Enhancing Your Veeam Security: Key Features to Activate
Veeam Software’s R&D department has been busy the past year. It has introduced three minor feature releases (V12.1, 12.2, and 12.3), including crucial new security features and updates. If you have just installed V12 or are still on V11 and are planning an upgrade to the latest V12 release (V12.3), you may be overwhelmed by figuring out an “order of importance” for activating features.
For customers moving to V12.3, or already running V12.3 but who haven’t implemented any of the security features yet, I suggest turning on the new features in this order: Veeam Hardened Repository, MFA, Four-Eyes Authorization, Entropy and Indicators of Compromise scanning, and Veeam Threat Hunter.
First: Veeam Hardened repository
The security of your backup infrastructure should start with, and center around, immutable storage. For Veeam, this is the Veeam Hardened Repository (VHR).
The Veeam Hardened Repository is delivered as a bootable ISO. It allows you to create a highly secure and immutable backup repository. The ISO installs Rocky Linux, securely sets up the OS, configures immutability, and adds the required Veeam services.
The installation process is straightforward:
- Download the ISO.
- Create a bootable USB stick.
- Plug the USB stick containing the ISO into a physical server.
- Follow the installation wizard. Key steps include configuring your network settings, setting a static IP address, and specifying a hostname.
Veeam fully supports installing and configuring the Veeam Hardened Repository from the ISO. The operating system is also supported by Veeam Support.
The ISO can be downloaded at https://www.veeam.com/download_add_packs/vmware-esx-backup/hardened-repository/. The installation procedure can also be found in the User Guide: https://helpcenter.veeam.com/docs/backup/vsphere/hardened_iso_installing.html?ver=120.
Second: Multi-Factor Authentication (MFA) and Four-Eyes Authorization
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to verify their identity through multiple methods before accessing the system. This significantly reduces the risk of unauthorized access.
The Veeam implementation of MFA supports TOTP mobile authenticator applications, such as Okta, Microsoft Authenticator, Google Authenticator, and LastPass Authenticator.
Note that MFA can only be applied to individual users, not to groups, and that an automatic logoff (time-out) setting can also be applied per user.
Additionally, Veeam's Four-Eyes Authorization feature requires another administrator user's approval for critical operations, such as deleting backup files or modifying user roles. This dual-approval mechanism helps prevent accidental or malicious actions that could compromise your backup data.
When enabled, four-eyes authorization is required to perform the following operations:
- Delete backup files or snapshots from the disk or configuration database.
- Delete information about unavailable backups from the configuration database.
- Remove backup repositories and storage from the backup infrastructure.
- Add, update, and delete users or user groups.
- Enable and disable multi-factor authentication (MFA) for all users and user groups.
- Reset MFA for a specific user.
- Enable, update, and disable automatic logoffs for all users and user groups.
MFA and Four-Eyes Authorization are enabled from the General Options menu, under Users and Roles.
More information about MFA and Four-Eyes Authorization can be found at https://helpcenter.veeam.com/docs/backup/vsphere/four_eyes_authorization.html?ver=120.
Third: Entropy and Indicators of Compromise (IoC) Scanning
Veeam's latest security update includes advanced malware detection capabilities through Entropy and IoC scanning. The Entropy scan analyzes the randomness of backed-up data to detect potential malware, since encrypted data (for example, the output of ransomware) is far more random than ordinary files. IoC scanning identifies known non-malware programs that may indicate a security risk, as listed in the MITRE ATT&CK Matrix.
The list of programs and TTPs monitored can be adjusted.
The entropy scan is performed inline on the backup stream during a backup. The IoC scan is performed against the guest file index. The current and subsequent backup files are marked as suspicious if a threat is found. Marking the files as suspicious can help speed up recoveries by pinpointing where an infection may have started.
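The following block is an added illustration of the idea behind an inline entropy scan, written for this article; it is not Veeam's scanner and makes no claim about how Veeam scores a backup stream. It splits a byte stream into fixed-size blocks, computes the Shannon entropy of each, and flags the stream when most blocks sit near the 8 bits-per-byte ceiling that encrypted data reaches. The block size, the 7.5 bits-per-byte threshold and the 50% ratio are assumed values chosen for the demo, and the "encrypted" sample is produced with a toy keystream that exists only to generate random-looking input.

```python
import hashlib
import math
from collections import Counter

# Assumed parameters for this illustration; they are not Veeam's internal values.
BLOCK_SIZE = 4096          # bytes scored per block
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted data sits close to the 8.0 maximum
SUSPICIOUS_RATIO = 0.5     # flag the stream when more than half its blocks exceed the threshold


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_stream(data: bytes, block_size: int = BLOCK_SIZE,
                threshold: float = ENTROPY_THRESHOLD,
                ratio: float = SUSPICIOUS_RATIO) -> dict:
    """Score a byte stream block by block, the way an inline scan would score a
    backup stream, and summarise how many blocks look encrypted or random."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    scores = [shannon_entropy(b) for b in blocks]
    flagged = sum(1 for s in scores if s >= threshold)
    flagged_ratio = flagged / len(blocks) if blocks else 0.0
    return {
        "blocks": len(blocks),
        "flagged": flagged,
        "flagged_ratio": round(flagged_ratio, 3),
        "min_entropy": round(min(scores), 2) if scores else 0.0,
        "max_entropy": round(max(scores), 2) if scores else 0.0,
        "suspicious": flagged_ratio > ratio,
    }


def toy_keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Produce encrypted-looking sample data by XORing with a SHA-256 counter keystream.
    Demo input generator only, not a real cipher and not for protecting anything."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


# Constructed sample inputs: a plain-text "document" and the same document after
# ransomware-style encryption (simulated with the toy keystream above).
SAMPLE_DOCUMENT = b"Quarterly report: revenue grew 4% year over year. " * 200
SAMPLE_ENCRYPTED = toy_keystream_encrypt(SAMPLE_DOCUMENT, b"constructed-demo-key")


if __name__ == "__main__":
    for label, sample in (("document", SAMPLE_DOCUMENT), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, scan_stream(sample))
```

The caveat a practitioner should keep in mind: compressed archives, media files and legitimately encrypted volumes also score near 8 bits per byte, so entropy on its own produces false positives. That is why a result like this is a signal to mark a restore point suspicious and investigate, and why it is paired with the IoC scan rather than used as the sole verdict.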
Fourth: Veeam Threat Hunter
Veeam Threat Hunter is an advanced feature built directly into the Veeam Data Platform. It offers highly optimized, accelerated signature-based backup content scans for malware.
This feature helps detect dormant threats in your backups, so that essential security measures can be put in place quickly to ensure business continuity. By running a Veeam Threat Hunter scan, you can find the last clean restore point from which you can safely recover. Veeam Threat Hunter scans can be run when performing a restore, or from a scheduled scan-only SureBackup job (SureBackup Lite).
More information about Veeam Threat Hunter can be found at https://helpcenter.veeam.com/docs/backup/vsphere/scan_backup_veeam_threat_hunter_hiw.html?ver=120.
Conclusion
By activating these features, you can significantly enhance the security of your Veeam backup infrastructure. The Veeam Hardened Repository installed from the ISO provides a tamper-proof environment for your backup data, while MFA and Four-Eyes Authorization add layers of protection against unauthorized access and actions. Entropy scanning, IoC scanning, and Veeam Threat Hunter offer advanced malware detection to keep your data safe from evolving threats. Stay proactive and keep your data protected.