In this episode of Infrastructure Matters – Insider Edition, Krista Macomber and Randy Kerns are joined by Jim McGann, Index Engines’ Vice President of Strategic Partnerships, for a conversation focusing on the topic of the convergence of cyber security and storage.
Specifically, their discussion covers:
- Critical capabilities of cybersecure storage systems, including immutability
- The Index Engines – Dell PowerProtect Cyber Recovery solution, which The Futurum Group audited
- New approaches and technology, such as artificial intelligence (AI), that bad actors have been using to ramp up their game when it comes to attacking organizations, and how to keep up
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this webcast. The author does not hold any equity positions with any company mentioned in this webcast.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Transcript:
Krista Macomber: Hello, and welcome to this Insider Edition of Infrastructure Matters. My name is Krista Macomber with The Futurum Group. I’m one of the regular hosts on the show, and I am very excited to have two fantastic guests on the show today. We have Randy Kerns, who is a Senior Strategist with The Futurum Group, and we also have Jim McGann, who is VP of Strategic Partnerships for Index Engines. Randy and Jim, thank you so much for joining today.
Randy Kerns: Always look forward to it, Krista. Thanks.
Jim McGann: Thanks, Krista, for having us. Really appreciate it.
Krista Macomber: Thank you so much. We’re going to talk today about the concept of cybersecurity and cyber resiliency. We’re hearing a lot about that these days with ransomware and just all of these other headlines for all of these cyber attacks that continue to be happening and the influence on the storage market and some new capabilities that we’re seeing emerge.
But before we get there, Randy and Jim, do you want to maybe give a little bit of background on yourselves and your roles, so that way people are just familiar with your particular vantage points?
Randy Kerns: Okay. I guess I’ll go first. I’ve been in the industry a very long time. I do projects typically around strategies for our IT clients, and these are typically to solve a particular problem that is sometimes more expansive. I also do projects with our vendor clients at times about competitive strategies and what’s necessary to really meet the needs of the customers that I work with, so hopefully I can relate what’s real and what’s happening today that’s useful to them. All right. Jim?
Jim McGann: Yep. Thanks, Randy. My name is Jim McGann. I am Vice President of Strategic Alliances with Index Engines. With our CyberSense product, which is our core product today, we go to market through strategic partnerships, mostly OEM partnerships. The reason is that customers really want the capability that CyberSense delivers to be integrated with their storage environments, whether it be primary or secondary storage. So, I’m responsible for bringing those partners to market, and we’ll talk more about that as we get into this.
Krista Macomber: Yeah, absolutely. Randy and Jim, thank you so much. Jim, I think that’s actually a really great segue into the first topic that I thought would be great to touch on. As you mentioned, you and your team do a lot of work with storage OEM partners, and one of the big trends that we’re seeing in that space is the ability to add security capabilities into the storage solution. So, capabilities like immutable storage, for example, that today is just table stakes to try to avoid any tampering with data copies once they’re created. We have access control and a whole bunch of other features that we’re seeing being added. Maybe, I will start with you, Jim. Why do you feel this is important today and what does this mean for you?
Jim McGann: Well, like you said, Krista, a lot of the storage vendors are adding a lot of new features to enterprise storage, really to help protect from malicious activity. So, locking it down, safeguarding it, copying it, hiding it off the network, whatever they can to try to outsmart the bad actors that exist. But no one is focused on the integrity of the data itself. What happens if the data goes bad? A lot of vendors talk about storage resiliency or data resiliency. The definition of resiliency is to recover quickly from difficult conditions. It’s not a flood or a fire. A cyber attack is very different. What we’re focused on with CyberSense is, how do you know the data’s bad? After an attack, how do you know where the good data is versus the bad data? We see from our customers that the security and storage space is merging. The funny thing is when we go to a customer, three or four years ago, you would sit with the infrastructure team and it’s like, “Well, is the security team coming in?” It’s like, “No, that’s a different team. We don’t really work with them.” Now when we go to meetings, we get the storage team, we get the infrastructure and data protection team, and we get the CISOs organization in a meeting.
I think that makes me incredibly happy because that didn’t happen in the past. I know folks like yourself at Futurum are doing research that security and storage are coming together, but we see over the next few years that it’s going to go beyond the table stakes, as you mentioned, and become a critical feature. One of the things that we are looking at is the NIST cybersecurity framework. You can put up a slide now that shows really the framework of, as an organization, can you identify? Can you protect? Can you detect? Can you respond and recover from a cyber attack? Customers often say, “What should we do, or what can we do when we’re attacked?” That’s a good framework to use and CyberSense maps neatly into there and overlays on top of existing storage to add that level of capability and turn enterprise storage more into cyber storage. Does that make sense?
