What is Druva’s Cyberattack Readiness Launch?

W. Curtis Preston, Chief Technology Evangelist

Druva has released a suite of new security features, collectively called the Druva Cyberattack Readiness Launch. This episode of No Hardware Required explores these new features and why Druva feels they have become essential in today’s backup environment. Druva already had air-gapped, encrypted backups that protect against ransomware attacks on your environment. But we wanted to do better: to protect your backups against other types of attacks, and even against human error. That’s what the Cyberattack Readiness Launch is all about: improving your security posture, providing the ability to roll back mistakes and attacks from rogue admins, and even the ability to disallow any kind of deletion in the environment. We never stop making your backups more secure; check out this episode to see how.

[00:00:00] W. Curtis Preston: This week on No Hardware Required we’re talking about Druva’s Cyberattack Readiness launch. With me, as always, is my cohost Stephen Manley. Thanks for joining. Hi, and welcome to Druva’s No Hardware Required podcast.

I’m your host, W. Curtis Preston, AKA Mr. Backup, and I have with me my cybersecurity readiness consultant, Stephen Manley. How’s it going, Stephen?

[00:00:26] Stephen Manley: It’s good to be here. I came straight from Cybertron. So,

[00:00:30] W. Curtis Preston: Did you

[00:00:30] Stephen Manley: You know, nobody gets that. They’re like, uh, the Michael Bay movies threw people off Transformers so much, like, uh, we don’t like Transformers.

[00:00:41] W. Curtis Preston: Yeah, no. We have talked about security features on the podcast quite a bit. Why do you think it is that we spend so much time talking about security? I know at least one of our competitors is trying to bill themselves as a security company. We are a data resilience company. So why is it that we talk so much about security?

[00:01:05] Stephen Manley: I think what everybody in the market sees is that the security problems are the new ones. We’ve always had the traditional problems, the things that you and I have spent our careers on. People make mistakes and technology fails, hardware fails, software fails, natural disasters happen. These are all normal things.

This notion of security attacks, especially going after data and then especially going after backups, that’s new. And so I think it’s almost incumbent on everybody to just go, whoa, all right, I need to take a new look at this. And so I think you see a lot of people trying to figure out how they fit in. Now, from our point of view, because we’re resiliency, we have to be resilient to everything. So security threats, that’s a pretty important one to be resilient to these days.

[00:01:52] W. Curtis Preston: You mentioned that it’s a new problem and it really is a new problem. I’ve been going at this for coming up on three decades.

Ransomware itself is a relatively new problem, starting, from my memory, about 2014, which was when it first started taking off. I think what happened was a lot of the ransomware companies started to eventually run into companies that actually had a decent backup and DR and a ransomware response.

And so they were losing out on money. So then they said, well, then we need to change tack, and we’re going to go directly after the backups. And that really has only happened in the last year or two, I’d say. And we do see it, especially with some of our competitors, where they’re going directly against the backups, exfiltrating the backups, and then deleting them.

We already had a pretty solid response to that type of attack, because our backups aren’t sitting there on-prem waiting to be attacked, but there are still many other areas that we need to be resilient from, because they have tried to attack backups in other ways. Right?

So they have tried to get, uh, control of a username and password. And in our world, a username and password is a pretty big deal. They’ve even tried to figure out ways to get around MFA, right? Multifactor authentication. That’s the kind of thing you mean when you say that we’ve had to continue to add new features to work around these new types of attacks.

I believe there are five parts of this upcoming release. Uh, let’s talk about the security command center and security posture.

[00:03:36] Stephen Manley: For me, you know, kind of the interesting thing here is, you know, people need to understand what’s going on. It’s not surprising to me, but it is interesting that when I go in and talk to a lot of our customers, um, where their brains start is: oh, tell me about your ransomware detection.

Because that’s almost what they’ve been trained by some of the competitors to look at, and the answer is always, look, ransomware detection is important. And certainly we’ll talk about how we can be part of your overall approach to detecting ransomware, because you shouldn’t just take your backup application’s opinion on it, but you need to take a broader look at: do you understand what’s happening across your environment?

Do you understand where your risks are? Because, you know, if you’re hoping to catch that ransomware attack and stop it, and that’s your plan, that’s a really scary plan. And so the command center, a lot of that is saying, look, you want to be able to look across your environment and you want to see all the potential risks that affect you.

And that ties in with the posture, right? Prevention is better than recovery. We’ll talk about recovery and how we have to do recovery, but having a good posture, having good observability, helps you prevent or limit the attack, uh, in a way that’s better than just hoping that you detect it’s happening right as it starts.

[00:05:05] W. Curtis Preston: And also my understanding is that it includes things other than ransomware. Right? So, uh, because I know, uh, UDA, unusual data activity, would spot stuff like that. There’s also, um, unusual activity detection, right? So excessive deletions, uh, which wouldn’t necessarily be a ransomware attack. It could be, but it could be a malicious sysadmin.

