Once again, IBM TechU live event is virtual. The COVID-19 pandemic has not been kind to the IT Conference industry. This is a 4-day live event October 25-28, with the option to watch replays until December 28. Here is my summary for Day 2.

This post is part of a four-part series: [Day 1], [Day 2], [Day 3], and [Day 4]

[s203974] Cyber attack: It’s not IF but WHEN. Will you know how to respond

Greg Tevis, VP of Strategy at Cobalt Iron, and Chris Snell, Senior Solution Architect at Cobalt Iron, presented this session. Cobalt Iron is a third-party Independent Software Vendor (ISV) that provides ransomware protection for the backup landscape, using IBM Spectrum Protect.

The session started with an example ransomware demand notice. Your data has been encrypted, in place, with a unique private/public key pair. The private key will be available for a price for only 72 hours, after which the private key will be deleted, and you will not be able to decrypt your data.

A recent study shows that 80 percent of organizations that paid a ransom were hit by a second attack, and almost half were hit by the same threat group! Sadly, only 8 percent of organizations that paid ransom got all their data back.

Typical attack points are: Primary workloads, Backup management servers, Backup storage and catalogs, and the Network itself.

Why not just recover the data instead of paying the ransom? Several challenges inlcude: limited bandwidth, complex processes and prerequisites, lack of expertise, and untested/unvalidated recovery procedures.

In an example case study, the attack was against the Active Directory Domain Controller on a Windows Server. Immediately, the customer turned off replication, deferred taking new backups, and turned off expiration of existing backups. Everyone is asked to change their passwords. The company purchased additional cloud resources and did pre-attack vs post-attack differential analysis. Result: they were able to restore 1,200 servers, no data loss and no ransom paid!

The session ended explaining Cobalt Iron's Compass Cyber Shield™ offering.

[s203968] IBM Data Resilience Vision and Roadmap

Del Hoobler, IBM Program Director, Product Management for IBM Spectrum Protect Systems, presented this NDA session.

A few of my readers have asked me why I am attending these TechU sessions live, when I could just watch the replays later in the day at a more reasonable hour. There are two reasons:

1. The real-time chat and Question/Answer (Q&A) panel provides some insight on what the audience is most interested in. While the pre-recording is playing live, the speaker and other assistants can address these questions and comments without disrupting the presentation flow.
2. Sessions like this one, which are protected under a Non-Disclosure Agreement (NDA), are only available live, no replays available.

[s204116] Cyber Resilience: Cutting through the hype

Nile Zahran, Head of Product Innovation at Predatar (pictured on the left), and Alistair Mackenzie, CEO at Predatar (pictured on the right), jointly presented this session.

Predatar is a third-party independent software vendor (ISV) that provides automation and orchestration software that adds value to existing Spectrum Protect and Spectrum Protect Plus deployments.

Data loss can happen for many reasons, including natural disaster, user error, hardware failure, and now also cyber crime. There are many ways to help mitigate this, including data snapshots, system clustering, and geo-dispersion. Recovering can be complicated by having different backup methods for different workloads.

Most people will tell you that you need four fundamentals to ensure your recoverability:

1. Air Gap - this is a physical network gap between the internet cyber criminals can access, and your backup copies, such as tape removed from an automated tape library and stored on a shelf in a vault.
2. Immutability - sometimes referred to as "logical air-gap" or Write-Once-Read-Many (WORM). This applies to copies of data that cannot be altered or deleted. In some cases, the protection is done through software enforcement.
3. Encryption - encryption has been around for awhile, but now is pervasive, mature, and fast enough on today's processors.
4. 3rd Copies - this is often referred to as the "3-2-1" rule, a backup strategy that simply states you should have 3 copies of your data (your production data and 2 backup copies) on two different media (flash, disk or tape) with one copy off-site for disaster recovery.

Nile then narrated a live demo of their Predatar software.

[s204187] How is Recovering from a Large Scale Cyber Attack Different than a Disaster Recovery

Dan Thompson, IBM Storage Software Technical Specialist, presented this session.

While Cyber attacks are now considered the #1 threat, they represent only 23 percent of all outages. Scan-and-exploit attacks have surpassed email phishing. Mostly Microsoft Windows machines are the target, but the IBM X-Force team is now seeing new families of Linux malware.

The Verizon 2020 Data Breaches Report reviewed over 40,000 security incidents, of which over 2,000 were confirmed data breaches of public sector, healthcare, financial, and education facilities. About 30 percent of these involved internal actors (such as disgruntled employees) that provides reason to adopt a Zero Trust approach.

Unlike a large-scale recovery from a natural disaster, with critical systems up and running within days, the recovery after cyber attack may take weeks or even months to recover. This is because backups and snapshots that you normally rely on for recovery could also be corrupted, and you are recovering into a "hostile" environment that may still have malware deployed or other exposures during the recovery process.

Cyber resiliency is the ability of an organization to continue to function with the least amount of disruption in the face of cyber attacks. The United States National Institute of Standards and Technology [NIST.gov] has developed a five-part standard for dealing with Cyber Resilience:

1. Identify - it is important for you to know what you have, your workloads, your resources, and their importance to your business
2. Protect - this includes both protecting against access, encryption and security, as well as data protection with backup software like IBM Spectrum Protect and Spectrum Protect Plus.
3. Detect - again, this is both detection from the access side, such as using IBM QRadar and analyzing access logs, as well as in data protection. For example, IBM Spectrum Protect has ransomware detection by noticing changes in patterns, ingest volume, and changes in deduplication rate.
4. Respond - Not surprisingly, companies are slow to respond. Either because they don't know how to respond, who is authorized to respond, or they are afraid of the consequences. After analysis, the choices are often to pay the ransom, in Bitcoin or other cryptocurrency, and receive a decryption key, or not pay the ransom, and perform a recovery and hope the hackers do not expose any data they had access to your competitors or the public. In either case, the company may need to notify law enforcement, stakeholders, business partners, and customers
5. Recover - if clean backups are available, recovery needs to be planned and executed

Dan's recommendations included hardening the backup systems, consider read-only point-in-time copies, and ensure critical backups are stored on non-disk storage such as tape or cloud object storage. IBM Spectrum Protect can be supplemented with something like IBM Security SOAR, formerly Resilient, which is designed to help your security team respond to cyber-threats with confidence, automate with intelligence, and collaborate with consistency.

Today's topics all mentioned Cyber Resiliency. The risks are increasing for the theft of data and ransom money, as well as the disruption to operations.  IBM offers solutions for both security and data protection.