Once the city detected the scope of the attack, the IT team moved to shut down all inbound and outbound communications and isolate the various systems in the network.
“We shut down our entire data center. We shut down telephones. We shut down anything that was in any way connected to our network. We detached our entire environment from the internet and then detached the various parts of our environment from each other to isolate the attack,” Bill Healy, director of operations for the city of New Orleans IT and Innovation, said at Pure Storage’s Accelerate Digital 2021 event. “Then we began addressing the recovery process in a segmented fashion with both the datacenter and infrastructure.”
For the recovery process to work as planned, the city’s IT team estimated it needed twice as much storage as was available at the time, and it had to be secure. According to Healy, the city needed to leverage multiple versions of data and application servers while they scrubbed and brought back the compromised data. To accomplish this, the city needed a fast, agile, and scalable platform.
Before the ransomware incident, moving from multiple different disk storage platforms to a single flash platform seemed financially unfeasible. But the cyberattack presented an opportunity, Healy said. Once the city acquired the new system, Healy and his team isolated the data for analysis, looked for any signs of the attack, and, once the data was cleaned, moved it to its new production environment.
The city now replicates all its data by leveraging the capabilities of Pure Storage’s FlashBlade system and performs daily backups locally and at the disaster relief site. And because of the new duplication and compression features, the city can host nearly the entire environment on the single system.
Additionally, Healy emphasizes the need for the right partnerships and relationships when recovering from a cyberattack. With Pure Storage, the city has expanded its disaster relief capabilities, producing a more robust environment and a better presence for disaster recovery.
Healy and his team also said that state and local governments that have suffered similar cyberattacks would benefit from exploring an all-flash platform. When data must be analyzed for specific signatures, an all-flash platform makes processing that data more manageable.
Healy and his team found that it was often necessary to have two or three versions of each server and data set that was being recovered. “You can never have too much storage when you’re trying to recover from something like this,” Healy added.