Platform
- Data Security Cloud
  Data Security Cloud
  Fully managed data security across enterprise, cloud, SaaS, and end user.
- Data Protection
  Data Protection
  Modernize data protection to reduce costs and complexity
- Cyber Response & Recovery
  Cyber Response & Recovery
  Bounce back from cyber attacks with data that is always safe and ready.
- eDiscovery & Compliance
  eDiscovery & Compliance
  Secure, protect, and streamline data governance.
- Meet Dru - Your Copilot for Data Security
Solutions
- Use Cases
  Use Cases
  Learn how Druva helps you accelerate key business initiatives
- Key Technologies
  - Public Cloud
    Public Cloud
    Protect native AWS and Azure deployments with secure backups without the cost and complexity
    
    AWS
    
    Azure
  - Hybrid Workloads
    Hybrid Workloads
    Transform data center backup and disaster recovery for virtual environments
    
    VMware
    
    Hyper-V
    
    Nutanix
    
    Oracle
    
    MS SQL
    
    SAP HANA
    
    NAS/files
  - Endpoint and SaaS Apps
    Endpoint and SaaS Apps
    Enterprise Cloud Backup and data management across edge, on-premises and cloud workloads
    
    End User Protection
    
    Microsoft 365
    
    Salesforce
    
    Google Workspace
    
    Microsoft Entra ID
- Free Trial
Customers
- Explore All Customer Stories
  We are trusted by the world's leading organizations to protect their data. Explore customer success stories to see how your peers are using Druva.
- Ransomware recovery ready
  Learn why Medallia chose Druva
  
  SaaS data protection across the enterprise
  See why Regeneron partnered with Druva
Resources
- Druva vs. Veeam TCO Calculator
  Find the hidden costs of legacy backup
  
  Data Resiliency for Dummies
  Get your guide to data resiliency
Partners
- Programs
  Programs
  Learn how you can profit with Druva and a cloud-first SaaS selling motion. Explore partner programs, access resources, and discover the benefits of partnering with Druva.
- Strategic Partners
  Strategic Partners
  Learn about Druva's strategic capabilities across platform, OEM, and other partnerships. Find out how Druva accelerates and protects customers' cloud journeys.
  - Dell Technologies
  - AWS
  - VMware
  - Nutanix
- Become a Partner
Company
- - Company
  - Leadership
  - Investors
  - Careers
  - Contact Us
  - Newsroom
  - Awards
  - Events
  - Diversity, Equity & Inclusion
  - Blog
- Get in touch with us
  Contact Us
  
  News, product innovations, and more
  Blog
Get Started
Support
Login
Language
- English
- Deutsch

Product

Druva Managed Data Detection and Response: Protecting Your Data 24x7x365

July 02, 2024 Badri Raghunathan, Sr. Director, Product Management

Your Data is Under Constant Threat

Cyber attacks are a continuous risk and can cost your business anything from loss of critical data to downtime and reputation. As the only 100% SaaS data resiliency solution with a global customer footprint, Druva typically identifies and prevents 1-2 attacks every week across our diverse customer base. Often, bad actors will target the backup environment in an attempt to take out the ability to recover and force payment of a ransom to get your data back.

In fact, MITRE Corporation, which maintains a knowledge base (ATT&CK) of tactics, techniques, and procedures used by bad actors in cyberattacks, has recently introduced a new “technique” called “Inhibit System Recovery” to account for recent trends that focus on compromising backups. Security vendors typically use these ATT&CK frameworks to develop and test detection, prevention, and mitigation against specific techniques outlined. The attack surface for backups can range from attempting to delete backups, to changing retention policies or trying to exfiltrate data using restore APIs. Druva takes a three-pronged approach to help customers with this problem:

High-fidelity threat signals — This would include signals that require immediate action and investigation, like a large volume of backup deletion attempts and the mass encryption of backup data.
Threat signals requiring complex correlation and investigation — These include signals like a new login location for a backup admin. These would require investigation and correlation before determining the need for action. For Druva, these also involve correlating telemetry and attack patterns across customers by our internal cloud operations teams.
Response actions to respond and recover from attacks — Lastly, upon verification of a threat signal and confirmation of an incident, prompt action needs to be taken to safeguard customer data. Examples include locking down infected backups and rolling back backup deletion attempts.

Druva provides capabilities across the three above categories via the UI and APIs. Customers need to first integrate these into their regular IT and security operations.

Security teams typically monitor the security posture of their primary environment via a number of tools like EDR, SIEM, XDR, and more, and in some cases also partner with security service providers who provide managed services like MSSP and MDR. The industry and customers at large, are at various stages of the maturity spectrum in integrating backups into their security operations. Unfortunately, this can’t wait as backup compromise is the #1 tactic of bad actors in ransomware attacks. Backup monitoring at large is typically limited to ensuring completion SLAs are met… this is no longer “good enough” to keep your data safe.

