Protecting Against Ransomware with Cohesity

Protecting Against Ransomware with Cohesity:

As most of you are aware, 2020 has been especially riddled with Ransomware attacks against large corporations. However, large corporations are not the only ones under attack. These attacks are against all types of businesses from the largest corporations all the way down to the small mom and pop businesses. Government agencies to include federal, state, and local are under constant attack as well.

The most notable ransomware attacks that most have heard about include Garmin, Travelex, University of California San Francisco, Honda, and Canon USA. Click on the appropriate company name to go to an article specific to that companies attack.

Most of the data protection solutions on the market (especially the legacy solutions) today have fallen pray to the above list of recent Ransomware attacks as well as many others.

To this day, not one Cohesity customer has had a successful ransomware attack to where they gained access to their Cohesity backups to delete or encrypt them and where they have followed our security hardening guidelines. That means that our customers have been able to detect, prevent, and/or recover and not have to pay any ransom whatsoever.

Here is an example of what can happen in your typical ransomware attack of today:

  • Employee clicks on link in an email and hackers gain access to your network.
  • Hacker then installs a key logger and gets an administrators credentials to systems (including your data protection system) on the network.
    • Hackers delete your backups of systems to ensure you can’t recover from backups and have to pay them the ransom.
  • If they don’t get administrator credentials to backup solution, they encrypt the backs first to again make sure you can’t recover any systems from backups and force you to pay the ransom.
  • If the company has any CCPA, GDPR, or other compliance related requirements and associated data, they collect that data.
  • They then encrypt the systems on the network.
  • Hackers notify the company that they have encrypted their systems and tell them they must pay a ransom to get the encryption keys to decrypt their systems. If they obtained any compliance related data, they also tell the company that they will publicly post the private data. If they do that, the company by law then has to publicly announce that they had a data breach. They then can be fined a very large amount of money for breaking compliance itself. This is a separate cost from the ransom.
  • Hackers typically give the company a certain time frame to pay the ransom or lose everything after that date as well as post any compliance related information on the internet.
  • If the company pays the ransom, it typically requires payment in Bitcoin because it is private and untraceable. Most companies don’t have a Bitcoin account, so they will need to pay a 3rd party company to convert the payment to Bitcoin in which the hackers will accept.
  • Once the ransom is paid, the hackers will provide all the decryption keys for every system that was encrypted.
  • The customer then has to randomly associate each decryption key to each server which can take days to do. The hackers don’t tell them which key goes to what specific server. If you have thousands of servers, that is a painfully long process all while your IT systems are still down.
  • Each virtual machine has to have twice the size of space on it in order to decrypt the system. Otherwise if there is not enough room on drive, decryption will fail until additional drive space is added. The time to go through this process can be painfully long based on how many systems need to be configured with additional storage.
  • At this point, this entire process from start to finish could be from days to weeks or more for a company to fully recover IF they pay the ransom.

For the company that has been attacked, if they have to pay the ransom due to being unable to restore from backups, this could mean a huge revenue loss for the company long term.

There are numerous costs associated to the attack:

  • The ransom itself.
  • The cost for 3rd party company to convert payment to Bitcoin.
  • Potential fines for breaking compliance due to leaked data if ransom not paid.
  • The associated cost of lost revenue due to systems being down for days, weeks, or more due to attack and recovery time frame of IT internal and externally facing services.
  • The associated cost of lost revenue due to bad reputation after personal data leaked.
  • The associated cost of massive increased hours worked by IT staff and any other employees to recover systems until they are back to normal operations.
  • Cost of new hardware/software implementation and associated man hours to implement new security measure to keep from being attacked again.
  • Legal actions against company for personal data leaked and other various reasons.

There are numerous precautions that can be taken to minimize the risk of your organization being attacked as well as recover easily and quickly to get your IT services up and running again. With that, securing your data protection (backup) solution becomes critical to protecting yourself against ransomware attacks.

How Cohesity Protects You Against Ransomware:

Cohesity takes security very serious and has extensive integrated cybersecurity in our solution. Listed below are the ways in which we protect your backups in our platform with the below principles and capabilities.

