Cyber recovery with Predatar

A VMware Cloud Foundation for Classic - Automated instance can host Predatar® Cyber Recovery Orchestration and a Predatar CleanRoom™.

Predatar Cyber Recovery Orchestration automates and orchestrates the recovery and malware scanning of backups into a Predatar CleanRoom. This process allows organizations to understand which of their virtual machines (VMs) fail to meet their required objectives and might jeopardize a quick recovery from a cyberattack. For more information, see Protect your data against ransomware attacks.

This architecture is suitable for clients who are using either or both of the following in the source environment:

  • IBM Spectrum Protect with IBM Spectrum Protect for Virtual Environments.
  • IBM Spectrum Protect Plus.

The following IBM Cloud® products can be used to host the Predatar Cyber Recovery Orchestration and Predatar CleanRoom:

  • An IBM Cloud vCenter Server instance is ordered with the following add-on services:
    • Edge Gateway – The edge gateway hosts the firewall appliances.
    • A firewall – Juniper®, FortiGate®, or Bring Your Own Firewall appliances are supported.
  • One or more Red Hat Enterprise Linux (RHEL) IBM Cloud bare metal servers are ordered and used as either:
    • IBM Spectrum Protect with IBM Spectrum Protect for Virtual Environments.
    • IBM Spectrum Protect Plus vSnap servers.

If you are completing an instant mount from object storage, the vSnap server is used for caching reads and holding writes so that a VM hosted on the vCenter Server instance can be used.

Cyber recovery with Predatar overview

The following diagram shows the high-level architecture:

Figure: Overview of Predatar on VMware Solutions

  1. VMs with VMware Tools installed, including the Thin Agent (also known as Guest Introspection), are backed up to the source backup servers.
  2. Backup data is replicated from the source backup servers to the IBM Cloud hosted tertiary backup servers.
  3. Metadata is collected from the source backup servers and the tertiary backup servers by the Predatar Agents and sent to the Predatar Cloud.
  4. Predatar Cyber Recovery Orchestration is used to automate the recovery and testing of the VMs and provides reports and notifications.
  5. In the CleanRoom, recovery tests use the instant mount restore type from the vSnap server to stream the backup files to the ESXi hosts to quickly restore the VM. Recovery tests can be performed with or without orchestrating a malware scan. If you are using IBM Spectrum Protect with IBM Spectrum Protect for Virtual Environments, recoveries are from the VMware datastore.
  6. If a recovery test includes a malware scan, agentless Endpoint Detection and Response (EDR) tools are used to scan and cleanse the recovered workloads. The EDR tools are selected from the Gartner leading EDR platforms and use a combination of file signature scanning, machine learning, in-memory analysis (for the identification of fileless malware), variant protection, behavioral analysis, and monitoring for scripts, injection, and ransomware to check for any active or dormant threats in the recovered workload.
  7. The EDR components are continuously updated and correlated for automatic protection.
  8. At the completion of the recovery test, metrics for that VM are saved and become available for reporting.

Cyber recovery with Predatar architecture

The following diagram shows more details of the vCenter Server instance architecture:

Figure: Architecture of Predatar on VMware Solutions

Primary or secondary data center:

  • Source VMs – The client VMs that need to be protected by the Predatar service. The VMs require the VMware Tools thin agent that is part of VMware Endpoint Protection, also known as Guest Introspection, to be installed so that they can be scanned when they are recovered into the CleanRoom. For more information, see Endpoint Protection.
  • Thin Agent – The Thin Agent, also known as the File Introspection driver, is the file introspection agent that runs inside the VM as part of VMware Tools. It is a generic and lightweight agent that facilitates offloading files and processes for scanning.
  • Source backup servers – These servers are part of the client’s IBM Spectrum Protect with IBM Spectrum Protect for Virtual Environments or IBM Spectrum Protect Plus environment and are configured to replicate backups to the tertiary backup server.
  • Predatar Virtual Appliance – Consists of:
    • VM – A customer-provided Microsoft Windows 2012 or later VM that is used to host the Predatar Agent.
    • Predatar Agent – A small-footprint client that is hosted on the customer’s VM, sends queries to one or more IBM Spectrum Protect or IBM Spectrum Protect Plus servers, and forwards the query results to the Predatar Cloud.

