It's alarming to note that over the past few years, the speed at which ransomware attacks are executed has plummeted by a staggering 94%. Criminals now take an average of just 3.85 days to deploy a ransomware attack, a significant decrease that should raise serious concerns. Once triggered, the encryption process is lightning-fast, further underscoring the situation's urgency.
According to a real test scenario conducted by Surge/Splunk, it takes about 5:50 minutes to encrypt 98.561 files placed in 100 directories of a Windows Server 2019 host. The LockBit is the fastest variant because it only encrypts 4KB of each file, rendering it unusable.
Even more concerning is the potential for triple extortion in these attacks. Suppose the initial ransom for recovering the encrypted and exfiltrated production and backup data is not paid. In that case, criminals can escalate the situation by launching a distributed denial of service (DDoS) attack against the organization’s services. This adds another layer of urgency to the need for robust data protection measures.
Since ransomware attacks specifically target backup environments, the importance of immutable backup repositories cannot be overstated. They have evolved from a mere security feature to a critical component of any data protection architecture, serving as a robust defense against the evolving threat landscape.
Backup immutability is a critical feature that safeguards your backup files from many threats. It prevents overwriting, accidental deletion, and even malicious insider actions, ensuring the integrity and availability of your data. This is why it's crucial to any comprehensive data protection strategy.
For more information about ransomware attacks and how Veeam can help organizations, refer to these posts from my blog:
- NIST Cybersecurity Framework 2.0 and how Veeam can help your organization
- Demo: Simulation of Ransomware remediation with Veeam ONE
https://cloudnroll.com/2024/01/20/demo-of-ransomware-remediation-simulation-with-veeam-one/
- Ransomware Detection: Entropy with Machine Learning and AI
https://cloudnroll.com/2023/10/08/ransomware-detection-entropy-with-machine-learning-and-ai/
- How does Veeam Hardened / Immutable Repository work?
https://cloudnroll.com/2023/10/01/how-does-veeam-hardened-immutable-repository-work/
- Demo: Deploying and using a Yara rule with Veeam
https://cloudnroll.com/2024/01/18/demo-deploying-and-using-a-yara-rule-with-veeam/
In this demonstration, I will guide you through the straightforward process of configuring and seamlessly integrating Object First's solution with Veeam Backup and Replication, empowering you to enhance your data protection strategy.
First, let's understand a little about the solution´s architecture.
Object First Basics
Ootbi, which stands for out-of-the-box immutability, is an S3-compatible object storage solution from Object First designed to ensure the immutability of your backups.
But not just that.
Object First´s Ootbi also helps you extend the principles and best practices of CISA's Zero Trust Maturity Model to the backup and recovery architecture, enabling the implementation of a Zero Trust Data Resilience (ZTDR) architecture.
Backup infrastructure inherently has a large attack surface. With Ootbi, the backup software and backup storage communication is done by S3 protocol over HTTPS to minimize the risk of penetration into the backup storage component—no more SSH protocol.
Furthermore, no user has root rights to the backup storage, and IPMI's local access to the appliance can be restricted.
All of this enables a minimal attack surface for backup storage.
Ootbi can be implemented as a standalone Veeam Backup and replication repository or as a Scale-out Backup Repository (SOBR) architecture component.
In this example, an Ootbi appliance is deployed in the Performance Tier on the primary data center and as a Capacity Tier in the secondary data center, with immutability enabled in both tiers.
Deploying S3 public cloud services with immutability enabled in the Capacity Tier is also possible.
Object First's Ootbi integration with VBR through the Veeam Smart Object Storage API further enhances performance and user experience.
The Smart Object Storage API (SOSAPI) was released on VBR v12 and, as presented in this picture, brings the “Smart Entity” feature. This capability helps direct the placement of data and load balance concurrent streams across multiple network interfaces.
The following information about Smart Entities comes from Object First´s blog:
Data Communication: Veeam Backup & Replication v12 + communicates with the SOS-accelerated repository, sharing data and client details (VM name, server name, share name, etc.)
Node Allocation: The repository guides Veeam on which node to send each Smart Entity.
