24:55 Video
Ransomware Jail. Is There Any Way Out?
Is there any way out of Ransomware jail? Discover how Pure’s portfolio can be used with Commvault, Veeam, Veritas, and more to safeguard against ransomware attacks.
Click to View Transcript
Andrew Miller: Welcome to Pure Accelerate Digital 2021. And more specifically to the session "Ransomware Jail. Is There Any Way Out?" Or maybe even you know, if I'm trying to make bail, I'm asking that for a friend. I'm never asking it for me. Today, what I'd like to walk through is three sections. First
two are more educational talking about first threat scenarios, new developments, the underlying factors behind ransomware. Secondly, General defense in depth recommendations, things you should be thinking about, there's no, there's sadly, no silver bullet in this space. Then last, but especially not
least, how Pure can help not starting there, potentially. My name is Andrew Miller. I'm a principal technology strategist at Pure. Potentially most importantly for today, I started on the customer side for seven years, admin, engineer, and architect everything from storage to virtualization,
security, to networking, a lot of different hats and learned a lot. Although it was kind of painful at times, sometimes, eight years on the partner side SE to manager to director make promises on a whiteboard and they come true, you get to come back if not, not so much, building out a tech marketing
team for a couple years for a company in hyper growth mode a week or two a month in Palo Alto. And now enjoying my role at Pure where I work with customers and partners liaison back to product management engineering as a store to peers technical vision. And I'm human, I've got kids. And this may be
this may be the only kangaroo picture you get to see today. So depending on where you're on the world that may make you smile, who knows. Now we know that we wish as it practitioners, this is what we wish our life was like and maybe even now with work from home and at work. It actually can be laptop on the
beach kind of thing. But we know that life is really much more like this, right? You know, there's constant deadlines, new projects, things from CIO, competitors, etc. So while we want things to be like this on a day to day basis, frankly, it's more of just trying to keep up and into that comes to the very
unwelcome guest of ransomware. Alright, so based definition, keep it fast, encrypted data until you pay money, you don't get it back. Okay. Now, these slightly technically starkie. But actually also technically correct definition, is a problem that requires unplanned restore of massive amounts of data from
systems that just weren't designed for it. Right. So you know, when I was a backup admin I on a college, if you'd asked me, Hey, can you restore 50% of your data center really fast for backups? I just kind of look at you sideways. Like that's not what you do from backups. And that's not what you gave me the
budget for asked me to do any of that kind of thing, right? What's interesting and challenging about ransomware is that it actually often takes out of the picture the tools and methods that are usually revolve around RPO and RTO, disaster recovery type tools, because you know, the encrypted data on the
hosts gets merrily replicated over to the other site right away, because that's what's supposed to happen with replication technologies. But understand this a little further, we have to go into the anatomy of an attack, and really how attackers get in initially. So the initial entry points are
often frankly, us we as humans, so this is, you know, getting in via zero day, vulnerabilities on browsers, sometimes you know, stuff like around, you know, enabling a macro and that kind of pieces. So, as I presented this over the years, because for better or worse, I mentioned this earlier, I've been talking
about this dog for quite a while, if you put in your Mila ransomware into Google, you'll find a bunch of stuff. So often, people don't want to comment during a presentation, but they'll come up and you'll have some fun conversations afterwards. So gentlemen, Toronto, telling me about an
email that he'd received the day before present that looked like it was from iTunes for 4999 out. And now that's not a lot of money. But no, but it is for an app. It's like what did I hear my wife or my kids by the only thing wrong in that email? Was the dispute this purchase link. And unless you did view source,
you wouldn't know that went to a website that might be taking advantage of a zero day vulnerability like the government warn people eight months ago or so to update Firefox, right? Because of zero day vulnerabilities or lady and accounting 7:40am. Opening a PDF looked like it was from
established vendor security hole in a PDF software machine got compromised. Or as you saw, I've got kids, we all have families, significant others, etc. If we get an email that says there's been a security event at such and such area or maybe a COVID, outbreak, etc. Our primal brains kick in, we're not thinking is
this a ransomware attack, we're thinking what's going on my loved ones I need to know kind of thing. Now what used to happen before his attackers would get in and try and encrypt right away today, as you see their average attack length in 2018 was 206 days. 20 1951 days don't have great data for 2020.
