VeeamON Resiliency Summit 2023 Keynote
In 2023, innovation fueled every industry from renewable energy to space travel, all powered by data. The world runs on data. It's worth more than oil, and inherent value brings inherent risk. Natural disasters, accidents, and ransomware attacks are increasingly prevalent.
Years of globally impactful work can be erased in an instant. But, not with us. With Veeam, your enterprise becomes radically resilient. We give you the power to restore any workload anywhere, anytime, instantly, so you can meet every challenge head on.
There's a reason over 80% of Fortune 500 companies work with us. We provide comprehensive recovery with tailored solutions that scale with you. When you partner with the global leader in data protection and ransomware recovery, you can bounce forward. Veeam: Radical Resilience starts here.
- Welcome to our first ever VeeamON Resiliency Summit. I'm Anand, representing 5,000 Veeamers, and it's my absolute pleasure to kick things off today. But before we dive in, let's start with a question from the past, from as far back as 1983. What would you have answered to this question? "Shall we play a game?" Yes, no, nothing at all? The correct answer of course, was nothing at all. That meant you would not have been phished.
Many of you will recognize that question. It was from the film "WarGames," which came out in 1983, a film which brought concepts like hacking, IT, and cybersecurity to the forefront for the very first time, likely the world's first and most famous computerized phishing attempt. It's hard to imagine that it's been 40 years since this cult classic graced our screens, and actually, it is even more relevant today.
Threats have gotten a lot more complex, a lot more intricate, more devious, more commonplace. Now, a few months back, I shared the highlights of Veeam's survey of over 5,000 companies around the world. This was back in May at VeeamON.
Now let me reshare some of them because if anything, the trends we shared actually keep accelerating. We talked about how 85% of you had suffered at least one attack in the past year. A full 93% of you shared that the cyber attacks actually targeted your backup repositories first. And 75% of you told us that you lost some of your backups. 40% of your data was encrypted during the attack.
Think about it, two out of five file servers, two out of five databases or applications, two out of five mailboxes. Let that sink in. That's like losing two out of five of your kids' pictures. You can't go back just like your business data. That's why most people get cornered into thinking that the only way out is paying the ransom. In the world we live in, ransomware attacks are not about if or even when for your business, but it's about how often.
This is a very real problem. And resiliency, the ability to recover instantly with no data loss, is the name of the game. Now, our inboxes and news feeds have been full of headlines every single day for months on end. Cybersecurity is an everyday battle. That's why Veeam is committed to this challenge every single day. So today, while I'd love to be talking to you about how Veeam is the number one market leader in data protection and ransomware recovery; or how Veeam leads in virtualization for years now; or how we lead in cloud and hybrid workloads from AWS to Azure and Google Cloud; or are number one market share in Microsoft 365, protecting more than 17 million Microsoft 365 users to date; or about the best Kubernetes backup solution in the industry with Kasten, not to talk about backup for Salesforce, which is actually becoming our fastest growing offering ever.
What I really want to talk to you about is how Veeam can help dramatically improve your cyber resiliency. It's about how quickly you can recover with no data loss. And this has been Veeam's first principle since our inception, even before ransomware became the thing to worry about. Veeam's innovations, like Instant Recovery or Secure Restore, were centered around recovering instantly with no data loss, no matter what the reason for it. And we started this journey 15 years back, because our belief is that backup is a process and we are the best at it. Ransomware is an event.
But really, rapid, safe recovery is the critical outcome for any cyber incident and it's foundational to Veeam's journey and it has been an integral part of our brand, of our mission and our purpose. Our focus is, has and always will be on you. While we are proud of our journey, we know that it's your trust, it's your partnership that has led us here and that's why our mission is very simple. It is to keep your business running. It is to ensure that when challenges come about, you don't just recover, you thrive. We want every company in the world to not just bounce back from an outage or data loss, but to bounce forward.
And we call that at Veeam, Radical Resilience. We want to help you recover, but we also care about what happens after. Veeam provides the shortest gap between incident and recovery, keeping your business running, growing and moving ahead. Resilience is about bouncing back, but Radical Resilience is about bouncing forward. So for today's summit, Team Veeam has a lot to share. Joining us is Markel, an insurance provider.
