
Threat detection

Detecting an attack while it is being prepared or while it is in progress considerably reduces its impact.

Visibility

To know when you are under attack or have been breached, it is vital to have visibility into the whole data flow path. You should know what ‘normal behaviour’ looks like and what does NOT. Monitor your accounts and Veeam infrastructure for suspicious activity. Place virtual trip-wires, for example an unused admin account with alarms tied to it: any activity on that account, successful or not, immediately triggers a red alert. Several systems can alert on suspicious behaviour so that you become aware that someone is snooping around and trying to gain access to your infrastructure. Visibility is key!

Getting alerts as early as possible is just as important when defending against other attacks such as viruses, malware and ransomware. The biggest fear with these attacks is that they propagate to other systems quickly. Having visibility into, for example, potential ransomware activity is a big deal.

Veeam ONE Monitoring

Consider the use of Veeam ONE to monitor the Veeam Backup infrastructure and the protected virtual infrastructure.

Veeam ONE, integrated with Veeam Backup & Replication, provides the Veeam Threat Center dashboard, which displays the security state of the Veeam infrastructure and helps to assess the overall security and compliance of your environment.

Veeam ONE Alarms

Veeam ONE also offers the possibility to monitor possible ransomware activity through a set of predefined alarms such as “Immutability state”, “Possible ransomware activity” and “Immutability change tracking”.

It is also possible to integrate Veeam ONE with ServiceNow, so that alarms are raised directly as ServiceNow incidents for better visibility and faster response.

Malware detection

Malware detection should be considered a fundamental part of the cyber resilience strategy, with malware detection methods included in every data protection operation.

Veeam Backup & Replication allows for built-in or third party methods for Malware detection. Consider enabling one or more of the methods available, for backup and recovery operations.

  • Inline Scan: Veeam scans the blocks in the backup data stream during the backup job, using inline entropy analysis.
  • Guest Indexing Data Scan: Veeam scans the guest indexing data using file system activity analysis.
  • Scan Backup: Scans existing backups for potential malware using Veeam Threat Hunter, YARA rules or third-party antivirus software.
  • Secure Restore: Checks a restore point for malware before the machine is restored back to the production environment. It uses the same detection methods as Scan Backup.
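To make the Inline Scan bullet concrete, the following is an added example of what block-level entropy analysis looks like in practice. It is not Veeam's code (the product's algorithm and thresholds are not published on this page); it computes the Shannon entropy of fixed-size blocks in a constructed sample stream and flags the blocks that look encrypted. The block size, the 7.5 bits/byte threshold and the sample data are assumptions chosen for the illustration.

```python
import math
from collections import Counter
from random import Random


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    counts = Counter(block)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_stream(data: bytes, block_size: int = 4096, threshold: float = 7.5):
    """Walk a data stream block by block and return (offset, entropy) for every
    block whose entropy is at or above the threshold. Ciphertext sits close
    to 8.0; text, executables and zero-filled disk regions are well below.
    Caveat: compressed archives and media files are also high-entropy, so a
    real scanner compares against a per-machine baseline rather than firing
    on a single block."""
    hits = []
    for off in range(0, len(data), block_size):
        e = shannon_entropy(data[off:off + block_size])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def encrypted_fraction(data: bytes, block_size: int = 4096, threshold: float = 7.5) -> float:
    """Share of blocks that look encrypted; a sudden jump between two backup
    runs of the same machine is the signal a ransomware detector keys on."""
    total = math.ceil(len(data) / block_size) or 1
    return len(scan_stream(data, block_size, threshold)) / total


def build_sample_stream() -> bytes:
    """Constructed sample: one block of repetitive text (low entropy), one
    zero-filled block (entropy 0) and one block of pseudo-random bytes that
    stands in for ciphertext. Fixed seed keeps the example reproducible."""
    rng = Random(1234)
    plaintext = (b"Quarterly backup report: all jobs completed successfully.\n" * 100)[:4096]
    zeros = bytes(4096)
    pseudo_cipher = bytes(rng.getrandbits(8) for _ in range(4096))
    return plaintext + zeros + pseudo_cipher


if __name__ == "__main__":
    stream = build_sample_stream()
    print("suspicious blocks:", scan_stream(stream))
    print("encrypted fraction:", round(encrypted_fraction(stream), 3))
```

Only the third block (offset 8192) is reported; the text block lands around 4 bits/byte and the zero block at 0. The `encrypted_fraction` value is what you would trend over successive backups of the same machine.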

For more information you can check the Malware Detection section in the Help Center documentation.

IMPORTANT: Test your backups for malware periodically, so that you can be sure you have a clean copy of your data when a disaster strikes.

Malware detection should also be part of the disaster recovery plan, whether it is run manually or fully automated with a solution such as Veeam Recovery Orchestrator. VRO can apply multiple malware detection methods when recovering from a disaster, to make sure you always recover from a clean copy of your data.

Veeam Incident API

Starting with V12.1, Veeam Backup & Replication also includes the Veeam Incident API, which makes it easy for external cybersecurity and analytics tools (including XDR/NDR/MDR/EDR) to notify the backup server of infections at earlier attack stages. All restore points of the given machine created AFTER the reported moment in time are marked as infected, so the timestamp you report should be the time of the earliest evidence, not the time the ticket was opened.
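As an added example of how an external tool would feed the Incident API (this is not Veeam's code and not the page's own), the block below builds the event body, obtains a bearer token and posts the event with only the Python standard library. The server name, port 9419, the `x-api-version` header value, the `/api/oauth2/token` and `/api/v1/malwareDetection/events` paths and the JSON field names are assumptions based on the 12.1 REST API reference and must be checked against your own server's API reference before use; the detection time and machine details are constructed sample data.

```python
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed values (hypothetical server; paths and version per the 12.1 REST API reference).
VBR_SERVER = "vbrsrv01.corp.example"
API_PORT = 9419
API_VERSION = "1.1-rev1"
TOKEN_PATH = "/api/oauth2/token"
EVENTS_PATH = "/api/v1/malwareDetection/events"

# Constructed sample: EDR saw the first encryption activity at 14:30 local time (UTC+2).
DETECTION_TIME = datetime(2024, 5, 6, 14, 30, 0, tzinfo=timezone(timedelta(hours=2)))


def build_malware_event(hostname, detected_at, details, engine, ipv4=None):
    """Build the request body for the Incident API.

    detected_at must be timezone-aware. VBR marks every restore point created
    AFTER this instant as infected, so pass the earliest evidence time; a
    naive or 'now' timestamp would leave already-infected restore points clean."""
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    utc = detected_at.astimezone(timezone.utc)
    machine = {"hostname": hostname, "displayName": hostname}
    if ipv4:
        machine["ipv4"] = ipv4
    return {
        "detectionTimeUtc": utc.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "machine": machine,
        "details": details,
        "engine": engine,
    }


def example_event():
    """The constructed sample event used below and in the usage note."""
    return build_malware_event("fileserver01", DETECTION_TIME,
                               "Mass file rename with unknown extension observed",
                               "ExampleEDR", ipv4="10.20.30.40")


def make_tls_context(cafile=None):
    """Verify the backup server certificate; pin a private CA via cafile instead
    of disabling verification, which would let anyone impersonate the server."""
    return ssl.create_default_context(cafile=cafile)


def get_token(username, password, ctx):
    body = urllib.parse.urlencode({"grant_type": "password",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"https://{VBR_SERVER}:{API_PORT}{TOKEN_PATH}", data=body, method="POST",
        headers={"x-api-version": API_VERSION, "accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def report_infection(token, event, ctx):
    """POST the event; the response describes the created malware event."""
    req = urllib.request.Request(
        f"https://{VBR_SERVER}:{API_PORT}{EVENTS_PATH}",
        data=json.dumps(event).encode(), method="POST",
        headers={"x-api-version": API_VERSION, "accept": "application/json",
                 "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(example_event(), indent=2))
    # ctx = make_tls_context(cafile="corp-root-ca.pem")          # hypothetical CA file
    # token = get_token("CORP\\svc-incident-api", "<secret>", ctx)
    # print(report_infection(token, example_event(), ctx))
```

Use a dedicated, least-privileged account for the integration and store its secret in the tool's credential vault; the reporting account only needs to create malware events, not to manage backups.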

Honeypot servers

Honeypot servers with authentication monitoring help detect attacks that target your Veeam infrastructure. These honeypots should be visible, and their DNS names should be self-explanatory, for example “vbrsrv01” or “vbrrepo”, so that they are attractive targets.

A proper honeypot could include a fake repository on which any change to the backup files is closely monitored.

Honeypot users

Honeypot users with authentication monitoring help detect attacks that target your Veeam infrastructure. These honeypots should be visible, and their names should be self-explanatory, for example “VBRAdmin” or “BackupAdmin”, so that they are attractive targets.

Of course these users must be useless by nature (no privileges, no group memberships, no access to any real system), so that their compromise has no effect on the security of the infrastructure. Because nobody legitimately uses them, any authentication attempt against them, successful or failed, is an alert.
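The following is an added example (not the page's or Veeam's own code) of the alerting logic behind the honeypot servers and honeypot users described above, and behind the trip-wire account mentioned in the Visibility section. It runs a decoy check over Windows Security authentication events: the decoy names, the event records and the source addresses are constructed sample data; the field names (`EventID`, `TargetUserName`, `Computer`, `IpAddress`) are those of the Security event log, and the event IDs are the standard logon, failed logon, Kerberos and NTLM events.

```python
# Decoy names from the page's examples (assumed: nobody legitimately uses them).
DECOY_ACCOUNTS = {"vbradmin", "backupadmin"}
DECOY_HOSTS = {"vbrsrv01", "vbrrepo"}

# Windows Security events that show an account being used or attacked.
AUTH_EVENT_IDS = {
    4624: "logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4771: "Kerberos pre-authentication failure",
    4776: "NTLM credential validation",
}


def normalize_account(name: str) -> str:
    """CORP\\VBRAdmin, vbradmin@corp.example and VBRAdmin all map to 'vbradmin'."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def normalize_host(name: str) -> str:
    """Reduce an FQDN to its lowercase short name."""
    return name.split(".", 1)[0].strip().lower()


def tripwire_hits(events, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Return one alert per authentication event that touches a decoy account
    or is recorded on a decoy host. Failed attempts count as much as successful
    ones: the account is a trip-wire, so the attempt itself is the signal."""
    hits = []
    for ev in events:
        kind = AUTH_EVENT_IDS.get(ev.get("EventID"))
        if kind is None:
            continue
        account = normalize_account(ev.get("TargetUserName", ""))
        host = normalize_host(ev.get("Computer", ""))
        reasons = []
        if account in decoy_accounts:
            reasons.append(f"decoy account {account}")
        if host in decoy_hosts:
            reasons.append(f"decoy host {host}")
        if reasons:
            hits.append({
                "event_id": ev["EventID"],
                "kind": kind,
                "account": account,
                "host": host,
                "source_ip": ev.get("IpAddress", "-"),
                "reason": "; ".join(reasons),
            })
    return hits


# Constructed sample events (dict form of the Security log's System/EventData fields).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "Computer": "vbr-prod.corp.example",
     "IpAddress": "10.0.0.15"},                                       # legitimate, ignored
    {"EventID": 4625, "TargetUserName": "CORP\\VBRAdmin", "Computer": "dc01.corp.example",
     "IpAddress": "10.20.30.40"},                                     # password guess on decoy
    {"EventID": 4768, "TargetUserName": "backupadmin@corp.example", "Computer": "dc01.corp.example",
     "IpAddress": "10.20.30.40"},                                     # TGT request for decoy
    {"EventID": 4624, "TargetUserName": "jdoe", "Computer": "vbrrepo.corp.example",
     "IpAddress": "10.20.30.41"},                                     # logon onto decoy host
    {"EventID": 7045, "TargetUserName": "", "Computer": "dc01.corp.example"},  # not an auth event
]


if __name__ == "__main__":
    for hit in tripwire_hits(SAMPLE_EVENTS):
        print(f"ALERT {hit['kind']} from {hit['source_ip']} on {hit['host']}: {hit['reason']}")
```

The three alerts in the sample all come from the same two addresses, which is exactly the pivot a SOC analyst wants. Exclude authorised vulnerability scanners or password audits from the decoy set beforehand, or they will trip the wire during every scheduled run.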

VMware visibility

VMware by Broadcom products can also help create visibility, for example:

VMware Cloud Foundation Operations for Networks can take VMs, objects, groupings and their physical elements, fingerprint the application and determine the internal and external flows, the client connections and so on. This gives you an analysis of what ‘normal’ behaviour is and what is not.

VMware vCenter alarms that are triggered by virtual trip-wires, such as any access to a decoy object that nobody should touch.



Copyright © 2019 - 2025 Solutions Architects, Veeam Software.
Please note that information provided in this guide is not produced or verified by Veeam R&D but is a result of community effort based on the field observations.