Holidays are a dangerous time for backups

W. Curtis Preston, Chief Technology Evangelist

This episode of No Hardware Required focuses on the risk that holidays like Memorial Day pose from a cybersecurity perspective, especially for your backups. Stephen Manley (Druva’s CTO) and W. Curtis Preston (Mr. Backup) delve into this topic, discussing why this is the case, and what can be done about it. The episode gives advice to both Druva customers and to those who haven’t made that decision (yet). Learn what to do to secure your backups prior to this upcoming holiday weekend.

[00:00:00] W. Curtis Preston: This week on No Hardware Required, we’re talking about cyber attacks over the holidays. My guest this week is Stephen Manley, our CTO. Thanks for joining.

Hi and welcome to Druva’s No Hardware Required podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup, and have with me our ransomware specialist, Stephen Manley. How’s it going, Stephen?

[00:00:30] Stephen Manley: I’m doing pretty well. I I’ve, I’ve certainly increased my rate of ransomware attacks by, oh wait. No, that’s not what you mean. No. Okay.

[00:00:39] W. Curtis Preston: Yeah. You know, this is one of those things where we’re, we’re starting to see it almost so much in the news that you almost start to ignore them. Would you agree? I mean, at least it seems.

[00:00:54] Stephen Manley: I think, yeah, I think, I think there’s, it is that sort of thing where it’s, it’s become so ubiquitous and people just, yeah, every day it feels like there’s another attack and it does seem to customer. Yeah, this is a, this is just the new normal, right? It’s like, it’s like driving in California and hitting potholes.

Yeah. At one point you thought maybe the roads, maybe the road should actually be smooth, but then you realize, no, that’s just the way it is.

[00:01:24] W. Curtis Preston: Well, you know, just for the record, I’ve driven down in Mexico and there they have pot Hills where occasionally you get some road, it’s a very different experience, uh, experience. But this is the, I, I, I do think that we need to address that a little bit in that. If the ransomware attacks are so frequent that we, we become desensitized to them and we stop worrying about them.

I definitely don’t think that we should be doing that. If anything, there is this current, I don’t know if you’ve heard there’s this, uh, war going on over there in Europe, Eastern Europe, specifically Ukraine specifically. And there is a lot of talk in the cyber security community that. At some point we could and should expect a massive retaliatory attack.

And the cybersecurity folks on this side are preparing for that attack. They’re also preparing for a essentially, uh, you know, it’s like the global thermonuclear war, right? The only winning move is not to play. We kind of hope that they never actually do this because we have to wreak havoc if they do. But meanwhile, if you’re just a, an organization on this side and you just have stuff to protect, you can’t be concerned with that.

There’s nothing you can do to effect change there. You, you simply have to be prepared, uh, to respond.

[00:02:57] Stephen Manley: And I think one of the interesting things for me is, is, you know, using the analogy. You know, I don’t have to be faster than the bear. I just have to be faster than you. One of the things that we try to work with customers on is, is there, is that sort of sense of both? Gosh, it’s just, it’s going to be so hard for me to, to, to create protected backups, air gapped offsite.

Plus, I’ve got to figure out how I’m going to monitor and I’m going to have to operationalize all this. And then if the bad thing happens, I’ve got to figure out how to recover. And there’s almost that feeling of. I don’t know where to start. And, and, and it’s so hard. I’m just going to put my head in the sand.

And one of the things we try to tell them is, you know, Almost everybody else we meet feels just like you do. And, and, and, and, and if you put yourself in the mind of the attacker, who am I going to go after the one that’s at least got some defenses in place, some, some semblance of control or the one that has done nothing.

So you don’t necessarily have to be the best. You just have to be good enough that you’re not as easy of a target. And, and then once you get started, you can just keep ratcheting up. But, but, but so often I meet people who just go, well, you know, we, we, we, we’ve got a 27,000 point plan and it’s really hard to get funding, to get everything done.

You’re like, well, then don’t do all of it at once.

[00:04:20] W. Curtis Preston: Yeah. I, you know, it’s, it’s interesting. I haven’t thought about it this way before, but you’re right. That probably a lot of companies, they need to do a lot of things. They need to secure their backup environment. They also need to secure their primary environment. And I I’ve never really thought about it this way.