Like Veeam, they are right there for their customers at their time of need, the ultimate in resilience, and a fitting backdrop to the introduction of a new program, Veeam Cyber Secure. Now, what Veeam Cyber Secure does is it gives you direct access to our team of cyber resilience experts before, during, and after any incident. It really provides you with a critical peace of mind that you need and deserve. We will also be talking about a groundbreaking work with the Defense Information Systems Agency or DISA, part of the US government.
We got on the DoDIN APL, the Department of Defense Information Network's approved products list. It is a big deal. We secured the common criteria cybersecurity certifications, and these are not just milestones for the sake of it. It actually underscores the trust placed in Veeam by the US government and many other international entities, because trust is the bedrock of a public-private partnership.
Resiliency can only be attained through the highest levels of security and compliance. Now, a lot of our customers have also told us they would really like to rely more on Veeam for the needed skills and talent to protect the data, to bring the right level of resilience and cyber focus, and to just have Veeam manage the entire infrastructure for them. Now, driven by this customer feedback, we just announced Cirrus by Veeam, Veeam's BaaS offering, backup as a service, starting with Microsoft 365 and Microsoft Azure, and coming soon to many more workloads. Now we offer customer choice, operate the solution in their own data centers, leverage our VCSPs, or count on Veeam directly.
So Cirrus by Veeam for us is yet another addition to meet the customers where they are and where they want us to be. I'm also excited today to announce our partnership with Sophos, because resiliency is not something you achieve alone. Our ecosystem grows along with us each and every day.
Sophos is a name synonymous with cutting-edge cybersecurity solutions, helping companies make sure that data remains uncompromised, accessible and resilient. Expect to hear more details shortly today. With Radical Resiliency at its core, we are super excited to share details about the new releases of Veeam's Data Platform 23H2 and the new Veeam Backup & Replication 12.1 release.
Now Danny and Anton will go through a lot of details, so without much further ado, to help us deep dive into the new releases and the new capabilities, our tech maestro, Veeam's CTO, Danny Allan. Alright, Danny's in the house.
- That is awesome, Anand. I am so excited to be here, especially in the face of these rapidly increasing threats that we're seeing all around us.
- Absolutely, and, you know, one of the things is, I wake up every single day to these relentless headlines on hackings and ransomware breaches and...
So what's happening, Danny?
- You're right. There's this rapidly increasing threat landscape that we're facing and that is everything from more targeted ransomware attacks, to more sophisticated data encryption techniques that we're seeing and we're also seeing an insider threat inside the organization. So it's a very multifaceted threat landscape that we're facing.
- Absolutely agree with that. Now, I've heard you say one phrase when you sit down with customers all the time and it really resonates. You talk about threat, team, and tech.
Tell us more about it.
- Well, the threat, as I said, is continuing to exponentially increase. And for us, that's about continuous monitoring and threat intelligence and we're putting that into the platform. The technology of course, is where Veeam shines. We excel here, we're very focused on making sure that we have multi-factor authentication, immutable data and sandboxing techniques to ensure the integrity of our customers' data. And then of course the team, it's about rapid incident response.
And so we use AI-driven technologies and automation to ensure that our customers can react to the problem as fast as possible.
- I can't wait to hear you share more of this with everybody here. Take it away Danny.
- Thank you. So, today, to kick this off, we have a very special lineup that we're eager to share.
We have with us Bryan Seely, ethical hacker, cybersecurity expert, author and former US Marine. Bryan is passionate about consumer privacy and staying safe in a constantly changing technology landscape. Bryan, thanks for joining us here today.
I am so excited to hear about your expertise and very unique perspective on how critical cybersecurity is in technology today.
- Well, I'm very excited to be here. I am Bryan Seely, I'm a cybersecurity expert and ethical hacker, and today I'm giving you five things you should know before your next cybersecurity attack. First thing, paying the ransom. It's an option, definitely one way to go.
