TECHunplugged analyst Max Mortillaro recently had the opportunity to travel to San Jose, California for Security Field Day 11. One of the presenting companies, Index Engines, focuses on ransomware protection with its CyberSense solution.
IT Infrastructure Chaos – A Hotbed for Ransomware
Index Engines stated that ransomware attacks continue to wreak havoc across industries due to a combination of factors that include vulnerabilities in systems and software, weak authentication and access controls, insufficient endpoint security, the complexity of IT infrastructures and, still on the infrastructure side, improperly configured backups and either poorly tested or nonexistent disaster recovery plans.
Furthermore, weak authentication and access controls and insufficient security awareness training are a blessing for phishing and social engineering attacks. Lately, attackers have even begun using AI technologies to simulate the voices of known persons, when the attack is not carried out outright by an insider working for the organization.
This doesn’t imply that nothing can be done to combat ransomware or data exfiltration attacks. On the contrary, there are many opportunities to improve an organization’s security posture by strengthening security controls across all the areas mentioned above.
Nevertheless, when damage has been done, the only hope left is to recover data from backups. But is that enough?
Data Protection is not Cyber Resiliency
Most organizations assume that having backups in place is sufficient to recover from a cyber-attack. Mature organizations already implement BCDR (Business Continuity / Disaster Recovery) – and no, this article will not go into a detailed description of continuity of business processes vs. operational disaster recovery.
There is, however, one key distinction to be made: operational disaster recovery (commonly called DR) is tailored to address disasters (either natural or man-made) or critical infrastructure failures. In operational DR, production data is most of the time replicated to a secondary site (whether on-premises or in the cloud). When a disaster hits, a procedure is activated to seamlessly switch over to the secondary site, and DR processes then take over. If data must be recovered from a backup, it is assumed that the data is clean and has not been corrupted in any way.
Cyber resiliency is very different. Although it leverages similar technologies (such as backups and data replication), it deals with a potentially catastrophic disaster where the intent of the attacker is to either lock out the organization entirely or wipe out its entire infrastructure. In such cases, there is a very high probability that both primary and secondary locations will be hit. In addition, attackers target the backup infrastructure as a priority to deprive the organization of any possibility of regular data recovery.
TECHunplugged analyst Max Mortillaro recently discussed this topic with Krista Macomber (The Futurum Group, Senior Analyst for Data Protection) and Tom Hollingsworth (Tech Field Day Organizer, podcast host) on the Tech Field Day podcast.
While this article does not intend to deep-dive on cyber resiliency architectures (the podcast linked above provides further insights into this), at least two components are required: a secure, air-gapped data vault with immutable storage (to recover from if the entire infrastructure has been compromised), and an environment to test data and workloads before their recovery.
Unlike orchestrated and almost automated DR failover/failback operations, cyber resiliency recovery activities will require a meticulous analysis of the workloads to ensure they are free from any ransomware.
Cyber Resiliency with Index Engines’ CyberSense
CyberSense stems from Index Engines’ history as a company focused on high-performance, high-ingest data indexing. Currently, Index Engines serves 1400+ customers globally across all verticals, protecting environments ranging from 1 TB up to 40+ PB.
The solution sports a purpose-built indexing engine that is highly scalable and capable of ingesting up to 11 TB / hour over multi-stream connections. True to its legacy in indexing, CyberSense performs content-based indexing of user files, production databases (yes, modern ransomware will not just encrypt the files but will instead look at database tables and pages, and will encrypt or partially encrypt the data itself), and core infrastructure components. The solution is not only capable of parsing a broad set of file types, but it will also look for embedded files and perform recursive scanning, protecting against potentially nested threats.
Figure 3 – An overview of modern ransomware variants, how they evade common analysis software, and how they operate – Source: Index Engines
CyberSense includes an AI-based machine learning model with 200+ content-based analytics and detects corruption patterns due to ransomware (including partial/intermittent encryption, and techniques to reduce entropy).
Data is observed over time; the solution can detect ransomware with a 95% precision when deployed out of the box, but as it observes data and becomes acquainted with the organization’s environment, this accuracy grows to 99.5%.
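To make the detection problem concrete, the following is an added illustration written for this article (it is not CyberSense code and does not reproduce its models). It scans a constructed CSV log in fixed-size blocks and contrasts an entropy-only detector with a simple content-based check: intermittent encryption shows up only at block granularity, and base64-encoded ciphertext (an entropy-reduction trick) slips past the entropy threshold entirely but fails the content check.

```python
import base64
import math
import random
from collections import Counter

BLOCK = 512          # scan granularity: intermittent encryption only touches some blocks
HIGH_ENTROPY = 7.0   # bits/byte; plain text sits near 4, ciphertext approaches 8

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_verdict(data: bytes, block: int = BLOCK) -> str:
    """Entropy-only detector. Scores full blocks only (a short tail block has capped entropy)."""
    hot = [shannon_entropy(data[i:i + block]) >= HIGH_ENTROPY
           for i in range(0, len(data) - block + 1, block)]
    if not any(hot):
        return "clean"
    return "encrypted" if all(hot) else "intermittent"

def content_verdict(data: bytes) -> str:
    """Content-based check for the constructed CSV log format: ASCII text, 4 fields per line."""
    try:
        lines = data.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return "corrupted"
    return "corrupted" if any(ln and ln.count(",") != 3 for ln in lines) else "clean"

# Constructed samples (not real customer data); 512 lines x 27 bytes = 27 full blocks
rng = random.Random(7)
CLEAN = b"".join(b"2024-05-%02d,host%02d,login,ok\n" % (d % 28 + 1, d % 10) for d in range(512))
FULL = bytes(rng.getrandbits(8) for _ in range(len(CLEAN)))        # stands in for ciphertext
# Intermittent encryption: every third block replaced by ciphertext, the rest left readable
INTERMITTENT = b"".join(FULL[i:i + BLOCK] if (i // BLOCK) % 3 == 0 else CLEAN[i:i + BLOCK]
                        for i in range(0, len(CLEAN), BLOCK))
# Entropy reduction: base64-encoded ciphertext never exceeds 6 bits/byte
LOW_ENTROPY_CIPHER = base64.b64encode(FULL)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("full", FULL),
                       ("intermittent", INTERMITTENT), ("base64 cipher", LOW_ENTROPY_CIPHER)]:
        print(f"{name:14} whole-file={shannon_entropy(blob):.2f} "
              f"entropy={entropy_verdict(blob):12} content={content_verdict(blob)}")
```

The whole-file entropy of the intermittently encrypted sample stays below the threshold, which is why a per-block view and format-aware validation are both needed.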
The company recently released CyberSense 8.6, which adds support for RHEL 9.2 and PostgreSQL scanning for corruption. It also boasts an enhanced CyberSense management interface providing alerts, hosts, backups, and settings pages. Finally, a new threshold feature was added to generate alerts on unusual or suspicious activity.
A new “cyber sensitivity” index was added, showing the probability that a given host’s data has corruption indicative of a ransomware attack. This score is derived from multiple AI analysis models, and organizations can throttle it to control its sensitivity.
TECHunplugged’s Opinion
CyberSense is an interesting solution that TECHunplugged has had the opportunity to evaluate in previous research activities. It combines unique detection capabilities with advanced indexing and in-depth scanning, complemented by comprehensive validation of data integrity including files, databases, and core infrastructure.
The company partners with OEM vendors to integrate CyberSense with the vendors’ offerings. It is currently available through three vendors: Dell PowerProtect, Infinidat InfiniSafe, and IBM Storage Sentinel.
Although it offers strong capabilities, the company focuses exclusively on ransomware detection and recovery testing. While this is already laudable, organizations expect much more, and there is low-hanging fruit to be explored, such as the ability to pinpoint whether an insider is performing suspicious activities.
Going beyond simply reporting a spike in activity and instead providing organizations with additional context (for example, the user identities involved) would greatly benefit Index Engines and organizations alike.
As competitors continue to enhance their cyber resiliency capabilities, Index Engines still has a leading edge when it comes to advanced detection capabilities, but the company needs to start looking at enhancing its solution with adjacent capabilities to further demonstrate leadership and innovation in a hot and competitive market.
Additional Resources
Check out Tech Field Day website for Security Field Day 11 presentations and videos.
Also, check out TECHunplugged’s review of Prisma Cloud’s presentation at Security Field Day 11:
Disclosure: Max Mortillaro was invited to Security Field Day 11 by Tech Field Day, a Futurum Group company, and had his travel and accommodation expenses covered. TECHunplugged was not compensated by Tech Field Day or any presenting companies and has no obligation to create content.