It by using a company like Druva to secure your backup environment. Right. It’s easy peasy, right? I mean, you know, I know I say it a little time. I know I work for Druva, but you compare what it’s like to secure your backups with Druva to what it’s like to secure backups with any on-prem provider. Ours is a PO. Theirs is a series of steps and purchases and, and, and specialists to figure that sort of thing out.

It’s hard to find backup specialists that understand that, that understand both backups and understand cybersecurity. It’s hard to find backup specialists, right. Um, you know, I’m not available anymore. So, so, uh, you know, I’m only one person, but, but it is, I would think a lot easier to find cybersecurity specialists.

So perhaps you do need to do all these things. I would suggest that. Hand us the backend problem, hand us the backups and the restores and the data resilience. And then go do the. Perhaps, I don’t want to say more important. I, this is like 50, 50. You’ve got to have both, but ours is, you know, our side is a lot harder to do on yourself than the front end side, because the front end side, again, it’s a lot of common sense stuff that maybe you should have been doing already.

Well, I should probably take that word maybe out. And there are, you know, scores of specialists that will help you figure out what those things are.

[00:06:23] Stephen Manley: I think in, and, and I think you’ve hit on the right thing, which is for so many people, you know, that skill gap is, is one of the big things. And, and there are frankly, more people, more services, more things you can tap into on that production side, on that network security side. It’s. It’s been around longer, it’s bigger.

Uh you’re right. The number of backup people that truly get security and the number of security people that truly get or care about backup, that’s a much, much smaller Venn diagram. And so,

[00:06:55] W. Curtis Preston: group of people.

[00:06:56] Stephen Manley: so, so yeah, so, so why not focus on the problems you can, you can solve and offload the ones you can’t and, and, and, and.

Just every little bit you do just, just, you know, again, uh, I think of someone with ransomware attack, they come in and they find that they can’t touch your backups. Well, immediately you’re a lower interests, a lower interest target for them. If I know I can go wipe out your backups, I know I can ratchet up the ransom.

I know that you’re a lot more exposed. If I see very quickly, I can’t get your backups, maybe I’ll still attack. But you’re going to be a lower priority target for me. That’s just logical.

[00:07:35] W. Curtis Preston: Well, we know that the, the number one ransomware group, which is Conti. We know what their, uh, method is. Right. They specifically target the backup server. They actually exfiltrate the backups and then delete them. So I like w I like what you’re, you know, where your head is there?

The. They can’t find a backup server, which they’re not in the case of, uh, Druva customers then, uh, they’re they’re saying, well, Hey, our MO is busted here. Let’s go look somewhere else. I, I do like that. The, and I, you know, going back to your Venn diagram comment, finding a group of people that understand both cyber security and perhaps system administration.

It’s, it’s certainly not a, quite, quite a circle. But it’s, it’s a whole lot, you know, in the case of security, cyber security and backups, it’s, it’s just two circles sitting next to each other. Right. Uh, that’s not a Venn diagram at all. It’s just sadness. But, um, I mean, first and the backup circle is really small.

Right. There’s

[00:08:32] Stephen Manley: Right.

[00:08:33] W. Curtis Preston: like

[00:08:34] Stephen Manley: Getting smaller every day. It feels like,

[00:08:36] W. Curtis Preston: Right, absolutely. Um, so what I wanted to talk about here is this concern about holiday weekends. Right? We, we, we, we just had one. Um, and the, uh, but, but the, the ones that are, but Easter is not a national holiday. Right. So we don’t, we don’t take it off.

What I’m talking about are things like Memorial Day where you, you get a third day in the weekend. And then there’s like, I I’d say the worst possibly is Thanksgiving because many companies unofficially take off Friday. So you get four whole days where no one’s really looking at the, the data center.

And it’s, I think that we need to think about, so, you know, what happens when they do the, the, uh, the State of the Union address, right?

[00:09:37] Stephen Manley: I mean vaguely right.

Half the claps. And the other half, half of the room looks very angry.

[00:09:44] W. Curtis Preston: Well yeah, that’s a different problem, but basically you have the, you, you, you have the entire government in one room, so you have a massive risk situation. So there is the designated survivor. There is some, you know, he’s like the under secretary of transportation and he. Has to go sit very far from that, right?