I would prefer not to have that be the choice. Lots of companies end up paying the ransom, and I don't blame 'em, some of 'em are multi seven, eight digit ransoms that they pay, but how many of them actually get their data back? If the data's been stolen and used for ransom and then they actually ransomware your stuff, it's a whole nightmare. Cyber insurance might not pay. You have statistics all over the place. 20% don't get their stuff back, 55% try to pay for the ransom and they actually get stuff back, who knows? It could be a huge nightmare. Colonial Pipeline was a perfect example of that.
They had backups, they paid the ransom, and it still didn't get all their data back and it took longer than it would've taken to restore everything. The best approach is to have proper backups that are not available to be intercepted, destroyed. I think we call it immutable. Basically, it can't be rewritten.
Kinda like when you burned a CD back in the '90s. Hackers, oh, like to do things the easiest way possible. So, once they breach a company, they're a pretty sophisticated organization, they will try to put a backdoor in. That's almost always the first step is maintain a back door, a back way to get in.
So if they kick you out, they reboot a machine, you didn't lose all your work. They don't like having to do things twice. So, they can hack you again. So if they know you're gonna pay a ransom, they'll probably come back for repeat business. I mean, it's good business sense, I guess.
You see companies two, three times in the news, same company six months down the road. Well, it might not be a new breach. It's very hard to get rid of a backdoor in a very large organization. Rebuilding doesn't happen overnight. So if you are going to defend yourself properly, it's gonna take a lot of work and it can't all be done in one day. Meticulous planning, critical.
You need people who are obsessed with the security because their goal is money and all they have to do is get it right once. You have to get it right 100% of the time. So, you're competing for different ends. A lot of people, they get off at 5:00, commute home, have their kids. These hackers, sometimes they're teenagers, they've got no responsibilities other than try to break in. And they're successful a lot.
So you have to outsmart them. They're not going to do the crazy long to-do list. They're gonna go after an easier target.
You want to be the person swimming away from the shark who's not the slowest, I guess, is the way to put that. Another thing hackers are, they're pretty resourceful and they realize going after you through the firewall or finding a zero day is not the way to do it. That's the hardest way possible. The technical sophisticated, what you see in movies, that's not the most common way actually.
The most common way is through people, through tricking somebody. Just a simple con, but most of it's via email. Somebody clicked on a link they knew they probably shouldn't have, but it didn't go to the CEO's email, it went to the CEO's personal email where at home he doesn't have all the sophisticated equipment, he doesn't have all the amazing things that a Fortune 1000 would have.
He hasn't even taken his home address off of whitepages.com or all of the other directory sites. And if you're not in Europe and you're in the US, your data's all over the internet and it's really hard to get rid of it, especially in one day. So you have to do advanced planning.
You've gotta get rid of anything that can make you a target. And if you're a C-level, you are a target, period, whether you wanna believe it or not. Hackers are jerks, let's just call it like it is. They will go after your backups immediately upon breach because that's the first thing you're gonna go to to try to restore to make it like it didn't happen. Cyber insurance, they wanna make sure you have proper backups, they wanna make sure you're compliant with endpoint protection and all these different things. Everyone's looking at the backups.
Did you do 'em properly? Well, if you can access 'em at all times, then no. No you didn't. And if the hackers can get in, they'll get them faster because they'll learn your environment better than you did. It's the first thing on the list, 90 plus percent of the time. Why are we waiting? If it's not done, get it done.
Then lastly, the most important asset you have, it's your staff, your employees. If you're burning them out, but you're taking care of all your processors and your hard drives and you've got redundant everything, these people are irreplaceable. You get people burned out, they feel unappreciated, they are tired, overworked, they lose drive and it affects their personal life, that affects their work life and it doesn't take that much to avoid that. So pay attention to your people, self-care routines, sleep, proper backup so if they go on a vacation, they're not constantly emailing while they're gone. So many different things. I am very excited for an AMA that we'll be doing with Veeam in the coming weeks.
And with that I'm gonna hand it back to Danny.
- That was exceptional. Thank you, Bryan. I love the focus on people and the wellness of ourselves and I never considered that paying the ransom did not guarantee a fast recovery, but it does make sense. You might still be stuck with a slow recovery and that's stipulating that paying the ransom even allows you to recover. Veeam research has shown that this doesn't even work 21% of the time and paying the ransom certainly doesn't provide resiliency.
