How Elastio Protects Your Data In Streaming Architectures
Author
Naj Husain
Date Published
Amazon Managed Streaming for Apache Kafka (MSK) is a popular distributed event store and stream-processing platform many companies use to process data.
To ensure fault tolerance, replication, and mirroring are used, but these technologies don’t protect against data loss caused by processing errors or application failures. These cases may severely impact a company’s operation and result in unrecoverable data.
What makes streaming data difficult is the ability to persist data along the processing path (e.g., checkpoints) and the ability to rewind the processing of past data. You hope these checkpoints are never needed, but a company won’t know if they are needed until a failure happens.
A few examples where data loss may occur:
Leader-follower:
When high replication is put in place in our messaging queue platform, the leader broker may fail during the process to make the followers consistent with the leader.
No replication:
On the other side of the spectrum, companies may have replication disabled completely. A failure of the master broker will result in data loss.
All brokers failed:
In this extreme situation or with poor replication design, all brokers may fail at the same time (e.g. a zone is down and all the replicas are in the same zone).
Deletion of a topic:
A topic may be accidentally deleted and that may prevent the producer from sending the data to the queue for consumption.
Incorrect transformation/processing:
Developers may run incorrect code to transform data during consumption. This may give wrong results or drop important information.
Elastio and its data protection capabilities can help with solving all the pain points mentioned above to provide Kafka business continuity and protect from data loss and downtime.
How we use Elastio to protect our customers from kafka outages and application failures
At Elastio, the events stored in Amazon MSK are crucial for our platform. Kafka directly influences the reliability and data consistency of our customer Tenants. Because of this, we need to protect these events to isolate our customers from Kafka outages and downtime.
The Elastio Tenant is built on the AWS cloud and uses Elastic Kubernetes Services (EKS), RDS, ElastiCache, and MSK.
The Tenant is built on a microservice architecture, and each of our services is bounded by the domain context. Our services communicate synchronously, with internal API calls and asynchronously, passing messages over the AWS Managed Streaming for Apache Kafka (MSK). The Tenant also synchronously communicates with every customer’s Cloud Connector by calling a Cloud Connector Lambda function and asynchronously polling and putting SQS messages from/into a Cloud Connector.
Here is a diagram of how the Tenant works:
As a result, we generate a lot of external and internal asynchronous communication that relies on Kafka. All event messages polled from the customers’ Cloud Connectors are sent to a specific Kafka topic. Event messages from Cloud Connectors can include more detailed information, such as backup metadata, and security report details. The Tenant processes, stores, and visualizes that data for our customers. Our team investigated the market to find a solution to backing up Kafka and was surprised that no product or service is available for Amazon MSK.
Introducing Elastio. The Elastio CLI offers advanced backup options. The stream backup capability became the key to solving the Kafka backup issue. We built a script around the Elastio CLI that creates a Kafka consumer with a unique consumer group id and streams a Kafka topic to the Elastio vault. The data is encrypted, deduped, and cataloged as a recovery point for future use.
The script works as follows:
- It captures the first message offset in the stream and the last one and stores these offsets as recovery point tags.
- It is agnostic to the message structure and captures the RAW message from the topic.
- On the next backup of the same topic in the MSK cluster, it gets the last message offset from the previous backup from recovery point tags and starts a new message stream from that offset. In this way, it ensures that there is no duplicated Kafka message backed up. This is crucial when discussing the restoration of the topic messages in case of any Kafka outage. It can take the specified recovery point of the topic in the MSK cluster and produce the messages collected in that recovery point into the topic in the same order initially stored in the cluster. The code for the consumer and producer is here.
Next we wanted to embed Elastio into the CloudOps workflow to protect Kafka. We include the Elastio service and cloud connector in our Tenant infrastructure. Then we wrapped the script into a Docker image and served the image to an ECS cluster to schedule regular Kafka topics’ backups.
Here is how that works in the Tenant now:
About Elastio
Elastio detects and precisely identifies ransomware in your data and assures rapid post-attack recovery. Our data resilience platform protects against cyber attacks when traditional cloud security measures fail.