Yeah. I think he actually sits in the White House and in a bunker. And that way, if some catastrophic event took out all, you know, everything, you’ve got this guy that, that, that, that is somewhere else. There’s an entire TV show called Designated Survivor. Right. Where I think it was, was it,

[00:10:25] Stephen Manley: Kiefer Sutherland. I saw someone. I was I was I was, I was on my way to a customer site and I was sitting next to a guy that’s watching this. And I was like, wow. Kiefer Sutherland then went from Jack Bauer guy who is, you know, to now he’s like the president, you know, where’s David Palmer.

[00:10:45] W. Curtis Preston: Absolutely. Yeah, yeah. Yeah. So, so what happens in there? He’s a designated survivor. They blow up the Capitol and he becomes president and he has to form the government. W w what’s my point here? What I’m saying is there needs to be someone, sadly, who needs to be told, not only do you not get to take this holiday, you need to be, you need to be looking at all of the things that you’re.

These are all of the things that we need to be looking for over the holiday weekend. And I don’t, I mean, I remember. When I was in IT, which for awhile was a while ago when I was actively in an IT department at a, you know, not, not a consulting phase, but I don’t remember us doing that. Right. I don’t remember us saying, Hey, Curtis, you know, whoever you don’t get to go on vacation this weekend at somebody else, uh, everybody else gets to go and you need to be looking at that.

But I definitely think that’s a good idea.

[00:11:39] Stephen Manley: Yeah. W I mean, we, we used to, to the thing you still have to be careful with because everywhere I’ve worked, I, you know, we’ve, we’ve definitely done that. I will point out it’s often the most junior of the staff that gets left behind, uh, often, often for reasons that are not bad, Right.

They sometimes the volunteer, I don’t have, I don’t have family.

I, you know, Say I want to, I’d rather go off, off time on my vacation, because if you don’t have kids, you can go whenever you want. And so you can, you can get better, all that kind of stuff. But, but what it means is that when bad things happen, you don’t have your most experienced, steady hands at the, at the till.

And then you’ve got this junior person who say, Again, almost, this is my shot to show that I can, that I know what I’m doing. A lot of times they will try to muscle through it. Um,

now let me go to stack overflow. Maybe there’s an answer there and it just gets worse before finally they, they throw their hands up.

I need help. And, and by then it might be too late. So, so, so I have seen companies do better at having, you know, having that designated survivor, but it is very rarely in the event of a catastrophe, the person that you really want. There it is the undersecretary of transportation.

[00:12:53] W. Curtis Preston: Yeah, it definitely is the, that’s a really good point because I would add to my recommendation that, cause you’re certainly not recommending don’t do it. You’re just saying, you know, you need to address that aspect. I, I agree. And, and I, you know, I would, I don’t know. I would think about. Some sort of lottery rather than just let’s pick Steve because we just hired him and Steve doesn’t know anything.

Uh, but he’s, you know, what’s he going to do? We just hired him. Right. Um, there also, I think there needs to be an acknowledgement that, you know, you’re in a you’re in production. It probably, everything will be fine, statistically speaking, but if we get hit, you’re coming in. Right. And, and, and there needs to be an escalation process or needs to be, uh, Uh, like a phone tree situation nowadays, it’s a lot easier because when I was in IT, we didn’t have, you know, everybody didn’t have cell phones.

Right. Um, now any, any of the young folks listening are like, holy crap, Curtis is old. Yeah. Get over it. Uh, but, but there are some real examples, many, many examples of ransomware attacks over the holidays. I think about the, uh, was it J JBS or JSB the, uh, the

[00:14:12] Stephen Manley: Oh, this is the meat, the meat, the meat packers, uh, based in Brazil with JBS. Yeah, I remember that.

[00:14:17] W. Curtis Preston: They, they were attacked over the Memorial Day weekend.

Um, and which is interesting because I’m not even sure they did, they celebrate Memorial Day over there, but

[00:14:28] Stephen Manley: Well, so, so, so, so they’re anchored in Brazil, but, but their IT, a lot of their IT was actually based in, in, in North America. So U.S., Canada, Australia. So yeah, so, so, so what got hit wasn’t necessarily their core packing facility in Brazil. It was all the mechanics and the, and the supply chain stuff that happens, uh,

[00:14:48] W. Curtis Preston: Uh, the supply chain once again. Uh, and then

[00:14:52] Stephen Manley: chain.