But and these numbers are a little mushy because no one's rushing to report these numbers exactly right kind of thing. But the point is that attackers do not just get in and encrypt right away. A couple years ago, actually here to store and this one I need to wholly anonymize D SQL DB database admin, his
machine got infected, didn't encrypt his machine right away, reached out across the network to the purpose built backup appliance where the database backups database dumps were. And he had that mounted because he was doing table restores and other stuff he ought to do. reached out encrypted, the
backups, then went and reached out and encrypted, the MDF, LDF files, right, you know, the primary data, and then encrypted his machine. That's the definition of a really, really bad day. What we're seeing further now, though, is the attackers saying okay, however, before we go and
encrypt the data, let's think logically about how will people avoid paying ransoms, we'll have backups on data protection methods. So during that time, that 50 to 200 days, trying to get access, it was a great ryoga tech chain for Microsoft all the way to domain admin credentials, even hopefully access on your
backup servers on your storage arrays on the data targets where you send your backup data to, so that they can very logically break backups or re snapshots. Then they go and encrypt, they ask for ransom. And now when we're in recovery mode, there's two things that become critical here. First, do I have my data
before the point of encryption, not necessarily all the way back to gain access? Because if we roll company data back weeks or months of companies make literally go out of business, frankly, that's just not viable. But do we have the data before the point of encryption end? Do we have it in a form that's fast
enough to restore to avoid major organizational reputational financial impact? Now, one thing that I try to be very upfront about here is that the the world has gotten scarier, and it's not slowing down. Fortunately, sometimes I'll get this kind of a presentation, you know, a lunch and learn in a steak house
where people have knives you're trying to be careful. But five years ago, impact of ransomware was around $24 million numbers that I've seen for 2020, around $20 billion. That's 833 times growth in five years. That's insane. It far outpaces any Silicon Valley hyper growth story you may have heard about.
Also, the point there is that it's not just the ransoms paid, it's the impact ransoms paid have actually been spiking. But the impact the organizational, reputational financial impact is the LARP is much larger than ramsons paid. And we even saw a clue that this might be happening. Back in 2015. There's
FBI Special Agent Joseph bonneval, onto the public store where he was at a small cybersecurity conference, a local reporter, you know, his news, doing some q&a afterwards, just being very direct, and was recorded as saying new often To be honest, we often advise people to pay the ransom the
ransomware is that good now that got in from the local paper to regional to national paper. And of course that came. We saw that shades of that back then. And so many high profile targets. Now, if you'd like to keep up the space and educate yourself, a little bit of a free kind of career educational tip is create
a saved Google search and go and have that email you whenever there's a new hit on ransomware don't have an email every single time there's no hit have an email you on a daily basis are only getting 20 3040 emails a day kind of thing. In that you'll see nonstop stories about customers being hit to tax one
to highlight because there's so many out there, Medical Center, multi multi hospital organization in California that got hit, leaving the customer name out because I tried to be number one, you know, put focus on people that have gone through very challenging event. And they actually got hit and for seven
days, seven days they couldn't dispatch ambulances access the EMR, the core medical data, CT scans, etc. Could do CT scans, that kind of thing. After seven days, they chose to pay the ransom, which was only $10,000. Now if you're familiar with healthcare and hospitals, like $10,000 is almost a rounding
error on a medical budget. Average attack average ransoms have actually been going up over the last couple of years. So it's in the 100 to $200,000 range which still for a hospital IT budget is not a significant other money necessarily depending on the hospital. But then 30 days after they pay the
ransom, guess what happened? They got hit again. So there's a little bit of a blank if you do and blank if you don't dynamic going on here, unfortunately. Now we've had worms and viruses with us for a long time. Right? What's going on here to change two main impact items want to
