Continuous Data Protection is as ineffective as backup in a ransomware scenario

Kevin Bailey • 16 April 2026
Here is another of my posts about real cyber [data] resilience capabilities for those in charge of data protection to think about.

Continuous Data Protection (CDP) is just another name for a backup. It is excellent in its ability to automatically save a copy of every data change in real time (similar to Microsoft VSS), allowing for recovery to any previous point in time.

Providers of CDP profess that it is unlike scheduled backups: CDP minimizes data loss (near-zero RPO) and protects against ransomware, corruption, and accidental deletion by creating a continuous journal of data modifications.

Here are some key aspects of CDP and why Synergy Six Degrees (SSD) believes it does not deliver on its promises during a cyber malware attack.
Make a strong mental note that CDP vendors talk heavily about RPO but never RTO, a key measure when returning your business to operations and halting revenue bleed:

Benefits:

Data Resiliency: Drastically reduces data loss by continuously recording changes.

SSD Opinion - Nice, but when an attacker compromises your live data you have lost all production data, not just the last change.

Ransomware Protection: Allows rolling back systems to a "known-good" state just before an infection occurred.

SSD Opinion - Rolling back assumes that the malware didn't compromise your CDP copies. This is a common strategy against backups, so you should assume any CDP copy on a network during the attack will be compromised. Also, you don't just roll back the last change; you have to roll back the entire data set.

Simplified Management: Eliminates the need to manage complex, scheduled backup jobs.

SSD Opinion - We are talking about a cyber-attack roll back, not going back 1 week, 1 month or 6 months. All data copy products must have a level of scheduling to ensure you keep what you need and dispose of what is not wanted.

Tracking data changes (deltas): sending them to a separate storage location, either locally or in the cloud.

SSD Opinion - Excellent strategy, as you are now following a variation of the industry 3-2-1 policy. Keep in mind that when a cyber attack hits, one of the first things you do is TAKE DOWN YOUR NETWORKS, protecting your business and supply chain. Any CDP copies that are offsite are now inaccessible. No worries, you have other CDP copies onsite, but these have already been compromised.

Storage: data should be stored on high-speed, local network disks for rapid recovery.

SSD Opinion - High-speed networks like 10GbE are excellent for recording/copying the changes to the target storage location. When executing your Incident Response strategy you naturally become risk-averse, so only limited networks are opened, probably starting at 1 channel or 100 Mbps, to restrict your exposure to double-extortion attacks or to stop existing malware that has not yet been cleaned from moving laterally.

Remember, as mentioned previously, even though you have captured the data changes for every record, when you need to recover it will be for the entire data set, not just the changes.

On-Site Target Storage (Fast Recovery): A local disk in the same network as the source, allowing immediate recovery of data.

SSD Opinion - LANs as well as WANs get taken down during a cyber attack. If the local disk is not immutable media (it is costly to store everything onsite on immutable media) you cannot guarantee it will be accessible. It could be encrypted or deleted.

Off-Site/Disaster Recovery Sites: Remote data centers or secondary locations that protect against total site failure.

SSD Opinion - A cyber incident isn't an act of God (earthquake, flood, hurricane, etc.) or a scheduled DR test, so this is moot. Plus, in a cyber incident, if you have no WANs it means you cannot get to this data. If the remote data is not immutable you cannot guarantee it will be accessible. It could be encrypted or deleted.

Cloud-Based Storage: Utilized for hybrid or multi-cloud scenarios to provide scalable storage and simplified, automatic backups. 

SSD Opinion - Same as above.

Encryption: When selecting storage, ensure it offers high encryption capabilities for security (e.g., AES-256) and adequate capacity for continuous change logs. 

SSD Opinion - Love this one. Encryption is excellent technology to stop cyber criminals, or anyone, from reading/accessing/stealing your data without your private key. Unfortunately, encrypted CDP data is not normally immutable, which means the attacker will either delete it or encrypt it (over your encryption) to compromise your operations.

Resolution

You know my answer to addressing these shortcomings: NeuShield Data Sentinel
  • Reality - Ransomware/malware attempts at data deletion, encryption and exfiltration are wasted when NeuShield is installed.
  • Reality - Every piece of data on a protected device is guaranteed to be protected 24/7 without being moved or copied off the device(s).
  • Reality - The OS/apps and device settings can be restored if compromised without a backup or gold image, all from the same device with no data transfer.
  • Reality - Data reverts (not rebuilds) happen simultaneously across all your devices in secs/mins, not days/months.
  • Reality - This is NeuShield patented IP, not backup, snapshots or shadow copies, and there is no need for networks to be operational.
