By Robert MacAdams on Saturday, 10 December 2022
Category: Uncategorized

IBM Immutable Backups for Cyber Resilience

Immutable backup technology is a critical component of cyber resiliency and disaster recovery for organizations of any size. Cyber resilience is a measure of an organization’s ability to protect data and continue business operations despite a successful cyberattack that corrupts or destroys data, such as a malware or ransomware attack. The measure of cyber resiliency is based on the amount of data loss and the recovery time required to resume normal business operations. A cyber resiliency analysis of your environment based on the NIST CSF would assess and score your organization’s readiness to sustain and recover from an attack, including the ability to continue operations, the recoverability of your data and an estimated amount of time it would take to recover affected data.

At the end of the day, a security incident that destroys data is a modern-day disaster recovery event. However, unlike a typical unplanned outage caused by a mundane failure or environmental factor, where the root cause is likely easy to discover and resolve quickly, malware and ransomware have likely been present in the environment for quite some time, so identifying and restoring the most recent clean backup copy can be a more difficult and lengthy process. To make matters worse, we are now witnessing military-grade attacks at a much greater frequency; they are more likely to get past the most advanced security tools and staff, and are much more prone to stealthily expand their foothold on the victim’s infrastructure before being discovered.

Immutable backup solutions protect data by preventing ransomware, viruses and other forms of malware from altering or destroying it, ensuring business continuity and quick recovery with minimal data loss. Comparing different vendors’ immutable backup solutions is critical for a number of very important reasons, but recovery times and recovery points are the most important. If your backup and recovery plan relies on recovering data from the cloud or a remote site, you must realize that the magnitude of the attack will greatly impact recovery times. For many businesses, operations do not recover for days or weeks. Ideally, your backup and recovery plan should encompass both local and remote backups.

IBM's immutable storage features play a critical role in its first and last lines of cyber security defense. First, IBM uses the Safe Guarded Copy function for FlashSystem to create immutable backup snapshots automatically, either on a schedule or when the Cyber Vault software detects anomalies in data changes. The Safe Guarded immutable backup “snapshots” are stored on the IBM FlashSystem in a logical partition known as a clean room, where the data validation processes run and which cannot be accessed by servers, individuals or any other process. The immutable backup and restore processes do not impact the production environment. The snapshots also cannot be modified or deleted except according to pre-planned scheduled policies, which further prevents human error and ill intent from harming the protected backups. If you need to access a copy of your production data, it can only be used after the recovery process.

The last line of defense is IBM’s Cyber Vault software, which not only constantly monitors backup snapshots for corrupted data, but also helps identify which backup copies are clean and ready for rapid restore. Between the two, the Safe Guarded Copy and Cyber Vault features significantly reduce downtime caused by a cyber-attack or internal threat.

Other immutable backup solutions, especially those that rely on remote replication for disaster recovery, replicate all data changes, including maliciously altered data. This is a major problem, as it results in replicating corrupted data to your external backup. Detecting a threat before it becomes a problem and spreads is the key to speeding up recovery time and the recoverability of your data. Security tools like QRadar SIEM, Cloud Pak for Security, Splunk, Guardium and other enterprise tools will certainly help prevent cybersecurity threats, but if an attack is successful and damages both your production and backup data, you now have a much bigger problem. If you have a Security Orchestration, Automation and Response (SOAR) tool at your disposal, you have a much better chance of finding a clean backup copy faster and maximizing your cyber resiliency capabilities.

Detecting unusual behaviors and anomalies associated with cyber-attacks in your infrastructure and in any interconnected systems and processes is what is needed to be 100% cyber resilient. Furthermore, integrated and automated access controls working in conjunction with threat detection would also be required to ensure data and assets are protected or isolated from damage. However, this level of ultimate security and automation is highly unlikely to be deployed at any company, so companies must prepare and plan for a successful attack. After all, it is only a matter of time before a cyberattack succeeds on your watch or, more likely, before you are hit again, and again.

On average, about 30% of an organization’s public-facing assets are unknown to the security team. Most companies perform periodic “point in time” scans to assess their security defenses, but seldom or never test their disaster recovery plan against a successful security incident. IBM offers a no-charge External Threat Analysis to bring these unknown targets to your attention. The assessment will illustrate how an attacker views your infrastructure, and help you better understand which of your assets are the easiest and most likely targets. The assessment utilizes IBM’s SAS-based penetration testing platform, focuses on your IPv4- and IPv6-associated assets and will identify compromised domains, login pages, outdated applications, assets revealing internal data, and services being unintentionally exposed. This service does not require anything to be installed and is provided at no cost to your organization. IBM will provide your company with an assessment report that will help your teams resolve any discovered risks. Please send the Threat Assessment Team (TAT) an email to initiate this service.

In addition, IBM also offers a Cyber Resiliency Analysis based on the NIST CSF, which assesses your organization’s readiness to sustain and recover from an attack. The analysis helps illuminate your organization’s ability to continue operations, determines the recoverability of your data and provides an estimated amount of time it would take to recover from a successful attack. The assessment should provide your organization with an accurate depiction of your current data protection state, help identify gaps and provide recommendations to build an effective cyber resiliency plan. This service requires a Q&A session. Please send the Cyber Resiliency Team an email to initiate this service.

IBM Storage product details and feature notes related to Cyber Security:
Safe Guarded Copy helps prevent data from being compromised, either accidentally or deliberately, and allows for recovery from protected backups in the event of a cyber-attack. It provides secure, point-in-time copies or snapshots of active production data that cannot be altered or deleted (immutable copies), and that can later be used for identification, repair or replacement of data that has been compromised by either a cyber or internal attack or corrupted by system failures or human error. The Safe Guarded backups or copies of data are protected with additional security provided through unique user roles with dual management control (separation of duties). Safe Guarded Copy on the IBM FlashSystem family and IBM SAN Volume Controller integrates with IBM Copy Services Manager software, starting with Copy Services Manager version 6.3.0.1, leveraging its automated, built-in copy and retention scheduling, testing and ease-of-recovery capabilities. IBM Copy Services Manager also coordinates the Safe Guarded Copy function across multiple systems.

QRadar is a Security Information and Event Management (SIEM) solution that can monitor, inspect, detect, and derive insights for identifying potential threats to the data stored on IBM FlashSystem and IBM Spectrum Virtualize. It is one of the most popular SIEM solutions on the market today. It provides powerful cyber resilience and threat detection features such as centralized visibility, flexible deployment, automated intelligence, machine learning, proactive threat hunting, and much more. The data management and storage features of IBM FlashSystem and IBM Spectrum Virtualize combined with log analysis, deep inspection, and detection of threats provided by IBM QRadar offer an excellent platform for hosting unstructured business data, reducing the impact of cyber threats, and increasing cyber resilience. QRadar can detect malicious patterns leveraging a number of data sources and analysis tools and techniques, including access logs, heuristics, correlation with logs from other systems such as network logs or server logs, network flow, and packet data, and even unknown threat vector detection using IBM Watson for Security resources. And its open architecture enables third-party interoperability so that many solutions can be integrated, making it even more scalable and robust.

QRadar can be deployed:
SIEM On-premise as hardware, software or as a virtual machine
SIEM in a cloud of choice, including AWS, Azure, Google Cloud or IBM Cloud
SIEM SaaS, with the backend infrastructure managed by IBM
SIEM as a managed service (MSIEM)

The Cyber Vault solution complements IBM Safe Guarded Copy by automatically scanning the copies that Safe Guarded Copy creates regularly, and by monitoring for signs of data corruption introduced by malware or ransomware. This scan serves two purposes. First, it can help identify a classic ransomware attack rapidly once it has started. Second, it is designed to help identify which data copies have not been affected by an attack. Armed with this information, customers are positioned to more quickly identify that an attack is underway and to more rapidly identify and recover a clean copy of their data. When preparing a response to an attack, knowing the last snapshots with no evidence of an attack can speed the determination of which snapshot to use. And since Safe Guarded Copy snapshots are on the same FlashSystem storage as operational data, recovery is designed to be faster than restoring from copies stored separately. With these advantages, FlashSystem Cyber Vault is designed to help reduce cyberattack recovery time from days to just hours.
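The Safe Guarded Copy semantics from the product notes above (copies that cannot be altered, deletion only once the retention policy allows it and only under dual management control) together with Cyber Vault's job of picking the last clean snapshot, as an added Python model. This is constructed for this page, not IBM code: the catalog class, snapshot names, roles and scan verdicts are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of a policy-controlled immutable snapshot catalog (not IBM code):
# deletion only after retention expiry and under dual control; scan verdicts pick the
# newest clean copy for recovery.
@dataclass(frozen=True)  # frozen: a catalogued copy cannot be altered in place
class Snapshot:
    name: str
    created: datetime
    retention: timedelta
    scan_clean: object = None  # True/False after the vault scan, None before

class SafeguardedCatalog:
    def __init__(self):
        self._snaps = {}

    def create(self, name, created, retention_days, scan_clean=None):
        self._snaps[name] = Snapshot(name, created, timedelta(days=retention_days), scan_clean)

    def delete(self, name, now, approvals):
        snap = self._snaps[name]
        if now < snap.created + snap.retention:
            raise PermissionError(f"{name}: retention period has not expired")
        # Separation of duties: two different people holding two different roles.
        if len({r for r, _ in approvals}) < 2 or len({u for _, u in approvals}) < 2:
            raise PermissionError(f"{name}: dual control not satisfied")
        del self._snaps[name]

    def last_clean(self):
        clean = [s for s in self._snaps.values() if s.scan_clean is True]
        return max(clean, key=lambda s: s.created).name if clean else None

def attempt(fn, *args):  # None if the operation succeeded, else the refusal reason
    try:
        fn(*args)
    except PermissionError as e:
        return str(e)

def demo():
    cat, t0 = SafeguardedCatalog(), datetime(2022, 12, 1)
    for i, clean in enumerate([True, True, False]):  # constructed scan verdicts
        cat.create(f"sgc_{i}", t0 + timedelta(days=i), 7, clean)
    two_roles = [("storage_admin", "alice"), ("security_admin", "bob")]
    one_role = [("storage_admin", "alice"), ("storage_admin", "carol")]
    day3, day8 = t0 + timedelta(days=3), t0 + timedelta(days=8)
    return {"last_clean": cat.last_clean(),
            "early_delete": attempt(cat.delete, "sgc_0", day3, two_roles),
            "single_role": attempt(cat.delete, "sgc_0", day8, one_role),
            "valid_delete": attempt(cat.delete, "sgc_0", day8, two_roles)}
```

demo() returns sgc_1 as the recovery candidate (the newest copy the scan marked clean), refuses the early and single-role deletions with their reasons, and allows the purge only after expiry with two approvers in distinct roles.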

Solution use cases
By combining the capabilities of IBM Safe Guarded Copy and IBM QRadar, organizations can develop comprehensive cyber resilience solutions that cover the Protect, Recover, and Detect functions of the NIST framework. IBM FlashSystem can log all object activity in access logs that contain all access information for storage objects. In order to identify and detect potential malicious access, and for compliance auditing purposes, such access logs should be integrated with the SIEM solution. By combining IBM FlashSystem access logs, application logs, network or server logs, flow and packet data, and discovering unknown threat vectors using IBM Watson, IBM QRadar can provide 360-degree protection to enterprise data.

IBM Cyber Resiliency solution addresses the following IT business security and resiliency challenges:
Availability of immutable copies of data (Safe Guarded backups) that cannot be altered or deleted, or mapped to host
Early threat detection for proactive data protection with logically air-gapped immutable snapshots/backups
Active monitoring for anomalies in user login activity, patterns, and operations (control and data path)
Alerting IBM Spectrum Virtualize in the event of a detected threat to take a cyber-resilience action, such as generating a Safe Guarded backup or preventing further user action
Timely identification and action to recover from your protected Safe Guarded backups

The combined solution is easy to deploy:
IBM FlashSystem is configured to forward audit logs to IBM QRadar, but it can send event logs to any SIEM. These logs contain information about every control-path action, including but not limited to volume creation, deletion or resize, or user creation, executed using either the CLI or the GUI.
Similar to IBM FlashSystem, applications are also configured to log application-related events and forward them using the operating system’s standard log forwarding mechanism.
IBM QRadar is configured to receive any forwarded events, normalize them and persistently store them.
When the logs are in IBM QRadar, an administrator can set various rules, map log relationships, and configure additional parameters to detect potential malicious data access.
Based on analysis and threat detection, IBM QRadar can invoke custom scripts or cyber resilience workflow such as Safe Guarded Copy invocation to protect the data.
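The detection step of the workflow above (rules over forwarded FlashSystem audit events that end in a protective action), as an added Python example that is not IBM's or QRadar's own rule syntax: it parses constructed audit lines, counts destructive control-path commands per user in a sliding time window, and emits the response the workflow describes. The line layout, the host name and the command set are assumptions, modelled loosely on Spectrum Virtualize CLI names rather than taken from the real audit log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines in a syslog-like shape. The field layout and the
# host name are assumptions for this example, not the real FlashSystem audit log
# format; command names are modelled on the Spectrum Virtualize CLI mentioned above.
SAMPLE_LOG = """\
2022-12-10T09:00:01Z fs9200 audit user=alice cmd=mkvdisk args="-size 100 -unit gb"
2022-12-10T09:00:05Z fs9200 audit user=superuser cmd=lsvdisk args=""
2022-12-10T09:01:10Z fs9200 audit user=svc_backup cmd=rmvdisk args="-force vol01"
2022-12-10T09:01:12Z fs9200 audit user=svc_backup cmd=rmvdisk args="-force vol02"
2022-12-10T09:01:15Z fs9200 audit user=svc_backup cmd=rmvdisk args="-force vol03"
2022-12-10T09:01:20Z fs9200 audit user=svc_backup cmd=rmvdisk args="-force vol04"
2022-12-10T09:30:00Z fs9200 audit user=bob cmd=expandvdisksize args="-size 10 -unit gb vol05"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) audit user=(?P<user>\S+) cmd=(?P<cmd>\S+)')
DESTRUCTIVE = {"rmvdisk", "rmvolume", "shrinkvdisksize", "rmuser"}  # assumed watch-list

def parse(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["host"], m["user"], m["cmd"]

def detect_destructive_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Rule: at least `threshold` destructive control-path commands by one user
    inside `window` raises an alert; the recommended response mirrors the
    workflow above (take a protective Safe Guarded Copy, then block the user)."""
    recent = defaultdict(deque)
    alerts = []
    for ts, host, user, cmd in parse(text):
        if cmd not in DESTRUCTIVE:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"host": host, "user": user, "count": len(q), "at": ts.isoformat(),
                           "actions": ["trigger_safeguarded_copy", "block_user"]})
            q.clear()  # one alert per burst
    return alerts
```

On the sample above the rule fires once, for svc_backup at 09:01:15 after three rmvdisk calls within a minute; alice's volume creation and bob's resize never count.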

IBM QRadar and IBM FlashSystem cyber resilience solution overview
IBM QRadar collects data from extensive data sources, then applies correlation and deep inspection to gain exceptionally accurate and actionable insights. Once threats are identified, administrators can respond quickly to mitigate or reduce the impact of incidents and increase cyber resilience across the entire business application environment.

Cyber resilience assessments
In addition to the capabilities of IBM Spectrum Virtualize, IBM FlashSystem and IBM QRadar, IBM's ethical hacking team offers, as a professional service, a Cyber Incident Response Assessment: a multi-phase approach that includes a workshop, implementation services, and health checks that help organizations assess their needs, develop strategies, and deploy and configure solutions to support cyber resilience. Also based on the NIST Security Framework, the Storage Cyber Resiliency Assessment Tool (CRAT) provides a mechanism to evaluate your organization's current data protection state, identify gaps, strengths and weaknesses, and provide recommendations to build an effective cyber resilience plan.
