#vmworld
Ransomware Threat Recovery Using Rubrik Polaris
Andrew Miller, Rubrik
Jason Nash, Rubrik
SAI3712BUS
#SAI3712BUS
VMworld 2018 Content: Not for publication or distribution
Security Attacks Happen
Ransomware attacks are growing more than 350% annually
71% of enterprises have fallen victim to ransomware that successfully bypassed security measures
Source: Cisco 2017 Annual Cybersecurity Report
Source: Barkly Inc. Survey
What Our Customers Are Saying
• “Rubrik is the perfect mix of on-prem and cloud offerings. While many people talk about the cloud because it's cool, Rubrik is truly delivering the value and promise of the cloud.”
• “A product that adds immediate value with almost zero configuration effort – that’s huge.”
• “Radar is a real value add. We already have Rubrik running on backups. Now, we just toggle this on, and we have visibility immediately into files we couldn't monitor before.”
• “UI is very clean and straightforward. It's clear what was impacted, we can drill down and go granular, and restore instantly. Rubrik takes a previously manual, laborious process and makes it super simple.”
• “This is why we chose Rubrik over <****>...drives greater value.”
Jason Nash
Tweet @ thejasonnash
Blogger @ jasonnash.com
I have a job! @ Rubrik.com (Field CTO)
Background: & Partner
Certs: VCDX (2x), CISSP, etc.
Andrew Miller
Tweet @ andriven
Blogger @ thinkmeta.net
I have a job! @ Rubrik.com (Technical Marketing)
Email: [email protected]
Background: years customer + 8 years partner.
Certs: Lots of Random Ones
Agenda
*Demos
Ransomware Landscape
Foundation – Rubrik Cloud Data Management
Polaris – Platform, GPS & Radar
Ransomware Landscape
ran · som · ware /ˈransəmˌwe(ə)r/
noun
a type of malicious software designed to block access to a computer system until a sum of money is paid.
Base Definition
We’ll make it fast.
• Malware that typically infects endpoints (laptops, etc.)
• Spread via browser vulnerabilities (malicious pages), e-mail attachments
• Encrypts local filesystems and attached network mounts
• Targeted attacks on individual storage vendors plausible – immutability will come into play over time.
• (Previous) Best known name = Cryptolocker
Demo!
Can’t ignore this…
The world has gotten scarier. And it’s not slowing down…
What’s New
• ZDNet – 2016 = $1B Cost
• 2015 = $24M
• 2017 = $5B to $10B
• Confusion – FBI Recommendation & About Face
• High Profile Targets – SF Muni, Education, Healthcare, many more.
• Challenges are not just 1) Data Accessibility but 2) Speed of Restore.
• Not If but When – Why?
What’s New
Maturing Market
• RaaS Kits – Ransomware as a Service Kits
• Market Segmentation
• Customer Service Improvements
• Reliable Payment Model – Bitcoin Impact
This is a maturing business that competes with YOU.
Classic Defense Recommendations
Operational Overhead?
1. Education
2. Antivirus, Patching, Filtering
3. Insurance
4. Data Protection - Backups
Complexity is the Enemy of Reliability
Whatever you do. Whatever you buy. Simplify your Architecture & Expect More.
Key Solution Components
What we’ve seen that makes a difference…
1. Reliability of Data Recovery
a. Simplicity of Setup + Day to Day Operation
b. Immutability of Snapshots
c. Accelerated Detection
2. Speed of Data Recovery
a. Speed of restore via Live Mount and Polaris Radar
b. Automation/API to enhance Restore Capabilities
Foundation - Rubrik Cloud Data Management
Data Management: 1990s to Present
Data Management: 2000s to Present
[Diagram labels: Backup & Replication Software, Backup Storage, Backup Software, Backup Servers, Backup Proxies, Replication, Catalog Database, Tape, Off-site Archive, Dedupe Metadata]
Meet Rubrik Cloud Data Management
Software fabric for orchestrating apps and data across clouds. No forklift upgrades.
[Diagram labels: Backup Software, Backup Servers, Backup Proxies, Replication, Catalog Database, Tape, Off-site Archive, Backup Storage, Dedupe Metadata, Private, Public]
How It Works
Quick Start: Set up in minutes. Auto-discovery.
Automate: Intelligent SLA policy engine for effortless management.
Rapid Ingest: Parallel ingest accelerates snapshots and eliminates stun. Content-aware dedupe. One global namespace.
Instant Recovery: Live Mount VMs & SQL Server. Instant search and file restore.
Secure: End-to-end encryption. Immutability to fight ransomware.
Cloud: Archive to the public or private cloud with CloudOut. Adopt the cloud for DR or test / dev with CloudOn. Protect apps in cloud with CloudCluster.
[Diagram labels: Primary Environment, SLA Policy Engine, Log Management, Private, Public, NAS, AHV, Hyper-V, VMware]
Demo!
Your Data Center Today
[Diagram labels: Production Servers, SAN, Backup Proxy, Backup Server, Search Server, Disk-Based Backup, Tape Archive, Offsite Tape Vault]
Rubrik Simplifies Your Data Center
[Diagram labels: Production Servers, SAN, Scale Out, Scale Out Rubrik, Replication + Long-Term Retention + Search, Private]
End-to-End Encryption
Data Security
• Source/connector to cluster
• Node-to-node
• Cluster to cluster
• Cluster to other storage tier
• In-flight using TLS protocol
• At-rest with AES-256 to FIPS 140-2 Level 2
[Diagram labels: Main Site, DR Site, Virtual Workloads, Databases, File Servers, Key Mgmt (TPM or KMIP-compliant server), Private Object Storage, NFS, Tape, Public Cloud]
Review - Key Solution Components
What we’ve seen that makes a difference…
1. Reliability of Data Recovery
a. Simplicity of Setup + Day to Day Operation
b. Immutability of Snapshots
c. Accelerated Detection
2. Speed of Data Recovery
a. Speed of restore via Live Mount
b. Automation/API to enhance Restore Capabilities
Rubrik Polaris
Platform & GPS
Introducing Polaris SaaS Platform
• The challenge: Cloud fragments everything
• A unified system of record brings all business apps and data together on a common platform
• Polaris offers a new class of data mgmt apps via open APIs
• Apps address data control, policy, information governance, security, data intelligence
GPS: Multi-Cloud Control and Policy Mgmt
Navigate your global environment
Global dashboard | Custom analytics and reporting | Global system activity
[Diagram labels: On-prem, Edge, Cloud]
Demo!
Rubrik Polaris Radar
The Next Polaris Application
Security Attacks Happen
Ransomware attacks are growing more than 350% annually
71% of enterprises have fallen victim to ransomware that successfully bypassed security measures
Source: Cisco 2017 Annual Cybersecurity Report
Source: Barkly Inc. Survey
When an Attack Happens, It’s Hard to Bounce Back Fast
Prevention | Resiliency
Recovery: Restore as quickly as possible
Analysis: Understand impact of an attack
Detection: Identify all strains of ransomware
Defense in Depth Integrates Prevention with Resiliency
“An effective response to the ransomware threat must be a holistic and multilevel one — reducing the likelihood of a successful attack to the bare minimum, while simultaneously ensuring the ability to recover from an unprevented attack.”
Source: Gartner, “Use These Five Backup and Recovery Best Practices to Protect Against Ransomware.” June 2016.
Introducing Radar: Recover Faster. Stay Smarter.
Complement your layered approach to security by increasing resiliency against ransomware. Radar accelerates recovery by providing organizations deep intelligence on the impact of an attack.
[Diagram labels: Holistic Ransomware Response, Prevention, Resiliency]
Recover Faster: Minimize downtime. Restore to the most recent clean state with just a few clicks.
Increase Intelligence: See how your data has changed to quickly identify what was impacted where.
Leverage machine learning to detect and alert on anomalous behavior.
Under the Covers – How Radar Works
Multi-level Defense
A Multi-Level Defense: How Radar Works
ANALYZE THREAT IMPACT: Prevent data loss with granular visibility into which applications and files were impacted.
ACCELERATE RECOVERY: Minimize downtime by replacing time-consuming processes with clicks.
DETECT ANOMALIES: Leverage greater insights on suspicious activity to accelerate detection.
Stay Ahead of Threats with Machine Learning
Detect Anomalies
We apply behavioral-based detection on application metadata to send alerts on unusual change activity. By using machine learning, we can detect new strains of ransomware.
The Architecture
1) Snapshot taken of VM and indexed
2) Index “diff’d” against previous snap
3) Diff Index sent to Polaris for analysis
NOTE: Data never leaves the Brik, just metadata
Our Anomaly Detection Model
ML Model learns baseline behavior:
11 PM Mon: 10 Files Added, 20 Files Modified, 4 Files Removed
11 PM Tues: 8 Files Added, 23 Files Modified, 6 Files Removed
Detect anomalies and alert as they come in:
11 PM Wed: 2032 Files Added, 1321 Files Modified, 2032 Files Removed
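The flow on the architecture and anomaly-model slides (diff a snapshot's file index against the previous one, then compare the change counts with a learned baseline), as an added example that is not Rubrik's code or model. A median/MAD score stands in for the ML model; the index layout, the extra baseline nights, the sample paths and the threshold are assumptions.

```python
from statistics import median

def diff_index(prev, curr):
    """Compare two snapshot indexes (path -> (size, mtime)); metadata only."""
    added = sum(1 for p in curr if p not in prev)
    removed = sum(1 for p in prev if p not in curr)
    modified = sum(1 for p in curr if p in prev and curr[p] != prev[p])
    return {"added": added, "modified": modified, "removed": removed}

def robust_scores(baseline, today):
    """Per-metric distance from the baseline median, in MAD units."""
    scores = {}
    for key in ("added", "modified", "removed"):
        values = [night[key] for night in baseline]
        med = median(values)
        # MAD of 0 means a perfectly flat baseline; fall back to 1 to avoid /0.
        mad = median(abs(v - med) for v in values) or 1.0
        scores[key] = abs(today[key] - med) / mad
    return scores

def is_anomalous(baseline, today, threshold=10.0):
    """Alert when any change count sits far outside the learned baseline."""
    return max(robust_scores(baseline, today).values()) > threshold

# Baseline nights: Mon and Tues are the slide's figures; the rest are constructed.
BASELINE = [
    {"added": 10, "modified": 20, "removed": 4},   # 11 PM Mon (slide)
    {"added": 8,  "modified": 23, "removed": 6},   # 11 PM Tues (slide)
    {"added": 12, "modified": 18, "removed": 5},   # constructed
    {"added": 9,  "modified": 25, "removed": 3},   # constructed
    {"added": 11, "modified": 21, "removed": 7},   # constructed
]
WEDNESDAY = {"added": 2032, "modified": 1321, "removed": 2032}  # 11 PM Wed (slide)

# Constructed indexes: one file rewritten under a new name, one edited in place.
PREV = {"/docs/a.docx": (1200, 1), "/docs/b.xlsx": (800, 1), "/docs/c.txt": (50, 1)}
CURR = {"/docs/a.docx.locked": (1216, 2), "/docs/b.xlsx": (816, 2),
        "/docs/c.txt": (50, 1)}

if __name__ == "__main__":
    print(diff_index(PREV, CURR))
    print(robust_scores(BASELINE, WEDNESDAY), is_anomalous(BASELINE, WEDNESDAY))
```

A file rewritten under a new name shows up in the metadata diff as one add plus one remove, which is why matching added and removed counts are worth alerting on.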
What happens post anomaly detection?
1) Email alert sent to user
2) Radar inspects snapshot for encryption
NOTE: Data never leaves the Brik, just metadata
3) Results uploaded to Polaris
4) User informed of results (in Polaris UI)
Prevent Data Loss with Intelligent Data Analysis
Analyze Threat Impact
Visualize how an attack impacted your entire system with a detailed view of file content changes at the time of the event. Drill-down to investigate what changed at the file-level.
Minimize Downtime with Fast Restores
Accelerate Recovery
Simply select all impacted resources, specify the desired location, and restore the most recent clean versions with just a few clicks. Rubrik automates the rest of the restore process.
Demo!
Benefits
Features                                       Before Radar   After Radar
Immutable backups                              ✓              ✓
Fast recovery                                  ✓              ✓
Machine learning-driven detection                             ✓
Data analysis on threat behavior and impact                   ✓
Granular recovery with just a few clicks                      ✓
Use Radar to Recover Quickly From Any Security Incident
Ransomware: Recover faster from cyber attacks with deeper insights on how malware impacted your entire environment.
Insider Threat: Identify and restore in the event employees, contractors, or business associates modify or delete sensitive information.
Event Monitoring: Monitor 24/7 for unexpected change rates. Get alerted to accidental user deletion or excessive file growth.
What Our Customers Are Saying
“As a legal institution, the safety of our organization’s data is always top of mind. That is why I am excited about the release of Rubrik’s Radar application that can augment our security stack while providing faster and simpler recovery workflows. Rubrik continues to integrate security with data protection, ensuring that all our backed up data is safeguarded from an attack.”
– David Comer, Senior Network Engineer
What Our Customers Are Saying
“When we were hit by ransomware a few years ago, we leveraged Rubrik’s fast recovery and APIs to recover in under an hour with zero data loss. Today, ransomware is much more sophisticated than it was a few years ago. With Radar, we could leverage its data intelligence to alert us on suspicious behavior and better understand what was impacted at a granular level.”
– Matthew Day, CIO
Key Solution Components
What we’ve seen that makes a difference…
1. Reliability of Data Recovery
a. Simplicity of Setup + Day to Day Operation
b. Immutability of Snapshots
c. Accelerated Detection via Polaris Radar
2. Speed of Data Recovery
a. Speed of restore via Live Mount and Polaris Radar
b. Automation/API to enhance Restore Capabilities
Questions?
Answers!
Don’t Backup. Go Forward.
THANK YOU!
#vmworld #SAI3712BUS