Over many years and successive generations of information technology, financial services organizations have invested a great deal of time and effort in developing their business continuity strategies. These plans generally take into account the myriad of regulatory and compliance considerations that protect against fraudulent transactions, protect confidential and sensitive data, and ensure data retention for audits, among other things. And of course, ideally, they include near-instant failovers and recoveries.
In recent years, due to the rise of ransomware attacks, many financial institutions are re-evaluating their strategies to include ransomware prevention. They are considering how best to update them taking into account the threat posed by ransomware and the steps they need to take to ensure that their business continuity plans reflect the full capabilities of their file data management platforms.
The financial peril of ransomware
Ransomware is defined as a subset of malware that holds a victim’s data hostage or threatens to publish that data until a ransom is paid. Ransomware can adversely impact any organization, but, for banks and other financial services organizations, it poses especially exigent risks. In addition to the potential financial losses and damage to reputation, financial services organizations are especially vulnerable to business interruptions should critical systems be taken offline during an attack (or to recover from an attack).
For insurance companies, the threat also manifests an impact to the business, with loss ratios on cyber insurance increasing nearly 75% in 2020 from their previous five-year annual average, resulting in greater uncertainty and higher premiums.
According to New York State’s Department of Financial Services (DFS), which investigated 74 ransomware attacks between January 2020 and May 2021, there was a similar pattern to the incidents, involving unauthorized “entry to the victim’s network using one of three techniques”:
- Exploiting unpatched vulnerabilities
- Exploiting poorly secured Remote Desktop Protocols
Ransomware prevention strategies can be designed around these insights and leverage established cybersecurity controls and “best practices.” And regulators are taking steps to require additional prevention strategies, with DFS “evaluating what additional controls should be added to its Cybersecurity Regulation.”
The advantages of file data management for ransomware prevention
Financial services organizations’ most valuable digital assets, which are both crucial for day-to-day operations and the ultimate prize sought in a ransomware attack, are stored on their file data management platforms. This could be on-premises in their data center; in cloud infrastructures; or, increasingly, in a hybrid combination of physical and cloud locations.
When considering file data management as it relates to the ransomware threat, as well as how business continuity strategies should be enhanced to reflect the advantages that a modern file data platform provides, enterprises are focused on how their file systems can help with ransomware prevention, detection, and, most significantly for business continuity, data recovery and correction.
A software-only file system, like Qumulo Core, provides significant advantages, such as a “locked down” underlying operating system that allows only operations needed to perform the tasks of the file system.
In addition, rapid update release cycles, security fixes shipped automatically, and reactive patches arriving even faster than regular releases keep the file system continually up to date. The file data management platform’s role-based access control (RBAC) is critical to ensuring admins can assign fine-grained privileges to regular users or groups and elevate privileges only where needed, while keeping them as minimal as possible.
Ransomware prevention can also be achieved through configuration choices, such as hiding file shares from unauthorized users, requiring explicit knowledge of the share path to mount the share, and implementing access-based enumeration for every share. Modern file data management platforms also provide additional host restrictions, such as limiting access by client IP address range and other options to reduce the risk surface.
The file data management platform is also a critical part of a ransomware detection strategy and uncovering malicious activities as early as possible. Implementing a holistic security approach that includes network, compute, device, and event-monitoring techniques, together with data correlation and analysis, is preferable over siloed solutions that are embedded in the storage system. This can be achieved through API integration between the file data management platform and the Security Information and Event Management (SIEM) software, which in turn enables automated mitigation actions from any place should a malicious activity be detected.
As part of a holistic ransomware prevention strategy, modern file data management platforms should emit an industry-standard syslog format that can be read, parsed, and indexed by the SIEM, recording every data access and management event. Ultimately, this is the most effective approach because malware can be identified and stopped before it reaches the file storage system. While the first line of antivirus prevention should be the data center security infrastructure, the file data management platform should support scheduled and on-demand antivirus scanning.
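To show what a SIEM can do with a parsed file-audit event stream, here is an added example (not code from the original post or from Qumulo) that ingests constructed syslog-style audit lines and flags a client/user pair that renames many files to a new extension in a short window, a common encrypt-and-rename pattern. The line format (an RFC 5424-like header followed by key=value fields) is an assumption for the example and is not Qumulo's real audit format; the threshold and window are illustrative starting points that a SOC would tune to its own baseline.

```python
"""Flag ransomware-like rename bursts in a syslog-style file-audit stream.

The log format below is a constructed example (RFC 5424-like header plus a
key=value body). It is NOT the real audit format of any product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: alice renames six files to ".locked" within
# seconds (suspicious); bob renames one ".tmp" to ".docx" (benign, below threshold).
SAMPLE_LOG = """\
<134>1 2021-06-01T10:00:01Z fs01 audit - - - client=10.0.5.23 user=alice op=read path=/finance/q2/report.xlsx status=ok
<134>1 2021-06-01T10:00:02Z fs01 audit - - - client=10.0.5.23 user=alice op=write path=/finance/q2/report.xlsx status=ok
<134>1 2021-06-01T10:00:03Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/report.xlsx target=/finance/q2/report.xlsx.locked status=ok
<134>1 2021-06-01T10:00:04Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/ledger.csv target=/finance/q2/ledger.csv.locked status=ok
<134>1 2021-06-01T10:00:05Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/budget.xlsx target=/finance/q2/budget.xlsx.locked status=ok
<134>1 2021-06-01T10:00:06Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/notes.docx target=/finance/q2/notes.docx.locked status=ok
<134>1 2021-06-01T10:00:07Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/forecast.pptx target=/finance/q2/forecast.pptx.locked status=ok
<134>1 2021-06-01T10:00:08Z fs01 audit - - - client=10.0.5.23 user=alice op=rename path=/finance/q2/summary.pdf target=/finance/q2/summary.pdf.locked status=ok
<134>1 2021-06-01T10:00:10Z fs01 audit - - - client=10.0.7.41 user=bob op=rename path=/hr/draft.tmp target=/hr/draft.docx status=ok
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one audit line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    fields["host"] = m.group("host")
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def extension(path):
    """Lower-cased final extension of a path ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_rename_bursts(lines, threshold=5, window_seconds=60):
    """Return one alert per (client, user) that renames >= threshold files to a
    different extension within a sliding window of window_seconds."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of extension-changing renames
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if not ev or ev.get("op") != "rename" or ev.get("status") != "ok":
            continue
        if extension(ev["path"]) == extension(ev.get("target", "")):
            continue                      # same extension: ordinary rename
        key = (ev["client"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:        # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "client": ev["client"],
                "user": ev["user"],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ev["ts"].isoformat(),
                "new_extension": extension(ev["target"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The alert fires on the fifth extension-changing rename from the same client and user, which is the point at which an automated response (for example, revoking that session's share access or quarantining the client IP through the SIEM's playbook) can still save most of the data set. Renames that keep the same extension are ignored so that ordinary editing workflows do not trip the rule.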
Even the best preventive controls can be overcome by attackers, so having a robust ransomware recovery strategy is essential. A modern file data platform supports ransomware recovery and, ideally, is radically simple to implement.
Snapshots of file data can be taken at any point in time and should not consume additional space by themselves (only subsequent file changes consume extra space). If a file or directory needs to be rolled back to a previous version, files can be copied back easily. Because these snapshots are immutable, malware or ransomware cannot change their contents. Replicating snapshots, to another cluster and/or to cloud infrastructure, is essential and adds further reliability.
A file data management platform’s API integration can easily identify changes between two snapshots and integrate with a backup and disaster recovery solution allowing instantaneous incremental backups with minimal effort. Snapshots can also be automatically stored in cloud infrastructure, and, once there, the cloud provider’s intelligent tiering can move older files to more cost-effective methods of storing data that is not actively being used. Of course, these snapshots enable effective failovers, and the file data platform should enable the organization to leverage any number of recovery point objectives and recovery time objectives.
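The snapshot-difference idea in the two paragraphs above is easy to see in code. The following is an added example, not code from the original post or from Qumulo, and it does not use any real snapshot API: each snapshot is represented as a manifest (path to size and SHA-256 of content) built from a constructed in-memory file tree. Diffing a clean snapshot against a later one yields the incremental backup set, and diffing a clean snapshot against a compromised one yields a rollback plan: which files to copy back from the immutable snapshot and which attacker-created files to remove.

```python
"""Diff two snapshot manifests to drive incremental backup and rollback.

Manifests here are constructed stand-ins for a snapshot listing; the real
snapshot API and listing format are outside this example.
"""
import hashlib


def fingerprint(data: bytes) -> str:
    """Content hash used to tell a modified file from an untouched one."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree):
    """tree: dict path -> bytes (constructed). Returns path -> (size, sha256)."""
    return {path: (len(data), fingerprint(data)) for path, data in tree.items()}


def diff_snapshots(before, after):
    """Classify every path as added, modified or deleted between two manifests."""
    added = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def incremental_backup_set(before, after):
    """Paths the backup tool must copy: only what changed since the last snapshot."""
    d = diff_snapshots(before, after)
    return sorted(d["added"] + d["modified"])


def rollback_plan(clean, compromised):
    """Given an immutable clean snapshot and the compromised live state,
    return what to copy back and what to remove."""
    d = diff_snapshots(clean, compromised)
    return {
        "restore": sorted(d["modified"] + d["deleted"]),   # copy back from clean snapshot
        "remove": d["added"],                              # encrypted copies, ransom notes
    }


# Constructed clean snapshot: three ordinary business files.
TREE_CLEAN = {
    "/finance/q2/report.xlsx": b"quarterly report contents",
    "/finance/q2/ledger.csv": b"date,account,amount\n2021-06-01,4010,1200.00\n",
    "/hr/policy.pdf": b"%PDF-1.4 leave policy",
}
# Constructed later state after a simulated encrypt-and-rename incident:
# report.xlsx replaced by a .locked copy, ledger.csv overwritten in place,
# a ransom note dropped, policy.pdf untouched.
TREE_AFTER = {
    "/finance/q2/report.xlsx.locked": b"\x9f\x3a\x11\x00 opaque ciphertext",
    "/finance/q2/ledger.csv": b"\x7e\x21\x5c\x08 opaque ciphertext",
    "/finance/README_RESTORE.txt": b"your files have been encrypted",
    "/hr/policy.pdf": b"%PDF-1.4 leave policy",
}

MANIFEST_CLEAN = build_manifest(TREE_CLEAN)
MANIFEST_AFTER = build_manifest(TREE_AFTER)


if __name__ == "__main__":
    print("diff:", diff_snapshots(MANIFEST_CLEAN, MANIFEST_AFTER))
    print("incremental backup:", incremental_backup_set(MANIFEST_CLEAN, MANIFEST_AFTER))
    print("rollback:", rollback_plan(MANIFEST_CLEAN, MANIFEST_AFTER))
```

Because the clean snapshot is immutable, the rollback plan can be executed with confidence that the copies being restored are the pre-incident versions; the untouched `/hr/policy.pdf` is correctly left alone, which is what keeps recovery time proportional to the damage rather than to the size of the whole file system.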
Evolve business continuity strategies to help guard against ransomware
Many financial services organizations are reviewing and revising their business continuity strategies because of the ransomware threat. They are increasingly developing strategies based upon a modern file data platform’s capabilities—such as engaging a rich set of data services and APIs to implement a holistic defense strategy against all kinds of malware including ransomware.
Simple file data management, granular data access, and management event stream processing enable an organization’s file data management platform to be integrated into its security architecture. Corrective security controls such as easy data movements to the cloud, integrated backups, and snapshot replications to support secure and robust recovery strategies should be simple to engage.
In addition to becoming the cornerstone of business continuity strategies, file system platforms like Qumulo Core also provide significant day-to-day and operational advantages and enable financial services organizations to leverage cloud infrastructure for additional benefits and multiple layers of protection.
- How to Detect Ransomware Access Patterns with Qumulo and Azure Sentinel
- How to Detect Hidden Ransomware with Data Correlation
- How to Detect Ransomware using Threat Intelligence
- How to Automate Ransomware Detection using Analytics Rules in Azure Sentinel
Written by Andrew Keating, PhD, Senior Director, Industry Solutions, this story was originally published by Qumulo for the Wall Street Technology Association and has been repurposed for this blog and modified for depth and comprehensiveness.