It’s a snap: Nebulon’s four-minute TimeJump restore


Nebulon TimeJump can restore a compromised server’s operating environment and data in less than four minutes – because it uses snapshot technology instead of backups and is outside the server’s security domain.

But snapshots are not backups, exactly. That is what gives Nebulon its advantage. We’re talking about servers equipped with a Nebulon Services Processing Unit (SPU) card and formed into an nPod cluster of up to 32 nodes. The SPU functions as a RAID or storage controller and all of a host server’s direct-attached storage drives are accessed through it, with their contents, including boot files, encrypted.

All the servers in the cluster can access their own and the other clustered server members’ direct-attached storage (DAS). Whenever data is updated, it is stored in the NVRAM on the server’s SPU card and then written to the owning server’s DAS. The SPUs can take a timestamped snapshot of the cluster’s data and store that in a partition on the drives. Snapshotting is policy-driven and, since snapshots consist of pointers to actual drive blocks containing data rather than the data itself, snapshots take up very little space.

Nebulon’s Martin Cooper, VP of Customer Experience, said that the SPU knows where the data blocks are because it manages their placement. It manages how data is laid out on physical drive media when the host writes to logical drives through the SPU, much like an external storage array when a host writes to a LUN. The snapshot metadata is spread over all SSDs in the server.

When a server- or system-compromising event such as a ransomware attack occurs, the snapshot taken just before the attack can be located and then restored – in effect reinstantiating the servers to a pristine state with the SPU’s metadata pointing to clean data. This can take four minutes or less, and the entire nPod is restored in this way.

To the statement that snapshots are not backups, Nebulon executive chairman David Scott told me: “There may be some ambiguity around the terms ‘backup’ and ‘restore’ that is responsible for this contradiction.”

In his view, “Both terms can be used at two levels: a higher level that refers to all approaches of creating copies of primary data that can be used for recovery and ‘restored’, and then at a second level that is used specifically in the context of data protection backup software.”

Nebulon’s snapshotting is backup in the first sense but not in the second sense, since it does not rely on data protection backup software, like Veritas or Veeam or Acronis. Backup processes in the first sense include online snapshots, online (disk/SSD) or offline (tape) backup copies using data protection software and remote copies using replication technology.

According to Scott: “The Nebulon EULA is using the term ‘Backup’ associated with full copies of data volumes via data protection software – i.e. the second level (our contribution to the ambiguity).”

Scott says: “Primary online data volumes can be recovered from any of these approaches through some form of ‘restore’ process.” With snapshots, the “restore” process consists of promoting a previous snapshot. With backup through data protection software, restore uses that software’s restore function, which, generally speaking, is slower than using a snapshot.

Scott points out: “Snapshot promotion offers the fastest speed of recovery in comparison with a traditional restore from a backup copy using data protection software. … Snapshot promotion also is likely to represent the most recent coherent data set possible (backups are usually taken once a day whereas snapshots can be taken much more frequently).”

He then identifies a specific vulnerability which Nebulon’s technology protects: “Unfortunately, in today’s ransomware attacks the customer’s operating system and management software have often also been compromised and are therefore not in a state to allow snapshot ‘promotion’ to occur.”

But Nebulon’s technology restores pristine copies of the customer’s operating system and management software as well as data volumes. The process involves reinstalling the system software and then altering data volume metadata structures to point to clean data blocks, which is quick compared with restoring the full data volumes from backed-up copies of data. This is how Nebulon achieves its four-minutes-or-less restore.
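The pointer-based snapshot and promotion described above can be sketched as a toy redirect-on-write volume; this is an added illustration, not Nebulon’s code, and the `Volume` class, its method names and the timestamps are hypothetical. It assumes the block map is held by the controller, out of reach of the compromised host, and that writes never overwrite a block in place.

```python
"""Toy redirect-on-write volume: snapshot and promotion touch only the block map."""

class Volume:
    def __init__(self):
        self.store = {}      # physical block id -> bytes (never overwritten in place)
        self.live = {}       # logical block address -> physical block id
        self.snapshots = {}  # snapshot timestamp -> frozen copy of the block map
        self._next = 0

    def write(self, lba, data):
        # New data lands in a fresh physical block, so blocks that older
        # snapshots point to stay intact even if the host rewrites every LBA.
        self.store[self._next] = data
        self.live[lba] = self._next
        self._next += 1

    def read(self, lba):
        return self.store[self.live[lba]]

    def snapshot(self, ts):
        self.snapshots[ts] = dict(self.live)  # copies pointers only, no data

    def last_snapshot_before(self, event_ts):
        earlier = [t for t in self.snapshots if t < event_ts]
        if not earlier:
            raise LookupError("no snapshot predates the event")
        return max(earlier)

    def promote(self, ts):
        # Restore by repointing the live map at the snapshot's blocks.
        self.live = dict(self.snapshots[ts])

def demo():
    vol = Volume()
    for lba in range(4):
        vol.write(lba, b"clean-%d" % lba)
    vol.snapshot(100)
    vol.write(0, b"clean-0-v2")
    vol.snapshot(200)
    # Constructed compromise at t=250: every logical block is overwritten.
    for lba in range(4):
        vol.write(lba, b"ENCRYPTED")
    vol.snapshot(300)  # a policy snapshot taken after the event captures bad state
    good = vol.last_snapshot_before(250)
    blocks_before = len(vol.store)
    vol.promote(good)
    return good, [vol.read(lba) for lba in range(4)], len(vol.store) - blocks_before
```

Choosing the snapshot by event time matters: the most recent snapshot (t=300 here) already reflects the overwritten blocks, so recovery depends on knowing when the compromise began.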