walk through first is around how do you pay the ransom. So think about a thing about you know, old movies, you've got a briefcase full of money you put under a park bench, put in a trash can, etc. The first thing that's changed is how we pay the ransom specifically cryptocurrency now, I'm not here
make kind of political financial social commentary on cryptocurrency, Bitcoin, Ethereum Dogecoin, whatever else, okay, what I am here to say is this provides a relatively reliable, relatively anonymous payment method unless you get a state actor pretty unhappy with you. It's basically
anonymous kind of thing. And now if you remember that $10,000 ransom, not a lot of money in some ways, but in the US average software developer salaries 69,000 a year at other parts of the world, you know, very different costs of living where, you know, average salaries might be 20, or 10, or five or less,
right, you know, kind of thing. This is now where it starts to become an economics commentary. And part of why I've continued presenting and talking about this topic is because it keeps being relevant, but also meets this fascinating intersection of economics, finance, of psychology of technology all
kind of pulling together. So we're familiar with the current economic concept of outsourcing. Right, and that, you know, production follows, where their skill sets, there's the raw materials, etc, kind of thing. This goes into the idea that cryptocurrency enables the outsourcing of ransomware
attacks around the world. And then you pair that up with number two ransomware as a service kits. So if you're sitting here thinking, you know, I feel like my careers in a dead end, I don't know what my boss is gonna retire, you should absolutely think about cybersecurity, not not whatever
else you were thinking about as a career transition choice, I get it. But the reality is, on the dark web, you can purchase ransomware as a service gets even with different business models, sometimes, you know, you purchase the whole thing, you own it. Other ones, you know, 80% is yours. 20% goes back to
the kid author, you know, vendor who actually maintains it, even lead to some kind of market segmentation, with different price ranges, different amounts of configurability encryption types, technical skill needed from, you know, a stereotypical script, Kitty to someone who can copy paste, and someone has more
of no technical aptitude. There's even what I call the power of the channel. This is a little bit of my own career reflected here, that I went from kind of customer to partner solution integrator to vendor, right? That same dynamic happening in the ransomware landscape, you're like, Well,
okay, I get the vendor. And the companies that you know, people that get these kits, they're the vendors or solution integrators or whatever, right? But customers really well, when you get hit by ransomware, you've been acquired as a customer, a very unhappy, unwilling customer, but you're now a
customer, where it's in their best interest to make it as simple and as seamless as possible, do pay the ransom. So coming into f5, intentionally want to get infected by five different ransomware variants. They didn't pay the ransom didn't VMs don't feed the beast. And they actually wrote a case
study about the best practices around customer support, that actually the ransomware vendors provided everything from helping navigate Bitcoin to sending us I mean, this was actually a good customer service experience. Last point in section number one, landscape threat vectors underlying items. If you asked
me, as a data center architect, is everything in your data center, up to date and patched, Unknown: I really, Andrew Miller: really didn't like that question. I knew how much I have to do every day, there's so much going on. And
things to keep up with, I've got new projects, I'm not keeping up with strict guidelines and patently every single time it comes out. So we're used to competition in various ways. As it practitioners, you know, whether that is Software as a Service, maybe rogue or Phantom, it vendors that, you know,
packaged products into a simple solution. We're not used to someone competing with a core and efficiency of modern it today, whether it's in the data center, or in the cloud, keeping track of every single layer in the stack, keeping everything up to date, keeping everyone intelligent about how they use
their computers. This is the reality. And why sadly, I've been saying for almost five years now, it's still true. Unfortunately, slowing the growth of ransomware in the near term, is almost impossible. So what can we do? This is interesting, hopefully, but but discouraging, I realized. So for
So for part two. Let's talk about defense in depth. Okay, so we talked about how ransomware in some ways is a subset of a disaster recovery conversation. It's also a subset of a security conversation. Okay, so whenever you think about security, there should be defense in depth or maybe maybe security in depth.
