Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] Offline Backups for Ransomware Protection


From: Kevin Cleary <kpcleary () BUFFALO EDU>
Date: Thu, 26 Aug 2021 16:05:10 +0000

I'll jump on with the "immutable" bandwagon here.  We chose to go the
immutable approach as this was almost as good as air-gapped (or offline)
backups but much simpler and quicker to manage and leverage during a
mass-restore scenario.  Through a combination of disk-based virtual tape
libraries and immutable backups we found the best balance of RPO, RTO, cost
and data security.

 

We looked at the cloud storage route also but ultimately decided against
this for the same RTO reasons.  Under a mass restore scenario, it would take
quite a while to get all of our data out.  I'm also pretty sure it would
cost a pretty penny as many of the cloud storage offerings are
metered/charged based on data flow in and out.  I've also heard,
anecdotally, that Amazon is running short on Snowball devices right now
given the uptick in ransomware attacks and customers needing a fast, cheap
way to get their data back.

 

--

Kevin Cleary, CISSP

Interim Information Security Officer

Manager, Systems Software

University at Buffalo Information Technology

305 Computing Center

Buffalo NY 14260-1407

Phone:  716-645-4767

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Thursday, August 26, 2021 11:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Offline Backups for Ransomware Protection

 

We looked at the ongoing cost of cloud storage, and ended up going much more
old-school... LTO tapes... Once they're out of the tape robot, they are
truly air-gapped.

 

Frank

 

On Thu, Aug 26, 2021 at 11:40 AM Blake Brown <Blake.Brown () mhcc edu> wrote:

Concur as well with using Veeam/AWS and/or Azure for offline storage. We are
re-designing our entire backup infrastructure and will be deploying this
model using Pure Storage Safemode and Veeam's immutable technologies to AWS.
Just cannot happen quickly enough for me with all the risk out there!

 

 

https://community.veeam.com/blogs-and-podcasts-57/3-2-1-1-0-golden-backup-rule-569

https://www.veeam.com/blog/v11-immutable-backup-storage.html

https://blog.purestorage.com/products/protect-your-data-from-ransomware-with-safemode-snapshots/

 

 

Blake Brown

Infrastructure Manager

 

  _____  

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Shane Kroening
<skroening () QUALYS COM>
Sent: Thursday, August 26, 2021 8:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Offline Backups for Ransomware Protection 

 


Jeremy,

 

I would echo John in using VEEAM and making sure your backups are digitally
air-gapped from your network so in the event of a compromise or data loss it
will not impact your backups. 

 

I've seen a lot of success using VEEAM alongside Azure for storage and I'm
sure AWS or GCP could be viable options as well. Please feel free to reach
out if you'd like more details.

 

Best,

 

Shane Kroening

Technical Account Manager, Pre-Sales, Central (SLED)

 

skroening () qualys com

414.791.5674

 

Qualys, Inc. - Blog | Community | Twitter

 

Schedule a Call

 

 

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> on behalf of John Ramsey
<jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Thursday, August 26, 2021 at 9:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Offline Backups for Ransomware Protection

We're using a combination of AWS and VEEAM.  Attached is a really good
two-pager on backup strategies as a best practice; it's worth a quick read if
you have a second.  I think the interesting stat that is out there from Net
Diligence states:

"Keep offline copies. Keep offline backups of your vital data to avoid the
accidental spread of malware from publicly connected infected computers.
Make sure your external storage drives or cloud backups are properly
disconnected from your main corporate network to prevent backups from being
accessed/infected by the spread of ransomware. Cybersecurity experts have
posited that in up to 80 percent of incidents, certain types of ransomware
impacted both regular network/devices and the backups. Timely recovery
following a successful ransomware attack is significantly impacted by the
efficacy of backup and backup segregation practices."

 

John

 

John Ramsey, Chief Information Security Officer
National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT

2300 Dulles Station Blvd., Suite 220
Herndon, VA 20171
703.742.4428 | studentclearinghouse.org
LinkedIn | Twitter | Facebook | Blog | Instagram

Serving Education Since 1993

 

This message is proprietary to the National Student Clearinghouse, is
intended only for the addressee and may contain confidential or privileged
information. If you receive this message in error, please contact the sender
and delete all copies.

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pelegrin, Jeremy J
Sent: Thursday, August 26, 2021 10:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Offline Backups for Ransomware Protection

 


All,

 

As we work to improve our ransomware posture, what are others doing for
offline backups for recovery? Is it a subset of systems/data only? What
technologies are being used?

 

Happy to discuss offline if preferred.

 

All the best,
Jeremy

 

 

Jeremy Pelegrin, MBA (He/him/his)

Interim CISO | Information Technology

Tulane University | 504-988-8548 (o) | 504-444-3536 (c) 

 

 
Collaborate | Innovate | Deliver

 

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community


 

This message may contain confidential and privileged information. If it has
been sent to you in error, please reply to advise the sender of the error
and then immediately delete it. If you are not the intended recipient, do
not read, copy, disclose or otherwise use this message. The sender disclaims
any liability for such unauthorized use. NOTE that all incoming emails sent
to Qualys email accounts will be archived and may be scanned by us and/or by
external service providers to detect and prevent threats to our systems,
investigate illegal or inappropriate behavior, and/or eliminate unsolicited
promotional emails ("spam"). If you have any concerns about this process,
please contact us.





 

-- 

Frank Barton, MBA

Security+, ACMT, MCP

IT Systems & InfoSec Administrator

Husson University

PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

(He/Him/His)


Attachment: smime.p7s