If you use Veeam and aren't taking advantage of Veeam ONE's breadth of capabilities, you are missing out. Veeam ONE is part of Veeam Availability Suite (VAS), which is a combination of Veeam Backup & Replication (VBR) and Veeam ONE (VONE). I discover in most my end-user conversations that either owners of Veeam ONE vastly underutilize it, or they didn't spring for VAS and are in need of many VONE capabilities.
Today, I want to focus on VONE's 10 best alarms to enable as part of a ransomware defense strategy. This will just be a fraction of what VONE can do as there are over 350 reports and 150 alarms. The possibilities are endless as VONE ingests data from vSphere, vCD, VBR, AWS, Azure and GCP and has API integration for those who want to showoff.
1. Possible Ransomware Activity
Possible Ransomware Activity analyzes on a per-VM basis anomaly like behavior. For example, spikes in CPU or datastore usage rates, both of which can be signs of encryption.
The key to this alarm is the historical view though. Understandably, the first thing a business wants to do in a ransomware attack is recover data, but from what day do you recover from? How can you be sure you haven't been backing up encrypted data for days or even weeks?
The historical view enables users to pinpoint the day ransomware potentially took foothold in the environment. The above shows spike in CPU and the below shows spikes in datastore usage rates.
2. Attempted Backup Deletion
There are two scenarios an attacker will attempt to delete backup data. The first is the hacker will gain access to the backup console and start deleting backups. The second is the hacker will try to access the backup target itself and remove files from there. We will cover both , but let's focus on the first.
This alarm will notify users if a bad actor has gained access to the console and is trying to delete backups and which account they've compromised. Deleting backups is a custom alarm that can be enabled by creating the below rule as shown.
3. Suspicious Backup File Size
VONE analyzes previous backup sizes and alerts the user if backup sizes look out of the ordinary. Larger backup files can mean there is a lot of natural changed data, but it can also mean encrypted files are being backed up.
4. Unusual Job Duration
Along the same lines a job that runs an unusual amount of time can be a sign of protecting encrypted files as there would be much more changed blocks to backup.
5. Job Modification Audit
Sticking with scenario one where a bad actor gains access to the backup server, they might start editing or deleting jobs. This report will inform you who's account is making changes and when they made them. Knowing exactly when the ransomware attack started can be powerful knowledge in a recovery scenario so cycles aren't wasted recovering invalid data.
6. Immutability Retention Modified
Immutable backups are for the second scenario where the hacker attempts to gain access to the backup target itself. By leveraging Veeam's immutable repository this becomes nearly impossible as Veeam doesn't store the credentials to that server. Furthermore, SSH can be disabled on the box, so now the hacker would need both physical access and credentials from somewhere outside Veeam.
7. State of Immutability
The best bet by a hacker at that point is to gain access to the backup server and reduce the amount of immutable copies going forward or turnoff immutability altogether. In both scenarios users would be alerted.
8. Disabled Jobs
It might sound basic but setting alerts on disabled jobs can be a great way to notify the business something is afoot. It is not uncommon in a ransomware attack for a hacker who gained access to the backup server to disable backup jobs. The rule for the alarm can be set down to 1 minute, so you are notified nearly instantly.
9. Failed vCenter Logon Attempt
Who isn't guilty of a fat finger? I sure am. Certainly this will create some false positives, but you can set the alarm to only notify if x amount of failed logon attempts have taken place. Albeit a hail marry, this could still potentially alert you of a bad actor in the network.
10. vSphere Modifications
As was first mentioned, VONE is a powerful tool capable of many things. Ingesting vSphere data is one of those. Users can receive a report on modifications made within vCenter. This can be great for real-time monitoring, but also for trying to pinpoint which account was compromised and when.
With Veeam ONE the possibilities are endless. This post was a peak behind the curtain into what VONE can do. There are hundreds of additional reports and alarms and many additional use-cases users have accomplished through API and/or PowerShell integration.
For those who want to keep digging into the power Veeam ONE offers below are my 5 favorite blog posts from the Veeam community.