27:17 Webinar
How to Build a Resiliency Architecture
Ransomware attacks continue to be top of mind for business and IT leaders—and for good reason; they compromise access to an organisation’s lifeblood—data.
This webinar first aired on 19 August 2022
The first 5 minute(s) of our recorded Webinars are open; however, if you are enjoying them, we’ll ask for a little information to finish watching.
Click to View Transcript
Nearly four and five organizations have been targeted by ransomware within the past 12 months. But what separates companies who are most prepared from ransomware threats from those who are at greater risk. Thanks for joining us today. Our webinar on how to build resiliency architecture using the recent results of ES Gs, ransomware preparing a survey.
Our panel will provide a view of the state of the market and some best practices that can be incorporated at every stage of an incident. Let me introduce you to your panel As practice director for Es. G. Christoph covers research around data protection, data management and analytics with more than 30 years of experience and data storage systems. Christoph is a well known voice in the field.
Next we have pure storage Chief technology Officer Andy Stone as an accomplished I. T. Executive and he has a proven ability to deliver cost effective innovative data storage data storage solutions. Andy's focus is delivering next generation data storage and protection solutions. Guys welcome glad to be here.
Thanks for having us, Jason. Sure. So Christoph, I'd like to hand things off to you first. Can you tell us a little bit about the E. S. G. Survey that was conducted? Yes, thank you Jason. There's quite a bit to cover so I'm only going to give you some of the highlights but needless to say we decided to title this
research the long road ahead to rent somewhere preparedness. So I think you're getting a general sense that there is going to be some work. What we did is we went out and talked to over 600 I. T. And cyber professionals in north America and western europe. We did that at the end of last year and we got
some fantastic results. The one thing we did is beyond the traditional survey questions we asked. We also wanted to understand well what is the state of the market? How prepared are these organizations? So we decided to essentially score the answers we were getting um and also leveraged the next model or loosely leveraged it to be able to measure
against multiple dimensions what the market looks like. Now of course the respondents didn't know they were getting scored, they didn't know who did the scoring and I don't know who they are. So um we kept that obviously very confidential. This being said, it gave us the ability to understand where the market is.
And we ended up with four groups based on our methodology and expertise. And I partnered with my cybersecurity practice experts here at E. S. G. We decided to create a score by dimension group organizations in the level of preparedness based on their score. So we have four groups. We had a group of essentially beginners or
novices who didn't score that. Well that's 21, of the sample. So I want to be clear statistically the sample of 600 respondents slash organizations. That's very very significant from a statistical standpoint. So you can really take this to the bank, it is what the market looks like. So about 29%.
We we believe at es gr fall in that category of really beginners or novice is not well prepared. Then we have people who are aspiring to get better. That's another 33%. And then people who are getting closer they are essentially another 23% but only 1515 15% are what we would consider leaders.
Again, that's based on this course. Now you may say okay, that's interesting. But how does that relate to the various stages of preparedness when it comes to cyber resiliency? How does it relate to business continuity or data protection or storage? Well let's talk about that.
So first of all we again I mentioned we scored everyone. Then I decided to create a bit of a night chart here which is you know, the the the usual sort of radar um graph that shows you how you score and that shape sort of tells you kind of where you're good and when you're not. So if you're on the perimeter, your you have a better score.
So as you can see here, we scored people from 0 to 100% against multiple dimensions. The first one was readiness. The second one was prevention. The third one was response. The fourth one was recovery and the fifth one that says B. C. Is for business continuity.
So again loosely aligned to the nicest model. And then we looked at how every group did and what the average market looks like. And the first thing we see, we see obviously here, by the way, the color codes are important. The green, the leaders, they're doing okay in readiness. Not a great score,
but a very very good score in prevention and response. Uh that's important to know they're not doing well though when it comes to recovery. So this is where you start scratching your head. Well, hang on. If you're so good at prevention and response, why is it that you can't recover? And of course that also affects a certain extent business continuity.
