Ransomware attacks are an unrelenting threat to organizations. Stats show that every second, approximately 19 attacks are orchestrated worldwide. The high-profile ones grab wide public attention, but there are many less publicized cases that we don’t know of. Some of these victims are still dealing with the aftermath years later.
Druva presented Druva Security at the virtual Security Field Day event last week. Security is a fundamental piece of all of Druva’s endeavors, and it is narrowly focused on two things: reducing the severity of the impact and the time to recover. Sr. Product Manager Badri Raghunathan gave a tour of the spectrum of real-time ransomware detection and recovery capabilities baked into the Druva platform.
At the Losing End
What makes a ransomware attack an existential-level crisis for organizations is that the targets are always high-worth assets and critical infrastructure. Modern organizations, even small businesses, are complex systems. They are made up of teams of engineers running hundreds of services that touch every part of consumers’ lives, all of it happening behind the scenes. Powerful and clever ransomware gangs disrupt the workings of this critical infrastructure, destabilizing institutions of the highest repute in an instant.
Typically, an attack begins at a single point of vulnerability and festers gradually into the rest of the environment as the attackers move laterally across the network looking for the prize.
“Given our footprint, it’s a secular trend we see across workloads – ransomware attacks on the edge spreading to the cloud, and the datacenter and public cloud – no workload is spared,” said Raghunathan.
Over and over, companies have sustained catastrophic losses for not being able to catch the breach swiftly. With the latest attacks, experts say, only organizations that can respond fast stand a chance of regaining control of their assets without incurring losses.
Real-Time Ransomware Response and Recovery
Using quick-recovery solutions in tandem with effective cyber hygiene methods and best practices helps organizations come back from a devastating attack sooner. And that begins with a sturdy security posture that prioritizes prevention over cure.
Raghunathan referred to a particular case to make this point. In that case, the attack was detected after an Active Directory (AD) account was found to be compromised, a huge red flag in and of itself, as Active Directory is where all the permissions and access rights to network resources are stored.
“Having a footprint in the Active Directory means you have the keys to the kingdom,” he said.
Leveraging that privileged access, the hackers dropped a malicious payload across all edge devices. Then a mass encryption event was carried out, locking down all data in the cloud accounts.
An investigation was started internally while the actors attempted to infiltrate the backup systems. But why not kill the attack chain on the spot, you may ask? Here’s why arresting lateral movement is tricky with ransomware attacks. Attackers use ultra-stealthy techniques that often go undetected by common detection methods. To make matters worse, they have now found ways to piggyback on the defense systems themselves, which allows them to persist in the environment for a long time, making the damage widespread and lasting.
Here’s where real-time detection comes in handy. Druva Security identifies and flags abnormal activity within minutes. In this case, detection took under 45 minutes, which made a full recovery possible within just 4 days. How?
“This customer leveraged our cyber recovery capabilities to lock down infected backups and recover safely and securely,” said Raghunathan.
Druva leans on some foundational protection capabilities to shield data. These include built-in features such as Transport Layer Security (TLS) for data in flight and deduplication for data at rest, reliance on the cloud service provider for infrastructure- and platform-layer security, and so on.
“We see a handful of attacks every other week, and have a lot of experience that helps us improve our products.”
Druva’s swift detection is made possible, in no small part, by its ML-powered continuous protection. It screens the environment around the clock for suspicious requests, malicious activity, and encryption events. Findings are arranged and displayed in a single-pane-of-glass view that tells operators about all active threats and risks at a glance, which helps dispatch an immediate response.
Users can scan all files for indicators of compromise (IOCs) and isolate the impacted ones to contain the infection. Quarantining can be done manually or by integrating Druva with third-party incident response tools. All infected files across edge endpoints can be deleted in one go. In this manner, a full recovery is guaranteed within days, not weeks.
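The workflow described above, as an added illustration that is not Druva’s code: scan backup snapshots for IOC hash matches, flag snapshots that follow a mass-change event (a simple heuristic for bulk encryption), quarantine them so they cannot be restored from, and pick the newest clean recovery point. The snapshots, file hashes and IOC values are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One backup snapshot: a timestamp and a path -> content-hash map (constructed)."""
    ts: int
    files: dict
    quarantined: bool = False


# Constructed IOC hash list; placeholders, not real indicators.
IOC_HASHES = {"deadbeef01", "deadbeef02"}


def infected_files(snap, iocs=IOC_HASHES):
    """Paths in a snapshot whose content hash matches a known indicator of compromise."""
    return sorted(p for p, h in snap.files.items() if h in iocs)


def change_ratio(prev, cur):
    """Fraction of files present in both snapshots whose hash changed.
    A sudden jump across one backup interval is a crude mass-encryption signal."""
    common = prev.files.keys() & cur.files.keys()
    if not common:
        return 0.0
    return sum(prev.files[p] != cur.files[p] for p in common) / len(common)


def quarantine(snapshots, iocs=IOC_HASHES, churn_threshold=0.5):
    """Mark snapshots with IOC hits, or that follow a mass-change event, as quarantined
    so they are never offered as a recovery point. Returns the reason per timestamp."""
    reasons = {}
    ordered = sorted(snapshots, key=lambda s: s.ts)
    for i, snap in enumerate(ordered):
        hits = infected_files(snap, iocs)
        churn = change_ratio(ordered[i - 1], snap) if i else 0.0
        if hits or churn >= churn_threshold:
            snap.quarantined = True
            reasons[snap.ts] = {"ioc_hits": hits, "change_ratio": round(churn, 2)}
    return reasons


def latest_clean_recovery_point(snapshots):
    """Newest snapshot that was not quarantined, or None if every one is tainted."""
    clean = [s for s in snapshots if not s.quarantined]
    return max(clean, key=lambda s: s.ts) if clean else None


# Constructed timeline: t=1,2 normal churn; t=3 bulk rewrite (encryption); t=4 IOC dropped.
SNAPSHOTS = [
    Snapshot(1, {"a.doc": "h1", "b.xls": "h2", "c.pdf": "h3", "d.txt": "h4"}),
    Snapshot(2, {"a.doc": "h1", "b.xls": "h2b", "c.pdf": "h3", "d.txt": "h4"}),
    Snapshot(3, {"a.doc": "x1", "b.xls": "x2", "c.pdf": "x3", "d.txt": "h4"}),
    Snapshot(4, {"a.doc": "x1", "b.xls": "x2", "c.pdf": "x3", "d.txt": "h4", "r.exe": "deadbeef01"}),
]
```

Running `quarantine(SNAPSHOTS)` flags t=3 (75% of files rewritten) and t=4 (IOC hit on `r.exe`), leaving t=2 as the latest clean recovery point.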
With the speed of ransomware encryption reaching unprecedented levels, there is great emphasis on real-time detection and rapid response. The cornerstone for that is a fundamental layer of protection that fixes exploitable vulnerabilities in the environment, continuous protection that combs for anomalous activity 24/7, and broad recovery features that let organizations retrace their steps to the pre-attack state without big losses. Only with all three in place can a clean and speedy rollback be guaranteed. Druva Security covers all three bases, giving companies a chance at rapid restoration.