Veeam’s Comprehensive Malware Detection: Before, During, and After a Backup

In the ongoing battle against ransomware, companies are becoming more resilient. Reports from Coveware by Veeam and Chainalysis show a significant decline in ransomware payments in Q4 of 2024. This success is attributed to several key factors, including improved federal regulations, successful takedowns of major cybercriminal groups, and most importantly, organizations being better prepared and more resilient in responding to and recovering from encryption-based malware attacks. 

Data protection has evolved significantly in recent years. Discussions have shifted from inline vs. post-process deduplication to security-focused topics such as workload immutability, incident response, and malware detection. Scanning backups for malware was never meant to replace traditional endpoint or extended detection and response tools. It is meant to provide an additional layer of detection in a defense-in-depth approach. Veeam provides the most practical and comprehensive malware scanning capabilities before, during, and after a backup in the data protection industry. Let’s explore each use case. 

Before Backup: Proactive Threat Assessment

Based on the MITRE ATT&CK framework and data from Coveware by Veeam, we know that threat actors target backups once they gain initial access. Veeam is the only vendor that proactively looks for suspicious behavior before a backup is taken.

  • Recon Scanner: Provides proactive alerts on potential threats to your backup server, detecting suspicious events like unfamiliar IPs attempting remote access or compromised accounts trying brute force attacks. It helps identify vulnerabilities and builds a timeline of events to pinpoint clean restore points.
  • Observability, Analytics, & AI-powered Insights: Detects anomalies in the production environment before a backup, identifying unusual VM patterns, brute force attacks on ESXi and vCenter, and suspicious SSH activity.
  • Veeam Incident API: Allows third-party security tools to integrate with Veeam, flagging potential malicious restore points and triggering out-of-band backups for actively encrypted workloads.

During Backup: Multiple Layers of In-line Detection

Veeam diligently detects and mitigates threats in real time during backups, surpassing alternatives that require post-process scanning and that metadata be sent to their cloud just to identify basic bulk changes.

  • IoC Scanner: Checks whether harmful tools known to be used by cybercriminals are running on machines and detects newly installed tools, even living-off-the-land tools, that can exfiltrate, encrypt, or damage data.
  • Entropy Analysis: Scans data blocks for randomness, looking for encrypted data, onion links, and ransom notes.
  • File Indexing: Uses signature-based analysis to scan Veeam’s database for known malware extensions, ensuring quick flagging of potential threats.
  • Immutable Backups: Ensures backups are recoverable after encryption-based cyberattacks with options like Veeam Hardened Repository, Veeam Vault storage, and third-party immutability.
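To make the entropy-analysis bullet concrete, here is an added example (not Veeam code, and not a description of how Veeam's scanner is implemented) that walks a backup image in fixed-size blocks, computes the Shannon entropy of each block, and additionally looks for .onion links and ransom-note wording. The block size, the 7.5 bits-per-byte threshold, the keyword list, and the sample image (including the onion address, which is a constructed placeholder) are all assumptions chosen for illustration.

```python
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

BLOCK_SIZE = 4096                 # assumed block granularity for the scan
HIGH_ENTROPY_THRESHOLD = 7.5      # bits per byte; assumed threshold, tune per data set

# Tor onion addresses are base32 ([a-z2-7]); v2 was 16 chars, v3 is 56 chars.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
# Assumed phrases typical of ransom notes; a real list would be far longer.
RANSOM_NOTE_TERMS = (b"your files have been encrypted", b"decrypt", b"bitcoin", b"tor browser")


@dataclass
class BlockFinding:
    offset: int
    entropy: float
    reasons: tuple[str, ...]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_block(data: bytes, offset: int):
    """Return a BlockFinding if the block looks encrypted or note-like, else None."""
    reasons = []
    ent = shannon_entropy(data)
    if ent >= HIGH_ENTROPY_THRESHOLD:
        # Note: compressed archives, TLS captures and already-encrypted volumes
        # also score this high, so this alone is a weak signal.
        reasons.append("high_entropy")
    if ONION_RE.search(data):
        reasons.append("onion_link")
    lowered = data.lower()
    if sum(1 for term in RANSOM_NOTE_TERMS if term in lowered) >= 2:
        reasons.append("ransom_note_text")
    return BlockFinding(offset, ent, tuple(reasons)) if reasons else None


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Walk the image block by block and collect every flagged block."""
    findings = []
    for offset in range(0, len(image), block_size):
        finding = scan_block(image[offset:offset + block_size], offset)
        if finding is not None:
            findings.append(finding)
    return findings


def high_entropy_ratio(image: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Share of blocks above the threshold; a sudden jump between restore points
    is the bulk-change signal an entropy scanner is really after."""
    total = max(1, math.ceil(len(image) / block_size))
    flagged = sum(1 for f in scan_image(image, block_size) if "high_entropy" in f.reasons)
    return flagged / total


def build_sample_image() -> bytes:
    """Constructed three-block image: plain text, pseudo-random bytes, ransom note."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:BLOCK_SIZE]
    # Deterministic stand-in for ciphertext: a SHA-256 hash chain.
    random_like = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(BLOCK_SIZE // 32)
    )
    onion = b"abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx"  # placeholder, 56 chars
    note = (b"YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them install Tor Browser "
            b"and pay in Bitcoin at http://" + onion + b".onion/").ljust(BLOCK_SIZE, b"\n")
    return text + random_like + note


if __name__ == "__main__":
    sample = build_sample_image()
    for f in scan_image(sample):
        print(f"offset={f.offset:<6} entropy={f.entropy:.2f} reasons={f.reasons}")
    print(f"high-entropy ratio: {high_entropy_ratio(sample):.2f}")
```

The design point is that no single check is conclusive: a high-entropy block is just as likely to be a ZIP archive or a BitLocker volume as ransomware output, and keyword matches can come from security documentation stored on the same machine. In practice the useful signal is the combination of indicators within one block and the change in the high-entropy ratio relative to earlier restore points, which is why the entropy bullet above pairs randomness with onion links and ransom-note text rather than relying on entropy alone.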

After Backup: Ensuring Fast and Clean Recovery

Unfortunately, ransomware wouldn’t exist if prevention and detection tools caught everything. Organizations must prepare for the worst but hope for the best. Post-process scanning is crucial to ensure clean data restoration and avoid reinfection if a threat actor evades detection.

  • Recon Blast Radius: Identifies the actual scope of a ransomware attack, detecting corrupted or non-encrypted files and building a timeline of events.
  • Threat Hunter: Scans restore points for malware using a signature-based antivirus engine, ensuring only clean data is used for recovery.
  • YARA Rule-based Scanning: Looks for indicators of compromise, detecting malware that might have been missed by other tools or is a zero-day.
  • Orchestrated Restore & Cleanroom Capabilities: Creates detailed recovery plans, testing and validating the recovery of critical applications.

Putting it All Together

These scanning capabilities are most effective when security teams are involved. Forwarding events to the tools and dashboards your security team already uses enables automated processes. Let’s put this all together in an example to better visualize how all these components work together:

  1. Veeam or an EDR/XDR tool detects suspicious behavior on a machine before or during a backup.
  2. Event is forwarded to the organization’s SIEM tool.
  3. A playbook automatically kicks off that triggers an instant restore of the suspected infected machine to a cleanroom environment for a second opinion from Veeam Threat Hunter.
  4. If the scan comes back clean, it marks the event as a false positive.
  5. If the scan confirms malware, Recon Blast Radius scans the machines to better understand the timeline and scope of impacted data.
  6. Finally, don’t be stuck just recovering from spinning disk backup. Recover from more than just backup once the scope of the attack is known and the threat actor is properly eradicated.

Conclusion

Veeam’s commitment to cybersecurity extends throughout the entire data lifecycle: before backup, during backup, and after backup, Veeam ensures that your data is protected at every stage. This comprehensive approach not only minimizes the risk and impact of cyberattacks but also ensures that organizations can recover quickly and efficiently. In conclusion, Veeam’s sophisticated scanning technologies and proactive strategies make it the most reliable solution for malware detection and recovery. By integrating advanced tools and maintaining a vigilant approach to cybersecurity, Veeam helps organizations stay one step ahead of cyber threats, ensuring that their data remains resilient and their operations uninterrupted.

The post Veeam’s Comprehensive Malware Detection: Before, During, and After a Backup appeared first on Veeam Software Official Blog.