Predatar Cloud:

  • Predatar Cloud - Predatar is a SaaS cloud solution that is hosted in the Predatar Cloud. Predatar currently has clouds in Dallas, London, and Frankfurt. They are all provided by IBM Cloud and are used to hold customers’ IBM Spectrum Protect and Protect Plus metadata.
  • Metadata - Predatar stores an unlimited amount of metadata history in its multitenant data lake. This data is used by Predatar to power the platform’s analytics and machine learning capabilities.
  • Client access - Role-based access controls (RBAC) are used to govern access to data and can be configured at a granular level for customers.

IBM Cloud account:

  • vCenter Server instance – Used for cyber recovery tasks only and deployed in an IBM Cloud account that is restricted to cyber recovery activities. For more information about vCenter Server instances, see Overview of VMware Solutions.

The vCenter Server instance:

  • Can use VMware vSAN or NFS data stores. For more information, see Physical storage design.
  • Does not host production or disaster recovery workloads, but can be used temporarily to recover an infected machine and then clean it in the CleanRoom.
  • Includes an edge cluster to host your choice of one of the following to protect the vCenter Server instance networks:
    • Juniper vSRX appliances.
    • FortiGate Security Appliance.
    • FortiGate Virtual Appliance.
    • Bring your own gateway appliance.
  • Can include any of the vCenter Server options, such as Caveonix, Entrust, and VMware vRealize Operations.
  • Optionally, you can use encryption with Hyper Protect Crypto Services, Key Protect, and the VMware KMIP service. For more information, see KMIP for VMware overview.

Other components in the IBM Cloud account:

  • Tertiary backup servers – One or more hardened Red Hat Enterprise Linux IBM Cloud Bare Metal Servers that host IBM Spectrum Protect with IBM Spectrum Protect for Virtual Environments or IBM Spectrum Protect Plus vSnap servers.
  • Predatar Virtual Appliance – Consists of:
    • VM – A customer-provided Microsoft Windows 2012 or later VM that is used to host the Predatar Agent.
    • Predatar Agent – A small-footprint client that is hosted on the customer’s VM, sends queries to one or more IBM Spectrum Protect or IBM Spectrum Protect Plus servers, and forwards the query results to the Predatar Cloud.
  • Predatar CleanRoom – The Predatar CleanRoom is a patented concept that brings together virtualized compute, storage, and networking to form a recovery target that supports both automated recovery testing and orchestrated malware scanning. The vCenter Server instance with VMware vSphere and NSX-T provides the virtualized compute, storage, and networking.

How to use Cyber recovery with Predatar

You can deploy your Predatar CleanRoom instance into a separate IBM Cloud account. Doing so promotes separation of duties between ownership of the CleanRoom and ownership of any other production or disaster recovery solution that you might host in IBM Cloud.

The minimum number of hosts in a consolidated cluster is three, and the minimum host configuration is 128 GB RAM and 20 cores at 2.2 GHz, giving a total of 384 GB RAM and 132 GHz in the cluster for both management and customer workloads. The number of clusters, the number of hosts in each cluster, and the cores and RAM in the hosts can be scaled. See CPU Model and RAM.

The smallest IBM Cloud Classic Bare Metal Server for the IBM Spectrum Protect Plus vSnap server has 4 x 1 TB disks, which gives 2 TB of usable capacity in RAID 6. The largest single server has 34 x 12 TB disks, which gives 384 TB of usable capacity in RAID 6.

For more information about small, medium, and large configurations with direct-to-cloud or disk-to-cloud tiering models, see IBM Spectrum Protect Cloud Blueprint for IBM Cloud.

To create your Predatar CleanRoom based on a VCF for Classic - Automated instance, follow the procedure to order a VCF for Classic - Automated instance:

  1. In Step 4, select Primary.
  2. In Step 6, order Private Networks.
  3. In Step 7, order an edge gateway cluster with your preferred firewall option:

After your vCenter Server instance is provisioned:

  1. Configure your firewalls by using the vendor’s documentation as a guide and the following information:
  2. Deploy a Windows VM.
  3. Deploy the Predatar Agent.

To order IBM Cloud Classic Bare Metal servers, see Building a custom bare metal server.

  1. For the operating system vendor, select Red Hat, and for the version, select 8.x (64 bit).
  2. Select the required server profile.
  3. Select the required number and size of disks.
  4. Ensure that you select the same Private VLAN that the vCenter Server instance is deployed onto.