  • Reduce Attack Surface –
    • Zero trust architecture.
    • Bank-grade encryption (FIPS 140-2, NIST certified).
    • Single global platform.
    • No Windows or Linux front-end server.
  • Assess Security Posture & Vulnerabilities –
    • Vulnerability Management:
      • CyberScan App – Uncover cyber exposures and blind spots within your production environment by running on-demand and automated scans on backup snapshots against known vulnerabilities.
    • Advanced Threat Detection:
      • SentinalOne App – AI-powered prevention engine to Cohesity storage clusters, delivering the highest efficacy, lowest false positives, and most performant prevention technology. 100% signature-free and relies on machine learning models to deliver next-generation prevention. 
    • ClamAV App – Scan the files stored in the Cohesity DataPlatform directly, without sending the files to an external scanner.
    • Configuration analysis.
  • Access Management & Auditing –
    • Web UI, CLI, REST API’s all use SSL with TLS 1.2 and above.
    • Self-signed X509 certificates or company CA/certificates can be used.
    • (2FA) Two Factor Authentication (CAC / SAML).
    • Microsoft Active Directory integration and (RBAC) Role-Based Access Control.
    • Operational & file level accounting.
    • System & product level auditing.
    • Exportable granular audit logs.
    • Send logs to external syslog server.
    • Global whitelists network segments, individual IP’s, etc.
  • Data Governance / Compliance –
    • SEC 17a-f (f) certified.
    • FIPS 140-2 certified.
    • Common Criteria EAL2+ certification.
    • TAA certification.
    • (ATO) Authority to Operate.
    • Certified for AWS Govcloud, C2S, and Azure Govcloud.
    • GDPR / CCPA Governance –
      • Global actionable search.
      • We reduced copies of data on average from 8-10 copies to potentially 1-2 copies.
  • Defend –
    • Immutable file system.
    • DataLock / (WORM) Write-Once-Read-Many.
    • Provides a virtual “air gap”.
  • Detect –
    • Helios machine learning driven anomaly detection.
      • Daily change rate on Logical data.
      • Daily change rate on stored data.
      • Pattern based on historical data ingest.
  • Respond –
    • Google-like global actionable search.
    • Instant mass restore – Recover hundreds or more virtual machines and have services up and running in the matter of minutes.
    • Salable file system to store years worth of backup copies.

Additional Resources – Cohesity & Ransomware Protection:

Cohesity & Pure Storage Partnership Announcement

On August 12, 2020, Cohesity has officially announced the partnership with Pure Storage for their joint solution called Pure FlashRecover – Powered by Cohesity which is the industry’s first jointly-engineered all-flash modern data protection solution for rapid recovery, ransomware protection, and reuse of data.

Pure and Cohesity have formed this partnership based on strong customer demand for an integrated all-flash data protection solution that empowers customers to easily, quickly, and reliably back up and recover their data at scale. The companies have also formed this partnership at a time when more customers are embracing cloud services and are seeking ransomware protection.

Pure FlashRecover, Powered by Cohesity delivers all-flash data backup and recovery capabilities that enterprises require for restoring data rapidly in the face of a disaster or a ransomware attack. It enables flash-to-flash-to-cloud data protection and allows rapid, independent scaling of processing, throughput, and storage capacity for the most efficient use of all resources.

The solution also empowers organizations to future-proof data center investments and realize new levels of performance to meet growing petabyte-level recovery requirements. In addition, the solution enables backup data to be reused for analytics and DevOps, allowing multiple applications to leverage data stores on the high-performance, unified fast file and object FlashBlade platform.

By combining Cohesity DataProtect software with Pure’s unified fast file and object FlashBlade platform, the integrated solution delivers:

  • Performance: up to 3x faster backup and restore throughput than disk-based alternatives, capable of recovering thousands of virtual machines and up to 1PB of data a day to meet large-scale disaster recovery needs.
  • Integration: single-point purchasing, deployment and support all delivered through Pure, eliminating the need for customers to go through two vendors. Pure is now a Cohesity Technology Partner and the companies have committed to joint innovation.
  • Scalability: disaggregated compute and storage to enable independent scaling for backup / recovery processing, throughput, and storage capacity for the most efficient use of resources.
  • Simplicity: ease of management provided by cloud integration that enables flash-to-flash-to-cloud backup and recovery, low-cost public cloud storage for long-term retention, and non-disruptive upgrades.

Availability
Pure FlashRecover, Powered by Cohesity is being tested by joint customers today and will be generally available in the United States in Q4 CY2020 and in countries outside the United States in the coming quarters.