So there's a lot more than meets the eye and that's why I think we're gonna have a great conversation today with Andy on the topic. I also want to point out that the organizations that are in stage two, you can see they are in that sort of green, that blue color. If I look at the average of the market. So where the market is, it is right there at that level two of preparedness.
So out of four levels of readiness or preparedness right? With only 15% 15 senior leaders, most of the market is in that second stage. So that's not very good candidly, a lot of work needs to happen here. So again, different organizations will fare differently. But I thought it was important to just provide this view of the market and sort of how it maps
out again as you can see over all the market is in Stage two and everybody is doing really poorly recovery, even the leaders. So let's talk about additional data points that we we uncovered. Uh one of the things that we care about a lot is of course how much business is affected by ransomware and you can lose hours of business very easily here.
We we have a majority of people losing between 1 to 12 hours. Um And the truth is is that these are different from other research I've done on the topic of real world sls or ability to recover data or ability or how much data you lose. So our T. S. And R. P. O. S. And typically those sls are a lot more stringent.
So what I'm seeing really pretty directly here is that rent somewhere is actually elongating the ability for organizations to get back in business. Secondly, there is this idea that well look, I'm going to pay the ransom if I get ransom because after all it's the cost of doing business. Like there are other things that happened, it's sort of a tax.
So I'm just gonna pay. And it turns out that paying the ransom does not guarantee uh data recovery if you pay the ransom. Uh Out of all the people we talked to for those who answered and admitted to paying a ransom and it was a pretty significant number of organizations here, Only 14% 14 recovered 100% of their data so you can
see that it's not a viable option at all. Uh It turns out that the leaders, the organizations that are better prepared actually were better at recovering the data after a ransom event. And there are some reasons for that. I'm not going to go into all of the possibilities but if you've been ransomed ones and you've tried to recover data or decrypt data for example,
there are a number of things you want to do to be able to process things faster etcetera the next time around. And that's I think unfortunately experience here uh is something that helps those organizations do better. It's not a good thing though. You should clearly not expect to get your data back if you pay the ransom.
So uh if you think about the ransomware targets that we normally see, we see that, you know, uh cloud and storage systems are targets. That's why it's important to have a number of advanced capabilities in the technology to prove event those attacks. What I've seen two from the research is that sensitive infrastructure, configuration data stands out as a pretty important type of data
that gets targeted. It's not just the regulated data, the personal information. Of course we know that's valuable or the intellectual property. Yes, that's valuable. The cybercriminals also go after configuration, infrastructure type of data or systems or operating systems. So clearly here's something to think about as
you look at your strategy as you pick, the technology vendors are going to work with and you think about the processes you put in place, so skills skill sets are an issue, there's no doubt about this, uh people are not trained enough. Um There are many gaps that exist now. The leaders in the space, those that are leaders in our research um and better prepared actually have more
skill sets available to them. So there's definitely a correlation there and something that um I think needs to be pointed out. So technology people and processes and of course skill sets are going to be pretty, pretty important. So there's plenty more data but if I think about what would be a high level RFP from a ransomware recovery standpoint and I'm jumping
to the recovery dimension here because clearly that's the area where we know even the best are doing poorly, uh encryption ability to protect endpoint devices, ability to be flexible in your recovery, integrating with your data protection mechanisms with the platform, with the storage and sometimes with cloud services as well, uh the ability to get mutability in place so people can go after the backups or can go after
the data. All of these mechanisms should be in the RFP list, it's a long list from our research, we have at least 15 things that you need to consider and all of these will break down into more capabilities as you look at how to implement these. But the point I want to make is that this is a team sport, right? Uh this is a new animal.
This is different, the market needs help. Uh and I think there's a lot to do so with this in mind. What I'd like to do is uh Andy asked you what your thoughts are, you've seen the research and even more data on the topic. So what what's your your reaction to this? And I think it's really great christophe. I think that the research really shows what we're seeing in the field today.
I think it it truly highlights a lot of the the challenges that that our customers are facing and even, you know, the non customers and prospects that I talked to that they're facing as well. So, um I think that you're probably spot on with a lot of what you're seeing in terms of the actual survey results uh and piecing together kind of the the overall view that you presented here in the research.
