ransomware veeam

Ransomware tips from VeeamON

I attended the Veeam Ransomware session at VeeanON.  I picked up some useful tips so thought I would share my notes from the session. Credit for all the information to Rick Vanover,Dave Kawula, Brett Hulin.

ransomware veeam

Background

  • Data is key to all businesses
  • Must protect data and therefore the business from threats including ransomware

Prevention

Three pronged approach, not just technical considerations:

  • Education of users and administrators
  • Backup and recovery implementation
  • Remediation plan

Attack methods

Ransomware attacks occur in three most common ways:

  • RDP compromise, number one method of ransomware attack
  • Email phishing, second most common attack method. Surprising I would have thought this was the most frequent
  • Software vulnerabilities

Veeam Data Labs

Allows testing patches and quick recovery

  • ON demand sand box – restore not directly into production for safety
  • Sure backup and sure replica – boot VM in virtual lab and test before re-introducing to production
  • Secure restore – Mount backup for AV scan before restore

Ultra-Resilient Backup

Safest option is to have an ultra-resilient backup.  This could be air gapped, immutable or offline. For example:

  • Tape
  • Immutable backups e.g. S3 – Backup onsite to performance tier then have policy tier to cloud storage which can be S3. Policy can be set for an immediate copy of data or an archive of the oldest data. Based on Scale Out Repositories
  • Veeam Cloud Connect + Insider protection. Insider Protection provides an additional data copy that can only be access with a call to support to make it visible

Brett Hulin General Tips

  • Establish a DR site. Cloud or physical
  • If possible run Veeam replication to this secondary site
  • Have your DR plan documented
  • Understand your recovery order
  • Involve multiple people
  • Consider licencing implications of being at fail-over site
  • Establish chain of command before an incident

Brett Recovery Tips

  • Shut down servers to prevent further infection
  • Consider when attack occurred and which backups and replicas are therefore clean
  • Recover servers without network and check with AV before re-enabling network
  • Recover infrastructure servers, e.g. AD first
  • Force password resets
  • Have multiple restore copies at recovery site. So can recover from different times
  • Have an air gapped backup e.g. tape

Other tips I picked up from the Veeam Ransomware guide at the Veeam resource library:

  • Veeam server ensure it has no internet access
  • Accounts as much separation as possible
  • Tight file permission on datastore shares
  • Veeam servers require 2FA for RDP access
  • Prepare early
VeeamOn2020

VeeamOn 2020

VeeamON starts this week, which is Veeam’s annual conference and will be a mix of news and technical learning opportunities. I was lucky enough to attend VeeamON last year and got a lot out of it.

VeeamOn2020

This year due to the Covid situation they have decided to make it an online event making it more accessible since you can view all the sessions from your home plus even better news it completely free to register.

Similar to a traditional conference it will be a mixture of a main agenda sessions plus breakouts to dive deeper into areas of interest for you.

Some of the sessions I will be tuning into

  • AWS and Azure Backup Best Practices
  • Veeam Backup Ransomware Resiliency Tips: Preparation & Recovery From Experience
  • Version 10: Unleash the Power of NAS Backup
  • 10 Easy Steps To Harden Your Veeam Availability Infrastructure
  • Plus of course the keynote

You can check out the full agenda and breakout session list yourself. VeeamON On starts 17th and 18th of June.

Veeam v10 NAS

Veeam v10 Roundup

Veeam Backup and Replication v10 has now been made publicly available.  The update contains 150 enhancements, let’s take a look at a few of them

NAS Protection

One of the most requested features from customers has been NAS protection, that is now available natively in V10.  The system is software based and hardware agnostic, able to backup SMB and NFS shares.  The NAS feature is also able to backup SMB file shares hosted on Windows systems and NFS shares on Linux servers.  The v10 implementation of NAS backup utilises changed file tracking allowing incremental jobs to backup only what has changed.

Veeam v10 NAS

Credit Veeam for image

Setting up NAS backups will look familiar to those already working with Veeam, file proxies act as the data movers, a new role the cache repository is responsible for the changed file tracking.  Backups can be stored like any other Veeam backup in repositories but can also be tiered to the public cloud for longer term retention

Multi-VM Instant Recovery

Instant Recovery has been available for some years now , this allows the immediate recovery of a VM by running it from the backup.  The updated VM Instant Recovery enhances performance by methods including caching to RAM and read ahead.  A knock on impact of this enhanced performance has been that multiple VM’s can now be instantly recovered in a single operation.

vSphere Any Backup Restore

It is now possible to restore any backups to your vSphere environment no matter what format the original backup was.  This for example allows you to restore backups of physical servers, Hyper-V VM’s or cloud backups to vSphere.

Veeam Cloud Tier

Veeam 9 update 4 added a move functionality to a cloud based capacity tier, this allowed older data to be aged off to the capacity tier. v10 adds a “copy” feature which allows backups to be copied to object storage as soon as the original backup is created. This allows data to be copied offsite for redundancy purposes and as the capacity tier is S3 object based this also acts as a secondary format to store backups.

Ransomware Protection

Given recent high profile ransomware cases v10 now offers the capability to store data online but in an immutable format to prevent attacks.  It is based on the new Veeam cloud tier copy facility, plus the immutable data option for S3. Once the data has been copied to S3 with the immutable option for S3 set it cannot be changed for the length of time specified, protecting backup data from any kind of change be that accidental, ransomware or a rouge admin.

Veeam v10

Credit Veeam for image

Linux Proxies

There is now greater flexibility for environments that favour Linux, allowing the deployment of backup proxies that are Linux based.

Vendor Integration

Good news for those using HPE storage, Primera is added as a supported primary storage array allowing all storage snapshot integration capabilities.  StoreOnce also added for support for catalyst copy.

Checkout this podcast with Rick Vanover and Calvin Zito for the full story on Veeam v10 and HPE integration.

To see all the new features check out the v10 what’s new document