Veeam Oxford Style Debate - Episode 1

I am challenging ​@HunterLAFR :) 

challenge accepted"
dificulty level up! AGAINST!!
Change my mind!
 

Good stuff! But we need more in here 😁

Comment with:

• FOR or AGAINST
• A short explanation based on your real-world experience
• Tag one person you want to challenge or hear a counter-perspective from 

AGAINST because security cannot be handled by a single aspect.

Immutable backups can be one effective defense against ransomware… but as a part of a bigger plan

I challening ​@falkob that has wrotten a good article about immutability.

“Immutable backups are the only effective defense against ransomware.”

AGAINST!

Why? Backups are just one piece of a layered approach to security. And, immutability, also one piece of a layered secure approach to Backups. For additional defense against ransomware, imo one also have to have an offsite and/or air-gapped copy of their Backup data. And even those 2 parts of layered Backups security together may not even be enough. Why? What if the ransomware file(s) are within the data itself?? No amount of immutability, or even air-gapped/offsite copy can save you from malicious intent then.

And that leads to a 3rd point → longevity; i.e. GFS retention points. If the 1st two layers aren’t enough to cover you in the event of a ransomware outage, then hopefully you have Backup retention far enough out which doesn’t have malware inside the data. I think the last statistic on this I read about a few yrs ago was data was infiltrated on average back 3mos to 6mos. Older data can be stale of course, but at least you’d have a foundational copy from which to keep business running. 👍🏻

Let’s see ​what @Scott ‘s take is...😊

BTW..this is good ​@Madi.Cristil ! 😊

Thank you, ​@coolsport00 ! Glad you enjoy it! So far everyone seems to be against , I guess next time I have to find some more intriguing statement 😁

Hi there

Now I can write down a few words to explain my point.

Immutable backups are ok, is good stuff, for from data perspective, 
But we need to cover all angles, data protection, physical protection, and access / readable data protection.

For me Immutability is a piece of a bigger puzze we need to solve, 
Good start point if you got nothing, but take into count:

• Data Immutability
• Data Access
• Data Encryption
• Physical Security
• Plan B,C,D...Z

Even if your data is Immutable, but they distroy the Physical device were it resides, you are ****

​@jos.maliepaard , can you please give your point of view??

😁 challenged!!!

Against. Why, immutable backups prevent deletion, encryption and insider sabotage to name a few. It doesn’t protect against ransomware from spreading, validate application consistency, and backup infrastructure compromise elsewhere. In addition, you should have air-gapped or isolated copies, this is where 3-2-1-1-0 rule matters. Also, backup infrastructure hardening (MFA, segmented networks, separate admin accounts, etc), recovery testing, threat detection and monitoring (CrowdStrike, Sentinel One, etc), and clean recovery workflows.

Immutability protects your backup files and recovery readiness protects your business

Against.

Immutable backups are extremely important, but saying they are the only effective defense against ransomware gives many companies a false sense of security.

In real environments, I’ve seen immutable repositories configured correctly, but basic security practices were still missing: excessive privileges, exposed access, no segmentation, and restore procedures never tested until the incident actually happened.

Even immutability itself still depends on protecting administrative access and following proper hardening practices.

Immutability is a very strong layer of protection, but resilience depends on much more than a single feature.

That’s the difference between “having immutable backups” and actually being prepared for a real attack.

Curious to hear the counter-perspective from ​@wesmrt ​

AGAINST

I agree with ​@coolsport00 analysis: the backup history is absolutely crucial.

I recall a case last year involving a client where we had to go back to a monthly backup from 4 months earlier to find a clean image free of C&C software.

It was an on-machine server for a production chain that had been included in the backup plan because the software was obsolete. 

AGAINST

Immutable backups are a critical part of ransomware recovery, but they are not the only effective defense. In practice, the strongest posture is layered: prevent initial compromise, detect attacker movement early, and keep isolated backups as the recovery safety net.  Offsite backups need to be considered here along with immutability and to follow the 3-2-1-1-0 rule.

Ransomware often succeeds before backup protection even matters. In the real-world, attackers commonly try to disable or delete backups first, which is precisely why backups alone are not enough.  Immutable backups help ensure you still have a clean restore point after encryption or deletion attempts, which makes them one of the best recovery controls available. They are especially valuable when production, admin credentials, or even the backup server itself are compromised. But they only help if the backups are tested, retained appropriately, and actually restorable under pressure.

A more accurate statement is: “Immutable backups are one of the most effective defenses against ransomware recovery failure, but they must be combined with other backup methods to ensure recovery is always possible.”  Again, meeting the 3-2-1-1-0 rule means at least one offsite copy.

Coming from the Managed Service Provider world, it has been seen too many times when a customer does not have the right setup or architecture to recover from a ransomware event or attack.  This is why when designing the Veeam infrastructure, I ensure any design allows for recovery regardless of using immutable backups and ensure we test those backups for recoverability.

What are your thoughts ​@eblack 

Thanks :)

Against obviously. 

Immutable backups are great, but not complete.   It’s like saying “If you can hit a home run, are you a  great baseball player?”   What about throwing, catching, running, understanding the sport, and everything else it takes to be “great”. 

If you are using an Immutable Repo on a SAN and leave SSH enabled there is another layer of security that could be compromised. What if I can walk into your Datacenter and physically unplug your disks, steal your tapes etc. Is encryption at rest enabled, but also, is there physical security to prevent me from accessing everything. Do you have MFA and 4 eyes auth as well or do i have the ability to stop your backups? What about your windows servers? Do you have cert based auth using physical devices/cards?

Security is everyone's job these days, including the Backup and Server Admins.

