I had some discussion on the matter of retention times in the context of protection against ransomware/insider attacks. Setting up a hardened repository and making data immutable for a certain amount of time is great stuff to implement. But how long is long enough?
I can remember some research or reports stating there is an "average" discovery time of ransomware / encrypted data, but I can't seem to find the articles anymore.
What would people here recommend for setting retention times for specifically protecting against these attacks?
I'm thinking about something around 14 - 31 days of immutable daily backups at minimum. Any shorter has a higher chance of matching an attacker's maximum amount of patience, for example, to just let data expire on the repo before taking action perhaps.
Or are you seeing pretty short detection times in your experience and the most recent backup was used most of the time to recover?
I'm crossposting from the R&D forum. Perhaps it is better to discuss this here. Had a great response on the R&D forum, but maybe some others would like to add.
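The trade-off the question describes (immutability window versus attacker dwell time) can be made concrete with a small model. The following is an added example, not code from the original post or from any backup product. It assumes one backup per day, treats the backup taken on the compromise day as suspect, and counts the immutability lock in whole days from the backup date; all dates in it are constructed.

```python
from datetime import date, timedelta


def clean_immutable_restore_points(backup_dates, compromise_date, detection_date, immutability_days):
    """Return the backups that are both clean (taken before the compromise) and still
    immutable on the day the incident is detected.

    Anything taken on or after compromise_date may already hold encrypted or tampered
    data, and anything whose lock has expired could have been deleted by the attacker.
    """
    clean = []
    for taken in backup_dates:
        if taken >= compromise_date:
            continue  # suspect: attacker may already have been inside
        locked_until = taken + timedelta(days=immutability_days)
        if locked_until > detection_date:  # lock still in force at detection time
            clean.append(taken)
    return clean


def max_covered_dwell_days(immutability_days, horizon_days=400):
    """Simulate daily backups and return the longest gap (in days) between compromise
    and detection for which at least one clean, still-immutable restore point exists.

    Returns -1 if even same-day detection leaves no clean immutable point.
    """
    compromise = date(2024, 6, 1)  # constructed date; the result does not depend on it
    backups = [compromise + timedelta(days=i) for i in range(-horizon_days, horizon_days + 1)]
    dwell = 0
    while dwell <= horizon_days:
        detection = compromise + timedelta(days=dwell)
        if not clean_immutable_restore_points(backups, compromise, detection, immutability_days):
            break
        dwell += 1
    return dwell - 1


if __name__ == "__main__":
    # Shows why a short lock is fragile: the covered dwell time is always two days
    # less than the immutability window under these assumptions.
    for window in (7, 14, 31):
        print(f"{window}-day immutability covers a dwell of up to "
              f"{max_covered_dwell_days(window)} days")
```

The model shows that the immutability window, not the number of retained copies, bounds the attacker patience you can absorb: a 14-day lock leaves no clean immutable point once an intruder has been inside for 13 days, so the window has to be sized to the dwell time you expect to tolerate, with some margin on top.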