Why backup anomaly detection is essential, but not enough.
A fire starts in your home in the middle of the night. You’re fast asleep when a malicious low-life targets your house in an unprovoked and indiscriminate attack. A lit newspaper is pushed through an open window. After a few minutes the curtains catch alight.
Luckily, your smoke alarm is triggered, and you wake with a start. But you’re dazed and confused. By the time you work out what’s going on and get downstairs, the carpet and the armchair are on fire too.
You shout at your partner to “grab the cat, get the hell out, and call the fire department!!!”
You try to contain the blaze with a fire extinguisher. The fire department arrives fast. You’ve successfully stopped the fire spreading and the professionals quickly extinguish the flames. The emergency is over, and you’re relieved the damage was limited.
The fire chief confirms what you already know. Your smoke alarm has saved the day. This could have been so much worse.
What does this have to do with anomaly detection?
It doesn’t take a genius to work out where we’re heading with this analogy. Whether it’s a domestic fire or an enterprise cyberattack, the ability to respond fast is critical.
In principle, the anomaly detection features that are now common in enterprise backup and storage products are like smoke alarms.
The moment a cyberattack is activated, these tools recognise the patterns of behaviour in your data that are associated with criminal encryption or exfiltration events. With almost instantaneous alerts, anomaly detection enables you to respond quickly and limit the impact of a live cyberattack.
Prevention is better than even the fastest response
The ability to respond fast is essential, but remember that by the time anomaly detection kicks in, an attack is already in progress and damage is already being done. What if, in this analogy, the curtains are your HR records, the carpet your billing system and the armchair your email server? Bringing them back will be disruptive, probably time-consuming, possibly costly, and in some cases impossible.
Predatar brings proactive threat detection to your storage and backup environment. The big idea is to hunt down malware before an attack is activated. Why? Because prevention is better than even the fastest response.
So how does it work?…
You probably already have malware in your backups.
More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. This is malware that has slipped through firewalls and front-end antivirus tools, before being replicated into backups and snapshots.
It hasn’t triggered anomaly detection, either because it hasn’t been activated yet or, as is often the case, because it consists of small ‘reconnaissance’ applications such as spyware and key loggers, which cause only tiny, almost imperceptible changes in your data.
On average, cyberattacks aren’t triggered until 14 days after attackers first gain access to their victim’s IT network. It’s during this time that these tools are deployed by the criminals, to gain deeper access and ultimately enable them to cause more damage. Reconnaissance software is currently used in 91% of ransomware attacks.
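To make the argument above concrete, here is a toy backup-job anomaly detector added as an illustration; it is not Predatar’s code, and the backup jobs it scores are constructed sample data. It flags a night on which most changed files look encrypted, as a ransomware run would, but stays silent on a night when a keylogger adds a dozen files, which is exactly the gap that scanning backups for dormant malware is meant to cover.

```python
"""Toy backup-job anomaly detector (added illustration, not Predatar's code).
Each nightly backup job is scored against a rolling baseline of earlier jobs
on two signals that a mass-encryption event produces together: a spike in the
share of files changed, and a spike in the share of changed files that look
encrypted (incompressible). All job records below are constructed samples."""
from dataclasses import dataclass
from statistics import mean, pstdev
import zlib


@dataclass
class BackupJob:
    day: str
    total_files: int
    changed_files: int
    incompressible_changed: int  # changed files flagged by looks_encrypted()

    @property
    def change_ratio(self) -> float:
        return self.changed_files / self.total_files

    @property
    def incompressible_ratio(self) -> float:
        return self.incompressible_changed / max(1, self.changed_files)


def looks_encrypted(data: bytes, min_ratio: float = 0.95) -> bool:
    """Compression heuristic: encrypted (random-looking) bytes barely shrink."""
    return bool(data) and len(zlib.compress(data, 6)) / len(data) > min_ratio


def score_job(job, history, z_alert=3.0, min_history=5, sd_floor=0.01):
    """Return (alert, reasons). A reason is recorded for each signal whose
    z-score against the baseline exceeds z_alert; the alarm needs BOTH, so a
    patch day (many changes, all compressible) does not page anyone."""
    if len(history) < min_history:
        return False, ["insufficient baseline"]
    reasons = []
    for name in ("change_ratio", "incompressible_ratio"):
        values = [getattr(h, name) for h in history]
        sd = max(pstdev(values), sd_floor)  # floor: a flat baseline must not over-react
        z = (getattr(job, name) - mean(values)) / sd
        if z > z_alert:
            reasons.append(f"{name} z={z:.1f}")
    return len(reasons) == 2, reasons


def evaluate(jobs):
    """Score jobs in order. Alerting jobs are kept out of the baseline so an
    encryption day cannot poison the statistics for the days after it."""
    history, results = [], {}
    for job in jobs:
        alert, reasons = score_job(job, history)
        results[job.day] = (alert, reasons)
        if not alert:
            history.append(job)
    return results


# Constructed sample: seven quiet nights, then three notable ones.
QUIET = [(2400, 240), (2550, 260), (2480, 245), (2620, 265),
         (2500, 250), (2450, 242), (2530, 255)]
SAMPLE_JOBS = [BackupJob(f"day0{i + 1}", 100_000, c, e) for i, (c, e) in enumerate(QUIET)]
SAMPLE_JOBS += [
    BackupJob("day08-keylogger", 100_000, 2512, 252),       # 12 new files, 2 packed
    BackupJob("day09-patch", 100_000, 31_000, 3150),        # OS update churn
    BackupJob("day10-ransomware", 100_000, 61_000, 59_500),  # mass encryption
]

if __name__ == "__main__":
    for day, (alert, reasons) in evaluate(SAMPLE_JOBS).items():
        print(f"{day:18} {'ALERT' if alert else 'ok   '} {reasons}")
```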
Predatar assumes that any workload in your storage or backups could be infected. By running fully automated recovery tests and full malware interrogation using Trend Micro Vision One, Predatar finds and eliminates even inactive malware before a crisis begins. Predatar is always-on, hunting down threats based on intelligence from Trend Micro’s global threat intelligence network.
Does Predatar make anomaly detection obsolete?
Definitely not. Cyber resilience is all about layers of defence. In fact, Predatar has some powerful anomaly detection built in to complement its proactive threat-hunting capabilities.
The great news for lots of businesses is that in most cases, the storage and backup products they are already using have anomaly detection capabilities built in, including these ones:
If you are using any of these products, you really should be utilising the anomaly detection features that are available to you. The products above are also compatible with Predatar. So adding proactive threat detection to your backup and storage is easy.
In conclusion
Anomaly detection for your storage and backup environments is essential for limiting the impact of live cyberattacks. Businesses should make sure they are enabling the reactive anomaly detection tools that are built into the platforms they are already using.
Predatar is different. Infrastructure teams can quickly and easily add a layer of proactive threat-hunting to their backup and storage environments with Predatar’s SaaS Recovery Assurance platform to eliminate threats before an attack is activated.
Earlier this year, Predatar launched CleanRoom 3. Our third-generation Cyber Recovery CleanRoom has been redesigned from the ground up – to make our unique Recovery Assurance technology accessible to more organisations than ever before.
In our recent webcast, ‘Recovery Assurance for All’, Ian Richardson (Predatar CTO) and Rick Norgate (Predatar Managing Director) explain how we’ve broken down some of the biggest barriers to the adoption of this important technology. If you missed it, don’t worry – we’ve pulled out some of the key questions and answers from the session in this blog.
Ben: We’ve been using the term ‘CleanRoom’ at Predatar for a few years now, and recently we’ve been hearing it used more and more by cybersecurity experts, major tech vendors, and in the industry press. Rick, what is a CleanRoom? And what does it do?
Rick: That’s a great question. When we talk about CleanRooms, we’re specifically referring to Cyber Recovery CleanRooms. You might also hear them referred to in the industry as Isolated Recovery Environments. Essentially, it’s an isolated environment that you can use to perform recovery testing and malware scanning.
There is often some confusion around the term ‘CleanRoom’. When you look at how some technology vendors are using it in the market, and you dig into what they mean by ‘CleanRoom’, they’re generally referring to a tool that’s used post-attack to conduct forensic analysis. Imagine an organisation gets attacked – they’ll need to recover workloads somewhere to check they are clean and haven’t been compromised before they begin restoration.
At Predatar, when we talk about a CleanRoom, we’re actually referring to a proactive tool. The overarching concept is the same, but a Predatar CleanRoom is used to test your backups for recoverability, and then scan them for malware on a proactive basis – that’s the key difference when we talk about CleanRooms in the context of Predatar.
What is the role of a CleanRoom within a Recovery Assurance solution?
Ben: We talk about Predatar as a Recovery Assurance platform. So, Ian, can you explain what the role of a CleanRoom is within that overall solution?
Ian: Predatar is built on two core components. The first is CRO (Cyber Recovery Orchestration) software. This is the AI and automation engine at the heart of the solution. It pulls metadata from your backup applications into the platform. When users access their CRO interface via a browser, they can manage how they want their recoveries to work. They can trigger them manually, or set up rules for automation – which is where the real power of Predatar lies.
Users can choose whether they want to trigger workflows based on a signal of activity (like some sort of anomaly), on a predefined schedule, or both. The goal is to prove recoverability every single day, not just when a disaster strikes.
The second component is the CleanRoom. The CleanRoom is essentially a secure, isolated recovery environment where you can test and validate your recoveries without risk to your production environment. This is where users recover their workloads to. Following a successful recovery, Predatar runs a full malware scan – all without the risk of reintroducing potentially compromised data back into your live systems. This is how Predatar can give organisations confidence that if they ever need to recover for real, their data is clean, usable and safe.
So, to recap: the CRO automates and proves recoverability, then the CleanRoom provides a safe space to validate that recovery before putting anything back into production. Together, they close the loop on Recovery Assurance.
Can you give a real-world example of a Recovery Assurance use case?
Ben: Now, we’ve talked about the concept of Recovery Assurance. Rick, can you give us an example of a real-world use case?
Rick: Sure, I can do that. There’s a highly relevant and high-profile example in the UK at the moment. Marks & Spencer (M&S) is one of the biggest retailers in the UK. It’s been around for as long as I can remember – on every high street, in every town – in petrol stations, in airports – everywhere.
M&S was attacked last month by a group called Scattered Spider. The attack took place over the Easter break. We’re seeing more and more cyberattacks occurring during holiday periods, when IT and security staff are more likely to be out of the office, impacting the speed at which they can respond to and contain an attack.
So, back to M&S. They’ve already paid out to the ransomware group via their insurance company but have been unable to recover fully. They’re currently losing around £43 million per week.
Now, what’s really interesting about this attack – and this is fairly common – is that the ransomware gang originally gained access to M&S’s systems via social engineering. Once they had compromised employee accounts and gained access to the network, they didn’t immediately install ransomware. They spent time observing, learning, and escalating their access. Then, once they had reached all the systems they wanted to, they deployed ransomware to create maximum disruption.
So, how can Predatar help? First off, when this ransomware gang first accessed the Marks & Spencer environment, they likely installed reconnaissance tools like keyloggers and spyware to learn as much about the environment as possible. Often, these tools can be used discreetly, without triggering perimeter alarms or anomaly detection – which are usually designed to spot encryption and exfiltration events.
This is where Predatar can help. By running proactive recovery testing and carrying out full malware scans on workloads, Predatar has a high chance of picking up the criminals’ surveillance tools.
Predatar has found malware in 80% of our customers’ backup environments that they didn’t previously know was there – and much of that is made up of tools like key loggers and spyware.
Secondly, Predatar can also help once a malicious encryption event begins. Predatar has anomaly detection built in, which will trigger when workloads start to become encrypted. This acts as an early warning system to raise the alarm during an active attack.
How is Predatar different from other cyber resilience solutions?
Ben: That’s a great example, Rick. But there are lots of technologies on the market offering cyber resilience right now. Ian, perhaps you can tell us what makes Predatar different?
Ian: That’s a great question, and it’s one we hear a lot. There are plenty of technologies out there that claim to offer cyber resilience, but there are a few key ways in which Predatar really stands out.
First and foremost, Predatar is unified. A lot of the options on the market today come directly from backup and storage vendors. The big catch here is that they’re built to work only within their own technology ecosystem and stack. So, if you don’t want to be locked into a specific vendor, or you’re running a mix of technologies, Predatar is a great choice.
Predatar is agnostic to the technology stack. So, whether you’re using IBM, Rubrik, Cohesity – we can integrate with and orchestrate recoveries across all of them. And it’s not just about the products – we support multiple workloads on those platforms too: physical, virtual, snapshots from a storage subsystem – you name it. Instead of siloed tools for each backup platform or application, Predatar gives you one solution that works across many. It’s centralised, consistent, and scalable.
The second big difference is around speed and simplicity. When it comes to setting up things like CleanRooms, many of the products on the market today are more like DIY kits. They come with a reference architecture, some automation scripts, and then it’s up to you to pull it all together using your own resources. That might be fine for a huge enterprise with dedicated teams, but for most organisations, it’s a slow, complex, and costly project.
Predatar takes a completely different approach. We’ve productised the solution. We can deploy a fully functional CleanRoom environment – integrated with orchestration, automation, validation, and reporting – in just a matter of hours, not weeks. No complex integrations, no need to hire teams to build it out – just straightforward deployment and value from day one.
So, in summary, it’s one platform that brings together multiple backup products, supports a wide range of workloads, and makes recovery validation fast, simple, and accessible to any organisation.
Ben: Rick, before we move on, have you got anything you’d like to add with regard to what’s different about Predatar?
Rick: I think Ian’s covered that really well – as he always does. But there’s one thing worth adding. It’s important to say that Predatar is a proven technology. We’ve been doing recovery testing for the best part of 12 years, and we brought our first CleanRoom to market almost five years ago. Today, Predatar CleanRooms are in use all around the world. We’ve got customers in pretty much every geography using Predatar every day. We’ve got numerous customer case studies, and as I mentioned earlier, 80% of our customers have found malware in their environments that their primary XDR tools didn’t detect.
This proves that even if you have the very best XDR tools at the front end, malware can still get through. The more layers of defence you have, the better.
What was the big idea behind CleanRoom 3?
Ben: Okay, I think we’ve now got a good overview of Recovery Assurance, CleanRooms, and Predatar. So, let’s focus more specifically on CleanRoom 3. Rick, can you explain where the idea came from – and what was wrong with CleanRoom 2?
Rick: The first thing to say, Ben, is that there was nothing wrong with CleanRoom 2. And in some instances, CleanRoom 2 will still be the best option. The inspiration for CleanRoom 3 came from our customers and some of the channel partners we work with.
The concept of CleanRooms is resonating across the market, but we were getting feedback that the complexity of scoping and deploying the solution was causing friction. Customers didn’t want to buy lots of third-party products to make it work. With CleanRoom 2, for example, you needed Windows licences, SQL licences, VMware licences, and your own XDR licences too. That just adds complexity, increases cost, and slows down implementation.
With CleanRoom 3, the two guiding principles were: [1] we wanted to make CleanRooms as easy and quick to deploy as possible, and [2] we wanted to remove any dependency on third-party licences.
How did Predatar make the CleanRoom 3 concept a reality?
Ben: So, as Predatar’s CTO, Ian, I guess it fell to you and your team to put the concept into action and make Predatar’s third-generation CleanRoom a reality. Can you talk us through how you achieved it?
Ian: Yes, I’m excited to walk you through what’s new, because this is where we’ve really made big strides – not just from a technical perspective, but also in terms of making CleanRooms much more accessible and scalable for our customers. Let me break it down into a few key areas.
Firstly, we’ve removed the dependency on third-party software and licensing. In earlier iterations of our CleanRoom, there were certain third-party tools and licences – especially VMware – that we had to rely on. That added complexity, cost, and friction for our customers.
With CleanRoom 3, we’ve designed the entire environment to be natively driven by the Predatar portal. That means no additional licensing requirements and no extra software stacks that customers need to purchase, maintain, or configure. Everything is powered and controlled natively through Predatar. So, we’ve massively simplified the stack, making it cleaner and quicker to deploy, while also removing those hidden blockers around licence management and support overheads.
Secondly, we no longer require new hardware or cloud infrastructure. This is one of the most powerful changes in CleanRoom 3. It eliminates the need for customers to stand up new infrastructure – whether that’s physical servers or spinning up a collection of virtual machines. Instead, CleanRoom 3 lets you deploy into your existing environment exactly how you want – whether that be on bare metal or virtualised through VMware or Hyper-V.
For customers, this means no new hardware requirements, no additional software contracts, and no need to carve out or maintain separate infrastructure. You just deploy it however you need for your environment – and then we bring the CleanRoom to life on top of it: completely isolated, fully secure, and built for Recovery Assurance.
Thirdly, the deployment is now faster than ever – and this is an area where we’ve really pushed ourselves, because we knew that one of the biggest barriers to cyber recovery solutions was time to value. With CleanRoom 3, we’ve built a fully automated deployment process. What used to take weeks – from provisioning to configuration and validation – now takes just a few hours.
This is thanks to a new wizard within the Predatar portal, which generates an ISO image specifically for your environment – complete with all the networking and configuration embedded within it. This allows customers to run their unique ISO image on any system they choose, whether it’s a virtual machine or a bare-metal server.
The process is as simple as connecting the system to the ISO image, booting from it, and sitting back while everything is configured for you. We’ve essentially removed the DIY complexity and replaced it with a push-button deployment experience.
Now, CleanRoom projects don’t take weeks. A customer can stand one up in the morning, run test jobs that afternoon, and start building true recovery confidence immediately.
To sum it up: CleanRoom 3 is all about removing friction.
Key takeaways
CleanRoom 3 is another big stride forward for Predatar and for Recovery Assurance technology as a whole. Here are three key takeaways from the webcast:
#1 If you’re not using any sort of proactive Recovery Assurance today, there’s a high chance that there’s malware in your backups already, just like 80% of Predatar customers before they deployed our solution.
#2 Predatar is the only vendor-agnostic, pre-emptive Recovery Assurance platform available.
#3 CleanRoom 3 has made Recovery Assurance more attainable for lots of organisations. It’s more cost-effective, more flexible, and easier to deploy.
If you want to know more about how Predatar’s Recovery Assurance platform can benefit your organisation, visit www.predatar.com
I’ve been mildly obsessed with Geoff Manaugh’s book, A Burglar’s Guide to the City, for a while. It’s one of those rare reads that permanently shifts your perspective. This book is not about cyber crime; it’s not even really about traditional crime. It’s about how we understand and navigate the systems we inhabit every day. And it’s a book I think every CISO should read.
At its core the book argues that burglars are the ultimate super-users of urban environments. They don’t merely move through cities, they manipulate them. Walls become doors, rooftops turn into pathways and manholes become secret entrances. The criminals Manaugh describes don’t smash through front doors with guns – they meticulously uncover hidden routes that others miss.
One of the most compelling stories in the book focusses on the infamous Hole in the Ground Gang. In the mid-1980s, employees at a First Interstate Bank in Hollywood began hearing unsettling noises including what sounded like metallic scraping and muffled drilling from beneath the vault floor. The power flickered unexpectedly, telephones disconnected randomly, and at one point the alarm system spontaneously kicked in late at night, terrifying a lone bank manager. Authorities, when notified, investigated and dismissed it as rats.
But rats don’t drive Suzuki 4×4s through sewer tunnels beneath the streets of West Hollywood.
The Hole in the Ground Gang were no ordinary thieves. They understood LA at an almost geological level. They had intricate knowledge of the city’s hidden infrastructure including storm drains, underground rivers, sewer lines, and forgotten passageways. They accessed maps that showed subterranean routes leading directly under the bank vault. Slowly, quietly, and meticulously, they excavated their tunnels, exploiting unseen pathways until they reached their target, slipping away with over $2.5 million worth of cash and valuables, undetected.
They weren’t caught, and now the statute of limitations has expired. Reflecting on their audacity decades later, even the lead investigator confessed to Manaugh he’d love to meet them over a beer, purely to learn exactly how they’d done it.
The gang’s secret? Deep knowledge. They treated the urban landscape not as obstacles but as opportunities, uncovering vulnerabilities everyone else overlooked.
That’s exactly how today’s most sophisticated cybercriminals operate.
Digital attackers don’t typically hammer against your firewall; they quietly navigate forgotten tunnels in your IT landscape. They leverage misconfigured backup systems, exploit outdated login credentials and silently traverse hidden, neglected digital infrastructure. Their advantage lies in their superior understanding of systems, sometimes better than that of the businesses that own them.
To fight back effectively, defenders need similar insight. This is exactly why we developed Predatar’s Recovery Risk Report. Much like uncovering the Hole in the Ground Gang’s subterranean maps, the Recovery Risk Report exposes hidden risks in your backup and recovery estate. It helps you visualise the hidden pathways and blind spots cybercriminals are likely to exploit.
By illuminating these overlooked entry points such as forgotten servers, unpatched backup servers, and vulnerable data copies, it empowers your team to proactively seal them off, dramatically reducing your cyber risk exposure. It also identifies opportunities to strengthen your recovery processes, giving you clarity and control over the infrastructure you depend on most during a recovery.
Think of the Recovery Risk Report as your digital equivalent of those storm-drain maps, empowering you to spot vulnerabilities before attackers do. Because when it comes to protecting your business, understanding the hidden logic of your backup estate isn’t just helpful, it’s essential.
Apply for a free Recovery Risk Report.
Every month we’re giving one Predatar News subscriber a free Recovery Risk Report (worth $999). Learn more and apply here. If you’re not already on the Predatar mailing lists, you can sign up now to stay up-to-date with the latest product news, industry insights… and now, it seems, book reviews too.