Elastio’s agentless deep file inspection continuously monitors business-critical data to identify threats and enable quick response to compromises and infected files. Elastio provides best-in-class application protection and recovery and delivers immediate time-to-value.
Recover With Certainty
See how Elastio validates every backup across clouds and platforms to recover faster, cut downtime by 90%, and achieve 25x ROI.
Related Articles
The False Security of Checked BoxesIn the high-stakes world of cyber-recovery, there is a dangerous assumption that "detection" is a binary state, either you have it or you don’t. Most backup vendors have checked the box by offering anomaly and entropy-based monitoring. But as a CISO who has spent over a decade in regulated industries, I’ve learned that a check-box control is often worse than no control at all. It creates a false sense of security while delivering a signal so noisy and inaccurate that it’s practically unusable. The Inaccuracy Problem: Inference Is Not Evidence The core issue with the ransomware detection provided by backup vendors isn’t just where it happens; it’s how it happens. These tools rely on statistical inference rather than data evidence: Anomaly Detection: Monitors for “unusual” behavior, like a sudden spike in changed blocks or a deviation in backup window duration.Entropy Detection: Measures data randomness to infer encryption. In a modern enterprise, data is naturally “noisy.” Compressed database logs, encrypted video files, and standard application updates all register as anomalies or high-entropy events. Because these tools cannot distinguish between a legitimate .zip file and a ransomware-encrypted .docx, they produce a constant stream of false positives. Figure 1: Modern ransomware (red) operates below the statistical noise floor while legitimate enterprise data generates constant false-positive noise. Elastio detects threats through structural content inspection, independent of entropy. For a SOC team, this noise is toxic. When a tool is consistently inaccurate, the human response is predictable: the alerts are muted, tuned down, or ignored. If your “last line of defense” relies on a signal that your team doesn’t trust, you don’t actually have a defense. Beyond the “Big Bang”: The Rise of Evasive Encryption Current anomaly and entropy tools were designed for the "Big Bang" encryption events of years past. As of 2026, threat actors have evolved well beyond this model, with variants including LockFile specifically engineered to stay below the statistical noise floor using intermittent encryption. Intermittent Encryption: Encrypting every other 4KB block so the overall entropy change remains negligible.Low-Entropy Encryption: Using specialized schemes that mimic the statistical signature of benign, compressed data.Selective Corruption: Attacking only file headers or metadata while leaving the bulk of the file statistically “normal.” Against these techniques, a statistical guess is useless. You need a Data Integrity Control that performs deep content inspection to validate the actual structure of the data, not just its randomness. Mapping Integrity to the Resilience Lifecycle A high-fidelity integrity engine, like Elastio, provides the same level of accuracy regardless of where it is deployed. However, for a CISO, the location of that check is a strategic decision based on the Resilience Lifecycle: The Backup Layer: Validating integrity here is non-negotiable. It ensures that when you hit “restore,” you aren’t re-injecting corrupted data into your environment and extending downtime.The Production Layer (VMs, Buckets, Filers): For mission-critical data, waiting for the backup cycle to run is a luxury we can’t afford. Detecting corruption at the source, in your production VMs, S3 buckets, or filers, is about minimizing the blast radius. Data integrity validation serves different purposes depending on where it is applied in the resilience lifecycle. Scanning production data across VMs, filers, and object stores is the most effective way to minimize blast radius and prevent spread, because it detects corruption before it propagates downstream. When production data cannot be scanned due to security boundaries, operational constraints, or tenancy limitations, snapshots and replicas become the practical control point for achieving the same outcome. In this model, snapshot integrity analysis is not additive to production scanning; it is a substitute. Both serve the same objective: early detection and containment before corruption reaches backups or immutable storage. The CISO’s Bottom Line: Proving vs. Guessing Resilience is measured by the speed and certainty of recovery. Anomaly and entropy-based detection fail on both counts: they are too inaccurate to provide certainty and too late to provide speed. True resilience requires moving from statistical inference to data integrity validation. Whether validating backups to prove recoverability or monitoring production data to prevent spread, the objective is the same: replace guessing with proof. In regulated environments, “recovery is safe” is the only defensible statement a CISO can make to the board. The ability to detect these advanced threats early is the difference between being able to ensure fast recovery versus a ransomware event that results in devastating downtime, data loss, and financial impact.
