MeriTalk recently sat down with Matt Trudewind, senior technical marketing engineer on security at NetApp, to talk about all things ransomware. During the discussion, Matt dove into the growing threat of cyberattacks targeting Federal agencies, and walked through the critical steps needed in ransomware remediation. With this ever-increasing threat comes a need for a robust cybersecurity strategy with solutions and technology in place to address attacks both before – and after – they occur. Today, Matt shares his insights on the best ways to get to those goals.
MeriTalk: To start, can you tell us a bit about your background and your role at NetApp? What are your primary responsibilities?
Trudewind: I’ve been a security technical marketing engineer at NetApp for the last three years. I’m primarily focused on helping NetApp customers and our employees in the field understand the cybersecurity capabilities of NetApp’s ONTAP software. This includes how our data-centric security features work from a technical perspective and, most importantly, how ONTAP security solutions can help with real-world cybersecurity threats.
MeriTalk: Ransomware is front and center in the national security agenda because of severe attacks against critical infrastructure operators (e.g., Colonial Pipeline) and an increasing number of attacks against schools, healthcare providers, and local governments. How big of a threat is ransomware to Federal agencies?
Trudewind: I would say the threat is significant, and point to the recent White House memo indicating the Federal government is stepping up to do its part against ransomware, but also that the private sector has a critical responsibility to protect against ransomware attacks.
I saw some data recently from a Sophos report on the state of ransomware, and the average cost to recover from an attack in the U.S. was $1.85 million. That’s up from just over three-quarters of a million the year before. The threat from ransomware is very real today, unfortunately.
MeriTalk: How can Federal agencies effectively prepare for ransomware attacks? What steps can they take now to prevent these attacks from happening in the first place?
Trudewind: Ideally, you want to detect ransomware as early as possible to prevent the spread, and so that agencies can continue normal operations with minimal disruption. However, no ransomware detection or prevention solution is 100 percent fool-proof, so it’s critical to have a solid remediation and recovery strategy. We know attackers aim for the backup files first, so the ability to have immutable backups and keep them from being deleted is key. ONTAP has capabilities in both of those areas of ransomware prevention and remediation.
MeriTalk: What is the first step Federal agencies should take after a ransomware attack? What about the subsequent steps?
Trudewind: The first thing to do is contain the threat and isolate the impacted clients and servers as quickly as possible. If you don’t, the ransomware will continue to spread unfettered. Next, you should patch the vulnerability and clean the affected machines to ensure all ransomware has been removed.
Only then is it recommended to restore the data. If you simply go straight to restore without completing the prior steps, you’re likely to have data you just restored infected with ransomware, and then you’re back at square one.
MeriTalk: What missteps are common in ransomware remediation, and how can they be avoided?
Trudewind: One is restoring data too soon, as I just mentioned. Another common issue is that restoration takes too long. Going back to the report I mentioned about $1.85 million being the average cost to restore after an attack, the most significant factor cited was downtime. Downtime was a factor – as much as ten times the cost of the actual ransomware payment itself. So you want to ensure that you can restore your backups as quickly as possible and avoid the downtime.
This is another area where NetApp ONTAP has a great solution. Our Snapshot copies feature allows you to restore hundreds of terabytes in seconds.
MeriTalk: How does the threat of ransomware attacks in the public cloud differ from the threat of attacks in a private data center? Does the process of ransomware remediation in the public cloud differ from the process for a private data center?
Trudewind: They don’t differ all that much from a threat standpoint. Ransomware generally spreads through unpatched client machines, through a malicious email link or attachment. From there, it can extend equally well into the public or private cloud if you don’t have the right ransomware protection strategy in place.
On the remediation side, the biggest thing you need to remember for the public cloud is that you still need backups.
MeriTalk: President Biden recently announced a rapid strategic review of the global ransomware threat. Based on your experience, what advice would you give to the leaders of this review?
Trudewind: There are two main trends that we’ve seen in the last year: one is going after the backups, and the other is the rising cost to recover from a ransomware attack. The backups need to be protected, but if you look industry-wide, they’re mainly focusing on and pushing air gap solutions.
While there’s nothing wrong with an air gap solution, air gaps tend to be slow when it comes to restoring the backups. They increase downtime because you have to reconnect those backups to the network, thus increasing overall costs. The backups are what agency leadership teams should look at, and they should advocate for non-air gap solutions that prevent the backups from being deleted.
These teams want air gap solutions because they don’t want those backups to be deleted. But there are ways to do that so that compromised administrators – or even the backup provider’s technical support team themselves – cannot delete the backups. NetApp ONTAP has a solution called SnapLock Compliance that ensures no one can delete your snapshot backups, but they’re still online for quicker restores.
MeriTalk: How does NetApp help Federal agencies combat ransomware and remediate ransomware attacks? What about NetApp’s solutions is unique compared to other providers?
Trudewind: NetApp provides solutions in all of the critical areas for ransomware – detection, prevention, and remediation. However, there are really two key areas where we differentiate. One is NetApp’s ONTAP FPolicy (or File Policy), which is our ransomware detection solution. When you combine it with a third-party partner server, it can prevent brand-new zero-day ransomware attacks by leveraging user behavioral analytics.
The second area where NetApp really differentiates is our SnapLock Compliance solution, which not only prevents the administrator accounts from deleting Snapshot backup copies, but also prevents NetApp support from doing so as well. That’s very important because we don’t believe in adding security backdoors into our systems, which sets us apart from other providers.
MeriTalk: Is there a prevailing thought from customers that have their data in public clouds that those cloud providers will protect their data for them? Is that a kind of misconception that some customers might have?
Trudewind: I think some customers misunderstand and think the hyperscaler is making their data available and protected at all times. It really depends on what service you’re buying, whether it’s right from the hyperscaler or if it’s not, maybe it’s a full software-as-a-service solution. With NetApp Cloud Volumes ONTAP, we have the capabilities for customers to maintain backups in the cloud and provide excellent data security with Zero Trust architecture and end-to-end encryption. If the customer is using something else that isn’t ONTAP, then they need to look deeply into what that solution provides as backup, and data protection may not be a part of it.