If there's too much operational overhead, we have too many layers. The layers can become meaningless. It's what I saw is called you know, barking Chihuahua syndrome. Like you get so many emails that you might make an auto file roll and me to look at that. I never did that. Right. So thinking about we need
layers of defense in depth, but thinking about how many we have first, from before the attack human standpoint, this is focused on us as people education, you know, things around, I'm not enabling macros. Being careful about opening attachments. If I get an email from Charlie Jane, Carla, the
CEO of Pure who emails me personally just about never right, I should be very careful about sending constant information to his personal email for an urgent board meeting, you know, kind of thing. Next, before the attack from a technical standpoint, this is a huge landscape,
hundreds, even 1000s of products, many of them that we partner with is Pure, many of them, that our partners, our channel partners, solutions integrators diode resellers, focus in and specialize around recommending for you. As well as we have various partners that actually do manage security
practices. It's absolutely worth looking into this. Make You don't have too much in this space. But you definitely need multiple pieces here. Next, before the attack from a financial standpoint, now this is about cybersecurity insurance. So I used to only talk about this in terms of the
downsides, to be honest that you knows, we know that insurance companies are in the business of writing premium or writing policies not paying premiums, that's fine. That's their business model. But actually, they're insurance vendors that actually have recommended lists of companies that can help you
during recovery, what to do what you need to disclose financially, or for regulatory reasons, or helping clean out the data. Last, but not least, of course, is after the attack from a technical standpoint, right? I knew that we had
to get your data protection, getting to know a little bit of what peer does. So does anybody need the FBI or HIPAA to tell you that you really need backups? Right? It's easy, right? We should be done, we still got another few minutes left. But there's more going on here. This is where we always
get a little bit philosophical, or architectural. So when I go back, personal history of being involved with business impact analysis, that's where you take application, you look at the cost of downtime, you group them into tears based on RPO, you know, how much data do you lose RTO? How long to bring it back
online. To do that grouping, you use the concept of risk, you know, so risk, it's a function of the likelihood of a threat, acting on a vulnerability, the impact of that on the organization. So how do you protect against low likelihood or low probability, high impact threats, because hopefully, even
if someone's trying to attack you every day, you're not recovering from a ransomware attack every single day. Right? I'd argue that the last thing you want is a very complex last line of defense. Because if your last line of defense around data protection, requires day to day care and feeding, it won't be
there when you need it, given all the other stuff that you have to do every day says, complexity is the enemy. So what can we do here from a Pure specific perspective? Now we're in section number three, two key architectural concepts. The first is around simplicity and reliability of data recovery.
Fundamentally, do I have my data, if I've been attacked, do I know for sure that my data protection is still around the backups have been compromised, or data protection points have been deleted. How we do that is around simplicity, simplicity of setup and of day to day operation. And also
immutability. I haven't mentioned that term yet, probably should have sooner, we'll come back to that more as we go along the way. And even can we protect to the point of if someone has compromised the admin credentials on the data protection systems, that's a really hard scenario to protect
against. But next, maybe I've done all this work up here, great. But if I can't recover fast enough to avoid major reputational, organizational financial impact, backups exist. So a customer different competing system, not going to call it out by name, they went to recover. Fortunately, backups
hadn't been compromised. And it was almost like Windows progress bar style for a large amount of their data center back to the often ransomware can now drive having to restore, you know, 4050 60% or more of your data center, not just a couple files, right? So you may have faster stores for a couple files. But
what about for 50% of your data center, they went to restore. And it was like more like Windows progress bar style just kind of counts up and up and up and up. They got to the point where it was 60 days and they cancelled it. The tree falls in the forest does it make a sound i don't know i'm not sure i
care. But if your backups take 60 days to restore your data protection, 60 days to restore, they actually exist, is painful to think about. But I'd argue they don't speed of restore. And Pure working with various backup vendors around features live mount even explores the dive in and we do have actual customers
of help with this. So I like to talk here about now. go even further. What Pure does is usually in terms of what I call the trifecta of getting credit to appear and cut for that, before the attack simply implement and operate during the attack knowing that I've got my data, whether due to
immutability in safe mode, or we'll say what Safe Mode is in a minute. Or and then after the attack, can I bring it back quickly enough, not just to restore, but even for restore iteration. Because if you have to clean out route change credentials clean out rootkits you may need to try multiple
times with certain VMs or servers, etc. And so you tried once and get it out? Well, can I try again? How quick can that restore iteration loop be? So the first line of defense immutable snapshots on primary data. This is why I like to say snapshots on Pure snapshots want to be when they grow up, you can
