How to protect backups from ransomware and other malicious corruption/deletion?

I have heard multiple times about companies being unable to recover from ransomware attacks despite having backups configured because the attackers were able to get into the backup infrastructure and corrupt the or delete backups. Often, attackers will specifically attack the backups so that the victim can’t simply restore files to avoid paying the ransom  

What are the best practices for setting up the Avamar backup infrastructure and security policies in a way to prevent backups from being tampered with by malicious actors either directly or through malware traversing through the network?

Are there any options for using MFA to access Avamar backups or to change settings so that environments are less vulnerable to attacks using stolen administrator account credentials?