Krista Macomber: Yeah, no, absolutely, Jim, it does. I know when Randy was giving his overview of his role in the team, he alluded to the conversations that we have with customers as well and Randy in particular really leads that charge for us. I know just based on the conversations, Randy, that I’ve been a part of with you. We’ve definitely been hearing that as well in terms of the need to be a little bit more proactive and start to have some of these capabilities built in that not only just lock down the data, but really start to uncover if an attack is occurring and then the ability to, Jim, you were alluding to, respond as quickly as possible, really try to minimize that amount of business downtime and also minimize that amount of data loss. Randy, I guess, anything else you’d add from that perspective?
Randy Kerns: Yeah, there is. Unfortunately, there’s been a lot of promotion about how fast you can restore, how fast you can get data back. But the ones that do that without doing what Jim talked about, doing a forensic analysis of what data’s been altered, you can end up reintroducing the problem. That’s a vicious cycle. So, saying how fast you can restore data is the wrong answer. You really need to go through this process to analyze and figure out what’s been affected and then treat the infection, so to speak. Using some medical term might be nice, but the idea is that you’ve got to remedy that before you go do blind restores.
Jim McGann: Good point, Randy. I think some of the data protection vendors add capabilities, whatever they can, to their data protection solution. But what they’re looking at is the change in compression rates of the data, looking for encryption or changes in file sizes or threshold analysis. Those are very near misses. It’s like, “Hey, we think something happened and you’ll need to go figure it out. Just restore the previous backup and you’re good.” But like you said, the deep forensic analysis allows more intelligence there. If you just want to restore the previous backup, if you’re going to override a bunch of other stuff that hasn’t been infected, you don’t know what’s happening, or you can override Oracle databases or SAP HANA databases and so on. So, I think the important part is not really looking for indicators that something may have happened, but getting a deep level of forensic analysis. That’s really where CyberSense shines. I think, Krista, you’re going to talk about some of the evaluation you did recently on that topic itself, right?
Krista Macomber: Yeah, absolutely. To your point, Jim, Randy and I both, we had the great opportunity earlier this year to evaluate a solution that you guys collaborated with one of your OEM partners, Dell. It’s called PowerProtect Cyber Recovery. What we did was we really audited this solution from the standpoint of cyber resiliency and in particular, resiliency against ransomware attacks. I think the solution that Dell is bringing to the table is very flexible and certainly very robust in terms of the feature set that we deemed to be very critical for optimizing resiliency against ransomware. I think my personal favorite parts was the fact that we got to spend some time with your team at Index Engines and really look at CyberSense. Jim, you bring up some great points because I think it’s a concept that’s been, as you mentioned, promoted a lot in the data protection space. I personally work with a lot of data protection vendors and talking about anomaly detection and the ability to uncover that an attack is occurring. It’s been talked about by most, if not all, of these vendors in this space. I think from the standpoint of CyberSense really having, as you mentioned, that deeper visibility, that was something to me that really stood apart because, to your point, it helps to reduce maybe some of those false positives, so increase the confidence that this does point to an attack, but also, like you’re mentioning, provide that greater visibility into which files have been affected, so that not only, as you’re mentioning, we can hopefully avoid good changes from being overwritten, but also so that we can avoid potentially malicious files from being restored back into production and then reinfecting the environment too.
Jim McGann: Right.
Randy Kerns: One of the things, it’s really a process and that’s what you were trying to get at I think earlier. You can’t short circuit these processes. You’ve got to do it in the right sequence. You’ve got to do the right things. I know there’s people standing behind you yelling, “Is it up yet?” We’ve all been there, but you’ve got to do the right thing.
Jim McGann: No, exactly. Some customers say, “Hey, vendor X or vendor Y has a point-and-click solution to recover from a ransomware attack.” It’s not that easy. It’s a hard problem. You just don’t want to recover backups and recover previous snapshots. You want to understand what happened. It’s the importance of knowing the level of, what’s the blast radius? What’s the forensic-level analysis of what’s happened? You mentioned Dell. Dell is a great partner of ours. We have over 1400 customers worldwide that have deployed this solution out there. The great thing is there are dozens of customers that have this deployed that are recovering on a monthly basis, and they’re the ones you don’t hear about in the press. The Cloroxes and the MGM Grands that are struggling to recover are the ones that don’t have a cyber resilient solution in place. Hopefully, they will soon. What Dell has provided really is a world-class solution, as you said, Randy, to provide that deep level of understanding of what happened to keep data secure and protected. So, it’s really redefined data protection into cyber protection. Again, if customers think data protection is enough for cyber protection, they’re wrong and they should be reading the reports, because it’s not the case. To find out Monday morning when you’ve been attacked is going to be a really rude awakening.