Resiliency, that is our core focus and reason for being here today. And what is it? Resilience is simply the ability to either withstand or to recover quickly from challenges. As an industry, we have proven that our organizations are frequently not resilient to the emerging threats and existential business challenges of our time.
And we have seen that the threat landscape continues to evolve with new threat vectors and malicious activity, threatening our businesses, employees and our data on a daily basis. Specifically, we have all seen the alarming increase in malware attacks over the past year, most notably in the form of ransomware. According to a comprehensive study by Veeam in 2022, 76% of organizations were hit by a ransomware attack and this increased to 85% in 2023 with two thirds of those organizations being hit more than once. And cyber criminals are also getting smarter and specifically targeting backups. In our 2023 ransomware trends report, we saw that 93% of ransomware attacks targeted the backups, with 75% being at least partially successful in deleting or destroying some of them. Do you know why the threat actors are targeting the backups? You're more likely to pay the ransom.
In fact, our ransomware SWAT team has determined that this is one of the very first actions of the attackers, the first indicator of compromise, certainly before deleting or encrypting files and spreading malware around the network. IT and security experts alike know that the critical resiliency strategy must be a good clean backup that you can access at any time and from anywhere. But at Veeam we take this even further and we believe that backup is your best line of defense. This is because, as Anand mentioned, it's not a question of if you'll be attacked. It's not a question of when you'll be attacked.
It's a question of how many times. It's a realization that given sufficient time and resources, every environment can be compromised. And we know that when your primary data and your backups are encrypted or destroyed during an attack, you can't recover.
And let's be honest, when you can't recover, you go out of business. So you're probably wondering, what can I do to prevent this? Or how do I make sure that my teams and company are prepared, especially when we live in a world where trust is not enough? The concept of Zero Trust dictates three things. One, we must assume breach. Two, we need to explicitly verify critical user and API interactions.
And thirdly, we must enforce least privileged access. These Zero Trust principles have always been core to Veeam and set a north star for how we ensure that your data is secure, protected, and available within the Veeam Data Platform. Let me give you an example of this. Veeam has designed our platform to assume breach, to assume the attackers would sometime get into the backup software. This means that the Veeam backup storage has Zero Trust of the Veeam backup application.
This is both powerful and unique in the industry. Even if the entire operating system and software stack is completely compromised, we provide guaranteed recovery from the hardened and immutable backup repository. Just download Veeam Community Edition and you can be back up and running. In addition to your IT teams and a Zero Trust backup software architecture, your cybersecurity teams complement these efforts by detecting, monitoring, investigating, and responding to threats through their XDR, that stands for extended detection and response systems, and SIEM, security information and event management tools, but it's not enough.
At Veeam, we understand how critical it is for cybersecurity and IT teams to align and partner to ensure your information and data is not only protected and secure but clean and easy to recover. We help you unify your teams to combat the relentless threats of malware. Built on the principles of data security, data recovery, and data freedom, Veeam is providing you the confidence you need to take a stand against cyber attacks. Today I am excited to announce the new Veeam Data Platform 23H2 Update, reducing incident response time with proactive threat hunting for your backups. Integrating SIEM, YARA and NIST cybersecurity best practices, Veeam keeps your business running.
Firstly, our new built-in AI-powered malware detection engine, this brings malware detection earlier in the lifecycle, closer to the attack with real-time detection during backup. This new feature allows your security team to shift to proactive threat hunting thanks to backup anomalies being immediately reported to your SIEM or ServiceNow. And, you can get a second opinion before you recover from your trusted SIEM tool that accurately marks recovery points as clean, infected, or suspicious using our completely new Veeam Incident API.
Secondly, we know that reinfection is a top concern of your IT and cybersecurity teams after an attack. With the new Veeam Data Platform 23H2 Update, your teams can leverage YARA content analysis to recover clean the first time. Now, what is YARA? It's a silly term because it stands for "yet another recursive acronym," but it's simply an open source model to help malware researchers identify and classify malware. Within the Veeam Data Platform, our YARA content analysis uncovers and confirms identified ransomware strains in your backups with pinpoint precision to avoid reinfection.
