If your backup should be an accurate copy of your dataset, what should your backup system do in case malware such as ransomware sneaks into your primary dataset? If the malware is backed up, you have malware in your backup; if malware is detected and excluded, your backup is no longer accurate.
Different backup systems choose different approaches. Before we get back to what Keepit does, we need to take a step back and look at the actual problem.
Ransomware, viruses, worms, and other such instruments, known broadly as "malware," are really small bits of data that exploit a weakness in the current configuration of your IT systems.
In order for malware to be effective, it has to be new enough that your systems have not been updated with fixes that make the malware ineffective. Once a new piece of malware surfaces, the software vendors will quickly release updates and patches to make that malware ineffective.
Because of the way this works, there are two main takeaways from this:
1. Malware only works until your systems are patched. Once patched, the malware is harmless.
2. We don't know the next malware – and therefore we can't look for it. If we knew about future malware, your systems would be patched already.
No amount of technology can change the fundamentals of how this works, and no vendor can reasonably claim to offer a universal solution to detecting the exploits of the future; we very simply do not know what tomorrow's exploits will look like.
Therefore, if we wish to attempt to detect the malware of the future, we will have to resort to estimating, guessing really, whether a certain piece of data is malware or not. This opens up for the risk of false positives – excluding good data from backup because by current estimates the data looks like it might possibly be tomorrow's exploit.
Protection from Malware
Only effective malware can harm your systems. That is, malware that is so fresh that updates have not yet been deployed for this. Older malware is simply just data – it can no longer harm your systems, it has become ineffective.
Backup is a very good protection against many types of malware, especially ransomware, which will seek to hold your data for ransom. If your primary dataset is held hostage, an effective backup is your protection and your way back to business as usual, as soon as your systems have been patched to make the malware ineffective.
You would always patch your systems before attempting to continue business after a malware attack. When your systems are patched, the malware is harmless and therefore restoring your most recent backup that still contained your data before it got encrypted is perfectly reasonable.
No malware can harm the history of your backups. Malware cannot spread inside your backups. Therefore, any copy of your primary data is a good copy that you can use for restore should the need arise.
Detecting yesterday's malware is both trivial, because we know it, and pointless, because it's ineffective.
Detecting tomorrow's malware is intractable. To even attempt this, one would have to accept potential false positives, but more importantly one has to accept that there are no guarantees. Predicting and detecting the exact morphology of tomorrow's attacks is very simply not possible unless you are the one creating them.
With Keepit you know your backup is an accurate copy of your primary data. Should you suffer a malware attack, your most recent backup before your data got corrupted will be available for restore.