Cloud ransomware incidents rarely begin with visible disruption. More often, they unfold quietly, long before an alert is triggered or a system fails. By the time incident response teams are engaged, organizations have usually already taken decisive action. Workloads are isolated. Instances are terminated. Cloud dashboards show unusual activity. Executives, legal counsel, and communications teams are already involved. And very quickly, one question dominates every discussion. What can we restore that we actually trust? That question exposes a critical gap in many cloud-native resilience strategies. Most organizations have backups. Many have immutable storage, cross-region replication, and locked vaults. These controls are aligned with cloud provider best practices and availability frameworks. Yet during ransomware recovery, those same organizations often cannot confidently determine which recovery point is clean. Cloud doesn’t remove ransomware risk — it relocates it This is not a failure of effort. It is a consequence of how cloud architectures shift risk. Cloud-native environments have dramatically improved the security posture of compute. Infrastructure is ephemeral. Servers are no longer repaired; they are replaced. Containers and instances are designed to be disposable. From a defensive standpoint, this reduces persistence at the infrastructure layer and limits traditional malware dwell time. However, cloud migration does not remove ransomware risk. It relocates it. Persistent storage remains long-lived, highly automated, and deeply trusted. Object stores, block snapshots, backups, and replicas are designed to survive everything else. Modern ransomware campaigns increasingly target this persistence layer, not the compute that accesses it. Attackers don’t need malware — they need credentials Industry investigations consistently support this pattern. Mandiant, Verizon DBIR, and other threat intelligence sources report that credential compromise and identity abuse are now among the most common initial access vectors in cloud incidents. Once attackers obtain valid credentials, they can operate entirely through native cloud APIs, often without deploying custom malware or triggering endpoint-based detections. From an operational standpoint, these actions appear legitimate. Data is written, versions are created, snapshots are taken, and replication occurs as designed. The cloud platform faithfully records and preserves state, regardless of whether that state is healthy or compromised. This is where many organizations encounter an uncomfortable reality during incident response. Immutability is not integrity Immutability ensures that data cannot be deleted or altered after it is written. It does not validate whether the data was already encrypted, corrupted, or poisoned at the time it was captured. Cloud-native durability and availability controls were never designed to answer the question incident responders care about most: whether stored data can be trusted for recovery. In ransomware cases, incident response teams repeatedly observe the same failure mode. Attackers encrypt or corrupt production data, often gradually, using authorized access. Automated backup systems snapshot that corrupted state. Replication propagates it to secondary regions. Vault locks seal it permanently. The organization has not lost its backups. It has preserved the compromised data exactly as designed. Backup isolation alone is not enough This dynamic is particularly dangerous in cloud environments because it can occur without malware, without infrastructure compromise, and without violating immutability controls. CISA and NIST have both explicitly warned that backup isolation and retention alone are insufficient if integrity is not verified. Availability testing does not guarantee recoverability. Replication can accelerate the blast radius Replication further amplifies the impact. Cross-region architectures prioritize recovery point objectives and automation speed. When data changes in a primary region, those changes are immediately propagated to disaster recovery environments. If the change is ransomware-induced corruption, replication accelerates the blast radius rather than containing it. From the incident response perspective, this creates a critical bottleneck that is often misunderstood. The hardest part of recovery is deciding what to restore The hardest part of recovery is not rebuilding infrastructure. Cloud platforms make redeployment fast and repeatable. Entire environments can be recreated in hours. The hardest part is deciding what to restore. Without integrity validation, teams are forced into manual forensic processes under extreme pressure. Snapshots are mounted one by one. Logs are reviewed. Timelines are debated. Restore attempts become experiments. Every decision carries risk, and every delay compounds business impact. This is why ransomware recovery frequently takes days or weeks even when backups exist. Boards don’t ask “Do