Additionally, our new I/O anomaly visualizer makes your team aware of potentially anomalous disk activity during backup and using Continuous Data Protection or CDP, you can now roll back to the moment before infection with split second precision, and we know that every second counts after an attack. Ensure your teams are using tested, orchestrated recovery from an industry leader. Finally, our new platform release ensures your organization has a secure foundation and avoids the most common security mistakes when it comes to configuring backup with an enhanced security and compliance analyzer using known best practices to mitigate against ransomware and other cyber attacks. Couple this with our new "Four-eyes" principle. This reinforces your best line of defense, your people, by preventing accidental or malicious deletion of your backups, guaranteeing your organization's survival. And when it comes to battling cyber criminals, we all know that the best way to defeat a hidden threat is to shine a light on it.
Perhaps one of the things that I am most excited about is our completely new Veeam Threat Center. We pull insight from the entire platform and infrastructure, combine this into a single pane of glass, identifying threats, highlighting risks, and providing you with a simple and powerful security scorecard for your entire data protection environment. As I shared earlier, technology is only one part of the equation. Your people and process are just as important to improving security maturity across your enterprise.
In our 2023 Ransomware Trends Report, 60% of organizations noted that they need a complete or significant overhaul between their backup and security teams. And I believe that today's product announcements bring you one step further to unifying IT and cybersecurity teams, and together we can turn the tide against cyber threats. But let's take these concepts and understand how they work. And in order to do this, we need to introduce the father of Veeam Backup & Replication, our Chief Product Officer, my friend, Anton Gostev.
Anton, over to you.
- Thank you, Danny, and welcome everyone to the Resiliency Summit. I'm excited to share with you multiple unannounced capabilities coming in our next platform update, which we're planning to release before the end of this year. Really, this next release came out so big in the end, you'd think it should have been called version 13. However, as to avoid an unlucky number, we just humbly called it 12.1.
First, let's talk about some major updates to our malware detection capabilities. To give you a more coherent story, let me first remind about the inline malware detection functionality that we first announced at VeeamON this May. This capability uses two independent detection engines.
The first engine taps directly into a backup stream, and it uses a specially trained AI machine learning model to detect previously unencrypted disk blocks becoming encrypted by ransomware. As well, it also detects a few other ransomware markers. This detection mechanism works on image level, so there are no prerequisites to use it. The only drawback is slightly increased CPU usage on backup proxy or backup agent. However, as you know, CPU is rarely a bottleneck during incremental backups anyway. Now, the second engine, on the other hand, analyzes file system indexes for the presence of suspicious files with known malware extensions.
It also looks for all sorts of unusual activity, like many useful files, maybe it's documents, PowerPoints, being deleted or many files with previously unknown extensions appearing. This detection engine requires that you enable guest file system indexing in backup job settings. Even if we perform malware detection inline and during the backup, backups themselves do not happen too often, maybe once a day, right, maybe twice a day, which potentially means a significant delay between the infection and the time being detected. Also, if you look at definitions of actual attack stages, you will realize that both of these engines are designed to detect attack on the last 14th stage, called the impact stage. This is quite late and this is the reason why many customers invest into real-time detection and response tools which are capable of detecting attacks on very early stages, such as, for example, initial access stage or persistent stage. And it would be like really nice to learn about an attack from the systems, right? This is exactly why we created a simple API, enabling third party cybersecurity tools to easily feed the detected infection details directly into Veeam so we immediately know that the future backups of this machine will contain malware.
And the best part is you can actually have Veeam respond to these detected threats by instantly triggering an out-of-band backup of the affected machine before malware had time to damage your data. And remember, yeah, the backup itself, it takes time, but the snapshot, which is what is being backed up, can be taken in a matter of seconds, right? Now, regardless of which engine detects malware, whether it's built-in engine or whether it's an event from an external engine, right, we will automatically mark the corresponding restore points as suspicious to prevent accidental restore and just to draw your attention to these machines, right, and have these backups investigated. And this was actually the moment when we realized that we do need to give you convenient investigation tools. So we worked hard this summer to build some additional offline, as I call it, offline malware detection capabilities. So with offline malware detection capabilities, we enable you to easily leverage two different malware detection engines, both of which will of course perform the content scan directly in backups without having to restore the backups first.
