Your Data Deserves Better Than Veeam - Part 5: Legacy vs. SaaS Microsoft 365 Recovery Capabilities Comparison

Neil Rawlins, Senior Sales Engineer

Walking a Tightrope with Veeam’s Legacy Protection for Microsoft 365? Druva’s SaaS is Your Fast Recovery Safety Net

According to a 2024 Sophos report, 94% of organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. Ransomware attacks are increasingly targeting backups, but a fast and easy recovery minimizes downtime and gets you back to business quickly. Recovering clean data quickly after a ransomware attack is problematic and challenging for most organizations. The difficulties multiply if you’re using a legacy data protection vendor like Veeam.

Here, we’ll explain how two key features of Druva’s ransomware recovery capabilities, alerting you to potential attacks and accelerating your recovery after an attack, make your recovery process seamless and stress-free, and how they directly compare to Veeam’s recovery capabilities. Let’s dive in.

Shortfalls of a legacy data protection platform protecting Microsoft 365 data

Scenario: Let's go through the questions you would have asked to ensure your NAS or file server is protected and secure:

  • Who has access to each of the shared drives?

  • Is the file server backed up?

  • Do we have AV installed?

  • What do we do for users who keep the files on their main computer?

  • How do we control versions?

These questions all still apply today, even for your 365 environments. However, the added freedom and advancements of Microsoft 365 have their weaknesses too. A common one is the “I don’t need backup, Microsoft protects me…” scenario, or the “It’s not on-premises so it doesn’t fall under the purview of my team…” scenario.

When looking at a zero-day threat that’s been ingested into your Microsoft 365 environment, Microsoft has several stages around recovery. 

For example, recovering from even a simple vulnerability can involve the following steps:

  1. Backup Validation — Validate that your backup is good as it is created, before you restore.

  2. Recovery Identifying — Identify a safe point-in-time backup image that you know is not infected.

  3. Data Checks — To prevent future attacks, scan backups for ransomware or malware before restoring.

Traditional backup platforms like Veeam simply can’t meet several of the industry-standard requirements for data restoration. Legacy solutions only back up what is available. They can't tell the difference between normal user-initiated data deletion and data deleted by ransomware.

When recovering from a ransomware attack, legacy platforms can’t help you identify the last clean version of a file. They put the onus on you to hunt for the cleanest version and manually restore.

Let's look at how Druva helps your protection model and delivers ransomware recovery when you need it. Regardless of whether you’re looking at MITRE or the Kill Chain, a key requirement is to know what's been affected and how you can recover.

Druva has multiple capabilities to help you protect and recover your business data, but we’re going to focus on two key features:

Unusual Data Activity — Detects suspicious data modification activity on resources that are being backed up by Druva.

Curated recovery — Looks back at several backup snapshots to find the last clean version of the data without having to manually find, select, and recover from multiple backup points.

Unusual Data Activity (UDA)

When it comes to backups, we know that most backup solutions will back up what’s available. But what about analyzing the data within that backup? Legacy data protection solutions just back up the file and keep adding any new and incremental changes to that file.

The problem is that, today, it’s not enough to back up what’s available and end the process there. With threats becoming more advanced and sophisticated, we have to go beyond the check box and dive deeper. We need to know what has changed when compared to the last backup. Has the data trend changed or has anything substantial and unexpected been removed?

With Druva’s anomaly detection, also referred to as Unusual Data Activity (UDA), we actively monitor the ingested data to alert you when something unexpected has happened to your data. There are several possibilities, including: 

  • Large change rates

  • Deleted items

  • Encryption 

Here’s a snapshot of Druva’s UDA in action:

[Image: Druva UDA feature]

As we can see in the image above, without being aware of changes made to the site and OneDrive baseline, Druva has detected both modified and encrypted files. From here, the IT or the security team can quarantine the resource and decide how to proceed with the recovery process.

With legacy backup vendors like Veeam, we would have been completely unaware of the silent modifications to the file.
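
As an added illustration (not Druva's code, and not from the original post), the three signals listed above can be computed by diffing two consecutive backup snapshots. The thresholds, the entropy test used for encryption and the sample files are assumptions constructed for this sketch.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this sketch, not Druva's values.
MAX_CHANGE_RATE = 0.30  # fraction of baseline files modified
MAX_DELETE_RATE = 0.20  # fraction of baseline files removed
ENTROPY_LIMIT = 7.5     # bits per byte; encrypted data approaches 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare_snapshots(prev: dict, curr: dict) -> dict:
    """Diff two {path: content} snapshots and report the three signals."""
    deleted = sorted(p for p in prev if p not in curr)
    modified = sorted(p for p in prev if p in curr and prev[p] != curr[p])
    # Flag only low-to-high entropy jumps, so files that were already
    # compressed (zip, jpg) before the change do not count as encrypted.
    encrypted = [p for p in modified
                 if entropy(curr[p]) > ENTROPY_LIMIT >= entropy(prev[p])]
    base = max(len(prev), 1)
    alerts = []
    if len(modified) / base > MAX_CHANGE_RATE:
        alerts.append("large_change_rate")
    if len(deleted) / base > MAX_DELETE_RATE:
        alerts.append("mass_deletion")
    if encrypted:
        alerts.append("encryption")
    return {"modified": modified, "deleted": deleted,
            "encrypted": encrypted, "alerts": alerts}

def high_entropy_bytes(seed: bytes, blocks: int = 128) -> bytes:
    """Constructed, deterministic stand-in for encrypted file content."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest()
                    for i in range(blocks))

# Constructed sample: ten text files; six rewritten, three untouched, one deleted.
PREV = {f"notes{i}.txt": f"meeting notes {i}\n".encode() * 200 for i in range(10)}
CURR = {p: high_entropy_bytes(p.encode()) for p in list(PREV)[:6]}
CURR.update({p: PREV[p] for p in list(PREV)[6:9]})

if __name__ == "__main__":
    print(compare_snapshots(PREV, CURR)["alerts"])
```
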

Now, let’s move to the next stage of our problem: recovering a clean copy of our data.

Curated Recovery

Recovering from a clean copy of our data poses a few challenges:

  • Do you recover to a clean server? With Microsoft 365 you don’t have one, so what should we do? 

  • Should we recover back into our now clean Microsoft 365 environment?

  • What if we download all of the data to a server or machine to check and then re-upload (with the potential to restore the ransomware)? 

These questions plague legacy solutions and it’s a key reason why Druva went to great lengths to develop curated snapshots.

Curated recovery works across multiple backups over a defined time period to recover the most recent clean version of the file.

For example, if ransomware was triggered on Friday the 10th, you would set a window of Monday the 6th up until Friday the 10th. Now, Druva will look at every clean file from the 10th going all the way back to the 6th.

[Image: Druva curated recovery feature]

By doing the above, we managed to recover the latest version of every file before the infection. Additionally, the infected files were removed. 
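
The selection rule described above, written as an added example rather than Druva's implementation: walk the snapshots in the window from newest to oldest and keep the first clean version of each file. The snapshot contents, the month and the per-version clean/infected verdicts are constructed assumptions; `rollback_restore` models a whole-snapshot restore to the last fully clean backup, for comparison.

```python
from datetime import date

# Constructed snapshots: date -> {path: (version, clean_verdict)}.
# The verdict is assumed to come from a scan of the backed-up data;
# the page does not describe how Druva derives it.
SNAPSHOTS = {
    date(2024, 5, 6):  {"budget.xlsx": ("v1", True), "plan.docx": ("v1", True)},
    date(2024, 5, 8):  {"budget.xlsx": ("v2", True), "plan.docx": ("v1", True),
                        "minutes.docx": ("v1", True)},
    date(2024, 5, 9):  {"budget.xlsx": ("v3", True), "plan.docx": ("v1", True),
                        "minutes.docx": ("v2", True), "offer.pdf": ("v1", True)},
    date(2024, 5, 10): {"budget.xlsx": ("v4", False), "plan.docx": ("v2", False),
                        "minutes.docx": ("v3", True), "offer.pdf": ("v1", True),
                        "invoice.pdf": ("v1", True),
                        "ransom_note.txt": ("v1", False)},
}
START, END = date(2024, 5, 6), date(2024, 5, 10)  # Monday 6th to Friday 10th

def window(snapshots, start, end):
    """Snapshot dates inside the window, newest first."""
    return sorted((d for d in snapshots if start <= d <= end), reverse=True)

def curated_restore(snapshots, start, end):
    """Newest clean version of every file seen in the window."""
    chosen = {}
    for day in window(snapshots, start, end):
        for path, (version, clean) in snapshots[day].items():
            if clean and path not in chosen:
                chosen[path] = (day, version)
    return chosen  # files with no clean version are left out

def rollback_restore(snapshots, start, end):
    """Whole-snapshot restore: newest snapshot with no infected file."""
    for day in window(snapshots, start, end):
        if all(clean for _, clean in snapshots[day].values()):
            return {p: (day, v) for p, (v, _) in snapshots[day].items()}
    return {}

def lost_by_rollback(snapshots, start, end):
    """Files the rollback returns in an older version or not at all."""
    curated = curated_restore(snapshots, start, end)
    rolled = rollback_restore(snapshots, start, end)
    return sorted(p for p, (_, ver) in curated.items()
                  if rolled.get(p, (None, None))[1] != ver)

if __name__ == "__main__":
    print(curated_restore(SNAPSHOTS, START, END))
    print(lost_by_rollback(SNAPSHOTS, START, END))
```

This sketch would also bring back a file that a user deliberately deleted inside the window, since its last clean version still exists in an earlier snapshot; telling those apart needs deletion records the sample data does not model.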

The next image explains the process if we wanted to achieve the same results using a legacy data protection solution.

[Image: Legacy recovery problem]

This shows that the legacy data protection solution does not have an automatic process to find the cleanest version of the files. You would have to manually go to each restore point and hunt for the cleanest version of each file. However, even then there are multiple risks to legacy restores. 

  • No ability to scan files before recovery.

  • No ability to scan files after recovery.

  • If you go back to a known good backup you lose any recent clean files. This has the potential to lose hundreds if not thousands of files and even more in financial losses.


Druva’s accelerated ransomware recovery and in-depth security are paired with workflow orchestration and recovery automation tools to improve response time, prevent reinfection, and reduce data loss. Plus, Druva’s SaaS solution delivers 24×7 fully managed security operations.

Druva's got your back when it comes to keeping your data safe and sound. Say goodbye to the headaches of handling your own backups like with Veeam. Our 100% SaaS approach means everything you need for data protection is good to go right from the start — storage, computing, software, and security, all bundled up neatly in a single-pane-of-glass solution.

To learn more about how much simpler it is to deploy, use, and back up your data with Druva than with Veeam, visit our Druva vs. Veeam competitive page. Read our in-depth comparison of Druva vs. Veeam on ease-of-use for Microsoft 365. See how Druva cuts out the complexity so you can rest assured your data is always safe, secured, and recoverable.

Ready to try Druva? Your data deserves better than Veeam — switch to Druva and get up to 6 months of 100% SaaS data protection FREE.