Adaptive backup as a security enhancer.

Electronic parasites are spreading through the computing fabric at an alarming rate; new vulnerabilities are constantly unearthed, and they morph into threats with ever-shrinking lag time. Yet security-related issues are not the only worries for IT. Systems management and integration tasks are a continuing challenge--and what technician doesn't get a little queasy when the CEO calls in a panic needing a backup restored before the board meeting in fifteen minutes?

Diverging Disciplines

What's interesting is that all these issues are handled by a single team in most organizations, but they're mapped to separate disciplines: a network/security administrator configures firewalls, network intrusion detection systems, and antivirus software; a deploy and configuration guru runs the systems management framework; and the storage and backup technician thinks about disaster recovery so everyone else can sleep at night. Sometimes one person wears several hats--but that's an artifact of compressed IT budgets more than philosophy or inclination. The full potential of network, systems, and storage management depends on powerful synergies that each discipline brings to the others.

In Search of Synergy

Backup is a case in point. Today's carefully implemented backup systems chug away, continually adding layers of protection as old backups become obsolete or join the federally-mandated compliance archive in a vault somewhere. For example, if you're taking daily backups of your Exchange server when a vulnerability in Exchange is announced, the pattern continues through threat, attack, infection, patch remediation, or whatever else occurs. This is what we expect, given the separation of disciplines within IT and the software industry. Is this what we want?

[GRAPHIC OMITTED]

Backups exist to enable recovery, of course, and security events are one cause of recovery; that alone should tell us that the disciplines are synergistic. But like human health care workers, backups don't just help the sick recover--they're vital to preventing further spread and secondary infection. No battle is complete without them. Wouldn't it be nice to give our backup systems an early warning of relevant threats, and trigger by configurable policy a corresponding adjustment to the rate or retention of backups? Wouldn't it help to certify the health of backups before a restore, so we don't re-release the same virus we just finished purging? Wouldn't we be better off if backup systems could cooperate with systems management and patch remediation frameworks to decide which machines are most at risk and therefore get highest priority in our backup storage pool until a threat subsides? What if, upon restore, our backup software automatically reapplied patches that occurred after the backup date?

From Wishes to Reality

If such notions sound like a utopian daydream, you are half right. Until recently, a number of factors prevented the kind of adaptive, intelligent integration that such a system would require. The good news is that the technological landscape now includes some key enablers that could make adaptive backup a reality. Of course, what is possible and what is available today are two different things--but perhaps not for long!

The advent of cheap disk-to-disk backup is one enabler. While tape continues to have an important place in an overall strategy, it is now possible to use disk snapshot and imaging products such as Symantec's V2i Protector to capture backup data (both full and incremental) without interrupting the system, and to stream it quickly to a secondary location.
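The two restore-time wishes above (certifying a backup's health before restoring from it, and re-applying patches that came out after the backup date) can be expressed as a restore gate. This is an added example, not code from the article or from Symantec: the image manifest, the hash block-list and the patch history are constructed sample data, the patch identifiers and hashes are placeholders, and the scan function stands in for running an antivirus engine over an image mounted as a volume.

```python
"""Restore gate: certify a backup image before restoring from it.

Added example (not code from the article or from Symantec). The manifest,
the block-list and the patch history below are constructed; real tooling
would read the manifest from the mounted image and the block-list from the
antivirus engine's current signature set.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class BackupImage:
    host: str
    taken: date                 # date the image was captured
    files: Dict[str, str]       # path -> content hash (constructed values)
    patch_level: Set[str]       # patch ids installed when the image was taken


@dataclass
class RestoreDecision:
    allowed: bool
    infected: List[str]                 # paths whose hash is on the block-list
    patches_to_reapply: List[str]       # oldest first
    reasons: List[str] = field(default_factory=list)


def scan_image(image: BackupImage, bad_hashes: Set[str]) -> List[str]:
    """Paths in the image whose hash matches a known-bad signature.

    Stands in for running the antivirus engine over the mounted image.
    """
    return sorted(p for p, h in image.files.items() if h in bad_hashes)


def patches_missing(image: BackupImage,
                    history: List[Tuple[str, date]]) -> List[str]:
    """Patches the restored machine would lack, in publication order.

    Covers the article's case (patches published after the backup date) and
    also patches that were already out but not installed when the image was taken.
    """
    pending = [(pid, pub) for pid, pub in history if pid not in image.patch_level]
    return [pid for pid, _ in sorted(pending, key=lambda t: t[1])]


def evaluate_restore(image: BackupImage, bad_hashes: Set[str],
                     history: List[Tuple[str, date]],
                     requested: Optional[List[str]] = None) -> RestoreDecision:
    """Decide whether a restore may proceed.

    requested=None is a full-system restore, refused if anything in the image
    is known-bad. A list of paths is a file-level restore, allowed as long as
    none of the requested files is known-bad: this is how an uninfected
    document is pulled out of an infected image.
    """
    infected = scan_image(image, bad_hashes)
    patches = patches_missing(image, history)
    reasons: List[str] = []

    if requested is None:
        allowed = not infected
        if not allowed:
            reasons.append("image contains known-bad files; full restore refused")
    else:
        missing = [p for p in requested if p not in image.files]
        hit = [p for p in requested if p in infected]
        allowed = not missing and not hit
        if missing:
            reasons.append(f"not in image: {missing}")
        if hit:
            reasons.append(f"known-bad files requested: {hit}")

    if allowed and patches:
        reasons.append(f"re-apply after restore: {patches}")
    return RestoreDecision(allowed, infected, patches, reasons)


# Constructed sample: an image captured while a worm dropper was already on
# the host, with one patch installed, one pending and one published later.
SAMPLE_IMAGE = BackupImage(
    host="db01",
    taken=date(2004, 3, 1),
    files={
        "C:/Windows/system32/kernel32.dll": "hash-kernel32-ok",
        "C:/Users/ceo/board-deck.ppt": "hash-board-deck-ok",
        "C:/Windows/system32/svchost32.exe": "hash-worm-dropper",  # constructed name
    },
    patch_level={"PATCH-2004-01"},
)
KNOWN_BAD = {"hash-worm-dropper"}          # constructed block-list entry
PATCH_HISTORY = [                          # (placeholder id, publish date)
    ("PATCH-2004-01", date(2004, 1, 13)),
    ("PATCH-2004-02", date(2004, 2, 10)),  # out before the backup, not installed
    ("PATCH-2004-03", date(2004, 4, 13)),  # published after the backup date
]

if __name__ == "__main__":
    print(evaluate_restore(SAMPLE_IMAGE, KNOWN_BAD, PATCH_HISTORY))
    print(evaluate_restore(SAMPLE_IMAGE, KNOWN_BAD, PATCH_HISTORY,
                           requested=["C:/Users/ceo/board-deck.ppt"]))
```

The full-system restore of the sample image is refused because the dropper is present, while the file-level restore of the board deck goes through and carries the list of patches to re-apply; the block-list lookup is where a real gate would call the antivirus engine, and it should be re-run whenever definitions change, since an image that was clean last week may not be clean today.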
It's also possible to access individual files and folders within a backup in a straightforward manner (e.g., by mounting an image as a volume), which dramatically alters the supportable scenarios during recovery. You can restore an uninfected PowerPoint out of an infected operating system image, for example. You can also scan the contents of a backup with traditional antivirus technology.

Another enabler--detailed and automated warning of security threats--is available through systems like Symantec's DeepSight, which monitors data from thousands of sensors on the Internet and publishes sophisticated threat descriptions to subscribers. Of course, warnings can be collected in simpler ways as well. The press releases of vendors and industry watchers and the BugTraq mailing list at www.securityfocus.net/ are good places to start. Couple these tools with a sophisticated patch remediation technology that works hand-in-hand with systems management frameworks, and you could create a true boon for harried IT staff. Here's how such a system might work.

Adaptive Backup in Practice

First, network and backup administrators collaborate to create a definition of low- and high-exposure states for a machine. The low-exposure state is hopefully the default; high exposure is tied to various conditions such as a known vulnerability that applies to the specific software on a machine, a virus or worm that exploits that vulnerability circulating in the proximate environment, ongoing deployment of new software by systems management tools, hardware aging, or other factors. Of course, the definitions of state are not necessarily binary; perhaps a particular organization wants to evaluate exposure on a scale of one to ten. It is also important to recognize states that are "beyond" potential problems--"known to be infected" is an obvious one.

In any case, the second step is to map these states onto backup policies. In most cases, high exposure probably correlates to more frequent backups. However, if network bandwidth is a constraint, perhaps the depth of backup retention is a better way to tune behavior. This mapping must reflect the unique storage constraints, budget pressures, and SLAs of each organization; it's a complex balancing act that requires careful thought (see Figure).

An important aspect of these backup policies relates to Hierarchical Storage Management (HSM), quarantine, and ongoing validation. Once a worm contaminates your database server, do you want to make sure its most recent backup isn't removed from disk as part of routine tape archival?
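The state definitions and the state-to-policy mapping described above, together with the quarantine handling and the approval-with-timeout transitions this section goes on to discuss, as an added Python example. It is not code from the article or from Symantec: it assumes exposure is scored 0-10 as the article suggests, with "known to be infected" modelled as a separate state beyond the scale that an operator sets and clears, and it assumes threat intelligence arrives as simple records naming the affected software. The scoring weights, the policy table, the host inventory and the threat report are all constructed values.

```python
"""Adaptive backup policy engine.

Added example, not code from the article or from Symantec. Exposure is
scored 0-10 with a separate "known infected" state; threat reports are
simple records naming the affected software. Weights, policy table, hosts
and the threat report are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

INFECTED = 99  # state "beyond" the 0-10 scale: known to be infected


@dataclass(frozen=True)
class BackupPolicy:
    interval_hours: int        # how often an image is captured
    retain_days: int           # how long each generation is kept
    pin_latest: bool = False   # newest image stays on disk, exempt from HSM migration to tape
    quarantine: bool = False   # images serve file-level restores only, never full-system


@dataclass
class ThreatReport:
    ident: str
    affects: Set[str]          # software the vulnerability applies to
    exploit_circulating: bool  # worm or virus seen in the proximate environment
    active: bool = True        # False once the threat subsides


@dataclass
class Host:
    name: str
    software: Set[str]
    patch_pending: bool = False     # patch announced but still in its test window
    deploying: bool = False         # systems management is rolling out new software
    level: int = 0
    policy: BackupPolicy = BackupPolicy(24, 14)
    pending: Optional[dict] = None  # proposed change awaiting approval or timeout


def score_exposure(host: Host, reports: List[ThreatReport]) -> int:
    """Step one: place a host on the exposure scale (weights are constructed)."""
    if host.level == INFECTED:
        return INFECTED                     # only an operator clears this state
    level = (2 if host.patch_pending else 0) + (1 if host.deploying else 0)
    for r in reports:
        if r.active and r.affects & host.software:
            level += 7 if r.exploit_circulating else 4
    return min(level, 10)


def policy_for(level: int, bandwidth_limited: bool = False) -> BackupPolicy:
    """Step two: map exposure to a policy. A bandwidth-limited site lengthens
    retention instead of shortening the interval, as the article suggests."""
    if level == INFECTED:
        return BackupPolicy(24, 90, pin_latest=True, quarantine=True)
    if level <= 3:
        return BackupPolicy(24, 14)
    if level <= 6:
        return BackupPolicy(24, 30) if bandwidth_limited else BackupPolicy(12, 14)
    return (BackupPolicy(24, 60, pin_latest=True) if bandwidth_limited
            else BackupPolicy(4, 30, pin_latest=True))


class AdaptiveBackup:
    """Step three: let threat reports drive transitions. Tightening waits for
    operator approval or a timeout; relaxing happens without asking."""

    def __init__(self, hosts: List[Host], approval_timeout=timedelta(hours=4),
                 bandwidth_limited: bool = False):
        self.hosts: Dict[str, Host] = {h.name: h for h in hosts}
        self.timeout = approval_timeout
        self.bandwidth_limited = bandwidth_limited
        self.outbox: List[str] = []  # stands in for e-mail to the backup administrator

    def evaluate(self, reports: List[ThreatReport], now: datetime) -> None:
        for h in self.hosts.values():
            new = score_exposure(h, reports)
            if new == h.level or (h.pending and h.pending["level"] == new):
                continue
            policy = policy_for(new, self.bandwidth_limited)
            if new < h.level:                # threat subsided: relax immediately
                h.level, h.policy, h.pending = new, policy, None
                continue
            h.pending = {"level": new, "policy": policy, "deadline": now + self.timeout}
            self.outbox.append(f"{h.name}: exposure {h.level}->{new}, proposed {policy}, "
                               f"applied by default at {h.pending['deadline']:%Y-%m-%d %H:%M}")

    def approve(self, name: str) -> None:
        self._apply(self.hosts[name])

    def tick(self, now: datetime) -> None:
        """Default action: apply proposals whose approval window has expired."""
        for h in self.hosts.values():
            if h.pending and now >= h.pending["deadline"]:
                self._apply(h)

    def mark_infected(self, name: str) -> None:
        """Move a host beyond the scale: pin its latest image and quarantine the rest."""
        h = self.hosts[name]
        h.level, h.policy, h.pending = INFECTED, policy_for(INFECTED), None

    @staticmethod
    def _apply(h: Host) -> None:
        if h.pending:
            h.level, h.policy, h.pending = h.pending["level"], h.pending["policy"], None
```

The outbox list is where a deployment would hook its mail gateway, tick() is what a scheduler calls to enforce the default action, and mark_infected() is the "known to be infected" state: its policy keeps the newest image on disk rather than letting routine HSM archival move it to tape, and marks the host's images as good for file retrieval only, never for a full-system restore.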
If you discover the contamination long after it occurs, do you quarantine a certain set of backups so they are not used for full-system restores but are still available to retrieve individual files? Will you re-scan your backups on an ongoing basis every time your virus definitions get updated?

With states and policies carefully defined, administrators of an adaptive backup solution need to connect it to data sources that provide intelligence about the threat environment. When a threat is reported and the system decides that a transition to a new exposure level has occurred, it can send e-mail to the backup administrator announcing the suggested policy, and await approval, possibly taking a default action after a specified timeout. And when a threat subsides, it can relax its posture without manual reconfiguration.

Adaptive Backup and the Patch Remediation Window

Today, long intervals often elapse between the announcement of a patch and the time when IT is confident enough to roll it out on production servers. Running aggressive auto-update features may be fine for isolated workstations, but patches to business-critical apps are regularly tested for 30 or even 60 days before they go live. This is a period of elevated exposure that attackers know about.

With adaptive backup in place, administrators have protected themselves in several ways. They dramatically improve the restore outcome and thus ameliorate the consequences of an intrusion if it occurs before they've deployed the patch. They may be able to deploy the patch sooner because any resulting instability is more treatable (again through better backups). And by correlating a backup policy to systems management, they can make cross-infection or resurrected vulnerability through restore far less likely.

Converging on the Future

The intersection of the disciplines of networking, security, systems and storage management has great potential to make our computing more secure and productive. Gains will come not just from mainstream security offerings, but also from savvy cross-pollinations. Adaptive backup is one such exciting hybrid technology on the horizon. Its advent is yet another proof that the only secure infrastructure is a managed infrastructure.

www.symantec.com

Daniel Hardman is a software architect with Symantec Corporation's Enterprise Administration business unit (Cupertino, CA)