The first tool is a regular antivirus engine. This is best used when you don't know what malware strain you're dealing with. We integrate with a number of antivirus products out of the box, however, you can actually use any antivirus that supports a command line interface. And when you don't have any, well, there is always Windows Defender installed on a backup server. Now, if using an antivirus scan is best compared to a border control process where you're not looking for a particular individual, but rather you're checking everyone for anything suspicious, then YARA rules are best compared to a description of a specific wanted person. YARA allows you to efficiently look for the specific malware strain your environment is impacted with, but only after it has already been identified by you or by security professionals assisting you with recovery from a cyber attack, be it a cyber police unit, FBI, your cyber insurance company staff and so on.
Now, how do you actually perform the said content scan? Well, there are a couple of options. Ongoing scans can be performed on a scheduled basis with SureBackup, which has been extended with this new mode. And by the way, this mode where you only perform a content scan doesn't even require you to set up a virtual lab, so it's much easier to start using.
You can also, in addition to that, you can perform ad hoc scans like when you wanna scan the particular backup here and now. And we actually give you, as you can see, a few different options depending on your use case. If it's a recent attack, we will then scan restore points sequentially from the freshest one. If it's a sleeping ransomware, then we will use the method called binary search to minimize the number of restore points you need to scan. Or, finally, you can just do the generic backup content scan for all of your restore points.
And by the way, if you Google this YARA acronym, don't get confused by all the malware detection focus. Yes, YARA rules are indeed designed primarily to detect malware, however, they can be used to detect anything at all. For example, one of the use cases is schedule the periodic scans of your backups to ensure they don't contain any personal information, credit card numbers, any other type of sensitive info. Really critical capability, right? So with that, let's now switch gears and talk about new capabilities around backup infrastructure security.
And some really good stuff is coming here, too. First feature is four-eyes authorization. Why we're adding this capability? Well, the reality is there are some backup infrastructure management operations that are quite dangerous and yet are too easy to perform, including by mistake or by accident, right? For example, even if you use immutable backups, which everybody should, backup admins can impact their disaster recovery plans by inadvertently removing the backups from the product configuration, right? And yes, the backups are immutable, you can always import them back, but this process actually may take a few hours in large environments and this will ruin your recovery point objective. Now, to avoid such incidents, we added four-eyes authorization functionality, which requires one other person with a Veeam backup administrator role to approve sensitive operations. Very important to realize that this is not a replacement for immutable air-gapped backups as this is primarily for protecting the product configuration, right? Actual backups must still be hacker-proof and indelible remotely, right? So for example, through a direct connection to a storage device where they're stored.
Also with the next risk, we were taking the usefulness of our V12 best practices, another feature that was new to V12, to the whole next level with a continuous monitoring of the established baseline. As you can see, you can now schedule the analyzer to run periodically, which is super important as it's easy to forget to enable some important settings back after, for example, troubleshooting session with the support or maybe even Mr. Hacker, who is already inside your network perimeter preparing your backup infrastructure for the attack by weakening it, right? But thanks to these periodic scans, you will now get a warning email in case of any deviation from the baseline that you previously established. And additionally, actually there are almost three times more checks than in the original release, and that's thanks to all the feedback from early V12 adopters.
Importantly, the security compliance analyzer output would be one of the main data points used to give your backup infrastructure and your DR strategy its score in our new and shiny Veeam Threat Center. So Veeam Threat Center consolidates all security related information into a single pane of glass so you can clearly understand, like your disaster recovery risks and how likely are you to meet your recovery time objectives in case of a disaster, be it a natural disaster or a cyber attack. Notably, while Veeam Threat Center is powered by the Veeam ONE engine, as you can see, it's actually integrated directly into the backup console and specifically into the new analytics node of the management tree. So looks pretty cool, right? But there is one more thing, as always, right? And that's a new and modern way to get help and assistance with our product. So what is this one more thing? Veeam AI Assistant. How cool is that? That's actually, yeah, that's a GPT bot built direct into your backup console and is available right at your fingertips.