we have backups?” Boards do not ask whether backups are available. They ask which recovery point is the last known clean state. Without objective integrity assurance, that question cannot be answered deterministically. This uncertainty is not incidental. It is central to how modern ransomware creates leverage. Attackers understand that corrupting trust in recovery systems can be as effective as destroying systems outright. What incident response teams wish you had is certainty What incident response teams consistently wish organizations had before an incident is not more backups, but more certainty. The ability to prove, not assume, that recovery data is clean. Evidence that restoration decisions are based on validated integrity rather than best guesses made under pressure. Integrity assurance is the missing control This is where integrity assurance becomes the missing control in many cloud strategies. NIST CSF explicitly calls for verification of backup integrity as part of the Recover function. Yet most cloud-native architectures stop at durability and immutability. When integrity validation is in place, recovery changes fundamentally. Organizations can identify the last known clean recovery point ahead of time. Recovery decisions become faster, safer, and defensible. Executive and regulatory confidence improves because actions are supported by evidence. From an incident response standpoint, the difference is stark. One scenario is prolonged uncertainty and escalating risk. The other is controlled, confident recovery. Resilience is proving trust, not storing data Cloud-native architecture is powerful, but ransomware has adapted to it. In today’s threat landscape, resilience is no longer defined by whether data exists somewhere in the cloud. It is defined by whether an organization can prove that the data it restores is trustworthy. That is what incident response teams see after cloud ransomware. Not missing backups, but missing certainty. Certainty is the foundation of recovery And in modern cloud environments, certainty is the foundation of recovery.
Closing the Data Integrity Control Gap In 2025, the cybersecurity narrative shifted from protection to provable resilience. The reason? A staggering 333% surge in "Hunter-Killer" malware threats designed not just to evade your security stack, but to systematically dismantle it. For CISOs and CTOs in regulated industries, this isn't just a technical hurdle; it is a Material Risk that traditional recovery frameworks are failing to address. The Hunter-Killer Era: Blinding the Frontline The Picus Red Report 2024 identified that one out of every four malware samples now includes "Hunter-Killer" functionality. These tools, like EDRKillShifter, target the kernel-level "callbacks" that EDR and Antivirus rely on to monitor your environment. The Result: Your dashboard shows a "Green" status, while the adversary is silently corrupting your production data. This creates a Recovery Blind Spot that traditional, agent-based controls cannot see. The Material Impact: Unquantifiable Downtime When your primary defense is blinded, the "dwell time", the period an attacker sits in your network, balloons to a median of 11–26 days. In a regulated environment, this dwell time is a liability engine: The Poisoned Backup: Ransomware dwells long enough to be replicated into your "immutable" vaults.The Forensic Gridlock: Organizations spend an average of 24 days in downtime manually hunting for a "clean" recovery point.The Disclosure Clock: Under current SEC mandates, you have four days to determine the materiality of an incident. If you can’t prove your data integrity, you can’t accurately disclose your risk. Agentless Sovereignty: The Missing Control Elastio addresses the Data Integrity Gap by sitting outside the line of fire. By moving the validation layer from the compromised OS to the storage layer, we provide the only independent source of truth. The Control GapThe Elastio OutcomeAgent FragilityAgentless Sovereignty: Sitting out-of-band, Elastio is invisible to kernel-level "Hunter-Killer" malware.Trust BlindnessIndependent Truth: We validate data integrity directly from storage, ensuring recovery points are clean before you restore.Forensic LagMean Time to Clean Recovery (MTCR): Pinpoint the exact second of integrity loss to slash downtime from weeks to minutes. References & Sources GuidePoint Security GRIT 2026 Report: 58% year-over-year increase in ransomware victims.Picus Security Red Report 2024: 333% surge in Hunter-Killer malware targeting defensive systems.ESET Research - EDRKillShifter Analysis: Technical deep-dive into RansomHub’s custom EDR killer and BYOVD tactics.Mandiant M-Trends 2025: Median dwell time increases to 11 days; 57% of breaches notified by external sources.Pure Storage/Halcyon/RansomwareHelp: Average ransomware downtime recorded at 24 days across multiple industries in 2025.Cybereason True Cost to Business: 80% of organizations who pay a ransom are hit a second time.