Yes, it's it's really a complex topic and I think, you know, what one of the conclusions amongst the many conclusions from the research is that there is a need for really having the right type of strategy in place. You can't just piecemeal things you need to think through this. So obviously you've you've been in the business and you've looked at this very closely for many
years and now in your in your position with pure you have this very unique perspective, what would you say are the right steps or the right approaches to building the infrastructure of the resiliency strategy from a cyber or ransomware preparedness perspective. Yeah, I really think you you need to take kind of a three step sort of view, right, look at before an attack, during an attack and after an attack and really start to
segment your planning into those three buckets that way you can start to apply the right controls from a security and resiliency perspective to each. So, you know, a good example before an attack, something that you really probably want to focus in on is logging, you know, log all your systems so that you can get visibility because of course you can't defend what you can't see um during an attack.
One of the things that we'll often talk about with our customers that's very unique to pure, frankly, is our safe mode feature which allows us to protect from a ransomware attack and it prevents an attacker from being able to delete the data on a pure array even if they have administrative credentials and then after an attack, I'll talk a lot about speed of recovery and how we we build a recovery or resiliency architecture such that we can recover very,
very fast after an attack occurs. Yeah, so it's it's interesting because you're literally followed at a high level the various dimensions, we looked at this model here and um when I think about the infrastructure point I made earlier, because I think that's one of the areas that, you know, I would have bet money in the research that the first point of entry would be
fishing or email and while we ask that question and ensure it here, but the point is it was not even that it was software related, essentially, it was miS configurations, it was infrastructure related type of attacks that were the original point of entry in many cases. So what happens when infrastructure gets compromised, what would you consider the best practice here?
And what do people have to do to really get to this notion of of a highly secured infrastructure? Sure. So, I mean, I I think, you know, the the key is when you start to think about infrastructure is this concept that I call tier zero infrastructure and that includes three primary things active directory DNS and time service without those three things in your environment,
nothing works right. So, you know, if a D goes away, you generally can't authenticate because almost everything ties into a D from an integrated authentication perspective nowadays, you know, time, if time is a way doesn't work, of course, your systems don't work in sync and you're gonna have all kinds of problems. Um and then D N s if you can't resolve host names, of course nothing is going to work as
well. So, you know, this concept of Tier zero infrastructure becomes really important because it's a it's a series of components that people don't often think about in terms of planning, they're very focused on their core applications as a business, but they forget that if an attacker goes and hits one of those three areas, they're completely blown out of the water. So you really have to spend the time to to
think about those three things as a dependency chain upon which all of your other applications will be built. Now, what I'll generally say and and of course it's somewhat self serving, but it it's important is where you can run any or all of those capabilities on pure, you should uh if for no other reason because you can protect them with safe mode so you can get back up and running very very quickly when an event occurs
so near instantaneously. Uh and you make it so those Attackers can't fully delete those capabilities. So, you know, focus in on Tier zero infrastructure first, really make sure that you understand how you're going to recover those things because again that they're absolutely critical to everything else in terms of dependency chain and then you make sure that you can secure them in a way
that they can't be fully deleted or corrupted because if that happens a manual rebuild of any or all of them is going to take a significant amount of time. Exactly, it brings up all sorts of other questions around how you also build in technologies around high availability and failing over certain components, um, all of the complexities associated with managing people and access controls.
I mean the list goes on and on and I mean I think it's a great example you gave here and and if I were to sort of simplify it, it's it's you know, there are two things you can break here, you can break the car, you can break the road and when they break the road, your car is going nowhere just the same as when your data is encrypted, you're not going to do much with it.
