ABSTRACT: This theCUBE Research Whitepaper examines how Broadcom’s VMware Cloud Foundation recovery solutions help customers build ransomware resilience through a comprehensive set of capabilities designed to meet the most exacting recovery service levels. Against a backdrop of growing threats and global, cascading outages, traditional disaster recovery capabilities and processes must be reinforced to confront the new disruptive threats facing IT infrastructure. That is where VMware Live Recovery and its Cyber Recovery component are critical to protecting VMware environments natively.
Market Landscape
Outages And Recovery Woes
Recent large-scale IT outages are still fresh in everyone’s memory because of the widespread business interruptions they caused. In July 2024, a faulty CrowdStrike sensor content update impacted approximately 8.5 million Windows devices. The aviation and healthcare industries were particularly hard hit, resulting in thousands of flight cancellations and delays and the postponement of elective medical procedures and appointments.
Although cybercrime was not the cause in this instance, the outage still impacted over 96% of organizations polled, according to recent research from our partner ETR. For 46% of the affected organizations, the impact was very significant or highly significant. These numbers are alarming and should not be acceptable to the global IT community; they underscore the importance of having advanced recovery capabilities readily available, whatever the cause of the outage (see chart)1.
Figure 1 – Impact of CrowdStrike outages (Source: ETR, n=96, July 2024)
Cyber Threats and Ransomware are Pervasive
A recent report from the US Government2 highlights several key trends contributing to widespread cyber risk for organizations well beyond the United States. The ongoing advancement of artificial intelligence (AI) presents both opportunities and challenges for comprehensive cyber risk management. IT leaders must grasp the magnitude and multifaceted nature of the problem, even if some aspects appear daunting to address.
There are significant and evolving risks to critical infrastructure, with nation-state adversaries increasingly willing to use cyber capabilities to compromise critical infrastructure systems and assets. There are also compound risks in complex, interconnected supply chains for software and other information technology, where a single compromise can reach targets at large scale. Additionally, commercial spyware continues to pose a data risk by monitoring and extracting organizations’ content and manipulating their systems without users’ knowledge or consent. Not surprisingly, ransomware remains a formidable threat to national security, public safety, and economic well-being, with ransomware groups continually devising new strategies to elude or bypass the defensive and disruptive measures aimed at impeding their operations. Obtaining comprehensive data on the full extent of this threat is challenging. Following a temporary decrease in 2022, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received a 22% increase in reported ransomware incidents from American victims. Reports to the IC3 also revealed a 74% increase in the cost of ransomware incidents in 2023 compared to 20223.
According to research conducted by VMware partner SOPHOS4, 59% of organizations were hit by ransomware last year. Ransomware attackers are “equal opportunity” offenders: attack rates were broadly consistent across sectors of the economy, with between 60% and 68% of organizations hit in 11 of the 15 industries surveyed.
Cyber-spending On The Rise
Organizations have recognized that cyber spending is necessary and have explicitly placed ransomware at the forefront of investment, with 50% of 321 respondents indicating that their spending will increase to combat it. Beyond ransomware, security-related budgets are also expected to grow in infrastructure areas such as multi-cloud and hybrid security, and in compliance, which we consider an “accelerant” for many IT initiatives beyond cybersecurity5. This presents both opportunities and challenges to IT leaders across all sectors. On the one hand, investing in heightened cyber-resilience is an opportunity to de-risk the organization. On the other hand, each new tool can add complexity to the IT infrastructure, with the risk of poor integrations and operational inefficiencies. This places the focus on picking the right vendor partners and solutions to avoid these problems.
Figure 2 – Cyber-spending areas Intentions (Source: ETR, n=321, March 2024)
Traditional Disaster Recovery vs. Cyber Recovery
The recovery process for data center disasters has historically been challenging for IT operations, with many facets to consider across the physical and logical infrastructure. Traditional strategies focused on restoring business functionality after planned maintenance or unplanned events such as power outages or natural disasters. More recently, ransomware attacks have introduced new challenges to IT recovery processes and service levels.
Let’s be clear: “traditional” outages, human-made disasters, and natural disasters will continue and are not going away. The recent global outages demonstrate that not everything is cyber or ransomware-related.
The main differences can be found in the following categories:
The Cause
A ransomware or cyber event is typically unpredictable and can take many different shapes, making the root cause and the time of data or system corruption hard to pinpoint; attackers often hold access for days or weeks before encryption begins, so the moment of impact and the moment of compromise are rarely the same. This contrasts sharply with a weather-related event that may be predictable (even if only hours in advance) or a human error that destroys data at an identifiable timestamp. In other words, the nature of the problem is vastly different, and this influences what can be recovered, when, where, from which point, and in how much time.
Recovery Runbook or Workflow
Adhering to a well-defined and tested set of steps is crucial for restoring business services after an unexpected disaster, and the response must be adapted to the event’s root cause. Traditional disaster recovery workflows in data centers typically follow a linear, grouped, and programmatic approach based on a defined runbook that matches the scale of the disaster and the affected systems.
In contrast, ransomware recovery workflows are more iterative and focused. They involve a cross-section of teams from various IT and security organizations with one critical objective: analyze and identify the nature of the problem and the ransomware involved, contain its spread, remove it where possible, determine the optimal recovery points, and implement the necessary changes. After a ransomware attack it is nearly impossible to ensure that backups are not infected without explicit validation, and in many cases the most recent backup data is already compromised; this iterative process should therefore be carried out in a controlled, isolated environment using the available backups, as swiftly as possible.
Service Levels
Traditional service levels for data recovery are measured as recovery time objectives and recovery point objectives (RTOs and RPOs). Every application and its associated data should be assigned a business-driven RPO and RTO that reflect its mission-criticality, and best practice recommends regular testing to validate that these objectives can actually be met. The issue with ransomware is that it is often hard to pinpoint which recovery point represents a “good state” of the data: it takes forensic work to determine what was infected or corrupted, and when. So while the RPOs and RTOs themselves remain valid as well-thought-out objectives, the ability to deliver them consistently and predictably, or to test for them with traditional methods, becomes very challenging. In practice the usable recovery point is the last snapshot taken before the malicious activity began, not the most recent one, so the actual data loss can far exceed the nominal RPO. This creates a significant business risk.
Changing Team Roles and Responsibilities
One of the most notable findings from recent research on the organizational aspects of cyber security teams is that traditional roles and responsibilities are fundamentally evolving to take on IT operations and data management functions, including backup. In a survey recently conducted in the context of a major industry event, research shows that outside of core security practices, security organizations most notably also manage backup, data management, and business continuity planning6. The era of stove-piped IT organizations with separate teams for each function is fading away. In our opinion, that is a good thing: cyber resilience is a team sport requiring proficiency in many disciplines because of its complexity and broad scope.
Figure 3 – Security Teams Responsibilities (Source: ETR, n=321, March 2024)
VMware Live Recovery (VLR) to the Rescue
VLR is a single platform that addresses VMware’s two critical recovery use cases: site disaster recovery and ransomware recovery. As IT and cyber protection become increasingly complex, having one recovery solution that allows central protection and management of both site and ransomware recovery in one place is critical and a source of operational efficiency.
Figure 4 – VMware Live Recovery (Source: VMware by Broadcom)
VMware Live Recovery (VLR) is a comprehensive solution that provides robust cyber and data resiliency for VMware cloud. It encompasses ransomware and disaster recovery capabilities for both on-premises and public cloud, offering a seamless and unified service experience. Users can access a full spectrum of cyber and disaster recovery use cases with a single subscription, ensuring confident and rapid recovery from ransomware and other disasters.
The solution covers both “traditional disaster recovery,” which includes weather-related events, physical data center or building issues, equipment failures, and the like, and the more advanced and complex case of ransomware attacks. In both scenarios, VLR is designed to let users recover promptly.
In preparation for disaster recovery, users can employ VLR to replicate data from their production site to a dedicated disaster recovery (DR) site, streamlining recovery when a disaster occurs. In the context of advanced cyber-attacks, the perpetual challenge lies in identifying and isolating the uncontaminated data. VLR replicates data from the production site to a cloud-based clean room, the Isolated Recovery Engine (IRE). After a cyber-attack, users can use the IRE and VLR’s orchestrated recovery process to validate and cleanse the data in the cloud before restoring it to production, ensuring business continuity.
VMware Live Recovery Key Cyber Recovery Components
- Cloud file system: supports quick VM recovery without requiring data rehydration.
- Orchestrator: a cloud component presenting a user interface to automate disaster recovery.
- Protection groups: create regularly scheduled snapshots of VMs, which are replicated to the cloud file system.
- Cyber Recovery connector: a virtual appliance installed in the VMware vSphere environment to protect VMs using snapshot replication from protection groups.
- Recovery plan: orchestrates the steps required to recover VMs from snapshots in the cloud file system to a recovery SDDC, or to recover from a ransomware attack.
Focus on Ransomware Recovery with VMware Live Recovery (VLR)
The VLR solution offers customers a unified management experience, providing visibility, simplified licensing, health status monitoring, and guided installation and deployment options. Cyber recovery, one of the two key components of VLR, adds advanced features to counter ransomware attacks and guides recovery from ransomware incidents, leveraging embedded behavioral analysis and the integrated Isolated Recovery Engine (IRE).
The solution backs up to a secure cloud file system with an RPO as low as 15 minutes, limiting potential data loss in the event of an attack. Note that a 15-minute snapshot interval bounds the loss only once a clean recovery point has been identified; snapshots taken after the attack began still have to be excluded. In case of an attack, the system facilitates recovery to a just-in-time recovery site in VMware Cloud on AWS, establishing a secure and isolated environment in which to validate and restore operations.
Additionally, VMware Live Recovery employs SaaS-based recovery automation to streamline the process of restoring systems and data after a ransomware attack.
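To make the recovery-point problem from the “Service Levels” section and the behavioral analysis mentioned above concrete, here is an added example. It is not VMware’s code and does not reproduce how VLR’s behavioral analysis is implemented; it is a simplified heuristic of the kind a recovery tool applies before restoring into an isolated environment. It walks a constructed 15-minute snapshot timeline, flags the first snapshot whose change pattern looks like encryption (mass renames, a change-volume spike with high-entropy writes), selects the snapshot before it as the “last known good” recovery point, and compares the resulting data-loss window with the business RPO. The metric names, thresholds, sample snapshots and detection time are all assumptions made for the example.

```python
"""Pick a "last known good" snapshot and check the real loss window against the RPO.

Added example, not VMware code. Snapshots, metrics and thresholds are constructed.
"""
from __future__ import annotations

import hashlib
import math
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    files_changed: int          # files modified since the previous snapshot
    files_renamed_new_ext: int  # of those, files whose extension changed
    sample: bytes               # sample of the bytes written in this interval


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(snap: Snapshot, history: list[Snapshot],
                       change_multiplier: float = 5.0, entropy_threshold: float = 7.0,
                       rename_fraction: float = 0.5) -> list[str]:
    """Rules this snapshot trips (empty = looks clean). Thresholds are assumed values.

    Rule 1: most changed files got a new extension (mass rename).
    Rule 2: change volume far above the recent baseline AND the written
            data is high-entropy (encryption rather than ordinary edits).
    """
    reasons = []
    if snap.files_changed and snap.files_renamed_new_ext / snap.files_changed >= rename_fraction:
        reasons.append("mass rename to new extension")
    if history:
        baseline = statistics.median(s.files_changed for s in history)
        spike = baseline > 0 and snap.files_changed > change_multiplier * baseline
        if spike and shannon_entropy(snap.sample) >= entropy_threshold:
            reasons.append("change spike with high-entropy writes")
    return reasons


def find_last_clean(snapshots: list[Snapshot], window: int = 3):
    """Walk the timeline in order and stop at the first suspicious snapshot.

    Returns (last_clean, first_suspicious, reasons). last_clean is None if even the
    oldest snapshot is suspicious; first_suspicious is None if the timeline is clean.
    """
    clean: list[Snapshot] = []
    for snap in sorted(snapshots, key=lambda s: s.taken_at):
        reasons = suspicious_reasons(snap, clean[-window:])
        if reasons:
            return (clean[-1] if clean else None), snap, reasons
        clean.append(snap)
    return (clean[-1] if clean else None), None, []


def rpo_check(last_clean: Snapshot, detected_at: datetime, rpo_objective: timedelta) -> dict:
    """Compare the real data-loss window (detection minus clean snapshot) with the RPO."""
    actual = detected_at - last_clean.taken_at
    return {"recovery_point": last_clean.name, "actual_loss_window": actual,
            "rpo_objective": rpo_objective, "rpo_met": actual <= rpo_objective}


def _high_entropy_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for encrypted file contents (SHA-256 hash chain)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def build_timeline() -> list[Snapshot]:
    """Constructed 15-minute series: four normal intervals, then two under encryption."""
    text = b"Quarterly report draft: revenue grew four percent year over year. " * 60
    start = datetime(2024, 7, 19, 8, 0)
    normal, attack = [(40, 0), (55, 0), (48, 1), (60, 0)], [(4200, 3900), (3100, 2950)]
    snaps = []
    for i, (changed, renamed) in enumerate(normal + attack, start=1):
        sample = text if i <= len(normal) else _high_entropy_bytes(b"example-%d" % i, 4096)
        snaps.append(Snapshot(f"snap-{i:02d}", start + timedelta(minutes=15 * (i - 1)),
                              changed, renamed, sample))
    return snaps


def demo() -> dict:
    """Run the heuristic over the constructed timeline with an assumed 15-minute RPO."""
    timeline = build_timeline()
    last_clean, first_bad, why = find_last_clean(timeline)
    result = rpo_check(last_clean, datetime(2024, 7, 19, 9, 40), timedelta(minutes=15))
    result.update(first_suspicious=first_bad.name if first_bad else None,
                  reasons=why, timeline=timeline)
    return result


if __name__ == "__main__":
    r = demo()
    print(f"first suspicious: {r['first_suspicious']} ({', '.join(r['reasons'])})")
    print(f"recover from {r['recovery_point']}; loss window {r['actual_loss_window']}; "
          f"RPO met: {r['rpo_met']}")
```

In the constructed run the first four snapshots look normal, snap-05 trips both rules, and the recovery point becomes snap-04 at 08:45. With the attack noticed at 09:40, the real loss window is 55 minutes even though snapshots were taken every 15 minutes, which is exactly why the nominal RPO and the achievable recovery point diverge after a ransomware event. A real tool would draw these signals from the cloud file system’s per-snapshot change data and then validate the chosen snapshot in the isolated recovery environment before restoring it to production.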
Figure 5 – VMware Live Recovery’s cyber recovery process (Source: VMware by Broadcom)
Our Perspective
VMware Live Recovery offers snapshot-based data protection with RPOs measured in minutes, limits VM downtime during recovery, integrates natively with VMware environments, and provides user-friendly interfaces, granular recovery options, scalability, comprehensive monitoring and reporting, and strong testing capabilities. More importantly, it is a proven solution, with thousands of customers meeting their data protection SLAs daily. It adds capabilities to combat ransomware within a unified solution, which is essential given the expanded complexity of fighting cybercrime. These features make it a powerful tool for organizations looking to strengthen their disaster recovery, cyber resilience, and business continuity strategies, because ultimately this is about de-risking the business. It was designed natively by VMware by Broadcom to protect virtual environments at scale, with stringent recovery service levels in mind. This makes it a unique solution in the market that VMware end-users should put at the top of their list when considering how traditional disaster recovery must now be significantly augmented to handle the new challenges of cyber-resilience.
- Source: ETR Report, CrowdStrike Outage July 2024, July 2024. ↩︎
- Source: 2024 Report on the Cybersecurity Posture of the United States, Executive Office of the President, May 2024. ↩︎
- Ibid. ↩︎
- Source: SOPHOS, The State of Ransomware 2024, April 2024. ↩︎
- Source: ETR Report, CrowdStrike Outage July 2024, July 2024. ↩︎
- Source: ETR, RSA March 2024 Report, March 2024. ↩︎
All trademark names are the property of their respective companies. Information contained in this publication has been obtained by sources theCUBE Research, a SiliconANGLE Media company, considers to be reliable but is not warranted by theCUBE Research. This publication may contain opinions of theCUBE Research, which are subject to change. This publication is copyrighted by theCUBE Research, a SiliconANGLE Media company. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise, to persons not authorized to receive it without the express consent of theCUBE Research, a SiliconANGLE Media company, is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution.