued data to RRS

Option 2: Immutable Storage to Air-gapped RRS (relatively slower)

  • Air and people-gapped RRS
  • Capture and store (queue) initial load and database change data on immutable storage
  • Periodically transfer (e.g., SFTP) queued data from immutable storage to RRS

Both options:

This architecture satisfies the 3-2-1-1 rule (when leveraging both options); it also provides flexibility:

  • The customer decides how often to synchronize the RRS database to bring it current
  • After an attack, recover the application and operations on the RRS
    • Having a “staged” RRS greatly expedites application recovery and reduces the Recovery Time Objective (RTO)
  • Replicate queued data from either system
    • Shadowbase Q Files are validated to detect MitM attacks or other corruption
  • Supports TCP/IP or Expand feed from either system to RRS
  • Capture and store (queue) database change data directly on RRS or first through immutable storage

Ransomware Recovery Architecture #3

Bare Metal Recovery System (BMRS)

rw recovery arch 2

Bare Metal Recovery System (BMRS)

Option 1: Isolated RRS (relatively faster)

  • Isolated and people-gapped RRS
    • We call the RRS in option 1 “Isolated” because its network is heavily monitored and it has a limited amount of network connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port)
  • Capture and store (queue) database change data (from either \PROD or \DR systems) and periodically transfer (e.g. SFTP) queued data to RRS
  • A second RRS system for Disaster Recovery purposes is optional but recommended

Option 2: Immutable Storage to Air-gapped RRS (relatively slower)

  • Air and people-gapped BMRS
  • Capture and store (queue) database change data on immutable storage
  • Option 2a: Periodically transfer (e.g., SFTP) queued data to BMRS
  • Option 2b: Wait until Bare Metal Restore sequence to transfer (e.g., SFTP) queued data to BMRS
  • A second BMRS system for Disaster Recovery purposes is optional but recommended

Both options:

This architecture satisfies the 3-2-1-1 rule, especially with Option 2: Immutable Storage to Air-gapped BMRS.

Similar to the previous architecture:

  • The customer decides how often to synchronize the RRS or BMRS database to bring it current
  • After an attack, recover the application and operations on the RRS or BMRS depending on RTO vs. Data Integrity requirements
    • Having a “staged” RRS greatly expedites application recovery and reduces the RTO
  • Replicate queued data from either system
    • Shadowbase Q Files are validated to detect MitM attacks or other corruption
  • Support TCP/IP or Expand feed from either system to RRS
    • However, critics argue that this truly isn’t “air-gapped” because there is a connection between the PROD systems and the RRS, thus, the BMRS provides a truly air-gapped, offline, backup system for recovery
  • Certain hardware technologies such as those from dell enable logical airgapping
Shutterstock

HPE Shadowbase is a Critical Piece of a Comprehensive Digital Resilience Solution

Malware and Ransomware Are Complex and Rapidly Evolving Threats

As described above in the HPE Digital Resilience Framework, combatting Malware and Ransomware requires a comprehensive, integrated approach that also involves other solutions (for example, to address Malware that stealthily reads and steals data).

HPE Shadowbase is a critical piece of the HPE Digital Resilience Framework, helping provide an integrated solution and Data Resilience for mission critical NonStop and Other Server environments.

Contact Us to Discuss Your Needs
Related Content
Featured: Gravic Publishes New White Paper: The Advantages of Transaction Protection
Shutterstock

*Key Terms

  • 3-2-1-1 Rule
    • Have 3 copies of your data,
    • on 2 different media,
    • at least 1 air-gapped copy, and
    • at least 1 copy on immutable storage (managed by different staff)
  • ACID Transaction Protection – ACID is an acronym for Atomic, Consistent, Isolated, and Durable; ACID transaction protection is a mainstay for mission critical architectures (for more information: Only the Truth: Debunking TMF NonStop Data Protection Myths)
  • Air-gapped – Backup system or storage solutions that are geographically separated from the primary datacenter, and are typically offline (meaning physically disconnected from each other and no internet access)
  • Bare Metal Recovery – A system recovery sequence that involves wiping (deleting all data and settings) in an idle, air-gapped system down to its “bare metal” factory defaults
    • Bare Metal Recovery System (BMRS) can be used in a Ransomware Recovery architecture
  • DORA – Digital Operations Resilience Act is an EU regulation that entered into force on January 16, 2023 and will apply as of January 17, 2025
  • Digital Resilience – According to DORA, “the protection, detection, containment, recovery and repair capabilities against information and communication technology (ICT) related incidents”
  • ICT – Information and Communication Technology
  • Immutable Backup – A backup system that can only be written to once (such as WORM, Write Once Read Many, or append-only storage devices) that can transfer data to a Ransomware Recovery System in the event of an attack
  • Isolated – (Similar to “air-gapped”) backup systems that are geographically separated from the primary datacenter, typically with limited network connections (such as only being able to “pull” and request data through a single uni-directional, heavily monitored port)
  • Malware – Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system
  • Man-in-the-Middle (MiTM) Attack – When a hacker intercepts and may even alter communications between two parties without either party knowing
    • Cyberattack where the hacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other
  • NIST – National Institute of Standards and Technology is a U.S. Department of Commerce organization that produces “measurements, standards, and legal metrology provide solutions that ensure measurement traceability, enable quality assurance, and harmonize documentary standards and regulatory practices”
    • NIST has produced and defined the Cybersecurity Framework’s five Functions:
      • Identify – Understand your environment; identify assets to protect
      • Protect – Implement safeguards and controls, such as Zero Trust Security, Data Protection, and rigorous security hardening
      • Detect – Discover cyber events and monitor activity (use AI/ML) and environment integrity
      • Respond – Actions to deal with attacks; use standard operating procedures
      • Recover – Maintain resilience and business continuity, utilize data backup and recovery strategy, and implement the 3-2-1-1 rule
    • The HPE Digital Resilience Framework is based on these NIST standards
  • People-gapped – Different staff manages the Production systems versus the Ransomware Recovery systems and storage solutions; this staff is typically offsite and follows a different set of procedures, with no communication or awareness of other teams
  • Ransomware – Malicious software designed to block access to a computer system until a sum of money is paid
    • Ransomware is insidious since it stealthily spreads across systems while stealing data over time (typically weeks or months), and then locks a Production system after encrypting and locking the Backup system
  • Ransomware Recovery System (RRS) – Backup system which is used to recover critical applications and data after a Ransomware attack
  • Secure File Transfer Protocol (SFTP) – Common network protocol used for securely reading, sharing, and managing files across systems