NAFFCO File Server Backup
5 PILLARS OF RANSOMWARE DEFENSE
CHECKLIST // 5 PILLARS OF RANSOMWARE DEFENSE
Authorities and industry experts alike tout a complete business continuity and
disaster recovery (BCDR) strategy as the most certain way to resume operations
after an attack. At Unitrends, we’ve identified five pillars of defense: Secure, Protect,
Detect, Test and Recover. In combination, these pillars are the best protection
against ransomware.
1. SECURE  2. PROTECT  3. DETECT  4. TEST  5. RECOVER
SECURE
1. In response to widespread attacks on Windows machines, many organizations
are transitioning away from malware-susceptible Windows-based backup
software. Beyond hardening of the backup appliance kernel and standard
environmental security measures, additional controls (such as Role-Based
Access Control) should be available for further customization.
CAPABILITY/ATTRIBUTE: DESCRIPTION
Fewer Point Products: A multivendor protection strategy increases IT complexity, risk and cost. Deploying an all-in-one solution means managing fewer licenses and service agreements, and saves on management and technician time.
Purpose-Built Appliance: A purpose-built turnkey data protection solution is easier to install, upgrade, service and manage.
Non-Windows-Based Backup Appliance (i.e., hardened Linux): AV Test’s 2020 Security report revealed that more than 78% of malware developed in the last 24 months was built to target and penetrate Windows systems.[3] Running a solution on a different OS (such as Linux) differentiates the backup environment from production. Further hardening of the appliance kernel and the hierarchical nature of the Linux OS make the appliance more difficult to compromise.
Immutable Storage: Immutable storage enables you to store data in a format that cannot be modified or removed. This secures backup data from ransomware changes since no external client can read, modify or delete data once it’s been ingested.
Role-Based Access Control: Role-Based Access Control (RBAC) helps secure the backup environment from unwanted access. Each user may operate within the environment under a defined scope, limiting the operations they can perform or the assets they have access to, as required.
Immutable Audit Logs: Immutable logs and routine monitoring ensure data being handled by your backup and recovery systems is being appropriately managed and accessed by staff.
AES Encryption: Encryption secures data privacy both at-rest and in-flight. In addition to encrypting data backups, office email communication should be secured and any removable storage devices (HDDs, USB drives) should be encrypted.
Integrated Anti-Phishing Defense: Two-thirds (67%) of ransomware attacks are deployed via spam and phishing emails.[4] Integrated anti-phishing defense empowers end users to defend against phishing and account takeover attacks. Solutions that provide visual cues (i.e., banner notifications) alert employees to external senders, spoofed and/or imitated users and enable them to quarantine suspicious emails while automating workflows and feedback loops to streamline IT review and investigation.
2. How do you store backups? Are they in native formats susceptible to attack?
3. What level of encryption do you offer for data? Is data encrypted in-flight,
at-rest or both?
PROTECT
2. Regardless of whether your environment is largely physical servers, virtual
servers or a mix of both, you need to be able to protect it all. Your solution
should offer a number of different backup approaches to enable you to build
a strategy to meet the unique needs of your environment. You may want to
leverage agent-based protection, agentless protection or a combination thereof
to meet your recovery objectives.
CAPABILITY/ATTRIBUTE: DESCRIPTION
Wide Coverage of Protected Assets: To reduce the number of point products you need to rely on, your backup solution should be able to natively support hundreds of versions of operating systems, hypervisors and applications.
Policy-Based Management: Admins should have the choice of how backups are scheduled, either by entering a specific schedule or using intelligent, policy-based scheduling technology.
Data Reduction: Data reduction (deduplication, compression) reduces the overall size of files and eliminates redundancy among stored blocks, making movement, management and storage more efficient.
Global Deduplication: As stated above, consider solutions that offer global deduplication across the entire backup volume. This enables more efficient storage utilization than job-based deduplication, which reduces blocks on a per-job basis.
Support for Hyperscale Clouds: Today’s solution should easily integrate with hyperscale clouds, such as AWS or Azure, to protect IaaS workloads, store backups for off-site and/or long-term retention requirements, and enable disaster recovery.
Purpose-Built Cloud: A cloud provider offering a dedicated cloud provides a turnkey solution specifically tuned to meet the needs for immutable off-site storage, long-term retention and disaster recovery. Key functions are delivered as-a-service, reducing the reliance on internal IT to develop DR as a core IT competency.
1. How do you get data off-site? What types of targets do you integrate with?
DETECT
3. The latest innovations in ransomware include variants designed to overcome
backup defenses with phased attacks aimed at defeating backups in a number
of ways, typically including the use of gestation periods or dormancy. In the
fight against ransomware, early detection means faster recovery. Backup
vendors are increasingly making use of predictive analytics and machine
learning to recognize possible attacks and alert administrators of abnormal
fluctuations of data as backups are ingested, providing insights into data
anomalies not found by security solutions such as antivirus.
