
Threat detection

Being able to detect an attack before it takes place or when it takes place can considerably mitigate the impact.

Visibility

To know when you are under attack or have been breached, it is vital to have visibility into the whole data flow path. You should be able to tell what ‘normal behaviour’ is and what is NOT. Monitor your accounts and Veeam infrastructure for suspicious activity. Place virtual trip-wires, for example an unused admin account with alarms tied to it (see “Honeypot users” below): any activity on that account triggers a red alert instantly. Several systems can help by alerting on suspicious behaviour, so you become aware that someone is snooping around and trying to gain access to your infrastructure. Visibility is key!

It is important to get alerts as soon as possible, which also applies when defending against other attacks like viruses, malware and ransomware. The biggest fear with these attacks is that they may propagate to other systems fast. Having visibility into, for example, potential ransomware activity is a big deal.

Honeypot servers

Honeypot servers with authentication monitoring will help detect attacks that target your Veeam infrastructure. These honeypots shall be visible, and their DNS entries shall be easy to understand, for example “vbrsrv01” or “vbrrepo”, so they are easy targets.

A proper honeypot could include a fake repository on which backup file changes are closely monitored.

Honeypot users

Honeypot users with authentication monitoring will help detect attacks that target your Veeam infrastructure. These honeypots shall be visible, and their names shall be easy to understand, for example “VBRAdmin” or “BackupAdmin”, so they are easy targets.

Of course these users shall be useless by nature, so their compromise has no effect on the security of the infrastructure.
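As an added example (not part of this guide), the following Python trip-wire check covers both the honeypot users and the honeypot repository described above: any authentication event naming a decoy account, successful or not, and any change to a file under the decoy repository share raise an alert. The event field names follow Windows Security log conventions, the share name `\\vbrrepo\backups` is an assumption, and the sample records are constructed.

```python
from typing import Optional

# Decoy account names come from the guide; the repository share name is an assumption.
HONEYPOT_USERS = {"vbradmin", "backupadmin"}
HONEYPOT_REPO_PREFIX = r"\\vbrrepo\backups"
# Windows Security event IDs: logon success, logon failure, Kerberos TGT
# issued, Kerberos pre-authentication failure.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4771}
SUCCESS_EVENT_IDS = {4624, 4768}


def check_logon(event: dict) -> Optional[str]:
    """Alert on any logon attempt against a decoy account; success or failure
    does not matter, because nobody legitimately uses these accounts."""
    if event.get("EventID") not in LOGON_EVENT_IDS:
        return None
    user = str(event.get("TargetUserName", "")).lower()
    if user not in HONEYPOT_USERS:
        return None
    outcome = "succeeded" if event["EventID"] in SUCCESS_EVENT_IDS else "failed"
    return (f"CRITICAL honeypot user {user} logon {outcome} "
            f"from {event.get('IpAddress', 'unknown')}")


def check_file_change(change: dict) -> Optional[str]:
    """Alert on any write, rename or delete under the decoy repository;
    its backup files never change legitimately."""
    path = str(change.get("Path", ""))
    if not path.lower().startswith(HONEYPOT_REPO_PREFIX.lower()):
        return None
    return f"CRITICAL {change.get('Action', 'change')} on honeypot file {path}"


def scan(logon_events, file_changes) -> list:
    """Run both trip-wires and collect every alert they raise."""
    alerts = [a for a in map(check_logon, logon_events) if a]
    alerts += [a for a in map(check_file_change, file_changes) if a]
    return alerts


# Constructed sample records, not real log data.
SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetUserName": "svc_veeam", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "VBRAdmin", "IpAddress": "10.0.9.77"},
    {"EventID": 4768, "TargetUserName": "BackupAdmin", "IpAddress": "10.0.9.77"},
]
SAMPLE_CHANGES = [
    {"Action": "modified", "Path": r"\\vbrrepo\backups\Job1.vbk"},
    {"Action": "modified", "Path": r"\\prodrepo\backups\Job1.vbk"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOGONS, SAMPLE_CHANGES)))
```

In production the records would come from forwarded Security events (and object-access auditing on the decoy share) rather than inline lists; the matching logic stays the same.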

Veeam ONE alarms

Veeam ONE offers the possibility to monitor possible ransomware activity through a set of predefined alarms such as “Immutability state”, “Possible ransomware activity” and “Immutability change tracking”. These alarms should be enabled on both production servers and honeypots.

VMware visibility

VMware can also help create visibility, as in the examples below.

VMware vRealize Network Insight can take VMs, objects, groupings and their physical elements, easily fingerprint the application, and determine the internal and external flows, the client connections, etc. This way you get an analysis of what is ‘normal’ behaviour and what is not.

VMware vCenter alerts that are triggered on virtual trip-wires.


Copyright © 2023 Solutions Architects, Veeam Software.