Druva Managed Detection and Response: Protecting Your Data 24x7x365

Badri Raghunathan, Sr. Director, Product Management

Your Data is Under Constant Threat

Cyber attacks are a continuous risk and can cost your business anything from loss of critical data to downtime and reputation. As the only 100% SaaS data resiliency solution with a global customer footprint, Druva typically identifies and prevents 1-2 attacks every week across our diverse customer base. Often, bad actors will target the backup environment in an attempt to take out the ability to recover and force payment of a ransom to get your data back.

In fact, MITRE Corporation, which maintains a knowledge base (ATT&CK) of the tactics, techniques, and procedures used by bad actors in cyberattacks, has recently introduced a new “technique” called “Inhibit System Recovery” to account for recent trends that focus on compromising backups. Security vendors typically use the ATT&CK framework to develop and test detection, prevention, and mitigation against the specific techniques it outlines. The attack surface for backups ranges from attempting to delete backups, to changing retention policies, to trying to exfiltrate data using restore APIs. Druva takes a three-pronged approach to help customers with this problem:

  1. High-fidelity threat signals — These are signals that require immediate action and investigation, like a large volume of backup deletion attempts or the mass encryption of backup data. 

  2. Threat signals requiring complex correlation and investigation — These include signals like a new login location for a backup admin. These would require investigation and correlation before determining the need for action. For Druva, these also involve correlating telemetry and attack patterns across customers by our internal cloud operations teams.

  3. Response actions to respond and recover from attacks — Lastly, upon verification of a threat signal and confirmation of an incident, prompt action needs to be taken to safeguard customer data. Examples include locking down infected backups and rolling back backup deletion attempts.

Druva provides capabilities across the three categories above via the UI and APIs. Customers first need to integrate these into their regular IT and security operations. 
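To make the three tiers concrete, here is an added example (not Druva code, and not Druva's real telemetry format) that sorts constructed backup audit events into act-now signals, signals that need correlation, and the response action each act-now signal should trigger. The event shapes, admin names, thresholds, and the `changed_ratio` field are assumptions for illustration.

```python
from collections import defaultdict

# Constructed backup audit events for illustration (not real Druva telemetry).
# ts is seconds since an arbitrary epoch; admins and countries are made up.
EVENTS = (
    [{"ts": 0, "admin": "bkadmin", "action": "login", "country": "US"},
     {"ts": 60, "admin": "bkadmin", "action": "login", "country": "XX"}]
    # A burst of 60 backup deletion attempts within one minute.
    + [{"ts": 120 + i, "admin": "bkadmin", "action": "delete_backup"} for i in range(60)]
    # changed_ratio (assumed field): share of blocks that changed since the last snapshot;
    # a near-total change is the signature of mass encryption of protected data.
    + [{"ts": 400, "admin": "svc-backup", "action": "snapshot_written", "changed_ratio": 0.93},
       {"ts": 500, "admin": "svc-backup", "action": "snapshot_written", "changed_ratio": 0.04}]
)

# Baseline of login countries previously seen per admin (constructed).
KNOWN_LOCATIONS = {"bkadmin": {"US"}, "svc-backup": set()}


def triage(events, known_locations, delete_threshold=25, window=3600, change_threshold=0.8):
    """Classify events into the three tiers: act_now (high-fidelity), investigate
    (needs correlation), and the response action paired with each act_now signal."""
    act_now, investigate, actions = [], [], []
    deletions = defaultdict(list)   # admin -> timestamps of recent delete attempts
    fired = set()                   # admins already flagged for mass deletion
    for e in sorted(events, key=lambda ev: ev["ts"]):
        a = e["action"]
        if a == "delete_backup":
            ts_list = deletions[e["admin"]]
            ts_list.append(e["ts"])
            # Keep only attempts inside the sliding window, then check the volume.
            while ts_list and ts_list[0] < e["ts"] - window:
                ts_list.pop(0)
            if len(ts_list) >= delete_threshold and e["admin"] not in fired:
                fired.add(e["admin"])
                act_now.append(("mass_deletion", e["admin"]))
                actions.append(("rollback_deletions", e["admin"]))
        elif a == "snapshot_written" and e["changed_ratio"] >= change_threshold:
            act_now.append(("mass_encryption", e["admin"]))
            actions.append(("quarantine_snapshot", e["admin"]))
        elif a == "login" and e["country"] not in known_locations.get(e["admin"], set()):
            # Not proof of compromise on its own: hand to an analyst for correlation.
            investigate.append(("new_login_location", e["admin"], e["country"]))
    return {"act_now": act_now, "investigate": investigate, "actions": actions}


if __name__ == "__main__":
    for tier, items in triage(EVENTS, KNOWN_LOCATIONS).items():
        print(tier, items)
```

A single burst of deletions raises one alert rather than one per event, and a single new login location lands in the investigate queue instead of triggering an automated response.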

Security teams typically monitor the security posture of their primary environment via a number of tools like EDR, SIEM, XDR, and more, and in some cases also partner with security service providers who offer managed services like MSSP and MDR. The industry and customers at large are at various stages of the maturity spectrum in integrating backups into their security operations. Unfortunately, this can’t wait, as backup compromise is the #1 tactic of bad actors in ransomware attacks. Backup monitoring at large is typically limited to ensuring completion SLAs are met. This is no longer “good enough” to keep your data safe. 

What is MDR?

The concept of MDR, or Managed Detection and Response, has long been offered by many security providers as a comprehensive service combining real-time threat detection, incident response, and continuous monitoring to enhance an organization's overall security posture. Third-party security providers actively monitor an organization's network, analyze security events, and provide timely incident response, helping identify and mitigate potential security breaches. As a result, the organization minimizes the impact of cyberthreats via proactive threat hunting, rapid detection, and effective response capabilities, ultimately enhancing its resilience against evolving cyberthreats. At its simplest — earlier detection = earlier response and less impact on the organization.

Druva Managed Detection and Response — Proactive Monitoring, Detection, and Response for Backups 

Given the proliferation of customer attacks, Druva has been testing a limited MDR service for backups focused on a few high-fidelity threat indicators. This essentially is your backup vendor monitoring the health of your backup environment, proactively taking action to protect your data, and alerting the IT and security teams when there is a need to investigate and respond to detected threats. This service has successfully detected real-world threats, alerted customers, and helped with speedy incident response to enable a full, clean recovery. Druva's cloud operations teams monitor a real-time detection pipeline that analyzes customer backup telemetry, generating alerts for potential threats. Additionally, our system correlates these alerts with intelligence from other customers, enhancing our ability to identify common threats, such as attacks originating from the same malicious IP address. 

Our team of analysts serves as an extra set of eyes on your data, thoroughly examining these alerts, and conducting a detailed analysis to verify their validity and rule out false positives. Druva support then communicates with customers, alerting them of the identified threats. Once verified by the customer, Druva takes proactive measures to secure and, if necessary, roll back compromised data.

Real-World Customer Example

How does the Druva Managed Detection and Response solution play out in the wild? The following is a real-world scenario that took place with one of our customers.

  • U.S. holiday weekend, 1:00 AM — The threat actor gained a foothold in the customer network, compromised Active Directory, and established persistence on customer assets. It then compromised SSO servers, obtained SSO credentials, and navigated to various SSO-connected SaaS services, including backup systems. The threat actor leveraged administrative credentials and attempted to compromise backups by deploying ransomware and initiating mass encryption, taking advantage of the upcoming holiday in the hope of delayed detection. 

  • 2:00 AM — Within an hour, Druva’s cloud operations center (CoC) detected the backup data anomalies in the customer environment, investigated the activity, and verified the incident after reaching out to the customer. Druva initiated its rapid incident response playbook to help the customer. The Druva support team then locked down access to the customer tenant and took steps to secure key data. It reviewed security access posture and increased security controls including login timeouts, geo-IP fencing, and other measures. Druva’s support team then leveraged its advanced cyber recovery capabilities — including Curated Snapshots and quarantining — to lock down infected backups and initiate clean restores by filtering out malware during the restore process. At this point, 40% of the customer’s data was subject to compromise attempts, and Druva successfully restored and made available terabytes of data to the customer in less than 24 hours. 

  • 2:00 PM, following day — The customer’s security team then took over, initiated verification of the restored data, and began to recover applications. Because Druva's cloud operations team detected the threat within the first hour of the attack, the customer was able to quickly limit the scope of the impact to their data. Rather than starting their response hours or days later, the early warning enabled them to mitigate the cyber threat and restore their data within the same day.

Key Takeaways

The Druva Managed Detection and Response capabilities have been tested and proven with our many early adopter customers and we're excited to now offer this unique security capability to all Druva customers as part of their license at no additional cost. We appreciate the trust customers place in Druva to safeguard their valuable data and remain committed to innovation in countering the ever-evolving threat landscape. 

While Druva provides a limited set of MDR capabilities focused on high-fidelity anomalies, customers should consider more comprehensive monitoring of their backups with third-party security service providers. Hence, we see a larger need for the security ecosystem to integrate with the rich backup telemetry Druva provides to fully deliver 24x7x365 coverage against threats to your backups. We welcome partnership requests from leading security service vendors to develop out-of-the-box integrations with leading MDR, SIEM, and XDR systems. Reach out to the Druva security team; we look forward to speaking with you.