Immutable backups are fantastic, and a requirement, but so is network segmentation, physical security, multiple locations, Air Gapped copies, MFA, 4 Eyes, and the ability to retrieve config backups. Together they provide a single solution. 

AGAINST, I agree with ​@Chris.Childerhose.

Immutable backups are 100% necessary but treating them as the entire strategy is where orgs will find themselves in trouble. Ransomware groups don't just encryption lock, they exfiltrate also. Immutability does not stop initial compromise, lateral movement, credential theft or infrastructure abuse. It also doesn’t prevent the groups from publishing private data. Immutably is great part of an overall strategy that includes segmentation, hardened infrastructure, regularly reviewed RBAC controls, MFA and so on. 

You can have immutable backups and still not know you're compromised for months. (I’ve seen this first hand) Immutability can create false confidence in some cases and lead to not prioritizing end point hardening because “immutable”. 

From someone who stages and builds cleanrooms, here is what I recommend as a base starting point. 

1. Immutable, air-gapped, or offsite backups (yes, still critical)
2. Tested recovery (Validated RTO/RPO)
3. Privileged access management and MFA everywhere, including the backup stack.
4. Network segmentation.
5. Endpoint detection/response with behavioral analysis.
6. DLP and egress monitoring for exfiltration before encryption.
7. Incident response planning before an event. 

I will drop an argument for! But I want to read/see further engagements. 

Ooook then! Can't wait for that one 🙌

Christian gonna play devils advocate here, huh?? 😂 Looking forward to his response… 😏

It will interest you to know that I also factored this statement into my response that will be dropped very soon “Even if your data is Immutable, but they distroy the Physical device were it resides, you are”.
 

… this is another form of attack and does not answer the question at hand!

​@Madi.Cristil I think this statement is very hard to argue FOR (although I am very curious to see what ​@Iams3le will say). If you change it from “Immutable backups are the only effective defense against ransomware” to “Immutable backups are an effective defense against ransomware” we may have more of a debate. Definitely more arguing FOR. But some of the points raised already would still fall on the AGAINST side. Let’s debate the word “effective”. What are we trying to achieve? Is cost a factor? How effective is enough?

Based on this statement “Immutable backups are the only effective defense against ransomware.”

... borrowing some lines from your statement ​@Madi.Cristil. Immutable backups are the only effective defenses against ransomware because they prevent backup data from being modified, encrypted, or deleted during the retention period. In this day and age with modern backup architectures, immutability ensures that even privileged administrators cannot tamper with protected recovery points. This makes it extremely difficult for attackers to destroy the last line of recovery once immutability has been properly enforced.

This is exactly why Object First stands out in the market today. Their bold website promise states: "Object First delivers on-premises backup storage that’s absolutely immutable, ensuring your data can’t be altered or deleted under any circumstances.". Please see the following link for more information: https://try.objectfirst.com/make-your-veeam-backups-ransomware-proof

Their core business motivation aligns perfectly with this: "At Object First, we believe no business should ever have to pay a ransom to recover its data. That's why we created Ootbi (Out-of-the-Box Immutability), which delivers secure, simple, and powerful on-premises backup storage for Veeam customers."

Looking at the question asked, I emphatically reaffirm my stance that immutable backups are the definitive defense against ransomware. Of course, there is no single right or wrong answer; this is simply my core argument.

However, strong security requires multiple layers of protection. Immutability addresses one major attack vector, "backup tampering", but it does not eliminate every possible risk. This is where and why we already have numerous against instead of "for" for this discussion.

Therefore, organizations must consider threats such as credential compromise, infrastructure attack (physical atatcks) as one of our reputable members argued (mentioned) already, insider attak (reason for four eyes athentication and security admin), network breaches, misconfiguration, and data exfiltration which Securiti AI can help identify. As you can see, Immutability does not cover these and they need to be addressed with the right controls in place. 

This is why foundational practices like MFA, network segmentation, continuous monitoring, offsite replication, and standard frameworks continue to exist alongside immutable storage. For instance, the 3-2-1-1-0 rule remains vital, and ​@Nico Losschaert is even suggesting a new evolution of this framework in his insightful article: https://community.veeam.com/blogs-and-podcasts-57/from-backup-to-cyber-resilience-13061

The existence of layered security does not mean, immutable backup are not a show stopper for ransomeware. In a nutshell (in conclusion), Immutability remains the strongest ransomware recovery controls available today because it protects the integrity of backup data when other controls fail. A layered strategy simply acknowledges that no single technology should carry the entire burden of cyber resilience on its own.

This position is open to critique, as alternative interpretations and counterarguments are expected (welcomed) in a technical discussion.

​@Geoff Burke,  ​@JonahMay and ​@mkevenaar I am challenging these Aces to this argument “Immutable backups are the only effective defense against ransomware.”!

In additon to the above, here is a statement to further streghten my motion “No ransomware backup strategy is complete without hardening the very systems attackers now target first—your backups.” Here is a fantastic peice from @Przemyslaw Szanowski and ​@Geoff Burke: https://objectfirst.com/guides/ransomware/ransomware-backup-protection/ 

​@Iams3le but I am not an Ace 🤣. Joking aside I don’t really think there is much of a debate here. Immutable backups are your life insurance, whereas if we are talking defense then there is a whole range of measures and procedures that need to be taken into account, from user education, zero trust to SIEM setup etc. I think a topic that would create potentially a real debate would be Wan Acceleration 😁 or should it be named Wan Cache 😱

Brilliant addition here ​@Geoff Burke! I am sure the team will come up with more controversial topics in the future.

Ha! I like that angle , Hin! 😉

I like how thorough this piece of information is! Good job in here! You are at the intersection of FOR and AGAINST though , which is fair.