
Ransomware: Before, During and After the Attack

As ransomware actors continue to ply their trade, prospective victims need to get better at all three phases of an attack: before, during and after. Andrew Stone of Pure Storage shares insights on how to improve defenses by focusing on hygiene, authentication, awareness and logging.
00:00
Field: Hi there. I'm Tom Field, senior vice president of editorial with Information Security Media Group. Our topic today is ransomware: before, during and after the attack. It's my privilege to be speaking with Andrew Stone, the CTO of Americas with Pure Storage. Andrew, thanks so much for taking time to speak with me.
Stone: Yeah, likewise, Tom. It's great to see you again.
00:19
Field: So amid the daily headlines, and ransomware is a daily headline these days, what are the trends that you're watching most closely?
Stone: I mean, I think, Tom, you know, what I'm watching is how these attacks start to evolve. Right? So what we're starting to see more and more are the multifaceted attacks, and we've always kind of seen them to some degree, but now they're
00:42
becoming way more prevalent. So you're getting attacks where it's not just the ransomware on the front end, but you now have data exfiltration coming into play. You even have tertiary and even fourth-line attack vectors, like call media relations services, where the attackers are threatening to call the local media and tell them that you've been breached if you don't pay. They're also extorting money, threatening
01:06
to sell IP to foreign nations or competitors as well. So I guess in terms of trends, I'm kind of watching that, but also industry trends pretty closely, so you know who's next to get hit. We all know health care is prime, continues to be prime. A lot of infrastructure is continually prime. But, you know, what's going to be next, in essence.
01:30
Field: So when people talk about sophisticated attacks, remember nobody gets hit with an unsophisticated attack. But do they mean the attacks or the attackers?
Stone: I generally think they mean the attacks themselves. The attackers, what I find, are in most cases not that sophisticated themselves. You know, what this has evolved to is more business-centric people, as I tend to call
01:51
them, right? The attackers are generally folks going out researching companies, figuring out who's likely to pay. Then they go rent their infrastructure. They go on the dark web, rent a ransomware-as-a-service platform for about 149 bucks a month. They even go buy the credentials to get
02:06
initial access from an initial access broker on the dark web. So these are not folks generally launching, you know, watering hole and phishing campaigns to get credentials. These are not people coming up with zero-day attacks. In most cases they're renting their infrastructure, they're borrowing the tools, they're buying the credentials.
02:24
Right? So I would say that the attackers themselves are not that sophisticated. The attacks themselves, yes, can be. You know, the tooling is quite advanced in some cases now.
Field: Where do you see organizations leaving themselves most vulnerable to these attacks?
Stone: Yeah, I think where they're most vulnerable is generally where they're not looking,
02:44
right? So you can only protect what you can see. And what I tend to find in a lot of cases is that organizations don't tend to cover their entire estate. They will pick and choose what they deem as critical applications or their most high-profile applications, leaving less important, quote unquote,
03:05
applications more exposed. Well, as an attacker, you don't know what the critical applications are when you're working your way through an organization, in most cases. So, you know, where they're not actually watching their applications, that's where they're most exposed and most vulnerable. In most cases it's
03:25
weakest-link theory. Right.
Field: Andrew, we talked up front about the three phases: before, during and after. I want to ask you about some specific subcategories that match these. Let's start with hygiene. What do you want people to know about that?
Stone: It's the most critical aspect of any good security program.
03:42
Right. The number one thing you can do to protect yourself from any attack, ransomware included, is good hygiene. The reason is, where you can keep your systems patched and up to date, a couple of things will happen. Number one, the attackers that we just said are not that sophisticated are going to encounter resistance.
03:59
So if the tools that they have won't just run by default, they're likely to just move on to an easier target. But also, where you're keeping your systems up to date and patched, you need to be able to do things like patching a critical vulnerability in 24 hours, a high in a couple of days, a medium in a week and a low within a month.
04:19
Right? But where you're doing that, again, you're building up the resistance that these attackers would encounter overall. So it makes you a much harder target than the guy next door.
Field: Next subcategory: authentication.