take them instantly, you can have 1000s of them. There's no performance impact when you do and usually there's not these random garbage collection processes that kick off in the background and in unpredictable ways. They've, they take no space when you make them. And as they do diverge from the
baseline, duplicated and compressed, same data reduction pipelines Pure has in general. Importantly, they've always been immutable. You cannot modify snapshots on Pure. So now I say this is intentional. He's on primary data, this can be on flash array or flash blade for familiar with your products,
that kind of thing. But really what's your primary data, your application data, it's in a format, where you can clone off of a snapshot, you can roll back from a snapshot, and not have to rehydrate it from another system, okay kind of thing. There's nothing faster than metadata at that point, well
architected metadata, there's actually a case study, a blog post on the Pure website of a hospital, that was nothing more than Pure snapshots was able to recover from ransomware attack. And the reason why I highlight this is because the vast majority of attacks do not many attacks, do not
get access to the storage array to the backup servers, attackers are getting smarter, they're doing that more. But if they don't, this is all that you need. This is where it stops. And this is a feature we don't charge for. And it's very robust and proven out. Next, though, going into the idea of better
backups, right kind of thing. So when we talk about this, this is now say, because this should maybe be a belt and suspenders approach, we've got protections on my primary data, I just want to protections my backup data, maybe not everything's on Pure. Okay, I get it. So let's think about that same trifecta. For a
backup standpoint, from a Pure perspective, we can give you a fast tear, whether it's flasharray. See, that's a balance of cost and economics and capacity and performance, or flash play that is super high throughput. We can put these underneath the existing backup and recovery products, many
companies that we partner with veem combo Veritas, maybe you keep seven days or 14 days on a very fast recovery tier that has extra protections. We'll talk about that in a second. And as well as those recovery tiers can either enable can enable data labs, or other or live mount or other ways of running the
backups that re being able to restore where the VMs say run off the backup storage, and they can storage v motion them back, or crazy high throughput. So if you ask me, How can I get 50 gig of throughput? On a regular storage platform, I get a little bit queasy. On flash blade, it's around 50 gig I can we're
actually working to the numbers around 270 terabytes an hour, which is actually pretty crazy. But what about that safe mode thing? The thing about better backup. So this is now capability that's provided both on flash array, and flash blade, it can plot apart primary data and backup data. It actually
started a couple years back when we had a customer larger software as a service company, you know than they have. And they were worried. They if they had an admin go out the door unhappy the classic rogue admin scenario, if you will, how much damage could he caused the trust of their employees, but just
contractually like how many contracts would they have to pay out to their employees. So they asked us to provide the ability to actually prevent an admin from doing the final deletion of data. This actually builds on top of some of the capabilities that we had around how we handle snapshots and snapshot volumes
when they're deleted, stay around for 24 hours, that's kind of an admin get out of jail free card unless you manually do the final purge, or eradicate, if you will. So Safe Mode is a capability built on top of our snapshots been around for 10 years. Safe Mode itself has been around for a couple years now.
And actually is immutable snapshots plus more that prevents the local admin even if someone has compromised admin credentials like a ransomware attack or from doing the final deletion of the data on a Pure system. It can protect any data set, backup data, primary data application data. And we don't
charge for this feature. I Pure Andy Andy stone likes to call this almost kind of a permissions air gap. Sometimes the term air gap gets turned around this context. It's not usually real physical air gaps. But the idea that you need a separation of powers to do that final deletion, that's where
Pure support is involved. Now, I intentionally in public formats don't talk specifically about how we do this, I like to talk about what we do, which is that CES solves for the very challenging attack scenario of admin credentials being compromised on a storage system, having any storage system,
right, our backup server or backup data target. And that actually that final deletion of the data so that you know that you can have your data before the point of encryption. Now it goes back to that original anatomy of an attack slide, you know kind of thing and we don't charge this feature, it may take
extra space, right? snapshots take space, but that is well worth it through recovery scenario. Now, I hope that you've enjoyed walking through this, this is actually a condensed down and trimmed down version, sign that off and I'll walk through in 45 or 60 minutes. We've also got some
great deeper dive sessions, specifically around flash blade, and around flash array, and more of how this functionality works. as well. I'm looking at doing a deeper dive to kind of set another tear session that instead of this being you know, 24 or 25 minutes is actually you know, 45 to 50 minutes where we
kind of play out some of these factors more and even think about some of the pieces that are going on. I hope this was helpful. I greatly appreciate you attending accelerate. Enjoy the rest of your week.
Meet with an Expert
Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.
Questions, Comments?
Have a question or comment about Pure products or certifications? We’re here to help.
Schedule a Demo
Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes.
Call Sales: 800-976-6494
Media: pr@purestorage.com
Pure Storage, Inc.
2555 Augustine Dr.
Santa Clara, CA 95054
800-379-7873 (general info)