AWS Partner Network (APN) Blog
Elastio Integrates with AWS Backup for Secure Backups to Enhance Ransomware Defense
By Sabith Venkitachalapathy, Solutions Architect – AWS Data Protection Services
By Adam Nelson, CTO – Elastio
By Cris Daniluk, Founder and Lead Architect – Rhythmic Technologies
Many companies are falling victim to ransomware attacks despite having strong security measures in place. Attackers often take advantage of system vulnerabilities to deploy their payload undetected and target data that’s replicated and backed up.
Companies are also concerned about the long dwell times between the initial malware infection and the execution of the ransomware payload: backups taken during that window already contain the infection, so restoring from them can reinstate the compromised application rather than recover from it.
While Amazon Web Services (AWS) customers use multiple cyber frameworks to defend themselves from cyberattacks including ransomware, the Cybersecurity Framework from the National Institute of Standards and Technology (NIST) has become the de facto framework they adopt as a ransomware defense-in-depth strategy.
To help customers ensure their backups are clean, non-compromised, recoverable, and resilient to ransomware attacks, Elastio launched an integration between its Cyber Recovery as a Service (CRaaS) platform and AWS Backup.
Elastio is an AWS Storage Competency Partner and AWS Marketplace Seller that scans supported AWS Backup recovery points for threats, continuously recovery-tests them, identifies the last clean recovery point, and integrates with existing notification processes when ransomware, corruption, or any other threat is detected.
The platform is run completely from within the customer’s AWS account, and Elastio does not have access to view or take custody of customer data, nor does it have access to encryption keys. AWS customers control all policy details, including which account(s) to run it in, what assets to scan, and whether to automatically scan or do so on a point-in-time basis.
Data Protection Using AWS Backup
AWS offers the largest number of distinct services that correspond to the five functions of the NIST Cybersecurity Framework (listed in the framework's own order):
- Identify critical data
- Protect your data
- Detect ransomware events
- Respond to the ransomware event
- Recover your data
AWS Backup Vault Lock enforces write-once, read-many (WORM) backups to help protect backups (recovery points) in your backup vaults from inadvertent or malicious actions. Note that Vault Lock has two modes: in governance mode the lock can still be changed or removed by an identity with the right IAM permissions, whereas in compliance mode it becomes immutable once the cooling-off period (the ChangeableForDays setting, at least three days) has elapsed, and after that point no user, including the account root user, can remove it or shorten retention. Only compliance mode defends against an attacker who has already obtained administrative credentials.
To help protect against a security event that impacts stored backups in the source account, AWS Backup supports cross-account backups and the ability to centrally define backup policies for accounts in AWS Organizations.
Based on the Data Protection Reference Architectures, customers can copy backups to a known, logically isolated destination account within their AWS Organization and restore into the destination account or into a third account.
This provides customers with an additional layer of protection if the source account experiences disruption from accidental or malicious deletion, disasters, or ransomware.
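The paragraph above describes Vault Lock and its modes in words. The following is an added example (not code from the original post, from AWS, or from Elastio) that applies a compliance-mode lock to a destination vault through the real boto3 AWS Backup calls put_backup_vault_lock_configuration and describe_backup_vault, validates the retention bounds first, and then classifies the resulting lock state so a deployment check can fail if a vault is only in governance mode. The vault name, the retention values and the FakeBackupClient at the bottom are assumptions constructed so the logic runs offline; the LockDate handling follows the documented response shape (LockDate is present only when a cooling-off period was set).

```python
"""Lock an AWS Backup vault in compliance mode and verify the lock state.

Added example, not the original post's or Elastio's code. Uses the real boto3
AWS Backup API names; vault name, retention values and the fake client are
assumptions so the code runs offline.
"""
from datetime import datetime, timedelta, timezone

VAULT_NAME = "central-bunker-vault"  # assumption: name of the destination vault


def build_lock_config(vault_name, min_days, max_days, changeable_for_days):
    """Return kwargs for put_backup_vault_lock_configuration after sanity checks.

    Setting ChangeableForDays selects compliance mode: once the cooling-off
    period ends, nobody (root user included) can remove the lock or shorten
    retention. Omitting it gives governance mode, which an attacker holding
    admin credentials could simply remove before deleting recovery points.
    """
    if min_days < 1:
        raise ValueError("MinRetentionDays must be at least 1")
    if max_days < min_days:
        raise ValueError("MaxRetentionDays must be >= MinRetentionDays")
    if changeable_for_days < 3:
        # AWS requires a cooling-off period of at least three days.
        raise ValueError("ChangeableForDays must be at least 3 for compliance mode")
    return {
        "BackupVaultName": vault_name,
        "MinRetentionDays": min_days,
        "MaxRetentionDays": max_days,
        "ChangeableForDays": changeable_for_days,
    }


def lock_status(vault, now=None):
    """Classify a describe_backup_vault() response.

    Returns "unlocked", "governance", "compliance-pending" (cooling-off period
    still running) or "compliance". LockDate marks the end of the cooling-off
    period and is absent for governance-mode locks (assumed response shape,
    matching the boto3 documentation).
    """
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"
    if lock_date > now:
        return "compliance-pending"
    return "compliance"


def apply_lock(client, vault_name, min_days, max_days, changeable_for_days, now=None):
    """Apply the lock through the given client and return the resulting status."""
    cfg = build_lock_config(vault_name, min_days, max_days, changeable_for_days)
    client.put_backup_vault_lock_configuration(**cfg)
    return lock_status(client.describe_backup_vault(BackupVaultName=vault_name), now)


class FakeBackupClient:
    """Constructed stand-in for boto3.client("backup") that remembers one lock."""

    def __init__(self, now):
        self.now = now
        self.lock = None

    def put_backup_vault_lock_configuration(self, **cfg):
        self.lock = cfg
        return {}

    def describe_backup_vault(self, BackupVaultName):
        resp = {"BackupVaultName": BackupVaultName, "Locked": self.lock is not None}
        if self.lock:
            resp["MinRetentionDays"] = self.lock["MinRetentionDays"]
            resp["MaxRetentionDays"] = self.lock["MaxRetentionDays"]
            if "ChangeableForDays" in self.lock:
                resp["LockDate"] = self.now + timedelta(days=self.lock["ChangeableForDays"])
        return resp


if __name__ == "__main__":
    # Offline demonstration; swap FakeBackupClient for boto3.client("backup") to run for real.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fake = FakeBackupClient(t0)
    print(apply_lock(fake, VAULT_NAME, 7, 35, 3, now=t0))            # compliance-pending
    desc = fake.describe_backup_vault(BackupVaultName=VAULT_NAME)
    print(lock_status(desc, now=t0 + timedelta(days=3)))              # compliance
```

In a real deployment, run lock_status against every vault that receives cross-account copies and treat anything other than "compliance" as a finding; a vault in "governance" provides no protection against the credential-theft scenario this post is about.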
How Elastio Works with AWS Backup
The Elastio integration with AWS Backup can be automated through a simple AWS CloudFormation template. Once enabled, a custom AWS Lambda function sends Elastio notifications for recovery points that are tagged explicitly for scanning after an AWS Backup copy or backup job is completed.
Elastio imports these recovery points into its globally deduplicated and compressed cyber vault (ScaleZ), scans them, and reports and alerts on the results in real time through a variety of integrations, including security tools such as AWS Audit Manager, AWS Security Hub, Splunk, and Datadog, powered by Amazon EventBridge.
Elastio scans completed AWS Backup recovery points in real time for ransomware, malware, corruption, and other factors that affect restorability. Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Elastic Block Store (Amazon EBS) recovery points are supported in this version.
Figure 1 – Elastio + AWS Backup architecture diagram.
When a threat or integrity issue is detected, Elastio records detailed file-level information, which provides historical context and lets investigators reconstruct what changed and when for forensic analysis.
Customers can respond to an incident with one click: recover entire instances, selected volumes, or individual files for further forensic analysis, or rely on AWS Backup's own capabilities to restore the recovery point into a secure, isolated environment away from production.
Elastio aligns with existing incident response processes, sending logs, events, and alerts to leading Security Information and Event Management providers (SIEMs) through webhooks. Alternatively, customers can use the Elastio Tenant Dashboard to dive deeper into the details without additional tooling.
Figure 2 – Restore infected volumes for investigation and clean volumes for recovery.
Deploying Elastio’s AWS Backup Integration
In this walkthrough, we will discuss the following:
- Prerequisites for installing Elastio.
- Where to find the product for deployment.
- Steps to deploy Elastio.
To see the deployment prerequisites, refer to Elastio’s technical documentation.
- From AWS Marketplace, purchase or request a trial of Elastio and follow the provisioning process to create a new Elastio Tenant. This process can be completed in as little as 15 minutes.
- Once logged into the Elastio Tenant Dashboard, select On-Boarding and then Get Started under Deploy Elastio.
- Enter the Account ID of the AWS account that contains your AWS Backup Vault and complete Step 2 to create the necessary AWS Identity and Access Management (IAM) roles and policies to install Elastio.
- Return to the Elastio Tenant Dashboard and specify the region containing the AWS Backup Vault to install Elastio.
- Deploy the Elastio AWS Backup integration CloudFormation template. The deployment instructions are available on GitHub.
Once the Elastio AWS Backup integration is installed, Elastio will begin importing and scanning AWS Backup recovery points according to the policy set by the customer.
As these scans are completed, they will publish results to Amazon EventBridge, which can be saved to an Amazon Simple Storage Service (Amazon S3) bucket. Additional integrations can be configured through EventBridge with security tools such as AWS Security Hub, Splunk, and Datadog.
Elastio AWS Backup Integration Architecture
Elastio supports several deployment approaches depending on the customer’s requirements, but the two most common patterns are single-account and cross-account configurations.
Single-Account Deployment
The single-account deployment allows customers to begin protecting data within minutes, linking existing AWS Backup Vaults and recovery points to Elastio’s threat detection and response engine.
Figure 3 – Scan recovery points and provide scan reports to Amazon S3.
- AWS Backup creates a recovery point for an Amazon EC2 instance in the AWS account.
- An Amazon EventBridge event is triggered when the recovery point is completed.
- A Lambda function is triggered on the event and invokes Elastio, which imports the recovery point and scans all associated EBS volumes.
- A Job Status Lambda function is triggered to copy scan artifacts to an S3 bucket. The trigger function in the previous step is where the selection logic lives (recovery points are opted in by tag), so customize that function to control which recovery points are scanned.
- The artifacts are stored in an S3 bucket. Customers can also use the Elastio Tenant Dashboard to provide additional notifications to SIEMs, email, Slack, and other tools.
Cross-Account Deployment
Many customers utilize separate backup or recovery accounts as an additional layer of protection, particularly against ransomware attacks that often leverage credentials to encrypt source data and corrupt or delete backup copies.
Elastio's AWS Backup integration works seamlessly with such deployment models, with a few key differences from the single-account deployment that are highlighted below.
Figure 4 – Provide notifications when recovery point copy operations are completed.
- AWS Backup creates a recovery point for an EC2 instance in the AWS account.
- An Amazon EventBridge event is emitted when the recovery point is completed, which starts a copy to the AWS Backup Vault in the Central Bunker account.
- Once the copy job completes, AWS Backup emits a copy-job state-change event in the bunker account, which is matched by the Job Trigger EventBridge rule.
- A Lambda function is triggered on the event and invokes Elastio, which imports the recovery point and scans all associated EBS volumes.
- A Job Status Lambda function is triggered to copy scan artifacts to an S3 bucket. As in the single-account deployment, the trigger function in the previous step holds the tag-based selection logic, so customize that function to control which recovery points are scanned.
- The artifacts are stored in an S3 bucket. Customers can also use the Elastio Tenant Dashboard to provide additional notifications to SIEMs, email, Slack, and other tools.
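The single-account and cross-account flows above both hinge on one decision made by the trigger Lambda function: a job state-change event arrives, and the function must decide whether the resulting recovery point is opted in for scanning before handing it to the scanner. The following is an added example of that trigger-side logic (not the integration's own Lambda code) that handles both event types: a completed backup job in the single-account flow and a completed copy job in the bunker account. The event field names and the boto3 calls describe_backup_job, describe_copy_job and list_tags are the real AWS Backup ones; the opt-in tag name, the notify_scanner hook that stands in for the call into Elastio, and the FakeBackupClient with its two constructed events are assumptions so the code runs offline.

```python
"""Trigger-side filter for an AWS Backup to scanner hand-off.

Added example, not code from the original post or from Elastio. Real AWS
Backup event and API names; tag name, notify_scanner hook, fake client and
sample events are assumptions constructed so this runs offline.
"""

SCAN_TAG_KEY = "elastio:scan"   # assumption: opt-in tag the trigger looks for
SCAN_TAG_VALUE = "true"


def recovery_point_from_event(event, backup):
    """Return the recovery point ARN a completed job produced, or None.

    AWS Backup emits "Backup Job State Change" and "Copy Job State Change"
    events on EventBridge; both carry a job id and a state. The recovery
    point ARN is resolved through the Describe* API rather than trusted from
    the event body, so a crafted event cannot point the scanner elsewhere.
    """
    detail = event.get("detail", {})
    if detail.get("state") != "COMPLETED":
        return None                      # ignore CREATED/RUNNING/FAILED/ABORTED
    kind = event.get("detail-type")
    if kind == "Backup Job State Change":
        job = backup.describe_backup_job(BackupJobId=detail["backupJobId"])
        return job.get("RecoveryPointArn")
    if kind == "Copy Job State Change":
        job = backup.describe_copy_job(CopyJobId=detail["copyJobId"])
        return job["CopyJob"].get("DestinationRecoveryPointArn")
    return None


def opted_in_for_scan(recovery_point_arn, backup):
    """True when the recovery point carries the opt-in tag (case-insensitive value)."""
    tags = backup.list_tags(ResourceArn=recovery_point_arn).get("Tags", {})
    return tags.get(SCAN_TAG_KEY, "").lower() == SCAN_TAG_VALUE


def handle(event, backup, notify_scanner):
    """Handler body. Returns the ARN handed to the scanner, or None if skipped."""
    arn = recovery_point_from_event(event, backup)
    if arn is None or not opted_in_for_scan(arn, backup):
        return None
    notify_scanner(arn)   # assumption: integration-specific call that starts the scan
    return arn


def lambda_handler(event, context=None):
    """Entry point for a real deployment; not exercised offline."""
    import boto3
    return handle(event, boto3.client("backup"), lambda arn: print("scan requested:", arn))


class FakeBackupClient:
    """Constructed stand-in for boto3.client("backup") with one backup and one copy job."""

    def __init__(self):
        self.jobs = {"job-1": "arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0"}
        self.copies = {"copy-1": "arn:aws:ec2:us-east-1::image/ami-0fedcba9876543210"}
        self.tags = {self.jobs["job-1"]: {SCAN_TAG_KEY: "true"},
                     self.copies["copy-1"]: {}}          # copy target not opted in

    def describe_backup_job(self, BackupJobId):
        return {"BackupJobId": BackupJobId, "RecoveryPointArn": self.jobs[BackupJobId]}

    def describe_copy_job(self, CopyJobId):
        return {"CopyJob": {"CopyJobId": CopyJobId,
                            "DestinationRecoveryPointArn": self.copies[CopyJobId]}}

    def list_tags(self, ResourceArn):
        return {"Tags": self.tags.get(ResourceArn, {})}


# Constructed events shaped like the AWS Backup EventBridge examples.
BACKUP_EVENT = {
    "source": "aws.backup", "detail-type": "Backup Job State Change",
    "detail": {"backupJobId": "job-1", "state": "COMPLETED", "resourceType": "EC2"},
}
COPY_EVENT = {
    "source": "aws.backup", "detail-type": "Copy Job State Change",
    "detail": {"copyJobId": "copy-1", "state": "COMPLETED", "resourceType": "EC2"},
}

if __name__ == "__main__":
    fake, sent = FakeBackupClient(), []
    print(handle(BACKUP_EVENT, fake, sent.append))   # tagged: returns the AMI ARN
    print(handle(COPY_EVENT, fake, sent.append))     # untagged: None
    print(sent)
```

The point of resolving the ARN through describe_backup_job and describe_copy_job is least privilege in both directions: the trigger role needs only backup:DescribeBackupJob, backup:DescribeCopyJob and backup:ListTags, and nothing in the event payload is trusted to name the object that will be imported into the scan vault.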
Customer Use Case
Rhythmic Technologies is a partner for a global media intelligence firm and uses AWS Backup to ensure the availability and recoverability of its critical information in the event of an application failure or a data loss scenario.
Rhythmic’s client prioritizes survivability from ransomware and protecting its business’s reputation and long-term revenue. Because no company is immune to ransomware, they take a broader approach at the AWS Organizational level to protect their data.
This approach includes immutable backups, security solutions that detect ransomware as close to the infection as possible, forensics capabilities inside of the data for interrogation into the root cause, and recovery-tested backups.
Using Elastio, Rhythmic's client can continuously monitor AWS Backup recovery points for cyber threats like ransomware, malware, and corrupted data. This helps them protect their own data and the confidential data of their customers from cyberattacks and data breaches.
Elastio alerts the client’s systems to data security and integrity issues through Splunk and provides mechanisms for sandbox inspection and response. This approach helps them to quickly and effectively respond to cyber threats and ensure the clean recoverability of its data.
Conclusion
By implementing Elastio's AWS Backup integration for new and existing AWS Backup recovery points, customers can increase confidence that recovery will be performed from clean recovery points.
Customers can also reduce risk and spend, improve recovery time objectives (RTO), and better meet compliance and regulatory requirements.
Learn more about Elastio in AWS Marketplace.
Elastio – AWS Partner Spotlight
Elastio is an AWS Partner that integrates with AWS Backup to scan backups for threats, recovery-tests them to ensure a successful restoration, and quickly identifies the last clean recovery point.