Offline backup is the only sure way to protect agents malware. Backup data should also be read only once created to block things like cryptolocker.
Correct, you need behavior blockers to block malware that is able to bypass AV's. Of course, BB's are also not bulletproof.