Why backup anomaly detection is essential, but not enough.
A fire starts in your home in the middle of the night. You’re fast asleep, when a malicious low-life targets your house in an unprovoked and indiscriminate attack. A lit newspaper is pushed through an open window. After a few minutes the curtains catch alight.
Luckily, your smoke alarm is triggered, and you wake with a start. But you’re dazed and confused. By the time you work out what’s going on and get downstairs, the carpet and the armchair are on fire too.
You shout at your partner to “grab the cat, get the hell out, and call the fire department!!!”
You try to contain the blaze with a fire extinguisher. The fire department arrives fast. You’ve successfully stopped the fire spreading and the professionals quickly extinguish the flames. The emergency is over, and you’re relieved the damage was limited.
The fire chief confirms what you already know. Your smoke alarm has saved the day. This could have been so much worse.
What does this have to do with anomaly detection?
It doesn’t take a genius to work out where we’re heading with this analogy. Whether it’s a domestic fire or an enterprise cyberattack, the ability to respond fast is critical.
In principle, the anomaly detection features that are now widespread in enterprise backup and storage tools are like smoke alarms.
The moment that a cyber incident is activated, these tools will recognise the patterns of behaviour in your data that are associated with criminal encryption or exfiltration events. With almost instantaneous alerts, anomaly detection will enable you to respond quickly and limit the impact of a live cyberattack.
Prevention is better than even the fastest response
The ability to respond fast is essential, but you need to remember that when anomaly detection kicks in, an attack is already in progress. Damage is already being done. What if the curtains in this analogy are your HR records? The carpet – your billing system? What if the armchair is your email server? Bringing them back will be disruptive, probably time-consuming, possibly costly, and in some cases – impossible.
Predatar brings proactive threat detection to your storage and backup environment. The big idea is to hunt down malware before an attack is activated. Why? Because prevention is better than even the fastest response.
So how does it work?…
You probably already have malware in your backups.
More than 80% of Predatar customers have found malware in their backups that they didn’t previously know was there. This is malware that has slipped through firewalls and front-end antivirus tools, before being replicated into backups and snapshots.
It hasn’t triggered anomaly detection, either because it hasn’t been activated yet or, often, because it consists of small ‘reconnaissance’ applications like spyware and key loggers, which cause only tiny, almost imperceptible changes in your data.

On average, cyberattacks aren’t triggered until 14 days after attackers first gain access to their victim’s IT network. It’s during this time that these tools are deployed by the criminals, to gain deeper access and ultimately enable them to cause more damage. Reconnaissance software is currently used in 91% of ransomware attacks.
Predatar assumes that any workload in your storage or backups could be infected. By running fully automated recovery tests and full malware interrogation using Trend Micro Vision One, Predatar finds and eliminates even inactive malware before a crisis begins. Predatar is always on, hunting down threats based on intelligence from Trend Micro’s global threat intelligence network.
Does Predatar make anomaly detection obsolete?
Definitely not. Cyber resilience is all about layers of defence. In fact, Predatar has some powerful anomaly detection built in to complement its proactive threat-hunting capabilities.
The great news for lots of businesses is that in most cases, the storage and backup products they are already using have anomaly detection capabilities built in, including these ones:
- Rubrik Security Cloud
- Veeam Backup and Replication
- Cohesity DataProtect
- Pure Storage Pure1 Meta
- IBM Storage Defender (including Storage Protect and Defender DataProtect)
- IBM FlashSystems
If you are using any of these products, you really should be utilising the anomaly detection features that are available to you. The products above are also compatible with Predatar. So adding proactive threat detection to your backup and storage is easy.
In conclusion
Anomaly detection for your storage and backup environments is essential for limiting the impact of live cyberattacks. Businesses should make sure they are enabling the reactive anomaly detection tools that are built into the platforms they are already using.
Predatar is different. Infrastructure teams can quickly and easily add a layer of proactive threat-hunting to their backup and storage environments with Predatar’s SaaS Recovery Assurance platform to eliminate threats before an attack is activated.