It could be someone who has directly gained access to the Druva console. They managed to get a username and password that they weren’t supposed to have, managed to get around MFA, and now they’re deleting backups. It would notice something like that as well, not just a direct, uh, ransomware attack. Can you think of anything else that it would detect?

[00:05:52] Stephen Manley: Well, yeah. So, and I think that’s another good point that I wanna double down on: again, so many of the customers I talk to immediately hone in on, I’m trying to stop ransomware, and that’s, again, important, not trying to understate that at all, but to your point, there are other security risks. And there are other internal risks that they have to worry about, including not just administrators doing bad things, but users, uh, getting compromised and restoring data that they’ve never accessed before to locations that they’ve never been to, all those sorts of things. You’ve gotta have visibility across that, because if you go into your board of directors and say, well, the good news is we weren’t hit by ransomware.

The bad news is we got hit by three other security attacks and an internal bad actor, and we still lost all our data. Turns out you still lose your job. So you really need sort of a broader security assessment if you’re gonna look at that. And I think when you do that, you know, to your point, internal bad actors, uh, but a really key one that we’re seeing more and more of is that notion: if one of my users has been compromised, because let’s face it, that’s who’s likely to get compromised more than anything, some user clicking on some phishing email. Uh, and that user starts acting, uh, oddly. Now that may not be in the short term as damaging as an administrator getting compromised, but you could still lose a lot of critical data that way if you’re not careful.

[00:07:23] W. Curtis Preston: I think we also started talking about the third part, which is the data observability part. Uh, there’s also, I’m seeing, things like policy changes, because we can also notice that, for some reason, for example, someone has deactivated all of your backups, right? Which is another, uh, thing that somebody would do.

[00:07:45] Stephen Manley: Or they could change the retention period, or you could change the backup frequency. You know, it’s striking to me the number of, again, customers I meet that say, well, I need to make sure my backups aren’t compromised. And you are right.

You don’t want to have your backups encrypted or deleted. But if I get control of your environment and I change your backup schedule from four times daily, or once nightly, to once every month, that’s basically the same effect 29 days from now as if I deleted the last 29 days of your backup. And so too often we’re only looking at: are the backups safe?

Is the backup data, you know, immutable? Yeah. You really need to look at the entire end-to-end process, right? This is not just about validating the last step. It’s the whole thing along the way.

[00:08:34] W. Curtis Preston: And I wanna make it clear, you know, sometimes when people say, well, you know, you need to look at this, but you also need to look at that, sometimes they’re deflecting from the fact that they don’t do the first thing. We do the first thing, right? We already had immutable backups. We already had ransomware detection. We even have the ability to handle particular types of ransomware attacks that none of our competitors can handle.

Right. This idea of a ransomware attack that encrypts data over time. We have really strong ransomware protection. And that’s why we’ve been able to say, look, let’s look at the other ways that people could attack your backups. And so I like all of those ways that we can notice bad things that have happened.

So let’s talk about the two, I think, really important things that we’ve put in. If, once that happens, how can we undo the damage? Because that’s something else that I don’t see in a lot of competitive tools. And the first thing I’d like to talk about is, uh, it’s called rollback critical changes. You wanna talk about that?

[00:09:45] Stephen Manley: Yeah. So this is kind of that case you were talking about before. You know, you set up all the smart things you can, you know, MFA, and you’re making sure that no one can get access to your administrative privileges. And again, the one rule in security is, short of, you know, sort of turning everything off and burying it in the dirt and casing it in concrete,

it’s possible it’s gonna get compromised. And so Druva also says, well, yeah, so we’ve made that window as small as possible, but if something horrible happens and you get compromised and, you know, someone in that compromised position says, go delete a bunch of backups, you know, what we’re gonna do is we’re gonna be able to roll that back.

We’re gonna roll that change back, make sure that your backups are not in fact permanently deleted, so that when it comes time to recover, they’re there for you. So, you know, we’re doing everything we can to help you notice unusual activity in your environment. As Curtis said, we’re doing everything we can, you know, to recover your production environment, but we’re also making sure that those backups are going to be there for you even if the worst of the worst things happens to you.

[00:10:53] W. Curtis Preston: So do you know how big that window is, our ability to roll back? And then I,

[00:10:57] Stephen Manley: It’s a seven-day window by default. Within that seven-day window, uh, again, and we’ve had this with some of our customers, we’ll notice the unusual activity, we’ll contact that customer, and that gives you plenty of time to make sure that the rollback happens before it’s too late.

[00:11:14] W. Curtis Preston: There is another new feature that we’re going to talk about. It does require a decision on your part, and it does provide more protection, but it is a little bit more of a commitment on your part. Do you wanna talk about that?