So I think having both the car on the road are absolutely critical. So you brought up some interesting points around what pure does from a technology standpoint, um could you maybe summarize at a high level the various technology investments that you've made and capabilities, capabilities that you've provided in the platform? Uh and how have you seen organizations use
these? Sure. And and thanks for that question. Again, a bit self serving with Pure but you know, the the fact is pure as a storage provider, it's kind of an elephant in the room. You know, what, why would you talk to a pure storage about security? Right. And the fact is that we have a lot of great
security capabilities frankly that will help a customer protect from these types of events and it all goes along the lines of this before during and after sort of story, if you look at our flash array and flash blade security platforms, we provide a tremendous amount of capability out of the box from those platforms. Things like zero R P O R T O fail over capability with a feature we call active
cluster a near zero capability with a feature that we call active. D are safe mode, which again protects from ransomware style of attacks or insider threats by eliminating the ability for even someone or some process with administrative access to delete your data without invoking pure support in the process. You know, we offer the fastest recovery solutions on the market today with some of the
integrations we built with partners like cohesively and calm vault, so we get into the, you know, hundreds of terabytes of recovery ability per hour with those solutions or even the petabytes of recovery a day like this is the case with Cohee city. So, you know, Pure is extremely focused on this space so that we can provide the right outcomes for our customers.
And of course we're looking at broader integrations in the security space as well like everyone and building additional feature sets, leveraging the machine learning capabilities on our arrays. So we're even going to get even better over time, you know, and and so, you know, when you think of pure, I would say don't think of us just as a storage solution were a phenomenal storage solution.
Don't get me wrong, but we provide greatness in terms of being a security platform for your data as well. Will help you protect. It will help you ensure that you can get it back when one of these attacks occurs and we'll make sure that it happens very quickly when that's the case. So we have a couple of questions that are coming in,
maybe now's a good time to take some uh so Andy I know that you talked a little bit about safe mode. This question is asking if you can just sort of elaborate on how safe mode protects data. Sure. I'll give kind of a fly by here and again, happy to go into much more detail with anybody watching that might be interested, you know, reach out to us please pure storage dot com.
Find the link, you know, to to get in contact but you know with safe mode specifically what we do is build out of band multifactor authenticated snapshots. So what it means is this you can have some number of named individuals in your environment who have a unique pen number registered with your support. If you need to fully delete data from a pure storage array.
Two of those named individuals have to call into support. They get validated via their pens. We then bring the account team online in a zoom session to validate that those are employees in good standing at that company. Once that validation is done, they can then open a an RdP session, a remote session for our support to remote in and help delete the files that need to be
deleted. So the idea is that no administrator or number of administrators on his or her own, their own could go in and actually delete the data from a puree without invoking the pure support process. So takes it completely out of band. Ultimately what that means is that safe mode becomes a safety net on the arrays? I often think of it as the airbags on the car. You know,
it's not the only security control you're gonna use to protect your data, like in a car, you gonna use seatbelts, you're still gonna use brakes, but the airbags might just make it so you can walk away from a really bad event unscathed and that's the whole purpose of safe mode. Nice, good analogy, I like that. Perfect. Um good.
So we have a couple of questions that are coming in around sim so I guess if I can consolidate those questions, what is pure doing to integrate sim. So again, you know, with the flash rain? Flash blade security platforms were highly focused on integration partners like elastic and Splunk to help make those solutions faster. So with pure leveraging our envy and me architecture were able to allow your search
queries from your sim platforms, your correlations to run much faster and you know that's really important because when you're using a sim you're doing two things kind of concurrently. The first is you're ingesting a lot of data and the second is you're trying to look at that data that you're ingesting kind of in real time via these correlation tools that you probably have on top of that data so that you can find
anomalies in your environment and we pure make it such that you can perform both of those operations concurrently without storage becoming a bottleneck. In most cases the storage subsystems on the back end become a bottleneck to those functions you can either ingest or you can search and correlate but doing both at the same time will generally bring those systems to a crawl.
