Written by Andrew Keating, PhD, Senior Director, Industry Solutions

Banks, insurance companies, and other financial services organizations have spent significant time and effort developing their business continuity strategies over many years and successive generations of business technology. Encouraged by regulators, plans generally account for the myriad regulations and compliance considerations that protect against fraudulent transactions, protect private and sensitive data, and ensure data preservation for audits, among other things. And, of course, ideally, they include near-instant failovers and recoveries.

More recently, with the rise of ransomware attacks,[1] many financial institutions are reassessing their business continuity strategies. They are considering how best to update them in light of the threat posed by ransomware, and what steps they need to take to ensure that their plans reflect the full capabilities of their file data platforms.

The Menace of Ransomware

Ransomware – generally defined as malware that either holds a victim’s data hostage or threatens to publish that data until a ransom is paid – can adversely impact any organization, but, for banks and other financial services organizations, it poses especially exigent risks. In addition to the potential financial losses and reputational damage, financial services organizations are especially vulnerable to business interruption if critical systems are taken offline during an attack (or while recovering from one). For insurance companies, the threat also has a direct business impact: loss ratios on cyber insurance increased nearly 75% in 2020 over their previous five-year annual average, resulting in greater uncertainty and higher premiums.[2]

According to New York State’s Department of Financial Services (DFS), which investigated 74 ransomware attacks between January 2020 and May 2021, there was a similar pattern to the incidents, involving unauthorized “entry to the victim’s network using one of three techniques: 1) phishing, 2) exploiting unpatched vulnerabilities, or 3) exploiting poorly secured Remote Desktop Protocols.”[3] Prevention strategies can be designed around these insights and leverage established cybersecurity controls and “best practices.” And regulators are taking steps to require additional prevention strategies, with DFS “evaluating what additional controls should be added to its Cybersecurity Regulation.”[4]

File Data Platform Considerations

Financial services organizations’ most valuable digital assets, which are both crucial for day-to-day operations and the ultimate prize sought in a ransomware attack, are stored on their file data platforms. This could be on premises in their data center; in cloud infrastructures; or, increasingly, in a hybrid combination of physical and cloud locations.

When considering file data management as it relates to the ransomware threat, as well as how business continuity strategies should be enhanced and improved to reflect the advantages a modern file data platform provides, organizations are focused on how their file data platforms can help with prevention, detection, and, most significantly for business continuity, correction.

  • Prevention: A software-only file system provides significant advantages, such as a “locked down” underlying operating system that permits only the operations needed to perform the tasks of the file system. In addition, rapid update release cycles, security fixes shipped automatically, and reactive patches arriving even faster than regular releases keep the file system continually up to date. The file data management platform’s role-based access control (RBAC) is critical: it lets admins assign fine-grained privileges to regular users or groups, elevating privileges only where needed while keeping them as minimal as possible. Prevention can also be achieved through configuration choices such as hiding file shares from unauthorized users, requiring explicit knowledge of the share path to mount the share, and implementing access-based enumeration for every share. The file data management platform also provides additional host restrictions, such as limiting access by client IP address range, and other options to reduce the attack surface.
  • Detection: The file data management platform is also a critical part of a ransomware detection strategy, helping to uncover malicious activity as early as possible. A holistic security approach that includes network, compute, device, and event-monitoring techniques, together with data correlation and analysis, is preferable to siloed solutions embedded in the storage system. This can be achieved through API integration between the file data management platform and the Security Information and Event Management (SIEM) software, which in turn enables automated mitigation actions from any location should malicious activity be detected. The file data management platform should emit an industry-standard syslog format that can be read, parsed, and indexed by the SIEM, covering all data access and management operations. Ultimately, this is the most effective approach because malware can be identified and stopped before it reaches the storage system. While the first line of antivirus prevention should be the data center security infrastructure, the file data management platform should also support scheduled and on-demand scanning.
  • Correction: Even the best preventive controls can be overcome by attackers, so a robust recovery strategy is essential. A modern file data platform supports recovery strategies and, ideally, is radically simple to implement. Snapshots of file data can be taken at any point in time and should not consume space on their own (only subsequent file changes consume extra space). If a file or directory needs to be rolled back to a previous version, files can be copied back easily. Because these snapshots are immutable, malware or ransomware cannot alter their contents. Replicating snapshots, to another cluster and/or to cloud infrastructure, adds further resilience. A file data platform’s API integration can easily identify the changes between two snapshots and feed them to a backup solution, allowing near-instantaneous incremental backups with minimal effort. Snapshots can also be stored automatically in cloud infrastructure, where the cloud provider’s intelligent tiering can move older files to more cost-effective storage for data that is not actively being used. These snapshots also enable effective failovers, and the file data platform should let the organization choose any number of recovery point objectives and recovery time objectives.
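As an added example (not Qumulo's code, and the audit line layout below is a constructed generic syslog-style format rather than any product's real schema), this Python sketch shows the kind of correlation rule a SIEM can run over the file-access event stream the Detection bullet describes: it flags an account whose extension-changing renames burst past a threshold within a short window, a common early signal of bulk encryption.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit lines (timestamp host user operation path [-> new_path]).
# This layout is assumed for the example; it is not a vendor's real log schema.
SAMPLE_AUDIT_LOG = """\
2021-06-01T10:00:01Z fs01 alice fs_read_data /shares/finance/q1.xlsx
2021-06-01T10:00:03Z fs01 bob fs_rename /shares/finance/ledger.xlsx -> /shares/finance/ledger.xlsx.locked
2021-06-01T10:00:04Z fs01 bob fs_rename /shares/finance/payroll.csv -> /shares/finance/payroll.csv.locked
2021-06-01T10:00:05Z fs01 bob fs_rename /shares/finance/audit.pdf -> /shares/finance/audit.pdf.locked
2021-06-01T10:00:06Z fs01 bob fs_rename /shares/finance/notes.txt -> /shares/finance/notes.txt.locked
2021-06-01T10:00:07Z fs01 bob fs_rename /shares/finance/plan.docx -> /shares/finance/plan.docx.locked
2021-06-01T10:05:00Z fs01 alice fs_rename /shares/finance/draft.docx -> /shares/finance/final.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)(?: -> (\S+))?$")


def parse_event(line):
    """Return (time, user, op, path, new_path) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _host, user, op, path, new_path = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, op, path, new_path


def extension_changed(path, new_path):
    """True when a rename swaps the file extension (e.g. .xlsx -> .locked)."""
    return new_path is not None and path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]


def flag_rename_bursts(log_text, window_seconds=60, threshold=5):
    """Return {user: ISO start time} for users whose extension-changing renames
    reach `threshold` events inside any sliding window of `window_seconds`."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev[2] == "fs_rename" and extension_changed(ev[3], ev[4]):
            per_user[ev[1]].append(ev[0])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[user] = times[start].isoformat()
                break
    return flagged


if __name__ == "__main__":
    print(flag_rename_bursts(SAMPLE_AUDIT_LOG))
```

In a real deployment the flagged user and window would be raised as a SIEM alert and could drive an automated response such as revoking that account's share access.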

Conclusion: Evolve Business Continuity Strategies

Many financial services organizations are reviewing and revising their business continuity strategies because of the ransomware threat. They are increasingly developing strategies based upon a modern file data platform’s capabilities — such as engaging a rich set of data services and APIs to implement a holistic defense strategy against all kinds of malware, including ransomware. Simple management, granular data access, and management event stream processing enable an organization’s file data platform to be integrated into its security architecture. Corrective controls such as easy data movement to the cloud, integrated backups, and snapshot replication, which together support secure and robust recovery strategies, should be simple to engage. In addition to becoming the cornerstone of business continuity strategies, such platforms also provide significant day-to-day operational advantages and enable organizations to leverage cloud infrastructure for additional benefits and layers of protection.

Andrew Keating, PhD, Senior Director, Industry Solutions, Qumulo

