Over the past few months, I’ve been working on a website data migration to a new hosting provider. It’s been tough to avoid posting any content, but I wanted to shop out a few new homes for my 600+ posts and also do some content scrubbing without the added distraction of trying to merge new data. Hopefully the site will load snappy and peppy for you!
In this post, I wanted to pontificate a bit on ransomware. Before coming to work for Rubrik in 2015, I don’t think the topic of ransomware was top of mind for most of our technical community. I had heard of various phishing attempts while consulting and dealt with them while working as a virtualization engineer at a big corporate gig. That was about it.
Over time, ransomware designers got more strategic in their efforts by going after the soft underbelly of the data center – backups. Because backups touch everything and many administrators have a mutable (read-write) repository for backup data and/or the catalog database, a ripe target presented itself.
Attack Strategies Have Evolved
Two common strategies have emerged:
- Encrypt all of the critical files and applications and cripple the Operations team by deleting backups and related backup software. Demand cryptocurrency payment.
- Encrypt all of the critical files and applications knowing that there’s no realistic way for the Operations team to recover from backups due to slow restore times. Demand cryptocurrency payment.
Both of these strategies are dirty, but they work enough of the time to become a viable business model. I’ve literally talked to engineers who were in dismay that their multi-million dollar backup system required days to recover critical applications. That’s a huge bummer, and it’s part of the problem with traditional backup: it focused almost entirely on the ingest speeds and feeds instead of restoring applications and data in a manner that is consumable to the users and offers performance.
The root issue in both strategies is downtime – the killer of any organization. This is why a $50,000 USD ransomware attack on the City of Atlanta meant the city “ended up paying about $3.1 million after a ransomware attack, because they had all the incident response, plus insurance claims, privacy monitoring, and contractual hits for missed services.” Of note, the article shares that “defense is not an easy thing.”
Agreed. It’s not easy. And I’ve been writing about this particular issue for a while now.
Providing Instant Recovery from Ransomware
I’m of the opinion that Rubrik’s Cloud Data Management (RCDM) software has done a stellar job at making sure both strategies have a minimal impact for a number of reasons:
- Backup data is immutable (cannot be changed).
- The RCDM application is hardened against unauthorized access.
- We are fastidious about encryption and certificates.
- Instant Recovery makes short work of restores.
As Bipul states below, I think we enable folks to deal with the mitigation aspect of recovery with a grace and simplicity that is not typically found in the data center. The next steps on our journey are to empower administrators to also enjoy that same user experience across the detection vector: to know when a breach has occurred and to understand the scope of the damage.
The three steps of enterprise data security: Prevention (P) -> Detection (D) -> Mitigation (M). Rubrik’s focus on immutable backup and instant recovery delivers M. Now with Radar, Rubrik has taken a significant step in D’s direction. #ArtificialIntelligence #MachineLearning
— Bipul Sinha (@bipulsinha) July 26, 2018
Meet Machine Learning-Powered Radar
Snazzy headline alert! The number of mutations seen across ransomware variants is impressive. Rather than digging through the haystack to find a needle, we decided to bring a magnet in the form of Radar, our second data management application hosted on the Rubrik Polaris SaaS platform.
By leveraging machine learning (ML) and feeding it a countless quantity of data points that are generated from backup metadata, we can construct a logical map of your environment to begin trending what “normal” looks like. When the data points begin to showcase an anomalous behavior, Radar can dig deeper to understand the impact while alerting an administrator.
This is all done as a turnkey SaaS application – there’s no need to set up infrastructure and build out the algorithms on your own. Just point your Rubrik clusters towards Polaris and the backup metadata will be securely transmitted and regularly analyzed.
The administrator – plus anyone from the security team – can review the threat analysis and start making decisions. These are the critical moments in which speed matters. Being able to see the impact analysis, most recent unaffected versions of data, and destinations available for recovery is clutch.
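To make the “trend what normal looks like, then flag what deviates” idea above concrete, here is an added example of my own (not Radar’s code and not Rubrik’s algorithm). It assumes a constructed per-snapshot metadata record (files modified, files created, mean entropy of changed files) and scores each new snapshot against a baseline of snapshots already judged clean, so that the attack itself cannot redefine “normal”; it also reports the last clean snapshot, the one you would want to restore from.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Per-snapshot backup metadata. Constructed schema for illustration; not Rubrik's.
@dataclass(frozen=True)
class SnapshotStats:
    snapshot_id: str
    files_modified: int    # files changed since the previous snapshot
    files_created: int     # new files (encrypted copies often show up as new files)
    mean_entropy: float    # avg Shannon entropy (bits/byte) of changed files; ~8 is ciphertext

# Constructed sample: six normal daily snapshots, then two that look like mass encryption.
SNAPSHOTS = [
    SnapshotStats("s01", 410, 35, 4.1), SnapshotStats("s02", 380, 40, 4.3),
    SnapshotStats("s03", 450, 30, 4.0), SnapshotStats("s04", 395, 45, 4.2),
    SnapshotStats("s05", 420, 38, 4.1), SnapshotStats("s06", 430, 38, 4.2),
    SnapshotStats("s07", 18900, 21000, 7.9), SnapshotStats("s08", 19500, 20500, 7.95),
]

FEATURES = ("files_modified", "files_created", "mean_entropy")

def zscore(value: float, history: list) -> float:
    """Standard score of value against a clean history (population std dev)."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:  # flat history: any deviation at all counts as anomalous
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd

def detect(snapshots, baseline_len=5, threshold=3.0):
    """Return (anomalous snapshot ids, id of the last clean snapshot before the first anomaly).

    The first baseline_len snapshots are trusted as normal. Each later snapshot is scored
    per feature against the clean history; only snapshots that pass extend the baseline,
    so a ransomware run cannot slowly shift what "normal" means once it has started.
    """
    clean = list(snapshots[:baseline_len])
    flagged, last_clean = [], clean[-1].snapshot_id
    for snap in snapshots[baseline_len:]:
        scores = {f: zscore(getattr(snap, f), [getattr(c, f) for c in clean]) for f in FEATURES}
        if any(abs(z) > threshold for z in scores.values()):
            flagged.append(snap.snapshot_id)
        else:
            clean.append(snap)
            if not flagged:            # only advance the restore point before the first hit
                last_clean = snap.snapshot_id
    return flagged, last_clean

if __name__ == "__main__":
    print(detect(SNAPSHOTS))  # (['s07', 's08'], 's06')
```

A real deployment would feed many more features and a far longer history, but the shape is the same: a trusted baseline, per-feature deviation scoring, and a pointer to the most recent unaffected version for recovery.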
When I first saw Radar months ago, I was extremely excited because it gives Operations teams a fighting chance to be proactive in the detection and removal of the evils of ransomware!
Once the threat has been assessed and security measures against further spread are in place, Radar can begin restoring the environment by leveraging Rubrik’s Instant Recovery feature. This can be done anywhere – on-premises using a physical Rubrik Cluster, in the public cloud with Rubrik Cloud Cluster, or even at the edge with Rubrik Edge and Rubrik Air. The code is the same.
Thoughts
As someone who spent a solid decade as a systems administrator and technical engineer, I know how frustrating and powerless it feels to be attacked by an outside force. My job was to safeguard the applications and data held within my company, and any threat to that was something I took to heart. Being able to take backup data – which often just sits in a tape silo somewhere – and use it to detect, analyze, and recover from ransomware is a huge win in my book!
If you’d like to read more on Polaris Radar, check out this blog post by Arushi Jain, this Technical Overview by Leah Schoeb, or even this take from my NZ friend Ben Kepes entitled Rubrik’s Radar Reveals serious startup scope.