CAPABILITY/ATTRIBUTE: DESCRIPTION
Predictive Threat Detection: Your solution should use machine learning to detect an active infection in near real-time. Artificial Intelligence (AI) is used to identify anomalies in data. Automatic notifications alert admins, enabling them to take immediate action to slow the spread and speed up recovery efforts.
Data Loss Prediction: Utilize intelligent tools that simulate different disasters and outage scenarios to determine how much data would be lost in a downtime event. This will help you refine your strategy and ensure RPOs are being met.
Internal Anomalous Monitoring and Detection: Secure servers, data and network with an AI-augmented solution that identifies threats that traditional security tools can’t, such as misconfigurations, unauthorized logins, new devices being added to the network, gaps in backups, admin rights being granted and more.
Dark Web Monitoring: At a time when workforces are remote and cloud email adoption is at an all-time high, businesses have an even greater need for strong cybersecurity defenses. A compromised account grants hackers access to your network. Once they are in your network, they can use stolen credentials to further spread the infection. Look for a solution that includes built-in dark web monitoring to alert you of compromised or stolen credentials. Automated alerts enable you to quickly take proactive steps to secure those accounts before any malicious activity occurs.
TEST
4. Once backup and recovery processes are implemented, configured and running
in production, it is critical to establish a cadence for regular recovery testing to
ensure valid, recoverable backups in the event of a ransomware attack or other
downtime event.
CAPABILITY/ATTRIBUTE: DESCRIPTION
Application-Level Certification: Legacy methods of testing, such as screenshot verification, leave much to be desired since they don’t provide any means of identifying data corruption within backups or whether applications and services are functional upon recovery. Look for a solution that certifies backups at the application level, often through use of scripting, to verify workloads will perform as expected upon restore.
Compliance Tracking: To understand whether or not your current backup strategy is sufficient to meet the RTOs and RPOs demanded by your organization’s SLAs, ensure your solution enables tracking and reporting of Recovery Point and Recovery Time Actuals to ensure goals are being met.
Automated Testing: Many organizations are unable to test backups and disaster recovery, often due to the significant investment of manpower and time required to execute it. Look for a solution that automates testing in a pre-determined, isolated environment on a set schedule according to predefined parameters such as boot orders, machine reconfiguration and application verification.
Audit-Mode Restore: Audit Mode is a method of recovery by which you can selectively verify that particular machines can be recreated from any given recovery point. Isolated from production (no network connectivity), audit-mode restores verify that machines are booting correctly and that data is accessible. Upon verification, the audit-mode instance can be safely torn down.
Exportable Reports: Your solution should provide exportable reporting on the outcomes of all testing to support compliance with your DR plan.
1. How does your solution test for recovery? Do you have an approach more
thorough than screenshot verification?
RECOVER
5. The required recovery efforts following a ransomware attack will vary from
case to case. When the infection is caught early on, replacing infected files
may prove sufficient. In other cases, rebuilding a portion or the totality of your
environment may be required. After an attack, you need to have several options
available to restore operations as quickly as possible.
CAPABILITY/ATTRIBUTE: DESCRIPTION
File Recovery: Should the infection be caught early on and contained to specific systems, removing the malware and recovering any infected files may prove sufficient. Your solution should make it intuitive and easy to find and restore individual files from backups with only a few clicks. Indexed search capabilities and self-service capabilities (with role-based access control) enable quick recovery.
Flexible Recovery Options: Your solution should be flexible in both how you can recover assets and where you can recover data to. Look for solutions that support a wide range of recovery modes including physical-to-virtual (P2V), V2V, V2P and replicas.
Instant Recovery: In the wake of an attack, it is imperative to respond as quickly as possible to stop the infection, investigate, remove the threat and recover. If a server or VM is attacked, your appliance should be able to orchestrate failover to bring applications back up from your most recent verifiable backup with a near-zero RTO.
Bare Metal Recovery: Bare Metal Recovery (BMR) technology is used for disaster recovery of protected assets. BMR enables system and application recovery across servers from different vendors and hardware configurations.
Disaster Recovery-as-a-Service (DRaaS): Reduce cost, complexity and time-to-recovery in the wake of an attack with DRaaS. DRaaS providers deliver rapid spin-up of critical systems and applications in a secure cloud location and help you reroute user traffic until the on-prem site is operational.
1. Can you deliver near-zero RTOs for VMs, databases and file shares?
CONCLUSION
Defense against ransomware requires a multipronged,
ABOUT UNITRENDS
Unitrends makes efficient, reliable backup and recovery as effortless and hassle-free as possible.
We combine deep expertise gained over thirty years of focusing on backup and recovery with next
generation backup appliances and cloud purpose-built to make data protection simpler, more
automated and more resilient than any other solution in the industry.