Dell has been a great partner. We do have other partners. Dell has a very specific deployment with their Data Domain, isolated vault. We hear from customers that they’d like to analyze data in production or analyze different types of environments. I know this is really becoming a standard part of production storage, both primary and secondary storage environments, but the beauty of what we can do with CyberSense in the backup environment is to scan backups without rehydrating those backup images. It’s a unique ability that only Index Engines provides. But additionally, scanning can include scanning of snapshots as well, and we have other partners that are coming to market that are scanning snapshots and checking the resiliency of the data in those snapshots, so it’s more of a production environment. The idea is that customers can deploy different levels of solutions both in production and in secondary storage environments as well.
Krista Macomber: I think you bring up a couple of really great points there, Jim. I think to your point, the flexibility there to determine when the scanning is occurring gives a little bit more of a robust and comprehensive view as well, kind of what you’re alluding to. I think it just keeps coming back to the fact that these are not your typical disaster events that we’re used to recovering from. You talk about the blast radius. So, when we think about, for example, an earthquake or a fire or another natural disaster that maybe used to be the bigger concern for disaster recovery, it’s pretty obvious in those instances when the event occurred, specifically what was impacted in terms of systems and data. But that’s just not the case here when we think about ransomware and these other cyber attacks. So, I think that’s where these capabilities really add that value there to the Dell solution and, of course, to the work that you’re doing with your other partners as well.
Jim McGann: I think as we were talking about, this is a very difficult problem to solve. Nobody’s looking at the integrity of data. I know it’s really made possible by artificial intelligence and machine learning, and I think we’re going to talk a little bit about that because I think it’s an important topic. Whereas, if you’re just looking for indicators of compromise, which is change of a file extension or a change of a file size or compression rates of your backup, it’s good, but it’s not the best solution that’s on the market today, which we consider that CyberSense is. But it’s also very much something that can be circumvented. The bad actors are smart and they are using AI and they’re using advanced techniques. When you go into organizations that have a lot of old technology or tech debt that’s there and they’re exposed, instead of focusing on keeping the bad actors out, which is next to impossible these days, it’s focusing on data integrity on a continual basis, so that it’s part of the daily process and the workflow of the organization. If you go to sleep on Tuesday night and wake up to a cyber attack, you know where the data that has integrity is, and you can facilitate an intelligent and rapid recovery. That’s the key to the whole solution.
Krista Macomber: I think that might be a good thread, so to speak, for us to pull here. We’re definitely seeing that these attackers are starting to use AI to do things like generate smarter phishing emails or even adapt their approaches. For example, I’m hearing about these polymorphic ransomware attacks that are changing so that way they’re not detected as easily. Maybe, a good topic for us to conclude on here is maybe some approaches to keep up. I know, Jim, you’ve mentioned a couple of things, but Randy, I’d love to get your perspective too, just in terms of, again, as these attacks are evolving, when we think about AI and things like that, maybe some best practices here to keep up.
Randy Kerns: There’s an important thing to bring up, and I’m sure Jim’s going to tell us about some of these, but the problem is organizations can acquire a new tool, a new product, for example, where they’ve advertised all these capabilities for detection. The reality is that that detection may be okay today, but not tomorrow. Like you were saying, things continue to evolve and change. So, they can’t be lulled into a sense of, “Hey, I’ve done it. I’ve done all I can. Everything’s good now.” You really need tools or systems that continue to evolve as the attacks continue to change, and that’s one of the values I think Jim can talk about with Index Engines. It’s one of the ones that impresses me. Jim?
Jim McGann: I mentioned a lot of vendors may add signature scanning. How difficult is it to change a signature? It’s two seconds and it’s a new signature, and unless you’re getting real-time signatures fed into your system, it’s not going to be detected. They’re looking for specific things or they’re looking for changes of some activity, a lot of behavioral analytics and a lot of network traffic and stuff. The bad actors can spoof that, especially the stuff that’s prevention. The MGM attack in Vegas was done by a phone call to get administrative passwords in, and we’re hearing the threat actors are actually paying employees inside the organization that have administrative permissions a lot of money to pass some of that information. So, how are prevention tools going to help you then? They’re not. What we looked at when we first started with CyberSense is taking a completely different approach and looking at the content of the data, inspecting it, and using analytics that are indicative of changes that these cyber criminals make. So, looking for patterns that are typical of the corruption that cyber criminals do to the data. Doing it on content is very difficult. We know it’s difficult because we’ve done it. A lot of vendors are not doing it because it’s just very challenging to do at scale. So, we do it and we have customers that are doing it across petabytes of information and doing 200 or more data points that are looking at how the data changes over time. So, the snapshot from one day to the next day, the next day, or the backup from day one to day two and how it changes over time.
