08 July 2022

Boosting administrator security controls in Storage Protect 8.1.15

Last week saw the release of the latest IBM Storage Protect update. Predatar technology is built to work exclusively with IBM storage software, so naturally we stay very close to the development of what is already an incredibly powerful backup and recovery platform. In fact, Predatar’s Technical Director, Steve Miller, is something of an authority on the Storage Protect suite.

Here are his take-aways on the version 8.1.15 release.

A few months back, I talked about Multi-Factor Authentication in Storage Protect, and how it would be a fundamental way to secure Storage Protect environments from now on.

With the release of 8.1.15, IBM have further beefed-up security access for Storage Protect with some relatively simple changes that we tend to take for granted on many other systems that we use.

Complex passwords
Firstly, Storage Protect admins can now establish complex password requirements. Up until now, it would have been possible for administrator IDs to have simple words as a password. I can’t help but wonder how many installations remain out there with the default user ID and password setup still in place since the day it was implemented.

Although Storage Protect still doesn’t distinguish between upper and lower case, it’s now possible to set a requirement for passwords to have a set number of alphabetic, numeric and special characters.

Invalid logons
There has also been a refresh with the settings allowed for invalid logon attempts. Previously, the lowest value for this was 0. As it was the default, it effectively meant that invalid logon attempts were not being checked.

As of the new release, the default value for this is changed to 1, and the range is changed from 1 to 10. Again – it’s a sensible, if overdue update, making administrator access more secure.
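To make the two controls concrete, here is an added example that is not IBM’s code and does not use Storage Protect’s own commands or option names: a small Python model of a character-class password policy checked after case folding (since the server does not distinguish upper and lower case) and an invalid-logon limit with the semantics described above, where 0 means attempts are not counted at all and 1 to 10 locks the ID after that many consecutive failures. The policy thresholds, the admin name and the passwords are constructed for the demonstration.

```python
"""Constructed model of the two administrator-login controls described above:
a character-class password policy (checked after case folding, because the
server does not distinguish upper and lower case) and an invalid-logon limit
that locks the ID. Example code, not IBM's; it never talks to a real server."""
from dataclasses import dataclass
from typing import Dict, List
import math
import string

SPECIAL = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum counts per character class (thresholds are assumptions)."""
    min_length: int = 8
    min_alpha: int = 1
    min_numeric: int = 1
    min_special: int = 1

    def violations(self, password: str) -> List[str]:
        # Fold case first: 'Secret1!' and 'secret1!' are the same password to the server.
        pw = password.lower()
        alpha = sum(c.isalpha() for c in pw)
        numeric = sum(c.isdigit() for c in pw)
        special = sum(c in SPECIAL for c in pw)
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"length {len(pw)} < {self.min_length}")
        if alpha < self.min_alpha:
            problems.append(f"alphabetic {alpha} < {self.min_alpha}")
        if numeric < self.min_numeric:
            problems.append(f"numeric {numeric} < {self.min_numeric}")
        if special < self.min_special:
            problems.append(f"special {special} < {self.min_special}")
        return problems


def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Brute-force keyspace of a random password of this length, in bits.
    Case folding shrinks the letter alphabet from 52 symbols to 26."""
    alphabet = (52 if case_sensitive else 26) + 10 + len(SPECIAL)
    return length * math.log2(alphabet)


@dataclass
class AdminID:
    name: str
    password: str        # kept in clear only to keep the model short
    failures: int = 0
    locked: bool = False


class AdminAuth:
    """invalid_pw_limit follows the semantics in the text: 0 means attempts are
    not counted (the old default); 1..10 locks the ID after that many
    consecutive failures. A successful login resets the counter."""

    def __init__(self, policy: PasswordPolicy, invalid_pw_limit: int):
        if not 0 <= invalid_pw_limit <= 10:
            raise ValueError("invalid_pw_limit must be 0..10")
        self.policy = policy
        self.limit = invalid_pw_limit
        self.admins: Dict[str, AdminID] = {}

    def register(self, name: str, password: str) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.admins[name] = AdminID(name, password.lower())

    def login(self, name: str, password: str) -> str:
        admin = self.admins.get(name)
        if admin is None:
            return "invalid"      # same answer as a bad password: no ID enumeration
        if admin.locked:
            return "locked"
        if admin.password == password.lower():
            admin.failures = 0
            return "ok"
        admin.failures += 1
        if self.limit and admin.failures >= self.limit:
            admin.locked = True
            return "locked"
        return "invalid"


def demo() -> dict:
    """Run the old default (0) and a hardened limit (3) side by side."""
    policy = PasswordPolicy()
    legacy = AdminAuth(policy, invalid_pw_limit=0)
    hardened = AdminAuth(policy, invalid_pw_limit=3)
    for server in (legacy, hardened):
        server.register("admin", "Backup-2022")          # constructed credential
    legacy_results = [legacy.login("admin", f"guess{i}") for i in range(50)]
    hardened_results = [hardened.login("admin", f"guess{i}") for i in range(50)]
    return {
        "weak_pw_problems": policy.violations("password"),
        "legacy_locked": "locked" in legacy_results,
        "legacy_then_ok": legacy.login("admin", "backup-2022"),   # case folded, still accepted
        "hardened_locked_after": hardened_results.index("locked") + 1,
        "hardened_then_real_pw": hardened.login("admin", "Backup-2022"),
        "bits_lost_to_case_folding": round(keyspace_bits(8, True) - keyspace_bits(8, False), 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare the two servers: with the old default of 0 the fifty wrong guesses are simply absorbed and the correct password still works afterwards; with a limit of 3 the ID is locked on the third failure and even the right password is refused until someone unlocks it. The last figure is the brute-force cost that case folding gives away: for an 8-character password with all four classes allowed, about 3.7 bits, which is why a longer minimum length buys more than an extra character class does.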

TLS certificate loophole
Finally, the default behaviour for a new Admin ID is to require a TLS connection. Previously, the default was that the first connection was an enabling session, allowing the administrator ID to download the TLS certificate from the Storage Protect server. That’s been recognised as a security loophole and closed off.


In summary

Making data secure has always been the top priority of the Storage Protect development team. Encryption, both at rest and in transit, was always fundamental, but administrator access had remained relatively open for a long time.

Looking at the pattern of these updates, it’s clear that IBM has recognised the risks of rogue administrator access, and that it’s a critical threat to close down. According to a 2021 report published by Verizon, 36% of data breaches are caused by internal bad actors. The changes that have arrived in 2022 are designed to remove weaknesses and will help to reduce risk in this area, and as a result any organisation using Storage Protect will benefit from the updates.

There are lots of ways you can leverage the power of IBM Storage Protect and Storage Protect Plus to boost cyber resiliency in your organisation. Predatar cyber recovery orchestration works hand-in-hand with IBM storage software to ensure your backups are infection-free and ready for quick, clean and complete recovery when you need it. You can see it in action in this 5-minute demo video, or contact our team with questions.

Learn more about
Predatar recovery assurance

29 June 2022

Predatar joins the pack – An interview with IBM’s Matt Fordham

On 28th June 2022, IBM announced that Predatar Cyber Recovery Orchestration is now part of the IBM Storage Software Portfolio. We invited Matt Fordham, technical storage pre-sales lead for IBM, into Predatar HQ to explain why he’s excited about Predatar joining the IBM pack.


Predatar: Good morning Matt, thanks for joining us today. So, you’ve been working with our team for quite some time. Can you explain the relationship between IBM and Predatar?

Matt: Thanks to our culture of innovation and our commitment to R&D, IBM consistently deliver class-leading enterprise storage technology, but it’s really through our Partner EcoSystem that we elevate the impact of our technology and achieve even greater outcomes for our customers.

We’ve been working with the team at Predatar for more than 10 years. It’s been amazing to see the development of the Predatar platform and it’s a natural evolution to bring it into the IBM Storage software portfolio.

Predatar: Why is the addition of Predatar to the IBM Storage Software portfolio significant for IBM?

Matt: When I speak with customers, it’s a different conversation today. It isn’t about storage and infrastructure, it’s about data security, it’s about resiliency. Businesses are re-evaluating the way they store and manage data, and recoverability is the top priority.

Predatar’s cyber recovery orchestration brings new capabilities to IBM that help us answer some of the biggest challenges our enterprise customers are facing today. Predatar will add value in our existing Storage Protect accounts and enable us to win more new business too with a better proposition, a better package and better outcomes for our customers.
 

Predatar: For those that are new to Predatar, can you explain what Predatar is all about in your own words.

Matt: The Predatar cyber recovery orchestration platform works with IBM Storage Protect Plus to automate many of the manual processes associated with backup and recovery.

By continually recovering, scanning, and cleaning backup workloads, Predatar gives users the knowledge that they will be able to recover quickly, cleanly and completely when they need to, and dramatically reduces a business’s time to recover in the event of a cyber-attack.


Predatar: How does Predatar complement and enhance IBM’s existing cyber recovery offering?

Matt: There’s a lot of commonality between Predatar’s capabilities and IBM’s Cyber Vault. In fact, the two solutions complement each other and are particularly powerful when they are used together. With Cyber Vault our customers can achieve near instant recovery of their most time-critical workloads from primary storage, but longer-term retention data is no less important.

Predatar dramatically decreases time-to-recover data from secondary storage. Together with Cyber Vault, Predatar gives customers the knowledge they can recover all of their business-critical data quickly, no matter where it is stored. Predatar and IBM are changing the game for businesses looking for simple, effective, and dependable recovery.

Predatar: What do you think is the most exciting/important feature(s) or capability of Predatar?

Matt: To appreciate the power and impact of Predatar you need to see it in action. Its modern, intuitive interface removes the dependency on highly technical backup admins for data security tasks and empowers almost any user to have a significant positive impact on the cyber resiliency of their organisation.

 


If you would like to take Matt’s advice and see Predatar in action, please contact your IBM Storage rep or get in touch with the Predatar team. We’ll be happy to give you a tour of the platform and answer any questions.


18 March 2022

Storage Protect 8.1.14 brings Administrator MFA to the party.

Here at Predatar, we keep a very close eye on everything Storage Protect. After all, it’s IBM’s powerful storage software that underpins the Predatar recovery platform and our cyber orchestration capabilities. So naturally, when IBM released version 8.1.14 last week, we were keen to pop the hood. Predatar’s Technical Director, Steve Miller shares his thoughts:

– – –

I’m pleased to see there is a handful of useful updates for Storage Protect in the new release, with one in particular that customers have been looking out for. Multi Factor Authentication for Admin Users has made its way into version 8.1.14.

In 2021 IBM released Command Approval for the product. Put simply, this meant that organisations could use roles to determine what functionality was allowed for individual users, and would require administrator approval for potentially destructive commands. This was an important first step, but it left loopholes for organisations that might have shared user IDs or common passwords – even if not intended maliciously, it would have been possible for a user to enter a delete command and then use an admin ID to authorise it without proper oversight.

This will now be much harder to do using the new MFA. Essentially, when an administrator is created, they are given a key that is used by an authenticator app to generate a code – then, when the user logs in they are required to enter both their password and the code which regenerates every 30 seconds.

If this is configured properly, then, in conjunction with Command Approval, it’s going to massively reduce the possibility of an accidental deletion of critical data within the Storage Protect environment.

Further – it can be used to lock down access to the environment more generally. There will still be automated IDs that can’t use MFA, but it should be possible to use this to secure access to the Storage Protect environment, and, even if users are using common passwords, the requirement for them to also enter the code would mean that a malicious actor is going to find it very difficult to get access.

IBM had to make lots of choices when they implemented MFA. They could have over-complicated things or mandated that customers use a particular piece of software for the token. By adhering to open standards and providing a list of approved applications, they are encouraging wide and early adoption of this enhancement, something to be applauded.

As always, a couple of caveats apply – this still won’t prevent access to the logical infra behind the Storage Protect environment – if a rogue administrator or malware gets access to the box and is able to delete or encrypt database or storage volumes, then it really doesn’t matter if they can login to the application or not – they can still wreak havoc, so it’s important to ensure there are additional copies of the data behind an airgap, either physical or logical.

Secondly, large organisations that are going to upgrade and take advantage of MFA should make sure to plan it carefully. Server-to-server operations need to be considered, and it’s important that, although you are making your environment more secure, you don’t make it impossible for administrators to carry out their day-to-day functions.

If you need more information, help setting this up, or advice on configuration, get in touch with your Predatar account manager or contact info@predatar.com. We’re always happy to help.


13 January 2022

3 ways to get IBM Storage Protect working harder and smarter in 2022.

Well, it’s January – time to take stock and plan for the year ahead. For many of our customers this means taking an objective look at their IT software assets. If you are too, you’re probably wrangling with conundrums like this…

Should you put more investment into software that’s been in place for several years? Hold and maintain? Or cut your losses and start over?

In this post, we consider your IBM Storage Protect environment and what can be done to maximise your investment.

The truth is, there are probably a lot of features and functions in Storage Protect that you’re not using, and some powerful new features that you may not even know about. If you want to get Storage Protect working harder and smarter for you in 2022, we recommend you focus on these three C’s:

 

Focus 1 – Convergence

Most readers will be running Storage Protect for their bare metal and database workloads, and maybe SP4VE or a competing product for their virtual machines. Many SP users run Veeam and even copy Veeam workloads to tape via the IBM workhorse. This is inefficient, makes disaster recovery processes more complex, and therefore increases risk.

Thanks to IBM’s acquisition last year of the source code for its new-generation backup product, Storage Protect Plus (SPP), it’s now possible to mount and read virtual workloads directly from SP container pools, allowing you to exploit the huge data reduction benefits of Storage Protect.

Last month IBM released a tech preview of Open Snap Storage Manager (OSSM), which utilises this technology. A full release of OSSM is expected in the next few months. For any SP user running multiple backup products (and there are many), implementing OSSM should be a high-priority project for 2022. It has the potential to reduce your storage costs and simplify your storage environment significantly.

Focus 2 – Cyber

It’s always been the case that a good backup is an essential component of your defence against data loss and downtime. And whilst it’s unlikely to prevent a security breach, it remains a cornerstone of your recovery and mitigation strategy. If you use IBM Storage Protect, here are a few things to watch out for in 2022.

  1. Multi-factor Authentication (MFA). A mainstay of most enterprise security policies, and it should be no different for administrator access to the Storage Protect web portal. An opt-in approach including a QR code for “teach to app” should be available early in 2022.
  2. Command approval. It just makes sense to require a second administrator to approve data-destructive commands, and it’s available now as a feature in Storage Protect.
  3. Data encryption. Many ransom payments are made even when companies can recover without the decryption keys, because of the fear of data exfiltration. With malware dwell times increasing, assume that attackers may already have taken your sensitive data and passwords before you notice them. Client and server encryption is a free feature in IBM Storage Protect.
  4. 3-site replication. Storage Protect users no longer need to use protect storage pools and can replicate data from a source backup server to two targets.
  5. S3 Object Lock. Already supported by Storage Protect Plus, this immutability feature will be made available for Storage Protect in 2022.

Focus 3 – Cloud

We have not seen a significant shift to Cloud backup for enterprise customers yet. But expect this to change in 2022 as cloud begins to take an important role in cyber security. S3 object storage will take centre stage for long-term policy managed data. Storage Protect Retention Sets provide a useful and cost-effective way to manage this type of long-term storage and can now be stored in AWS, Azure, GCP and IBM Cloud object storage.

Finally, as we move further into 2022, we expect the mega trend of “everything-as-a-service” (XaaS) to gather pace. All the major OEMs, from Dell (Apex) and HPE (Greenlake) to now IBM, are offering Opex models for consuming server and storage infrastructure. This, combined with the demands on administrators to constantly verify the integrity of backups through constant recovery testing and scanning, is making managed backup services increasingly popular. We’ll cover more on this in an upcoming post.

If you’d like to get more out of Storage Protect and Storage Protect Plus this year, talk to Predatar. Our intuitive backup management platform and cyber resiliency tools help enterprise infrastructure teams to take control of their Storage Protect and Storage Protect Plus environments, while our team of expert Data Defenders provide flexible managed backup and recovery services on a subscription basis.

Contact us at info@predatar.com


24 December 2021

Looking back on a year of collaboration.

Looking forward at the year ahead – we can see it’s going to be a big one for Predatar. But before we really get stuck in to this exciting new year, we wanted to take a few moments to reflect on some of the best moments and biggest achievements from 2021 – with a particular focus on our user community. After all, it’s our users’ feedback and ideas that drive us forward.

Shaping the future of Predatar together

Last year we really ‘switched things up’ with the Predatar user group. Moving from an email-based group to a more collaborative community forum using LinkedIn and the all-new Predatar Ideas Portal gave all of our users the chance to engage with us (and one another) in new ways.

The new format has given our users a mechanism to give feedback directly to the product development team, make suggestions, and vote for the ideas they want to see most on the Predatar product roadmap. We saw over 50 new ideas submitted in 2021. 20 were shortlisted and 4 are now in production.

If you want to see how your input is shaping the future direction of Predatar you can take a sneak peek on the Ideas Portal. Why not share your ideas with us while you’re there?

Beta programme

We ran two community betas in 2021. These focussed on new cyber resilience features (more info below). By engaging with our user-base early, we were able to deliver functionality to meet the needs of real customers with real-world challenges from the very first release.

We want to say a huge thank you to everyone that took part and we encourage you all to join our beta programme in 2022.

Events, content and product updates

2021 was our busiest ever year at Predatar. We launched 22 new features across 11 releases, while also hosting a number of industry events. Here’s just a few of the highlights:

  • Q1: We launched a raft of new cyber resilience features in the Orca 11.7 release. These features gave users the ability to quickly search for viruses across all their backups and plot these on a real-time infection map.
  • Q2: User Experience is a key driver for Predatar, and Q2 saw the release of Grizzly Bear 12.0. This brought a new user interface (UI) codenamed Sherlock. Built using React, Openshift and Containers the Sherlock UI took the Predatar platform to the next level – bringing more insights, improved ease-of-use and greater support for mobile devices.
  • Q3: Hot on the heels of the 12.0 release came Grizzly Bear 12.3 with unique behaviour-based automated testing, virus scanning and cyber orchestration. These features were all designed to help businesses recover fast from cyber-attacks. And the result? With Predatar, organisations can recover up to 85% faster versus using manual methods. See the Grizzly Bear release in action here.
  • Q4: In October we ran the largest Storage Protect User conference of the year. We were joined by industry leaders from IBM and IBM’s Partner network to discuss the impact that ransomware is having on businesses and backup professionals. The stand-out session from the event was an interview with a victim of a real ransomware attack. You can watch it on replay here.

A big thank you

As we say goodbye to 2021 we want to put out a huge thank you to all of our users and partners that came together as a Predatar community. You’ve helped us to keep moving, improving and developing our platform to meet the demands of our growing user base.

Building a community is hard work. We appreciate all of you and the support you have given us. We wish you all a happy and restful holiday. Stay safe and we’ll see you all rested, recharged and ready to go in the new year!


26 November 2021

Corporate Social Responsibility for Small Businesses

Corporate social responsibility (CSR) is a company-led movement and management style that aims to contribute to wider social causes such as climate change and other ethical responsibilities.

Corporate. When you hear the word, you’re tempted to think of looming grey buildings, suits and ties, briefcases, and board rooms. You wouldn’t be far off in some cases. Corporate refers by and large to massive, faceless organisations. So, where does social responsibility come in and why does it matter just as much to smaller businesses?

Imagine that every organisation, every business, every institution leaves a handprint on the earth. That’s a whole lot of handprints. But the fundamental thing that businesses and corporations need to understand is that some of these handprints will be stickier than others. Many will leave residue that will be difficult, perhaps impossible, to remove for years to come.

In some settings, there’s a higher chance of a smaller business leaving a bigger, stickier handprint. Budgets are often tighter and business focus may be narrower; the wider responsibility to the planet feels inconsequential and maybe even needless. But we know this isn’t the case. In a recent study conducted by Social Green Solutions, awarders of the Green Compass Sustainability Award to businesses, companies with the award were seeing a whole host of benefits. Overall, there was a 50% increase in employee morale leading to 50% less employee turnover, improved productivity, increased financial performance, and some were even seeing new market penetration opportunities.

 

What long-term and short-term changes can smaller businesses make that can have a lasting, positive impact?

 

It’s the million-dollar question, really. The more small businesses do, the more we’re finding out. Only in recent years have we been able to gather enough information to suggest that simply having things in place like CSR policies, can make a real difference in the years to come. Even more instant results, such as reduced printing costs and better working relationships have been noted on the long list of benefits for smaller companies. That’s not to say that implementing CSR practices won’t be costly for organisations, though. There are some changes that may require a higher investment. But, when it comes to the quality of your product, people, and the planet, we think it’s an investment worth making. You can start with…

  1. Establishing a set of realistic goals and creating a CSR policy

  2. Appointing a responsibility or CSR team to oversee any projects

  3. Writing up some sustainability guidelines for in-office and remote workers

  4. Encouraging volunteering and charity contributions through volunteer days for individuals and teams

  5. Educating your employees! There are plenty of training courses out there aimed at clueing your organisation up on socially responsible practices.

At Predatar, we’ve recently appointed a CSR team and implemented a Corporate Social Responsibility policy, alongside a public statement which you can view here. We’ll be working with our teams and partners to make sure we’re doing our bit and keeping our word.

 

 

 


04 November 2021

NAA (Not Another Acronym): What is NIST?

Not another acronym…

We’re not sure about you, but even we struggle to keep up with all the different acronyms which, particularly within the IT industry, seem to constantly crop up everywhere.

One acronym our team came across lately is NIST and, yes, some of us had to look it up on Google. It turns out that NIST stands for National Institute of Standards and Technology and it’s not new. Based in the US, NIST has been around for 120 years, playing an essential role in enabling and measuring technical innovation not just in the US but all over the world.

Why should I care?

So, why is it worth knowing one more acronym? And why should we bother to understand what NIST do? The answer is simple and remarkably relevant: cybersecurity. We know this is a bit of a buzzword at the moment. Not a week seems to go by without news of a cyber or ransomware attack somewhere around the globe. You may have read about the Kaseya cyber-attack at the beginning of July (our blog “Good v REvil” provides a good summary). Not too long ago, the Lazio region in Italy was the subject of a very sophisticated ransomware attack that disabled all its IT systems and ended up disrupting the regional Covid-19 vaccination registrations. So, what role does NIST play in all this? A very important one, actually. NIST have developed a framework for measuring and managing cybersecurity risk.

NIST’s Cybersecurity Framework

 

This framework focuses on using business drivers to guide cybersecurity activities and reinforces the need for cybersecurity risks to be included in organisations’ risk management processes. The Framework consists of three parts: the Core, the Tiers, and the Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organisational Profiles. By using Profiles, the Framework can then help an organisation to align and prioritise its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. Finally, the Tiers provide a mechanism for organisations to view and understand the characteristics of their approach to managing cybersecurity risk, helping prioritise and achieve cybersecurity objectives.

A very important feature of NIST’s Cybersecurity Framework is its scalability as it can be easily adapted to organisations of all sizes, sectors and maturities. It is also outcome driven and does not mandate how an organisation can achieve these outcomes, meaning that whether you are part of a small company with a low cybersecurity budget or a large corporation with a million bucks’ budget, tiers and profiles can be tweaked and customised to achieve a result which is in line with your cybersecurity programme.

 

Education, Education, Education.

It would be rather reductive, however, to associate NIST only with the Cybersecurity Framework. Their work encompasses several areas, ranging from cryptography to IoT (Internet of Things), ICS (Industrial Control Systems) and practical cybersecurity guidance such as password standards and guidelines. Another primary focus for NIST is education and training. In partnership with government and academic bodies, NIST have been leading NICE (another acronym, sorry…), the National Initiative for Cybersecurity Education, since 2008. The NICE framework provides a common classification of cybersecurity roles and functions, describing the responsibilities, skills and knowledge required to perform cybersecurity tasks. This framework is increasingly relied upon across all sectors to help address skills gaps and develop cybersecurity awareness and learning.

It doesn’t have to be complicated.

So, who would have thought that this simple acronym could have such an impact on organisations’ cybersecurity strategies? Being familiar with the NIST Cybersecurity Framework and NIST’s general security guidelines is an important step in the right direction when it comes to protecting your organisation’s devices, IT systems and the valuable data stored in them.

In a world of complicated acronyms and obscure technical jargon, NIST provide clear and practical guidelines to tackle practical challenges which are part of our everyday lives. It could be as easy as ABC or 123 (as long as you don’t set these as your passwords! See NIST’s Password Guidelines)

Article By | Barbara Giunchi Burr


04 November 2021

It Happened to Us: An Anonymous First-Hand Account of a Ransomware Attack (Part 2)

It’s time. Here’s the second, and final, installment of the exclusive interview Predatar conducted with a victim of a business-targeted ransomware attack.

Investigating the Breach

‘We had very understanding clients. It was established at a very early stage that there was no desire to publicise any of this information. But generally, we had to be careful about what we were saying. We couldn’t say anything that wasn’t definitely true, or anything that needed to be kept confidential.’

‘In our investigations, we realised that the cyber-attackers had been in our systems for several weeks, via a password breach. By tracing their actions, we were luckily able to identify that it was very fortunately, a very small portion of data that they had been able to access.’

We talk about this a lot over here at Predatar HQ regarding cyber resilient backups. Sure, you think you’ve got immutable backups. You might even have gold standard encryption. But how can you be sure that your backups aren’t brimming with dormant ransomware that you just haven’t noticed yet? Dormant ransomware is a threat to any business. It can sit in your systems indefinitely, gathering information until the cyber-criminals are ready to act.

 

Negotiating

‘It was a really challenging period of time. We were having crisis calls twice a day, and sometimes it would be every hour or two. We established that the cyber attackers were also overseas, meaning it made quite a difference to the timescales. We actually had to contact them through an address on the dark web, which our business knew very little about, so the experts told us how to operate in that space.’

‘After negotiating, we eventually agreed with them to pay a very small fraction of what they had asked for, in Bitcoin, which the experts told us is completely untraceable. We tested them by staging four different payments over a week or so to ensure that each time, they gave us a specific bit of data back. Our negotiator pushed the cyber-criminals to the edge of what was acceptable to them. There were a few times where they said they were going to release the data.’

 

The Aftermath

‘You could say we were lucky. We did get proof of all of our data back, and we already had a backup copy of the data anyway. A few months prior to the event, we’d actually made some changes to tighten up the security of our backup and recovery procedures and that helped a great deal. I’m glad we did that. However, not all of the data was completely up to date, so that still did pose an issue. It wasn’t perfect. But the main issue was a lack of accessibility for our clients; they couldn’t work in a normal way.’

Nowadays, even if a company has a seemingly usable backup in the event of a ransomware attack, there’s no guarantee that the backup itself will recover. And even if it does recover, there’s no certainty that it, too, isn’t infected with dormant ransomware. But that’s where companies like Predatar come in.

‘The whole experience was deeply unpleasant. Nobody wants to pay an attacker anything, but the advice from all of those experts was that it’s typically better to pay something until you’re forced to pay a higher amount.’

It’s almost impossible to estimate the actual cost that ransomware attacks have on a business. The total sum is not just the ransom paid. Businesses will start haemorrhaging money in various ways during a cyber-attack. This can be anything from time lost on major projects to not being able to generate a healthy profit without full functionality and use of data. There can also be a huge knock-on effect to future ventures, including damage to partnerships and client relationships.

 

So…what now?

After hearing this story, the first thing that crossed our minds, and that has probably crossed your own mind as you’ve been reading this article, is “how can we be prepared for disasters like this?” So, we’ve asked some questions and gotten some answers for you. Here are the top five tips we picked up from this case:

  1. Have a plan of who you can go to as an advisor in this scenario. You will need a set of experts who can offer you insurance. They will also know the lingo and they’ll be able to understand the personalities, behaviours, and personas of certain cyber-attack gangs.
  2. Understand the process of reporting the incident to the authorities, and how that process can help or even hinder a time sensitive cyber-attack.
  3. Hire a negotiator. If this is an option available to your business, don’t skip it. The experience with a negotiator can be, as our source described, deeply uncomfortable. Without that safety gap between your business and the attackers, you are dealing directly with intelligent criminals, with no experience of doing so.
  4. Look after your employees. It’s a very disturbing experience, and the well-being of your employees is extremely important throughout. Some employees will be on a need-to-know basis, whereas others will need more of an understanding.
  5. Test your backups, then test them again. And then test them again after that.

We hope that this has been an eye-opening read for you, and that, like us, it has given you some useful insight into the importance of having cyber-resilient processes in place.


22 October 2021

It Happened to Us: An Anonymous First-Hand Account of a Ransomware Attack (Part 1)

What is it Like When your Business is ‘the One it Happens to’?

“It will never happen to our business.”

“What would they want with data like ours?”

“We’re a small business, there’d be no point.”

“We’re too secure. They’d never succeed.”

“We’d know straight away. Our IT team is prepared.”

Many businesses are guilty of subscribing to at least one of these blasé statements. You may have even heard them casually uttered by the water cooler, after more dire news has broken about yet another attack on a large corporation. It’s the seemingly mundane trap that many businesses and employees will unwittingly fall into: the ‘it’ll never happen to me’ mentality. And, don’t get us wrong, we’re not saying confidence in your resiliency and security processes is a bad thing. It’s first and foremost necessary. But, too much of it and you’re at risk of being lured into a false sense of guaranteed safety.

This blog is going to be different from what we usually write. In fact, it’s not our story at all really. We’ve been privileged enough to speak to somebody who witnessed the ins and outs of a ransomware attack on their business first-hand. When we first heard this account, we decided it was far too compelling and affecting not to publish. Far from being a head on a stick, this first-hand account is a very tangible and frightening illustration of how a cyber-attack can affect organisations. So, without further ado.

Alarm Bells

It’s no secret that many ransomware attacks begin in a similar way, with the first sign of trouble being degraded functionality of employee devices. This can range from slower-than-usual performance to being completely locked out.

‘We were first alerted to a problem when a small number of our clients, namely in the financial sector, alerted us to being locked out of their systems. We were providing the software, and in some cases a hosting environment, to these clients. So, we quickly established that there was a pattern to this problem even though it was a fairly contained number of clients.’

Data from the CrowdStrike intelligence team showed that throughout the COVID-19 pandemic in 2020, ransomware attacks in the financial sector rose by as much as 350%. Between March and May alone, the sector reported over 30 attacks.

‘The first thing we did was to look into what it was, and it didn’t take us long to realise that it was a cyber-attack. At first, our clients assumed that attackers were targeting their business specifically. But of course, we’d noticed this pattern and we established that the clients had been targeted through the hosted systems we were providing them.’

‘We did have some comfort in terms of thinking we could get the data back fairly quickly because we had mirrored the records, but there was still some disquiet. And of course, the major issue was that clients’ employees could not access their systems.’

When a ransomware attack happens, you typically have two major concerns.

  1. Data.
  2. Business function.

The two ultimately come hand in hand; a business without its data is a headless chicken. Directionless and against the clock. But that’s not to say that some businesses can’t function – albeit with very limited purpose – without data. So, why do we list these two concerns separately? Because often the cause for having to put everything on hold during a ransomware attack, is that systems simply aren’t accessible or are locked because of the nature of the attack. Some businesses get ‘lucky’, like this one, and only some systems are locked out. But other businesses can’t access any of their systems, or any of the systems that are key to their functionality. Take this case for example, where cyber-criminal gang DarkSide encrypted critical data belonging to Colonial Pipeline.

The Right People, at the Right Time

‘After the messages came through from the ransomware attackers, we started to look at what we needed to do about it with our crisis team. This team involved various people from across the business, including our own security expert, finance people, legal people and judicial leaders. We then contacted some external security advisors in that space and an insurance company. And the insurance company, realising it was a proper cyber-attack, were helping us to look at reducing the amount of cost implication. So, we were lucky, we had a sophisticated team we could put together quickly. We already had things in place that an average company usually doesn’t have.’

Making Contact

‘The next thing we did was to contact the people that had blocked the systems. We wanted to try and validate from our side who they were, and whether it was a real threat to us, or just a hoax. But all in all, we were in the dark. We weren’t really sure what was coming, not until you’ve got experts involved.’

Luckily for companies that fall victim to ransomware attacks, the industry is now saturated with experts in this field, from experts who deal with the aftermath of cyber-attacks, to negotiators who will be right with you in the thick of it.

‘There were a number of deadlines presented to us by the attackers, saying that we had to get back to them within a certain time period. We kept holding them off, but never said no. That’s where we had an expert negotiator come in. Of course, we also contacted the authorities, but the experts we had told us that the authorities were unlikely to be able to do anything meaningful about the attack before it was too late. The consensus was that we needed to negotiate with the cyber attackers.’

You might be thinking at this stage ‘but that sounds pretty terrifying?’. And you’d be right. At Predatar, we’re a team of experts too. We pride ourselves on our knowledge of things like this, but there’s seldom anything that can prepare you for negotiating with criminals when normally, you’re just doing your day-to-day job. On a slightly more comforting note, we later established with our source that their teams had felt more at ease by having brought in external experts, because it had essentially created a buffer between themselves and the attackers. In short, always have a plan of who you’re gonna call when there’s something strange in your systems. But we’ll talk more about this later.

‘So these experts helped us communicate with the attackers in terms of checking whether they did actually have the data they said they had, and how they planned on releasing it back to us in terms of dis-encrypting it. We wanted to be certain our clients’ data wasn’t going to be permanently compromised.’

Stay tuned for part 2, coming soon!


17 August 2021

CEO Blog Series: If You Can’t Come to the Cloud

Let the cloud come to you.

To open our new CEO blog series, Predatar CEO Alistair Mackenzie (or as we like to so fondly call him, Al), talks about becoming cloud-native.

Working for a SaaS company, I was intrigued by this recent article on Cloud economics, and you should be too.

You can read it for yourselves of course, but here are the highlights:

  • Analysis by the Andreessen Horowitz team showed that the top 50 SaaS companies were spending an average of 50% of their revenues on cloud infrastructure
  • Repatriation to on-premise could halve infrastructure running costs for companies at scale

Personally, my favourite quote from the piece is:

“You’re crazy if you don’t start in the cloud; you’re crazy if you stay on it.”

The problem though is repatriation can be a non-trivial exercise, depending on how you arrived in the cloud in the first place. Simply “lifting and shifting” workloads to a public cloud provider then shifting back again is somewhat easier. Moving VMware workloads to the cloud is a good example of this, though it’s harder to understand the rationale. It’s not cheaper and it requires almost the same labour resources to operate, wherever the workloads reside.

So, starting in the cloud makes more sense; especially for new projects or new start-ups. In the early stages of turning your creative ideas into software code, paying a “flexibility tax” to access the agility of the cloud is worth the peace of mind. In 2019 when Predatar decided to move from a monolithic application design to microservices, it chose to use public cloud infrastructure as a service. The development team was in experimentation mode and the public cloud allowed for more creativity. But as we move the new SaaS platform into full-scale production, should we stay on public cloud infrastructure or move to on-premise?

Although no decision has yet been made, there have been several trends to at least make it a hard choice.

  • Most OEM vendors now offer some form of Opex-based, consumption model for server and storage infrastructure. IBM just last week announced a new storage-as-a-service model for its best-in-class FlashSystem arrays.
  • For new software development, the lingua franca operating system is now Linux, available in all public clouds as well as on-premise
  • The emergence of Kubernetes as the dominant container orchestration platform

One important point of note on this final trend. When the Predatar team started its journey towards making Predatar SaaS a cloud-native container-based solution, it could have picked from many cloud offerings. AWS, Azure and Google, all have their own distributions of Kubernetes, and this is the catch. Once you start developing code on one distribution, it’s not always straightforward to migrate to another. You can become stuck using the IaaS (infrastructure as a service) of that public cloud provider.

Fortunately, whether by luck or good judgement, we chose Red Hat’s OpenShift distribution of Kubernetes. OpenShift is 100% portable, which means we decide where to host our SaaS platform: cloud, on-premise, or edge location.

It can take a long time for the decisions we make to play out. Cloud Architects don’t always have the benefit of hindsight when deciding which cloud platform to use. At least from an infrastructure perspective, Red Hat’s OpenShift gives them the option to change their mind should they so wish.

Signing off,

Alistair Mackenzie