If not to a complete halt with pure. You can even put a GPU in front of us to do some of the compute and to to do highly transactional sorts of uh reviews And we can allow you to leverage the full capabilities of those GPU. S without again impacting the performance and the storage back in. So you can actually peg them at 100% leveraging. Pure really important as you start to look at
large data sets that you're ingesting and trying to work with to actually find these threat hunters in these threats I'm sorry or anomalies in your environment before they actually break out as as an actual attack. Good. Thank you. Alright, last question is mine. Uh so you all have shared a ton of best practices um if there is one takeaway for everyone that's listening that they could maybe
implement sooner than later or just the best practice overall, what would you think that would be? Well, I'll start if it's okay Kristoff and we'll land with you. So I mean so the non pure answer out of me is gonna be hygiene number one thing that you can always do to protect yourself against any sort of attack,
ransomware or other you know, known security vulnerabilities is hygiene where you can can patch your systems, bring them up to date, you create your much harder target for the adversaries and they're a lot more likely to go the other way. Now the pure answer in me of course is you know, leverage the flash array and flash played security platforms to the extent that you can so where europe,
your customer go, turn safe mode on today, if you haven't already, that should be your number one thing. If you're not a pure customer, look at the at the capabilities that pure can bring to the table from a security perspective and see if there aren't specific use cases in your environment where we may be a benefit. So like that tier zero infrastructure,
like your security analytics, your backup platforms for resiliency those types of things. Good. Yeah. From from my standpoint I think the biggest takeaway from the research is that clearly this is a team sport you're going to have especially in a larger organization to work with different types of folks, the storage folks, the backup and recovery people that of course cybersecurity team and
there may be a bunch of other teams, networking team etcetera etcetera. So that's the first point. I think the best practice here is ransomware is not somebody else's problem. It's everybody's problem actually it's such a problem that it is a top concern uh something between top one or top five for many organizations, most organizations are reporting that it is an executive or board
level concern not just an I. T. Problem. So which leads me to my second sort of high level recommendation which is engaged with leadership and making a leadership driven from the top initiative, you should have a holistic view of ransomware preparedness, you should be somehow auditing yourself internally, maybe followed in this model uh measure yourself figure out where you
have weaknesses. Believe me, they'll find them. Uh It's not a matter of if it's a matter of when and I think by taking this into account then translating these requirements into the technologies that will support your efforts. You have a much better shot at again being prepared for whatever hits you, things will change for sure. New attacks will emerge.
There's only one thing I can uh be pretty sure of while there is no statistics in the future uh there will be more and more attacks, it's not going to stop and I think the frequency and scale is, is going to actually accelerate in the next few years. So definitely also a great way to revisit your infrastructure, be better prepared from a digital transformation standpoint.
Um, all of these are good changes that can help the business long term, so it's a great investment anyway. You look at it right, good. And I love that, you know, it's not a question of of if, but a question of how and when it's going to come. Right, so it's sort of the world that we live in and,
and you know, thank you both for offering um some best practices on how we can best be prepared before, during an african attack and hopefully it's just before and not during and after, but you know. Perfect. Well, thank you. Um, I'd like to thank everybody for, for joining on behalf of Christoph and Andy E S G and pure storage. We hope that you learned something today that
you can implement sooner than later. So thank you so much and until next time
Christophe Bertrand
Practice Director - Data Management and Analytics, ESG
Andy Stone
Field CTO Americas, Pure Storage
Ransomware attacks continue to be top of mind for business and IT leaders—and for good reason; they compromise access to an organisation’s lifeblood—data. The recent rash of ransomware attacks has had tremendous costs, including downtime, staff time, device costs, network cost, lost opportunity, ransom paid, and so on. With millions of dollars spent annually to guard entry points to data, many organisations still underestimate the strategic value of augmenting data protection and building a resilient architecture.
ESG analyst Christophe Bertrand and Pure Storage CTO, Andy Stone reviews a recent ESG survey of IT cybersecurity professionals. Using the report as a basis for their discussion, Christophe and Andy provides best practices and strategies for every stage of an incident - Before, During and After.
Test Drive FlashBlade
No hardware, no setup, no cost—no problem. Experience a self-service instance of Pure1® to manage FlashBlade, the industry's most advanced solution delivering native scale-out file and object storage.
Meet with an Expert
Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.
Questions, Comments?
Have a question or comment about Pure products or certifications? We’re here to help.
Schedule a Demo
Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes.
Call Sales: 800-976-6494
Media: pr@purestorage.com
Pure Storage, Inc.
2555 Augustine Dr.
Santa Clara, CA 95054
800-379-7873 (general info)