But all those analytics and all those data points and all those observations create millions and millions and millions of statistics that no human can process. You can’t look at that as a human and say, “Let me make sense of this and figure out if I have a problem with the data.” That’s the beauty of AI. You can feed all that information to it and the machine learning there will process it and come up with deterministic decisions as, “Hey, there’s a problem with the data.” What we’ve done at CyberSense is saying that with 99.5% accuracy, when CyberSense gives out an alert, something happened to your data. So, when you get an alert, you know something’s wrong. Krista, you mentioned earlier about minimizing false positives or false negatives. If you put a system out there that’s constantly giving you alerts that are not accurate, it’s going to be ignored. We know that. They’re not going to take it as credible. With CyberSense, when the customer gets alerts, they know something’s happened. As you mentioned earlier, Randy, about the deep forensic analysis, they could look at the CyberSense dashboard and know exactly what happened. It takes a situation, which is a massive panic mode where you’re getting calls from the CXO or the board members saying, “What happened? Are we back up and running?” to, “I got this. I understand what happened. I know what the blast radius is, I know what was affected. Those servers are offline. I know what backups or snapshots to restore and I’ll be back in production in hours or, worst case, a day or two, versus weeks or months.” That’s really what we focused on as a fundamentally different approach.
Randy Kerns: I think it’s great. I really do. Some of the other approaches just are not really practical.
Jim McGann: Yeah.
Krista Macomber: I think it’s especially important when you think about just all of the different data protection and data security tools that your average given enterprise is using today. I mean, it’s tens or dozens of tools. So, I think from an administrator standpoint, that can cause you to become inundated with all of these alerts. I think, like you say, increasing the confidence really helps to know that this really is a true indication that something has happened and to be able to more quickly drill down into that. Jim, you brought up the concept of false negatives too, making sure that we’re not sleeping on anything either and not missing anything and having it fly under the radar. So, absolutely, very important.
Jim McGann: One of the common misconceptions is that databases aren’t being corrupted by malware, and we hear that from customers. You’ll hear that from your vendor because the vendor isn’t able to do that. Say, “Oh, you don’t need to worry about your database. If it’s corrupted, you’ll know it and just restore the previous one.” That’s a great myth, though the databases could be corrupted. Intermittent encryption inside a database will corrupt random pages inside the database, and databases will run in production with that corruption occurring and customers won’t even know it. So, again, that’s a false negative. All vendors that are doing backup are not inspecting the integrity of databases at all or touching that, whereas CyberSense does that. So, I think it’s important to look at all data, core infrastructure databases, critical user files, and make sure it has integrity. We are the only solution or CyberSense is the only solution on the market that can do that across data that matters to customers.
Krista Macomber: Absolutely. Well, I think considering the fact that we are unfortunately just about out of time here, that’s a great place for us to wrap up our conversation here. We will be sure to include the link to that full report. I mentioned that audit we did of the Dell PowerProtect Cyber Recovery with CyberSense solution. We’ll make sure, again, to link to that here in the show notes. Jim, Randy, this was fantastic. I want to thank you both so much for the conversation today.
Randy Kerns: This is great, but Jim and I could talk for hours on this.
Krista Macomber: Well, we’ll have to have you on again real soon, Jim.
Jim McGann: I look forward to it. Thanks, Krista. Thanks, Randy. Appreciate it.
Krista Macomber: We want to thank everybody for joining us as well. Again, this was an Insider Edition of the Infrastructure Matters podcast. Please make sure to like and subscribe, so that you don’t miss any of our future episodes, especially the ones like this where we get to have on some really great outside perspective. With that, thank you all so much and we will see you on the next one.
Author Information
Krista focuses on data security, protection, and management, with a particular interest in how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget, and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.
Randy draws from over 35 years of experience in helping storage companies design and develop products. As a partner at Evaluator Group and now The Futurum Group, he spends much of his time advising IT end-user clients on architectures and acquisitions.
Previously, Randy was Vice President of Storage and Planning at Sun Microsystems. He also developed disk and tape systems for the mainframe attachment at IBM, StorageTek, and two startup companies. Randy also designed disk systems at Fujitsu and Tandem Computers.
Prior to joining The Futurum Group, Randy served as the CTO for ProStor, where he brought products to market addressing a long-term archive for Information Technology and the Healthcare and Media/Entertainment markets.
He has also written numerous industry articles and papers as an educator and presenter, and he is the author of two books: Planning a Storage Strategy and Information Archiving – Economics and Compliance. The latter is the first book of its kind to explore information archiving in depth. Randy regularly teaches classes on Information Management technologies in the U.S. and Europe.