For More Information
To find out how your organization can leverage the benefits of Pure FlashRecover, Powered by Cohesity, visit:

For the full announcement on the Cohesity Blog page, see the below link.

Announcement (Blog): https://www.cohesity.com/press/pure-storage-and-cohesity-forge-strategic-partnership-to-deliver-rapid-recovery-at-scale/

Cohesity Data Protection DEMO (Short)

Cohesity Data Protection DEMO (Short): https://youtu.be/PxT4zBS-L68

In this demo, I do a quick run through of the Cohesity 6.4.1 user interface related to the Data Protection use case specifically. This is not meant to be a complete demo of the entire interface and functionality, just a quick overview for the Data Protection use case only.

I start off by showing the types of sources you can connect to such as External Cloud Providers (AWS, Azure, GCP, etc.) as well as hypervisors, physical servers, databases, O365, Active Directory, NAS, etc.

Then I show how simple it is to create policies so that you can do local and long term retention, replication to other clusters, archive to the cloud, database logs, and much more.

The next step is to create a protection jobs for the various sources we mentioned above. We select the appropriate policy to associate to this protection job, and set various other settings such as QOA policy, SLA time frame, priority, etc.

If you would like to see a complete demo of the entire interface of our new 6.5.0 version, see my other video titled “Cohesity 6.5 User Interface Overview (DEMO)“…Click Here!

Cohesity 6.5 User Interface Overview (DEMO)

Cohesity 6.5 User Interface

Cohesity 6.5 User Interface Overview (DEMO): https://youtu.be/S-JfmpeUe7I

Want to know more about the new Cohesity 6.5 (UI) User Interface and all the core capabilities, watch the below video of the demo. Not all capabilities (old and new) are covered in this demo, it is meant to provide an overview of the core capabilities.

Topics covered in this demo:

  • Registering Sources
  • Registering External Sources
  • Creating Policies
  • Creating Protection Jobs
  • Restores (File & Virtual Machine)
  • Clone Virtual Machine
  • Creating Views/Shares (SMB/NFS/S3)
  • Cohesity Marketplace Apps
  • Reporting
  • System Information

What’s New in 6.5:

  • Comprehensive Protection for Kubernetes Namespaces
  • (CDP) Continuous Data Protection for Mission-Critical Virtual Machines
  • Heterogenous Cluster Support
  • ROBO Appliance Availability
  • Dramatically Faster SQL Database Migration
  • Higher Data Resiliency
  • Runbook Automation for VMware Failover (DR)
  • Helios Mobile App

For more detailed information on what’s new in Cohesity 6.5, see the below link.
https://www.cohesity.com/blog/cohesity-pegasus-6-5-innovation-doesnt-have-to-be-zero-sum-game/

Cohesity Public Website: https://www.cohesity.com/

Backing Up & Restoring Active Directory With Cohesity 6.5

Backing Up & Restoring Active Directory With Cohesity 6.5: https://www.youtube.com/watch?v=azFuXXZpW68

In this video, I quickly run through how to connect to (AD) Active Directory as a source and register it as an Active Directory server using our latest software version 6.5. Then I show a Active Directory protection job I had already ran previously. And finally, I show how easy it is to perform a Active Directory restore of a user account in which I deleted at the beginning of the video.

Cohesity has an agent install that allows us to do granular backups and recoveries of Microsoft’s Active Directory objects. Anyone that has had to do an “Authoritative AD Restore” in their day knows how painful that can be after someone has deleted an entire (OU) Organizational Unit from Active Directory!

With Cohesity, you are able to backup the entire Active Directory database. Then do a granular restore of a single or multiple AD objects. The user interface presents you a comparison screen to show what AD objects are missing compared to a previous backup snapshot making it easy to see what has been deleted.

If you have enabled the AD Recycle Bin feature, we will restore it from there to ensure all the properties of the AD object are restored with it. If you do not have AD Recycling Bin enabled, we will restore the object but may be missing some properties in the same way it would with an Authoritative Restore after the Tombstone period has passed.

So system administrators can celebrate…no more are the days of doing an “Authoritative Restore” on your Domain Controllers! It is now quick and easy to restore an object.

