Protect and recover databases from ransomware attacks
Good morning everyone, and thank you for the opportunity of being here and listening to me talking about ransomware and how to protect and recover databases. Ransomware is the topic, but the key words I'd like you to consider and focus on are protect and recover; that's what we're going to talk about.

Cyber attacks today are really the next generation of business outages. Historically, data protection has always been focused on disaster recovery: basically we were focusing and looking at hardware failures, natural disasters, power failures, those types of things, where data loss, outages and IT issues were kind of a side effect of the problem. Now cyber attacks are definitely becoming the largest security threat, and the point is that those attacks are designed specifically to paralyze your IT environment and basically cause business outages, and there are not only financial and legal consequences but also reputation problems.

I have a short list here, and there's news every day of ransomware attacks. The first one I have here is the University of California San Francisco. They were attacked and all their research data was basically locked and made unavailable to the researchers and everyone; they didn't have a good backup, they were not able to recover, and they had to pay the ransom. The reason why it made the news is that because it's a public university they were forced to publish in their report the fact that they were attacked, and also the fact that they had to pay 1.1 million dollars to get the data back. Financial services are attacked, according to a report from Boston Consulting, 300 times more than other sectors, but no one is really in a safe position: all industries, all sectors, all types of companies are constantly attacked.

I have a little more here: the frequency of ransomware attacks is growing, and according to this report from Embroker we went from around one attack every 40 seconds in 2016 to one attack every 11 seconds in 2021. Again, there are a number of reports; the FBI reports over 4,000 attacks every day that cost US organizations more than seven billion in 2018, and the average cost to remediate this type of attack is close to 2 million. Probably the most staggering statistic about this is the average downtime: 19 days. Now imagine what it means to be for 19 days without access to your IT and the tools that the company needs to do business, and especially now, given that that's our main focus, imagine if you are for 19 days without access to your databases. Even just a short outage of minutes can impact hundreds of thousands of transactions, which means lost orders, which means millions of dollars in damages; imagine being out and not having access to your databases for 19 days. As I was saying before, it's not just a matter of healthcare and financial, which are usually considered the most targeted industries for ransomware, but really no one is safe. The slides are also from Embroker and you have the links here; if you want you can go and read the reports, it's quite interesting. As I said, there are different types of attacks, and different types of attacks can have different effects on different industries, some are more complicated or more damaging, but the point that I want to make here is that really no one is safe.

So what happens, what are we really talking about when we talk about a ransomware attack? Nowadays there is a big change; some also start calling this type of attack ransomware as a service, and it's not the time anymore where it was just one laptop of one employee infected that clicked on an email or something and got just its local files encrypted, and maybe a network share or something like that. Now attackers are really organized: they are sophisticated, they are very, very good at what they do, and they really set up some kind of command and control centers, and from there they start their operation. They plan for their attack, targeting and identifying the targets and what they're going to do, and then they start pushing out the type of attack vectors that they want to use. Normally it's phishing emails, SMS; software upgrades is something that's been seen a few times, where malware was embedded into a corrupted software upgrade, so customers downloaded an upgrade for the software they owned, installed it, and they were attacked in this way. Again, this is not just a simple malware, it's not just the crypto locker itself that comes with it; these malwares are really agents that are installed on the target computer, and from these command and control centers they really take control of these agents, and they can be sitting there for quite some time. From there they start, usually, credential harvesting, so they start trying to identify what type of users and passwords they can see, and you wouldn't believe how many customers, and sometimes I have to say companies that are doing outsourcing and doing database management for customers, just use Excel files with all the users and their passwords, Excel files on the desktop of the laptop of the users. So through these agents, once they can get access to that type of information, they start basically identifying what applications are used, what databases are there, what credentials they can get, and they start moving laterally. They start attacking specifically storage, storage mount points, applications, databases, whatever they can get onto, with particular attention to backup systems: they try to identify what type of backup system you are using, they know how to treat them, they know how to render them inoperable, going to the point of deleting existing backups or rendering the backup device inoperable, with the objective of preventing you from recovering, because they know that your last resort is restoring from a good backup. If you can restore from a good backup and you're not losing a lot of data, you can avoid paying the ransom, and that's not what they want. When everything falls in line and everything is done, obviously part of this process, as you are well aware, is also exfiltrating the data. They steal data because they also try to threaten you: in case you try to ignore our requests and try to restore from backup, you know that we have a copy of your data and we will publish it, and you may not be happy with your business data or your customer data out there on the internet. So they try to steal data and also have this second threat to use, and when they're done they send you the ransom request. Again, this is really a sophisticated process, it's not just a simple crypto locker malware that locks your data. As I was saying, it takes time to do all of this; from the same Embroker report, on average the time to discover that the systems were breached is around 197 days, so almost a year that the customer had some agents and malware and criminals actually lurking and working on the systems, totally unknown. Obviously the sooner you identify this, the lower the cost of remediating: the companies that were able to identify the breach within 30 days saved more than one million. Again, this is just statistics, but it's really to give you the perspective of how sophisticated this type of attack is and how long it takes.

So, focusing on databases specifically, what can you do? I want to mention this because, again, this is not the focus, but on Oracle databases there are a number of tools, products and features that come with the Oracle database that can help you discover the breach as early as possible when it happens, and make the life of those criminals that are trying to do what I just described more complicated. You have tools like TDE, Transparent Data Encryption: encrypt the data in your database, because again there is the risk of exfiltration, so even if someone is able to access the database server and steal your database files, they would not be able to publish the data, they would not be able to find what's in there, because the data is encrypted. You can use Oracle Key Vault, which is a key manager, to store the TDE encryption keys on an external secure server, so again, if the database server is attacked, the data is encrypted and the keys are not there. There are other tools like Database Vault, Data Redaction; again, this is not the focus, so I don't want to really go into this at this point, and Peter later will have something to say about this too, but I want to give you the overview of all the tools that are there and the actions that you can take to assess and identify what the situation is, to prevent attacks from happening and also to detect them quickly. So you can use things like Database Firewall, for example, to filter all the SQL requests going into the database and be able to detect attempts to attack through SQL on your database, and obviously detect and report and store everything in Data Safe and Audit Vault, where you can run reports. Again, all of this with the purpose of identifying as quickly as possible that a breach happened and to limit the risk of the side effects of stolen data. But that's not all: if you look at this example of the data security maturity model, the foundation is always data recoverability. The first thing that you should look at is making sure that, whatever happens, you have a valid, secure backup of your data that you can restore quickly and that you can restore up to the closest point in time, the closest time to the attack: minimizing data loss, basically zeroing in on minimizing data loss; restoring fast, in a timely manner, with minimal impact to the business and with validated data; possibly maintaining a copy of your data in an isolated zone where it's even more protected. That's what I want to focus on and that's what we're going to talk about.

So if we put it back on the life cycle of the ransomware attack that I showed you before, this is where we are: we are at the point where we want to secure backups. We want the attackers, first of all, not to be able to compromise your backups, and we want to be able to capture all the data up to the closest point in time to the attack. Then, going back, there are the other things that I was mentioning: TDE and security on a hardened Exadata infrastructure, so having the database storage not accessible to everyone, for example, to protect your data; using Audit Vault, Database Firewall, or using the security assessment tool to make sure that user accounts, privileges and roles are verified, so your roles are protected, you don't have unsecured users out there, etc. All the things that you can do, and that again we will not talk about in more detail now, to try to prevent attacks. But the point is, if it happens, if the attack happens, if it's successful, what can you do? That's where the Zero Data Loss Recovery Appliance comes into place, providing exactly those features: the ability to have transaction-level protection, the ability to be configured in an air-gapped architecture with a secure copy in a normally disconnected location, etc. That's what I would like to talk about a little bit more in the next few minutes, with the purpose of not paying the ransom, being able to kind of ignore the ransom requests and restore your data and recover and be safe. Also because those are criminals, so there's no guarantee that even if you pay the ransom they will actually give you the keys to decrypt the data, because they don't care; all they care about is your money, and that's what they want.

So let me go into a little bit more detail now on what is really the focus, again protect and recover: the Zero Data Loss Recovery Appliance, and position it and describe how it is a good solution to help in protecting from ransomware attacks. We have three pillars, if you want, that you see here. Recovery assurance: the ability to have real-time transaction protection, real-time continuous recovery validation and fast database restore. Resilient architecture: with separation of duty user models (and I will talk in more detail in a moment), immutable backup policies, where you can make sure that no one can alter the backups, and the same hardened compute and storage servers I was mentioning before for Exadata, because it's actually built on an Exadata platform, so the hardware is the same as an Exadata system, and it means that there is no direct access to the storage of the Recovery Appliance; backups are not stored in an NFS mount location or something like that where it's easy for someone to get access to the content, they can only be accessed through RMAN. And the Cyber Vault architecture, the Cyber Vault deployment, where you can have an air-gap copy that is normally disconnected from the network, so an additional copy of your backups that is actually not accessible regularly on the network.

So let's go a little bit into more detail about what it is, for those of you that are less familiar or never heard about the Recovery Appliance. It's a backup appliance that can be used to back up any Oracle database on any platform, and it provides real-time protection, so every block that is updated on an Oracle database is immediately transferred from the database memory to the Recovery Appliance. Backups are also done in an incremental-forever fashion, so only the changes are copied and they are very fast. Backups are then virtualized, so they are converted into virtual full backups in the Recovery Appliance; when you do a restore, they are restored as a full backup. It supports immutable backup configuration, so you can configure policies that have a certain retention during which backups cannot be deleted or modified by anyone. As I was saying, it supports a Cyber Vault architecture, so it can be configured with a replica copy in a location that is normally disconnected. Most of the customers that are doing this are doing this through firewall rules: they have tools that open the firewall ports to connect to the Cyber Vault only at certain intervals, and that can be very short, because you only transfer an incremental backup into the Cyber Vault, and then the virtual full is created on the Cyber Vault as well, and the archive logs obviously, that's what's going to be copied; then the connection is closed, and that copy is safe and it's validated locally, so you're sure that it's not tampered with by anyone. Backups can also be copied off-site, for example to archive storage in OCI, where you can also define immutable buckets, immutable policies, where you can create rules that make the content of the bucket, or make the bucket, like a WORM storage location where you can only write and not delete or update for a certain period of time. You can also use a ZFS Storage Appliance as an additional target, again with the same immutable policies configured, and that can also be the first step; in this example you see it in the Cyber Vault, but it can also be outside of this, you can configure it however you like. TDE encryption is supported across the whole life cycle, and the important thing is validation of the data: the data is validated at every step, and I will get into more detail in a moment.

So let's talk about transaction-level protection, what it means. Normally when you back up an Oracle database to a traditional destination, what happens is that you probably use a full and incremental backup pattern that is then interleaved with archive log backups, and what happens is that you can recover up to the last backup that you have. So after you back up your last archive log you start having an unprotected window, you start having some time where you don't have any protection, until the next archive log backup is taken. So if you have an interval of, let's say, four hours between archive log backups, you potentially lose four hours of your data; if you have a ransomware attack happening and you want to restore from such a type of backup solution, you can lose up to four hours of your work. With the Recovery Appliance, as I was saying, you have real-time protection: every single block update that happens on an Oracle database is immediately transferred to the Recovery Appliance. It means that you can recover really up to the last second before a ransomware attack happened; it means that you are not losing any data, you can recover and basically start going from the last transaction before the disaster happened. This is also important when you have multiple databases, because if you have multiple databases you want them to be kind of synchronized, right? You want to be able to recover all of them to the same point in time, and if you have different archive log backup policies on different databases, you may end up losing even more time than what you have, just because for one of the databases you don't have exactly the same time covered as another one, so you have to go back a little more. With the Recovery Appliance, as I was saying, you can really go to the last transaction, so you have total consistency across your whole database fleet, and you can recover really all of them to the same time.

The backups, as I was saying, are virtual, and what it means is that we use this incremental-forever pattern. It means that only the first backup taken to the Recovery Appliance is a full backup, and after that, for the life of the database, you are only taking incremental backups. So on day one you have your day one backup, which is the full; on day two you back up only the changes, and only the changed blocks are sent to the Recovery Appliance, so the backup is short, it's very fast, and inside the Recovery Appliance a virtual full is created combining the blocks from the previous day with the blocks of day two, so the blocks from the full on day one with the blocks that changed on day two, and a virtual full is created. There is no merge process, there is no data movement here; it's just this kind of creation of a set of virtual pointers, and you have your full backup representation for day two. This keeps going forever; there's no need to take a full backup anymore, and this allows us to have very fast backups. It also means that, again, when you use a Cyber Vault replica, you are only transferring the changes, so only the incrementals, to the Cyber Vault, so the Cyber Vault can always be open for a very short period of time, where the incremental plus some archive logs are transferred, and then it can be closed, the firewall can be closed again, and the virtual full, so this same process, happens also in the Cyber Vault. The other advantage of this is that when you want to do a restore you are always restoring a full backup: you don't have to worry about restoring a full and then doing the recovery through all the incrementals, because for every incremental backup you send to the Recovery Appliance you have a virtual full backup at that time, so then you can restore to any time that you have protected.

The other important topic that we're going to talk about is validation. The Recovery Appliance knows what an Oracle block is; it means that validation is not just a simple kind of storage-agnostic, block-level validation, but it's really done at the Oracle block level, and RMAN also does the same type of validation. It means that if a ransomware attack, if any type of attack, happens on an Oracle database that tries to tamper with Oracle data, because again we just use RMAN to transfer the data to the Recovery Appliance, we only move Oracle blocks, and any attempt to tamper with Oracle data would be detected by RMAN, because an invalid Oracle block would be detected, so the backup would be blocked. So if something happens on the database, and we want to entertain the idea that someone can try to tamper with Oracle data on a database server, that data is not going to reach the Recovery Appliance, because RMAN would block it; it would be detected the moment RMAN tries to read the block. If we want to consider the idea that something may happen in transit over the network when the data is transferred to the Recovery Appliance, the same thing happens when the data is received, because when the Recovery Appliance receives the backup data it actually opens the backup file that RMAN sent and it indexes all the blocks and validates all the blocks, and if an Oracle block has invalid data in it, it would be detected. So if we want to assume that anything happens, even in transit or on the Recovery Appliance, it is detected, because it would fail the validation. The same thing happens at every step: when it's copied to a ZFS destination, to the cloud, again the data movement is done the same way and the data is validated again; similarly on the Cyber Vault, the data is validated when it's transferred and when it's received on the replica appliance in the Cyber Vault. This also means that we don't need, in the Cyber Vault, complicated architectures including database servers to do validation of the data in the Cyber Vault, because the validation is done by the Recovery Appliance itself, so if the data is there it means that it's valid and it's good.

In terms of separation of duty, what does it mean? It means that you can have DBAs, database administrators, that take care of the databases only: they can initiate backups, they can initiate restores of the databases, but that's it, they have no access to the Recovery Appliance. Also, the Recovery Appliance can be configured in a way that RMAN delete commands are rejected, so the DBA would not be allowed to run an RMAN delete backup command to delete specific backups. The Recovery Appliance is managed by Recovery Appliance administrators; the Recovery Appliance administrators define the policies on the Recovery Appliance that determine for how long the backups must be kept, so what the retention on the Recovery Appliance is, and this is not controlled by the DBAs, it is controlled by the Recovery Appliance administrators. Similarly, the Recovery Appliance in the Cyber Vault can have different Recovery Appliance administrators, so different users, different personas, and this limits even more the ability for someone to steal the credentials of DBAs, for example, log into RMAN and do a delete backup command and delete all the backups for certain databases, because it would not work. At the same time, if someone was able to find the credentials of a Recovery Appliance administrator, they may do something on one Recovery Appliance but not the other one, and also not have access to the databases directly. So the process I described before, through which these criminals try to move laterally across different systems, becomes a lot more complicated.

There are also immutable backups that can be configured, so the Recovery Appliance administrators can set, in addition to the recovery window goal, which is the goal and the retention time that is configured for the Recovery Appliance, an immutable window. It means that there is a period of time during which no one can ever change the retention for those backups. An administrator can change the policy and reduce that, but the backups that were taken when, like in this example, the immutable window was 60 days will live there for 60 days no matter what. Similarly, a different policy but with the same concept can be configured in the Cyber Vault, and also on OCI buckets, where you can attach what is called a retention rule on a bucket, making it, as I was saying before, a WORM type bucket, and you can set whatever type of retention: it can be seven years, like the example, which is more a kind of regulatory compliance type of retention, or it can be just, I don't know, seven days or whatever; it's usually shorter just for ransomware protection. So you make sure that even if someone can get access to the bucket where the backups are located, it would be impossible to delete them, because the actual cloud infrastructure would prevent that from happening. When backups are sent to the cloud, as I was saying before, it can also be for compliance reasons, not only, but in that case it's more a kind of long-term retention type of backup that is sent there, and it can be stored both in the standard tier or in the archive tier, which is more cost effective, and it eliminates the need for tape vaulting. So if you have the requirement of storing backups off-site and keeping them for a long period of time, you can do that, sending them from a Recovery Appliance to the cloud, and those backups sent to the cloud are in standard RMAN format. It means that they can be restored directly without a Recovery Appliance; so if you assume that you may lose your data center completely and the Recovery Appliance is not available, you can still restore just using RMAN and the backups that are in the cloud buckets, and you can also restore them into cloud instances directly. So if you do it for compliance and you need to be able to restore just for, I don't know, accessing some old data or whatever, for auditing purposes, you can spin up an instance in the cloud, restore into the Database Cloud Service or Exadata Cloud Service, whatever, restore the database there, use it for whatever you need, and then you can destroy it and not pay for it anymore. All the backups in the cloud are encrypted; encryption keys are stored in Oracle Key Vault, and again, I think this is the third time I'm saying this already, buckets can be configured as regulatory compliance buckets, so with retention rules preventing deletion.

Before closing this, I wanted to mention a few more things, one of them a couple of examples of what customers are doing. This is a large global financial institution, a global bank, and they have been using the Recovery Appliance for some time. They have a quite large environment, a lot of databases, 8,000 or more databases, 18 petabytes of backups, but they recently started using a kind of Cyber Vault configuration with a replica Recovery Appliance, and also using traditional tapes, moving and copying data to tape for an additional layer of protection, so their backup and recovery operations improved and are four times faster now. About savings, that's the other thing that I wanted to mention: I think someone should be able to post the link here, but otherwise when you get the slides you'll be able to find it; there is an interesting report from IDC specifically on the business value of the Recovery Appliance, and they did a nice exercise, interviewing customers, etc., and they found out that there's an average six-month payback, four times faster backups, five times faster recoveries, and 100% RTO/RPO improvement. This is a quote from one of the customers that they interviewed about the improvement of efficiencies on the back end: they went from 20 hours once a week and now down to minutes in terms of backing up the databases.

So, to summarize this before handing back to Peter (I hope I didn't take all the time): ransomware breaches can be devastating, I think we'll agree on this; there's a material impact on revenue and also on trust and reputation of the company. Attacks are increasingly complex and sophisticated, and they become more complex and sophisticated by the day, so this type of problem requires a modern data protection solution, and data recoverability is, as I was saying before, a pillar and the foundation, if you want. Ransomware protection goes beyond traditional backup and recovery, and you need to include in this also integrity and availability of your databases, and for this the Recovery Appliance is the world's best Oracle data protection: it is designed by the same team that designed RMAN, so that obviously owns everything around protecting and recovering an Oracle database; it has recovery assurance, it has a resilient architecture, it can be deployed in the Cyber Vault, and it's deeply integrated with the Oracle database. Thank you.
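To make the incremental-forever virtual fulls, the block-level validation on ingest, and the immutable window described in the talk concrete, here is an added toy model in Python. It is a constructed illustration, not Oracle's or the Recovery Appliance's code: the block format, the checksum, the `Appliance` class and the role name `ra_admin` are all assumptions.

```python
# Toy model of incremental-forever backups with virtual fulls, block-level
# validation on ingest, and an immutable deletion window. Constructed
# illustration only; block format, checksum and policy names are assumptions,
# not the Recovery Appliance's or RMAN's real implementation.
import hashlib
from typing import Dict, List, Tuple

HEADER_LEN = 4


class InvalidBlock(ValueError):
    """Raised when a block fails validation on ingest (backup is rejected)."""


def block_checksum(payload: bytes) -> bytes:
    # Stand-in for the per-block checksum an Oracle block header carries.
    return hashlib.sha256(payload).digest()[:HEADER_LEN]


def make_block(payload: bytes) -> bytes:
    """Build a block: checksum header followed by the payload (constructed format)."""
    return block_checksum(payload) + payload


def validate_block(block: bytes) -> bool:
    return len(block) > HEADER_LEN and block[:HEADER_LEN] == block_checksum(block[HEADER_LEN:])


class Appliance:
    def __init__(self, immutable_window_days: int) -> None:
        self.store: Dict[str, bytes] = {}                            # content hash -> block
        self.virtual_fulls: List[Tuple[int, Dict[int, str]]] = []   # (day, dba -> hash)
        self.immutable_window_days = immutable_window_days

    def ingest(self, day: int, blocks: Dict[int, bytes]) -> int:
        """Receive day 1's full or a later incremental; return how many blocks were
        newly stored. Every block is validated before anything is indexed, so one
        tampered block rejects the whole backup set."""
        for dba, blk in blocks.items():
            if not validate_block(blk):
                raise InvalidBlock(f"block {dba} fails checksum; backup rejected")
        pointers = dict(self.virtual_fulls[-1][1]) if self.virtual_fulls else {}
        new = 0
        for dba, blk in blocks.items():
            h = hashlib.sha256(blk).hexdigest()
            if h not in self.store:
                self.store[h] = blk
                new += 1
            pointers[dba] = h   # pointer update only; unchanged blocks are not copied
        self.virtual_fulls.append((day, pointers))
        return new

    def restore(self, day: int) -> Dict[int, bytes]:
        """Restore as a full backup from the latest virtual full at or before `day`."""
        for d, pointers in reversed(self.virtual_fulls):
            if d <= day:
                return {dba: self.store[h] for dba, h in pointers.items()}
        raise KeyError(f"no backup at or before day {day}")

    def delete_backup(self, day: int, today: int, role: str) -> bool:
        """DBAs cannot delete at all; appliance admins cannot delete inside the window."""
        if role != "ra_admin":
            return False
        if today - day < self.immutable_window_days:
            return False
        self.virtual_fulls = [(d, p) for d, p in self.virtual_fulls if d != day]
        return True


def demo() -> dict:
    """Two days of backups, one tamper attempt and three delete attempts (constructed data)."""
    ra = Appliance(immutable_window_days=60)
    day1 = {dba: make_block(f"row-{dba}-v1".encode()) for dba in range(4)}
    stored_day1 = ra.ingest(1, day1)                      # full: 4 blocks stored
    day2 = {2: make_block(b"row-2-v2")}                   # only block 2 changed
    stored_day2 = ra.ingest(2, day2)                      # incremental: 1 block stored
    tampered = bytearray(make_block(b"row-3-v2"))
    tampered[-1] ^= 0xFF                                  # payload altered after checksum
    try:
        ra.ingest(3, {3: bytes(tampered)})
        rejected = False
    except InvalidBlock:
        rejected = True
    return {
        "stored_day1": stored_day1,
        "stored_day2": stored_day2,
        "day2_block2": ra.restore(2)[2][HEADER_LEN:],
        "day1_block2": ra.restore(1)[2][HEADER_LEN:],
        "tamper_rejected": rejected,
        "backups_kept": len(ra.virtual_fulls),
        "dba_delete": ra.delete_backup(1, today=30, role="dba"),
        "admin_delete_in_window": ra.delete_backup(1, today=30, role="ra_admin"),
        "admin_delete_after_window": ra.delete_backup(1, today=61, role="ra_admin"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```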
2023-02-02 16:23