Monitor Hardened Repository with Veeam ONE v11a

In times of ransomware, data protection is more important than ever before. Therefore, all current environments should use some type of immutable backup storage. One of my favorites is the Veeam Hardened Repository that comes with Backup&Recovery v11. With it, an attacker cannot immediately delete or change backup files. But given more time, the attacker can still do some damage, so it is important to keep a regular eye on it. An efficient way is to monitor the Hardened Repository with Veeam ONE v11a. This version adds some enhancements, which we will now take a look at.

It is essential to monitor the following parameters:

Monitoring immutability enabled

When a Veeam hardened repository is set up correctly, immutability is enabled and an appropriate number of days is chosen. When an attacker has access to the backup server, he could try to disable immutability. After some time, all backups would be free to delete or modify. Therefore it is important to keep it enabled.

In Veeam ONE v11a there is a new alarm for checking the state of immutability: Immutability state. The alarm is assigned by default to the whole Backup Infrastructure.

When the immutability state becomes disabled, the alarm triggers. Use this to be notified by mail.

If you prefer reports for notification, Backup Objects Change Tracking and Backup Infrastructure Audit are available for this. The first one shows more details.

Monitoring days of immutability

In the last section we saw how to monitor the state of immutability. That is great, but a hacker could make life difficult for us just by reducing the number of days of immutability. The minimum is 7, by the way. Fortunately, there is also an alarm for this in v11a: Immutability change tracking. See the predefined rules here:

As you can see, the alarm can be configured to be triggered by an increase and/or a decrease of days. When a warning is generated, the change can be seen directly in it.

Of course, you can also use the Backup Objects Change Tracking and Backup Infrastructure Audit reports.

Note

If this alarm does not trigger but the Immutability state alarm does, check these requirements:

Monitoring backup encryption

Here I am talking about backup encryption that is performed by Veeam, not by a hacker. It is a good idea to enable this feature.

You can change it in the job configuration: Storage –> Advanced Settings –> Storage tab

Why monitor this? An attacker could enable backup encryption or change an existing encryption key without being noticed. If so, backup jobs continue to run without any problem. But you are not able to use the backups for restore because you simply cannot decrypt them! Clearly, this monitoring is also important for backup files that are not on hardened repositories.

To monitor encryption password changes, the reports Backup Objects Change Tracking and Backup Infrastructure Audit can be used. With these reports you see when an encryption password was created or modified.

To check whether somebody selected another encryption password from the list, use the report Job Configuration Change Tracking.
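The three checks described above (immutability state, immutability days, encryption settings) can also be expressed as a comparison between two configuration snapshots. The following is an added example, not code from Veeam or from this article: the snapshot layout, the key names, the severity mapping and the sample data are all assumptions made for illustration.

```python
# Added example: diff two configuration snapshots and report the changes
# the article says to watch for. Snapshot layout is hypothetical, not a Veeam format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warning" (mapping chosen for this example)
    obj: str
    message: str


def audit_repositories(old, new):
    """Flag disabled immutability and any change in the number of days."""
    findings = []
    for name, before in old.items():
        after = new.get(name)
        if after is None:
            findings.append(Finding("error", name, "repository missing from new snapshot"))
            continue
        if before["immutable"] and not after["immutable"]:
            findings.append(Finding("error", name, "immutability disabled"))
            continue  # the day count is irrelevant once immutability is off
        b, a = before["days"], after["days"]
        if a < b:
            findings.append(Finding("error", name, f"immutability reduced {b} -> {a} days"))
        elif a > b:
            findings.append(Finding("warning", name, f"immutability increased {b} -> {a} days"))
    return findings


def audit_jobs(old, new):
    """Flag encryption being switched on/off or a different password being selected."""
    findings = []
    for name, before in old.items():
        after = new.get(name, {})
        if before.get("encrypted") != after.get("encrypted"):
            state = "enabled" if after.get("encrypted") else "disabled"
            findings.append(Finding("error", name, f"backup encryption {state}"))
        elif before.get("key_id") != after.get("key_id"):
            findings.append(Finding("error", name, "encryption password changed"))
    return findings


# Constructed sample snapshots (not real exports).
REPOS_OLD = {"hardened-01": {"immutable": True, "days": 30}, "hardened-02": {"immutable": True, "days": 14}}
REPOS_NEW = {"hardened-01": {"immutable": True, "days": 7}, "hardened-02": {"immutable": False, "days": 14}}
JOBS_OLD = {"daily-vm": {"encrypted": True, "key_id": "key-A"}, "weekly-file": {"encrypted": False, "key_id": None}}
JOBS_NEW = {"daily-vm": {"encrypted": True, "key_id": "key-B"}, "weekly-file": {"encrypted": True, "key_id": "key-C"}}

if __name__ == "__main__":
    for f in audit_repositories(REPOS_OLD, REPOS_NEW) + audit_jobs(JOBS_OLD, JOBS_NEW):
        print(f"[{f.severity}] {f.obj}: {f.message}")
```

Note that a job whose encryption was newly enabled is reported as an error here, because, as explained above, an unexpected encryption change can make backups unusable for restore.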

Conclusion

A modern data protection strategy should include immutable backup data. Because attackers are able to spend a lot of time before they strike, they will try to disable immutability in advance. It is therefore essential to recognize such attempts as soon as possible. The new alarms and improved reports of Veeam ONE v11a help a lot here. Use them to increase the availability of your backup data!

4 responses to “Monitor Hardened Repository with Veeam ONE v11a”

  1. Aaron Murphy says:

    I love the content – clear, concise and educational especially for folks who haven’t thought about attacker lateral movement and how monitoring alerts can be used.