Network Optimization: Lastly, it provides specific network interface IP addresses, allowing direct access for data streams to spread across all NICs, boosting throughput and speed.
Another feature resulting from the integration with the SOSAPI API is the provision of “Capacity Insights.” We have this visibility in the Veeam Backup & Replication dashboard, which details the capacity, used space, and free space of the S3 object storage-based backup repository.
This figure shows how Ootbi delivers information to the VBR console when consulting the backup repository properties and configuring or editing backup jobs.
Furthermore, the performance of backup jobs is greatly accelerated with the “Cache-Control” functionality. Ootbi appliances are natively equipped with 1.6TB NVMe drives acting as a write cache, allowing a high transfer rate between the proxies/gateways and the repository. After the data is written in this cache, it is committed to the underlying storage.
The appliances are offered in two models, each with a net and usable volume: 64TB or 128TB.
Furthermore, it is possible to implement a cluster with up to four appliances and in any model combination. For example, implementing a cluster with four 128TB appliances will achieve a total usable volume of 0.5PB.
We can now discuss another SOSAPI integration: Storage Access Control functionality. In the communication process with VBR components, distinct IP addresses are relayed by each appliance and interface, enabling precise routing of each intelligent entity to its unique network interface.
When this functionality is applied to an Ootbi cluster, direct communication with each appliance can be established without needing a controller or controller node, eliminating additional network hops.
Finally, there is the question of maximum performance. Object First states that each appliance can perform up to 1GB/s, and a cluster with four appliances can provide up to 4GB/s.
I had the opportunity to follow a Proof of Concept (PoC) with an Ootbi appliance and can testify that 1GB/s performance was easily achieved.
Unpacking the Ootbi appliance
When I received the appliance, I published a post on the Veeam Community with photos of the packaging and accessories that came with the equipment.
https://community.veeam.com/discussion-boards-66/unpacking-object-first-ootbi-6823
All components required for rack installation are delivered, such as rails, screws, and other accessories. Installation is effortless and only takes a few minutes.
To prove that installing and configuring Ootbi is extremely simple, Object First sends a flyer with step-by-step installation and configuration instructions, including the Veeam Backup and Replication repository presentation. Object First reports that the solution can be racked, stacked, and energized in 15 minutes.
In other words, you don't need a specialized professional to carry out these operations; follow the simple instructions.
Demo: Configuring and Integrating Object First with Veeam VBR 12.1
Finally, after this preliminary information, I prepared this demonstration with the procedures I follow for configuring and using Object First's Ootbi.
I present the initial configuration of the appliance using the text user interface (local console) to the configuration of the S3-keys and the S3-bucket in the web interface and end with the configuration and use of the solution in VBR and its presentation to Veeam ONE.
Web Management Monitoring views
Let's quickly see the monitoring views that the solution delivers. First, the Dashboard view contains important information on the available storage capacity, alerts, network throughput, S3 operations, and overall system IO. The Performance widget is a graphic representation of the workload, and the resolution can be changed from live to monthly.
The Monitoring view provides information on S3 API Throughput, network throughput, disk I/O, CPU and RAM usage, the number of S3 API requests, and latencies. This view also provides cluster-wide metrics and allows for scaling each of the metrics to an individual node.
In the graph below, we can see two backup transfers: one on Friday and related to one backup job and the other on Monday, related to five backup jobs.
As we had more jobs, the throughput of APIs, network, and disk I/O increased on Monday. If we look at the graph, CPU usage remained practically the same as on Friday, which is an excellent initial impression!
There are other aspects to be explored in the Web Management console, such as additional security settings, but this is a topic for another post or it can be consulted by you in the solution´s manual.
Likewise, I haven't yet had the opportunity to perform broader stress testing. But I intend to make them and publish it soon!
Below are some essential references, and I hope this information and this demo are helpful to anyone interested in this solution!
References
https://objectfirst.com/help/object-first-web-management-console/
https://helpcenter.veeam.com/docs/backup/vsphere/sosapi.html?ver=120
https://helpcenter.veeam.com/docs/backup/vsphere/object_storage_repository.html?ver=120
https://www.veeam.com/veeam_backup_12_0_whats_new_wn.pdf