Stone: Yeah, same thing on authentication. So, you know,
04:35
multi-factor authentication gets a lot of play. MFA is great, but it's not insurmountable; it can be circumvented. And what I tend to focus on with folks is the concept of credential vaulting, for administrative credentials especially. So where you have admin credentials in your environment, you need to be vaulting those credentials, which means that administrators
04:55
have to check them out to use them. They use them for the period of time they need, they get checked back in, and those credentials rotate. And, you know, platforms like BeyondTrust and CyberArk have these capabilities. They're expensive, they're hard to implement. But where you do that, again, you raise the bar on the attacker. You make it that much harder for them to get admin
05:16
credentials in your environment, which really slows their ability to launch an attack.
Field: And the next subcategory is a big one: awareness.
Stone: Awareness is huge. You know, there are two facets to awareness. The first is the end-user awareness training that we often hear about, like a PhishMe campaign or something, where you're teaching users don't open these links, don't click on these things. But the
05:36
second category is really around executive awareness training, through the form of a tabletop exercise. This is when you bring your executives together and you actually role-play out an event; you unfold what will actually happen when one of these attacks occurs. And it's really important that you do this with your executive teams at least once a year, if not twice, and you need to include the board at
05:56
least once every couple of years, if not every year as well.
Field: Another category, and one that maybe gets overlooked: logging.
Stone: Logging, you know, just like the first two, you have to log everything. You have to log all of your systems. You can't protect what you can't see. The issue that we often see with logging is
06:15
that you often aren't logging to a fast enough back end, and this is an area where Pure actually can help. The problem with logging is that you're trying to ingest data at the same time you're trying to correlate data on these platforms. With most storage back ends, you can do one or the other but not both at the same time. With Pure, we open up the floodgates, so to speak, so that you have the ability to log and correlate at the same
06:39
time without creating a performance implication. So where you're logging, you need to log everything, ingest it all. Get everything into a big hot and warm pool of data, put the right tools on top so that you can correlate events across three areas: the network, the endpoint and the end user, all three, so that you can then take those events, you can correlate them,
07:00
orchestrate and feed your cyber threat hunters. So you're giving them a sniper scope of where to go look for problems in your environment.
Field: And always bring it back to Pure Storage. If you were to sum it up, how are you helping your customers get a better handle on ransomware in all three phases, before, during and after the attack?
Stone: Yeah. Well, Tom, we just talked about, you know, before
07:19
an attack. It's all around logging. So we provide the fastest analytics platform back ends available on the market today with our FlashArray and FlashBlade security platforms. So where you can run those logging environments like Splunk or Elastic on Pure, we can make them way faster and help you find the attackers, hopefully, faster in your environment, but
07:41
certainly create faster correlations and results for your cyber threat hunters. During an attack, we have a feature called SafeMode on our arrays, which in essence serves as a safety mode, I'm sorry, a safety net on the arrays themselves, so that you have a point to begin restoration immediately after an attack. This is really unique to Pure.
08:01
A lot of folks will talk about immutable backups or immutable snapshots. That's not unique. Our snapshots are super immutable. SafeMode snapshots cannot be deleted, even by someone with administrative privilege on the array. You have to invoke an out-of-band multi-factor support process with Pure support to be able to delete them from an array.
08:23
So they're a guaranteed safety net for recoverability. The last piece, in terms of after an attack, all comes down to speed, because that's what executives care about. With our FlashArray and FlashBlade security platforms, again, we have the fastest recoverability on the market today, especially when you start looking at integrations like what we have with
08:42
partners like Commvault. We're able to get into the hundreds of terabytes per hour of recovery, which is tens or hundreds of times faster than our competitors. So where you want speed in recovery, we have the fastest platforms available today.
Field: Very well said, and I appreciate your time and insight today. Thanks so much for taking time to speak with me.
Stone: Thank you, Tom. Really appreciate it.
09:04
Field: Again, the topic has been ransomware: before, during and after the attack. You just heard from Andrew Stone. He's CTO Americas with Pure Storage. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.
  • Ransomware
  • Video
  • Enterprise Data Protection

In this video interview with Information Security Media Group, Stone discusses: The scourge of ransomware as a service; Where organizations are most vulnerable to attack; Specific areas to address before, during and after a ransomware strike. Stone is an accomplished IT executive with a passion for technology and creating innovative solutions that solve business problems and deliver results. As CTO-Americas at Pure Storage, he is focused on delivering next-gen data storage and protection technologies that help companies get better insights, improve time-to-market and make breakthroughs.