[00:11:33] Stephen Manley: Yeah. So this one’s big. And I know, Curtis, you and I have talked many times on many podcasts about the number of people who throw around the word immutability, and, again, that old Princess Bride line of, I don’t think the word means what they think it means. Uh, where it’s like, well, I try really hard to make sure it’s not deletable, or it’s not modifiable unless you get root access, or, you know, nothing bad could happen unless you get on the disk array where it’s stored and delete everything.

But other than that, it’s fine. Now Druva’s always had its backup such that, you know, it’s stored remotely, automatically air-gapped, automatically in a separate account, automatically kept away from your ransomware. Um, but for those people who say, now I really, really want to be sure that nothing can happen, even with the rollback, even with everything you’ve got, I wanna make sure this backup is here for the next seven years.

And one of the things that we looked at is we said, you know, so many of the vendors are now talking about, well, sure, I’ll put the actual backup data on immutable storage, I’ll lock that down. But all the stuff that I need to interpret that backup, all the metadata, all the catalog information,

well, it’s still, like, on a Windows server. So it’ll end up with a bunch of locked bits that you don’t know what to do with. At Druva we said, that’s not useful, right? What we want is the end-to-end backup locked. We want the metadata locked. We want the data locked, so that when it comes time to get to your data, when it’s time to recover your backup, it’s there.

There’s nothing that you have to stitch together. There’s nothing you have to rebuild. It’s just there. And so the immutability we built in is at the backup and the system level, so that it’s your metadata, it’s your data, it’s the whole thing. And again, that commitment, you’re saying, I want this for seven years.

Wouldn’t you say that if you pick seven years as an example, nobody, not Druva, not anybody, can get rid of that backup for seven years? So all I’d caution you is: when we say it’s immutable, we mean it. So just before you click that button, make sure you know what your retention period needs to be.

[00:13:43] W. Curtis Preston: And I wanna put on top of your comment there, you know, we’re often referring to this, yet again, as immutability. I thought you said you were already immutable. And I’ve written about this, that immutability is a spectrum, right?

There is no such thing as, um, you know, I’m just gonna say this, there’s no such thing as a hundred percent immutability. Even if you had a DVD-ROM that cannot be changed, and that’s what immutability means, by the way: cannot be changed. Um, give me a hammer. I’ll change it right there.

So there is no such thing as a hundred percent immutability. And so when we said we had immutable, we kept saying, how much more immutable can we make it? Right. Which is, I think, what a lot of this security release is about: how many more ways can we protect our customers’ data that we weren’t already doing?

And I think this final one, this idea of the data lock feature that you can optionally specify when you create the backups, that even you can’t change them. I think that, you know, um, again, does things that our competitors can’t do, because a lot of them are, all of them are based on some server that’s sitting on some, you know, it’s some box in some data center, and that box has root and that box has a USB port, and there are a dozen ways to easily attack and take out that server. We don’t have any of those abilities, because our data isn’t stored like that. And so on top of that, we say, well, what else can we protect? And we’re going to protect even against yourself accidentally, uh, deleting it, because you told us you weren’t ever going to do that.

And so we just won’t let you delete your own backups. At your option, right? This is an optional feature. But if you tell us to do that, that’s what we’ll do.

[00:15:41] Stephen Manley: I can’t overemphasize the importance that we’re locking down your metadata too, because again, we all have stories. Uh, I remember a story. I was in the UK with a, uh, large grocery chain, and, you know, they came in and they said, the good news is,

we have all the tapes we need to restore these servers from 10 years ago. The bad news is we lost the backup catalog. So all we have are tapes, and we have no idea what we’re going to do with them. And that is the situation you need to really ask yourself about. Somebody tells you, well, yes, our backups are object locked in AWS.

That’s awesome. If you lose your catalog, what do you have? You have a bucket of bits. So really think about everything you’re looking at here. And this is why what Curtis said is so important. We’re not just looking at how do we keep your bits safe, or how do we keep our part of the chain safe.

It’s how do we give you visibility? How do we give you observability? How do we roll back when bad things happen? And how do we keep the entire flow immutable? Because that’s the difference between a SaaS solution and a piece of software and a piece of hardware.

[00:16:54] W. Curtis Preston: And, yeah, I think that’s a really big point. And I’ll say that, you know, for some of our competitors, there are ways to read some of those backups, or even all of those backups, back in and create a new catalog, but it is, non-trivially, this is not coming out

[00:17:12] Stephen Manley: It hurts really bad.

[00:17:14] W. Curtis Preston: It is a non-trivial amount of time to be able to do that.

Uh, I have done that with other backup products. Uh, rebuilding your backup catalog from scratch is something that does not take five minutes. And when you’re in the midst of a ransomware attack, it is not something that you should be doing. So we said, well, let’s just protect all of the data.

Thanks again to our listeners. Remember to subscribe so you never miss an episode, and remember, here at Druva there’s no hardware required.