We live in a world where cyberattacks are inevitable, and this ‘not if, but when’ thinking is now directly affecting IT spend and prioritization. I have met with several IT professionals who have told me that their security budget, which previously was repeatedly rejected, now is a top priority for their senior leadership teams. I learned recently that one large health care organization has redirected their entire infrastructure spend to address current and emerging cybersecurity threat vectors. This is no coincidence. While the threat of a cyberattack is nothing new, the increased rate at which they occur is on the rise by a significant margin. In fact, a report from cybersecurity ventures quoted that ransomware is expected to attack a business, consumer, or device every 2 seconds by 2031.
This is a terrifying statistic and an opportunity, for a MSP, to step in and provide the necessary foundation to a robust cyber-resilient client strategy. Traditionally businesses have been focused on protecting data from power failures, system failures, natural disasters, and some perimeter-level network protection. With a cyber-attack, more than just data needs protecting—at risk is really the entire physical infrastructure from applications and operating systems down to low-level firmware and BIOS. We’ve entered an era where IT infrastructure is materially more complex, distributed, and harder to defend against today’s sophisticated cyber attackers, requiring an even more sophisticated protection, response, and recovery solution than what was available even 2 years ago.
The state of the world today: where your customers are covered and where they aren’t
If you’re an MSP building a cyber-security practice and looking to go-to-market with a cohesive strategy, a good place to start is to review the NIST Cybersecurity Framework and apply it to your specific infrastructure offerings. There are multiple layers of protection necessary when securing data center infrastructure–no single solution can do it all. Choosing best-in-class protection, detection, response, and recovery solutions for each layer of your client’s infrastructure layer is the recommended strategy.
While several vendors already offer some outstanding solutions to help protect, detect, identify, and recover across various infrastructure layers, few operate at the ‘deep’ infrastructure layer. Deep and shallow infrastructure operations within multi-vendor data centers are important elements in maintaining the health and security of a client’s IT operating environment. Shallow infrastructure is the stuff that is easy to do, essentially from the operating system up to the application stack, and most MSPs offer cybersolutions and are available to manage it today. Deep infrastructure operations are the difficult part, and sophisticated cyber-attacks have taken advantage of out-of-date software revisions to infect physical infrastructure.
According to a global survey from Microsoft, more than 80 percent of the firms surveyed experienced a firmware related attack in the past two years. Further validating the point is that 70 percent of organizations that lack firmware upgrade plans will be attacked as a result of a firmware vulnerability by 2022 according to Gartner.
All infrastructure needs to be cyber-resilient
These statistics demonstrate that protection, detection, response, and recovery strategies are only viable when the critical layers in the infrastructure have the appropriate data security technology in place. And, simply put, all infrastructure layers are critical, including deep infrastructure layers, when needing to recover from an attack with the least amount of damage (or cost) as possible. The best way to achieve this is with infrastructure that is cyber-resilient by default, which I examine in further detail below.
3 essential elements of cyber-resilient infrastructure
1. Immutable Infrastructure (OS & Deep Infrastructure Firmware) Protect (share the gaps)
Infrastructure operations teams have spent years attempting to keep their software up to date with the latest flood of patches and firmware in an effort to remove vulnerabilities in the different layers of their infrastructure. However, as most of us know, this is a burdensome task. Managing each update with its own unique set of dependencies requires a level of planning and precision that infrastructure operations teams too often don’t have the time or bandwidth to complete, which means that deep infrastructure is often neglected.
We can look to the public cloud, more specifically Immutable Infrastructure, as an example of how to eliminate the complexity and anxiety associated with infrastructure updates. The simplest way to think about Immutable Infrastructure is that you don’t make changes to your infrastructure stack, but instead deploy a new stack from a golden image to completely replace the existing one.
Bringing this concept to your client’s physical infrastructure means you no longer change individual aspects of their server-storage stack: you are no longer applying firmware updates, patches, drivers, application binaries, etc. individually. Instead, you deploy an updated, well-tested, and well-known stack from an image that includes updated firmware, operating system, binaries, and configuration. Now, a server-storage deployment, apart from application data, becomes an immutable unit that you can easily secure, deploy and operate consistently and predictably.
How does this relate to cyber-resiliency? Being able to centrally design, harden and test an ideal stack and then making it immutable, means your clients have a known, good source for deploying infrastructure, and have a reliable means to maintain this state indefinitely, whenever and wherever they want. If you know what your clients are running, you know what is vulnerable and what is not. If there are gaps, you can fix them easily by constructing an updated golden image centrally and rolling it out across data center infrastructure estates. If this sounds familiar, it is the container approach used in modern cloud applications, such as Kubernetes, but applied to the physical infrastructure layer.
2. Ransomware Detection Detect (go deeper)
Ransomware, in the broader scheme of cyber-resiliency best portrays the current level of threats in IT. There is an undeniable surge in ransomware threats that infrastructure providers, infrastructure teams, and operations teams need to arm themselves against.
The good news is that in a cyber-resilient infrastructure model, unlike traditional distributed infrastructure models, ransomware cannot hide when it is attacking (encrypting) application data, operating system binaries or configuration data as it must pass the storage layer. Moreso, when it reaches the storage layer, all other means of protection at higher levels, i.e. operating system and network perimeter protection have failed. With monitoring and analytics capabilities on the storage layer, you can identify client attacks quickly, and precisely when and where the attack happened, allowing you to limit infection, narrow down the scope of recovery and minimize the amount of data loss, saving your clients countless hours and dollars.
3. Ransomware Recovery Recover(smarter, faster)
Rapid recovery is an essential element of a cyber-resilient infrastructure offering. Most if not all your infrastructure vendors offer a recovery solution and rely on end-users capturing snapshots or backups of their application data to recover from an attack. While this helps, recovery of application data is not enough.
Your client’s applications are built as a layered stack of software–as indicated by the illustration above. For your clients to reliably recover, the recovery starts from the bottom up. To recover storage, firmware must be healthy; to recover an operating system or application data, storage must be operational; to access application data, operating systems need to be recovered… you get the idea. So, in order to become fully operational, the environment requires rapid full stack recovery. And remember that the scope of recovery depends on the scope of attack. An attack on firmware causes any layer above to be untrustworthy and will require recovery at the deepest infrastructure levels. An attack on individual files can be accommodated by simple snapshot or backup restores. So, being able to recover on any infrastructure layer is a critical property of a cyber-resilient infrastructure solution.
How we deliver it: smartInfrastructure, a cyber-resilient cloud operating platform
Nebulon has developed cyber-resilient cloud operating platform for on-premises infrastructure that allows CISOs/CIOs to address the elevated threat of ransomware as well as achieving the same efficiencies, and user experience, as the public cloud for their on-premises infrastructure deployments. With this approach, Nebulon extends the cloud operating platform concept in a number of ways specific to the needs of the enterprise and non-hyperscaler cloud service providers. Read our smartInfrastructure value paper to learn more.