[00:14:53] W. Curtis Preston: I ha I really hesitate bringing this one up because we have to mention the. Let’s see, uh, what, what the author did with this story. Ransomware attack creates cheese shortages in Netherlands, and it was over the Easter and the subject or the, the, the, I don’t know, what, what would you call this?

The main heading there? It says it was, yeah, it was not a gouda situation. And I

[00:15:18] Stephen Manley: Yeah.

[00:15:19] W. Curtis Preston: just, you know,

[00:15:21] Stephen Manley: Yeah,

[00:15:21] W. Curtis Preston: nothing like nothing like a good pun,

[00:15:24] Stephen Manley: I had, that was nothing like a good pun.

[00:15:29] W. Curtis Preston: But that’s another one where basically they had a ransomware attack over a holiday weekend and, uh, you know, it took out everything. There are many, many examples of these where when, uh, you know, when a holiday comes up, that you could be subject to a ransomware attack. When, when we, I will say that again, this is another.

Benefit of having a service-based data protection company is that, you know, we’re going to be working, you know, there’s going to be more than one person looking out after the, the, the Druva infrastructure. So at least your backups are protected during this, uh, outage or, you know, during an attack or anything that you have, you don’t have to worry about that.

You just have to worry about securing your, your primary environment.

[00:16:24] Stephen Manley: Yeah.

Yeah. And I think, I think the other thing to look at is as, as you go through any of these things and into your point of a plan, a plan is critical because. We, we work with a lot of really, really big companies. We also work with a lot of smaller companies and, and, and the smaller companies, especially smaller companies, government schools, school districts, all those, all those sorts of things.

You usually have one or two, you know, sort of more experienced generalists. You can’t keep them on call 24/7 forever. And burnout is real. And so you’ve got to figure out the sorts of things you can offload. You’ve got to figure out how you can survive to give them downtime. And, um, and, and, and these, these, these, these, this holiday weekends are key for people.

And so, so it puts a target on your back. Yeah.

And we get that right? Because again, putting, putting my, my bad guy, hacker hat on. Yeah. I’m absolutely going to try to expose the periods of time where I think you’re de-staffed and I have more time to, to create havoc. Uh, But at the same time, you’ve got to set up and, and, and so this, this to me is always why it comes back to, if you can offload the job to somebody else, especially if you’re a smaller company, it’s the right thing to do.

Uh, there’s just, there’s, there’s too much work to, to keep trying to do it all by yourself.

[00:17:50] W. Curtis Preston: Absolutely. And you do need, uh, you need both a DR plan and you need a ransomware recovery plan, which starts with a DR plan, right. It starts with the ability to recover everything. And then you need to talk about what would happen in the event of a ransomware attack. And, you know, back when I was. Working with companies one-on-one helping them to do DR plans. I remember being very critical of, of companies that would, they hired. Like, um, I remember that he would hire like Deloitte right to come in and build a DR plan and none of, no one in this company, building a DR plan, would ever talk to the person responsible for the backup system that was going to actually do the recovery.

And so I was always, you know, the backups have to work right for, right. So, and I’ll just say that, that at least you have that part of it handled. You do need a DR system on top of that, and we can provide that, right. We can provide DR as a service. And then on top of that, you do need to build a and how do we respond if a. Ransom, you know, if we are attacked by ransomware and we can help you with that as well. So, um, yeah, so I think we’re in violent agreement here that this is something we should be concerned about that as we come up to the Memorial Day weekend, something that you might want to think about, get a designated survivor and please don’t just make it be Steve. Poor Steve, you know, just, just got hired. He doesn’t know anything.

[00:19:17] Stephen Manley: Three days into the job, I guess I’m working this weekend and I can’t even have cheese now because it’s all gone.

[00:19:25] W. Curtis Preston: Absolutely. That’s not Gouda. No, no, no. That didn’t, that wasn’t any better the second time. All right. Well, uh, thanks for, thanks for chatting with me about this.

[00:19:35] Stephen Manley: Uh, everybody be safe out there and enjoy your holiday weekend.

[00:19:39] W. Curtis Preston: Absolutely. And remember to subscribe to the podcast so you don’t miss an episode and remember here at Druva there’s no hardware required.