Cohesity Public Website: https://www.cohesity.com/

Cohesity Documentation (Active Directory): https://docs.cohesity.com/6_5/Web/UserGuide/Content/Doc/ActiveDirectory.htm?tocpath=MS%20Active%20Directory%7C_____0

Backing Up, Restoring, & Cloning SQL Databases With Cohesity (v6.4.1)

Backing Up, Restoring, & Cloning SQL Databases With Cohesity (v6.4.1): https://www.youtube.com/watch?v=oUfYxIuWhD8

In this video, I will show you how to register SQL servers as a source in the Cohesity version 6.4.1 user interface. Then I show how to create two protection jobs, one for a stand-alone SQL server and another for a SQL AAG.

Then we walk through how to recover the SQL (AAG) Always on Availability Groups database to the stand-alone SQL server as well as clone it. The we wrap up by taking a quick look at the SQL Dashboard.

Cohesity has an agent install that allows us to do more granular backups and restores to SQL databases. You can protect stand-alone, clustered and (AAG) Always on Availability Groups SQL servers. You can use our “Auto-Protect” feature so that when a new SQL server has been added to a SQL cluster or AAG, it automatically gets backed up as they are added. The agent also allows you to selectively pick which databases you want to protect.

Cohesity Public Website: https://www.cohesity.com/

Cohesity Documentation (SQL): https://docs.cohesity.com/6_4_1/Web/UserGuide/Content/MSSQL/SQLRequirements.htm?tocpath=MS%20SQL%7C_____1

Running ClamAV App on the Cohesity Platform 6.5

Running ClamAV App on the Cohesity Platform 6.5.0a: https://www.youtube.com/watch?v=iXGJVCdIseY

In this video, I walk you through enabling the use of apps on the Cohesity platform, installing, configuring and running the Clam AV app to protect file shares located on the Cohesity platform.

The Cohesity platform can act as a File/Object store (NAS) to replace your existing NAS or Windows File Shares. We also run Cohesity and 3rd party applications as containers on our platform. See our Marketplace for a full list of the available apps.

ClamAV App Description:

Protecting data on your file storage against viruses is important but relying on antivirus sitting outside of your NAS environment is inefficient. Moving data over the network for antivirus scans outside of your NAS servers adds unnecessary overhead and makes data vulnerable.

Now, with the integrated Clam AV app offered by Cohesity, users can scan the files stored in the Cohesity DataPlatform directly, without sending the files to an external scanner.

Cohesity Marketplace: https://marketplace.cohesity.com/app-details/clamav

Cohesity Public Website: https://www.cohesity.com/

Running the Insight Application on the Cohesity Platform 6.5

Running the Insight Application on the Cohesity Platform 6.5.0a: https://www.youtube.com/watch?v=u3-M_DV0RBI

In this video, I walk through the process of downloading, installing, configuring and running the Cohesity Insight application on the Cohesity platform. I show the power of the app and how it can search for text patterns in numerous file types. See below for additional information on the Cohesity Insight application.

Insight App Description:

As backup and unstructured data grows exponentially, customers are often unaware of what data is stored, who has access to it and for how long. Customers need to retrieve or take action on files that contain specific information to gain business insights or for compliance purposes.

The Cohesity Insight app can help you easily perform an interactive text search on data stored on the Cohesity DataPlatform. The file types covered include office, text, pdf’s and zipped folders of these file types. The app can be pointed to Cohesity file shares (Views) as well as backed up objects.

Marketplace – Insight App: https://marketplace.cohesity.com/app-…

Cohesity Public Website: https://www.cohesity.com/

Cohesity Initial Configuration – Basic Overview

As of October 30th, 2019, I started a new professional journey as a pre-sales Sr systems engineer with Cohesity. After six years working for VMware doing the same thing, I decided I needed a change. So far I have been very impressed with the company and our solutions.

So here is my second enablement video with Cohesity content where I provide a basic overview of an initial configuration of a Cohesity environment (version 6.1.1).

Link: https://www.youtube.com/watch?v=sxTUPPh3Zps&feature=youtu.be

Cohesity (UI) User Interface – Overview Video

As of October 30th, 2019, I started a new professional journey as a pre-sales Sr systems engineer with Cohesity. After six years working for VMware doing the same thing, I decided I needed a change. So far I have been very impressed with the company and our solutions.

So in true fashion, I have learned enough to be dangerous and have created my first set of enablement videos with Cohesity content. Check out my first official video I created with Cohesity where I provide an overview of the Cohesity (UI) User Interface (version 6.1.1).

Link: https://www.youtube.com/watch?v=sxTUPPh3Zps&feature=youtu.be