What is Managed DDR?

The concept of managed services for security has long been offered by many security providers as a comprehensive service combining features like real-time threat detection, incident response, and continuous monitoring to enhance an organization's overall security posture. Third-party security providers actively monitor an organization's network, analyze security events, and provide timely incident response to the organization, helping identify and mitigate potential security breaches. As a result, the organization minimizes the impact of cyberthreats via proactive threat hunting, rapid detection, and effective response capabilities, ultimately helping them enhance their resilience against evolving cyberthreats. At its simplest — earlier detection equates to earlier response and less impact on the organization.

Managed DDR — Proactive Data Detection and Response for Backups

Given the proliferation of customer attacks, Druva has been laying the groundwork for a limited managed service for backups focused on a few high-fidelity threat indicators. This allows for monitoring the health of your backup environment, proactively taking action to protect your data, and alerting the IT and security teams when there is a need to investigate and respond to detected threats. This service has successfully detected real-world threats, alerted customers, and helped with speedy incident response to enable a full, clean recovery. Druva's cloud operations teams monitor a real-time detection pipeline that analyzes customer backup telemetry, generating alerts for potential threats. Additionally, our system correlates these alerts with intelligence from other customers, enhancing our ability to identify common threats, such as attacks originating from the same malicious IP address.

Our team of analysts serves as an extra set of eyes on your data, thoroughly examining these alerts, and conducting a detailed analysis to verify their validity and rule out false positives. Druva support then communicates with customers, alerting them of the identified threats. Once verified by the customer, Druva takes proactive measures to secure and, if necessary, roll back compromised data.

Real-World Customer Example

How does Druva’s Managed DDR solution play out in the wild? The following is a real-world scenario that took place with one of our customers.

U.S. holiday weekend, 1:00 AM — The threat actor secured a footprint in the customer network, compromised the active directory, and secured a footprint on customer assets. It then compromised SSO servers, secured SSO credentials, and navigated to various SSO-connected SaaS services including backup systems. The threat actor leveraged administrative credentials and attempted to compromise backups by deploying ransomware and initiating mass encryption, taking advantage of the upcoming holiday in the hopes of delayed detection.

2:00 AM — Within an hour, Druva’s cloud operations center (CoC) detected the backup data anomalies in the customer environment, investigated the activity, and verified the incident after reaching out to the customer. Druva initiated its rapid incident response playbook to help the customer. The Druva support team then locked down access to the customer tenant and took steps to secure key data. It reviewed security access posture and increased security controls including login timeouts, geo-IP fencing, and other measures. Druva’s support team then leveraged its advanced cyber recovery capabilities — including Curated Snapshots and quarantining — to lock down infected backups and initiate clean restores by filtering out malware during the restore process. At this point, 40% of the customer’s data was subject to compromise attempts, and Druva successfully restored and made available terabytes of data to the customer in less than 24 hours.

2:00 PM, following day — Customer’s security team then took over and initiated verification of the restored data and began to recover applications. Thanks to Druva's cloud operations team detecting the threat within the first hour of the attack, it enabled the customer to quickly limit the scope of the impact to their data. Rather than starting their response hours or days later, the early warning enabled them to mitigate the cyber threat and restore their data within the same day.

Key Takeaways

Druva’s Managed DDR capabilities have been tested and proven with our many early adopter customers and we're excited to now offer this unique security capability to all Druva customers as part of their license at no additional cost. We appreciate the trust customers place in Druva to safeguard their valuable data and remain committed to innovation in countering the ever-evolving threat landscape.

While Druva provides a limited set of backup-focused managed security service capabilities focused on high-fidelity anomalies, customers seeking more comprehensive monitoring of their backups should consider third-party security service providers. There is a larger need for the security ecosystem to integrate with the rich backup telemetry Druva provides to deliver full 24x7x365 coverage against threats targeting backups. We welcome partnership requests from leading security service vendors to develop out-of-the-box integrations into leading DDR, MDR, SIEM, and XDR systems.

Inquiries are welcome, reach out to the Druva Security Team.

Druva Managed Data Detection and Response: Protecting Your Data 24x7x365

Your Data is Under Constant Threat

What is Managed DDR?

Managed DDR — Proactive Data Detection and Response for Backups

Real-World Customer Example

Key Takeaways

Blog

Druva Data Security Cloud

The Druva Platform

Data Protection

Cyber Response & Recovery

eDiscovery & Compliance

Use Cases

Key Technologies

Customers

Resources

Partners

Company