Most organisations fail miserably at defending themselves from cyber attack and ransomware intrusion. That’s the view of James Blake, EMEA CSO at Cohesity, who spoke to Computer Weekly about key features in the backup company’s recently launched DataHawk service and its Data Security Alliance initiative.
“I’ve seen how people do defence and why they fail miserably,” said Blake, who added that security has often had budget and headcount thrown at it – but no real intelligence.
“There is no real linear correlation between spend and headcount and operational capability,” he said.
“The rules [of any defensive scanning capability] can never be ahead of the adversary. The attacker always has first-mover advantage.
“And then you’ve still got to assume that defences are built with good processes and rules are maintained, and that’s just not the case.”
So, said Blake, a huge part of dealing with any ransomware attack is to successfully tackle the impact and recovery from the attack.
That means being able to restore the last clean copies of data that has not been corrupted.
To address this, Cohesity – which is a backup software and appliance supplier at its core – identifies clean data using licensed threat intelligence information from Qualys’s Blue Hexagon as part of its Data Security Alliance initiative.
“The idea is to stop the ransomware process unfolding before it reaches the final stages – exfiltration and impact – in the Mitre ATT&CK 14-stage model,” said Blake.
That happens by detecting signature patterns in backups to identify a safe recovery point without malicious artefacts, he added.
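As an added illustration of that clean-recovery-point idea (example code, not Cohesity’s own; the indicator values, filename patterns and snapshot contents are all constructed), the script below scans a series of backup points for known-bad hashes, ransom-note names and encrypted-file extensions and returns the newest point with no such artefacts:

```python
import hashlib
from dataclasses import dataclass

# Constructed threat-intel feed: SHA-256 of a known dropper plus ransom-note
# and encrypted-file naming patterns. All values here are illustrative.
BAD_HASHES = {hashlib.sha256(b"constructed-dropper-bytes").hexdigest()}
NOTE_NAMES = {"README_TO_DECRYPT.txt", "HOW_TO_RECOVER.hta"}
ENCRYPTED_EXT = {".locked", ".crypt"}

@dataclass
class Snapshot:
    name: str        # backup point identifier
    taken_at: int    # epoch seconds
    files: dict      # path -> contents (bytes); a real scan reads the backup image

def artefacts(snap):
    """Return (path, reason) for every malicious artefact found in a snapshot."""
    hits = []
    for path, data in snap.files.items():
        base = path.rsplit("/", 1)[-1]
        if hashlib.sha256(data).hexdigest() in BAD_HASHES:
            hits.append((path, "known-bad hash"))
        elif base in NOTE_NAMES:
            hits.append((path, "ransom note"))
        elif any(base.endswith(ext) for ext in ENCRYPTED_EXT):
            hits.append((path, "encrypted-file extension"))
    return hits

def last_clean(snapshots):
    """Newest snapshot with no artefacts, or None if every point is tainted."""
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if not artefacts(snap):
            return snap
    return None

# Constructed history: day 1 clean, day 2 dropper staged, day 3 encryption under way.
dropper = b"constructed-dropper-bytes"
SNAPSHOTS = [
    Snapshot("day1", 1_700_000_000, {"/data/report.docx": b"ok"}),
    Snapshot("day2", 1_700_086_400, {"/data/report.docx": b"ok", "/tmp/upd.exe": dropper}),
    Snapshot("day3", 1_700_172_800, {"/data/report.docx.locked": b"\x00",
                                     "/data/README_TO_DECRYPT.txt": b"pay"}),
]

if __name__ == "__main__":
    clean = last_clean(SNAPSHOTS)
    print("recover from:", clean.name if clean else "no clean point")
```

Note that the dropper is already present in the day-2 point although nothing has been encrypted yet, so the last clean copy is day 1, not day 2.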
Meanwhile, DataHawk functionality proactively hunts for file system-related activity in enterprise systems, said Blake.
These include file system changes and the dropping of executable files associated with ransomware processes. “Anything that touches the file system,” he said. “Droppers, and temporary files that launch when someone clicks an email, for example.”
Other capabilities include data auditing and classification to understand the likely impact of an attack.
“Compute and storage are becoming commodities,” said Blake. “What’s important is the data. And it’s vital to understand where those assets are. If there is an impact on the system, you need to know what it does.”
“DataHawk leverages data in the data management platform to classify critical data and PII [personally identifiable information] to allow the customer to understand what data has left the business and what impact that might have.”
Meanwhile, Cohesity has also brought Fort Knox cyber-vaulting into DataHawk. This is its take on how to put data beyond the reach of attackers.
For the company, this means vaulting data in the sense of it being invisible on the network. In other words, said Blake, “it can’t be discovered, it is not mounted, but can be recovered to a chosen location”.
Cohesity’s approach contrasts with other suppliers, which use immutable snapshots or the immutable storage functionality in AWS S3 storage.
Cohesity – like other suppliers – only makes such data accessible via multi-factor authentication, but uses the concept of a “clean room” to which data can be mounted before being put back into production.
The company announced its Data Security Alliance at its ReConnect Summit last month. It brings together 12 partner companies with cyber security and data security management expertise, including Palo Alto Networks, Cisco, BigID and Splunk.
Meanwhile, DataHawk is a software-as-a-service (SaaS) offering that combines the company’s Fort Knox data-vaulting service with threat scanning and detection and intelligent data classification into one offering. A customer must purchase DataProtect before adding services such as DataHawk.