What are some important facts about this bot? First, it uses a custom AI machine learning model trained on all our technical documentation and even a little more. It runs in a private GPT instance, so we're not sending your questions to some public ChatGPT instance or something like that. Yeah, they stay with them in its private deployment. And it's actually based on our own product knowledge bot for internal use, which has been getting totally raving reviews by our technical sales folks in the past months. So it's pretty proven already. So the next release is very cool indeed, and we can't wait for you to start using all these innovations you see on the screen.
By the way, all functionality I talked about today has been in beta since September. Do reach out to your local Veeam sales rep if you're interested in joining the private beta program. Back to you, Danny. - Wow, that's great, Anton. I'm super excited about the inline malware detection, but I have to say the AI assistant is incredibly exciting as well. We love hearing about the latest innovations your team delivers, and super excited for these massive updates for all of the 450,000 Veeam customers.
Now, for what you've all been waiting for. Who wants to see some of these features in action? Rick Vanover, Senior Director of Product Strategy, take it away. - Thanks, Danny.
Inline detection is a cornerstone feature of Veeam Backup & Replication 12.1, but I actually wanna start at another view. This is Veeam ONE. This is where customers start their day, and everything looks okay. That is a really good starting point for our detection discussion.
So I want to draw your attention to the inventory section of Veeam Backup & Replication. In here we have a new section called Malware Detection. So this is built into Veeam Backup & Replication, and it's very easy to use. So this little set of options here will do so much to tell us how our detection experience will go.
The first thing I want to draw everyone's attention to is the ability to, first of all, just turn on inline entropy analysis. So I have it set to extreme, so that means it's gonna put the most amount of resources, CPU, into the detection when the image is captured. And then the second thing I wanna draw your attention to is the suspicious activity detection. Now this is the wake up call to the market. Now is the time to start doing file system indexing. This will take the file system indexes and look for suspicious files or detection of a large number of file extensions that might be a suspicious type.
And then on top of that, with the entropy analysis, which is powered by artificial intelligence and machine learning that Veeam is publishing, you can have really good detection. And the best part is, this is an update for what are we looking for. This is done automatically. And for organizations who don't have their Veeam server connected to the internet, we can download a file to do that as well. And then once something is detected, we can use the Veeam Incident API to take a quick backup of those objects as something happens.
Now, I've prepared a few things in this environment. I've got four different systems that are either suspicious or infected. And if we look at this, I see an antivirus scan caught something, malware extensions found something present. Both of those are on one system, and then another system had a large amount of encrypted data. Now, Ken, once we have these types of detection incidents, what kind of additional looks can we do with 12.1?
- Certainly, Rick. Well, when we have these types of scenarios, we know that there's always a lot more to it that we really need to get to the bottom of. Take, for example, this backup, we see that it's been marked as infected, but what do we do with that? Well, one of the actionable items that you can now take with Veeam Backup & Replication version 12.1, is to take advantage of our integrated YARA rules engine. Now, if you're not familiar with what YARA is, it's basically a set of rules used by security researchers to identify and classify malware. And now with version 12.1,
we can simply right-click on a backup and select the new scan backup menu. Now that we're in the menu, let's talk about the different scenarios that we can solve for with the three options that we have available. The first one, find the last clean restore point. You're gonna use this option when you've had an attack recently and you need to get a system or systems back online as quickly as possible, but you have no idea when your last clean restore point was. With this option, Veeam's gonna scan sequentially from your most recent restore point and scan back until the first clean backup that's gonna be safe to restore from is found.
Now moving on to the second option, find the last clean restore point within a range, you're gonna use this option when you have no idea when an intrusion has occurred, and unfortunately this is an all too common scenario. As we know, ransomware may lay dormant in your environment for many months before an attack is ever initiated. The way that this process is gonna work, Veeam's gonna optimize the order of how we scan through your restore points so that we can very quickly find a clean backup that's gonna be safe for you to restore from. This process is super efficient when it comes to scanning through large sets of data and you have no idea where to even begin. Now, there will be those times where you do have to scan through large amounts of data.
This could be for analytics, could be for security and compliance audits. And that's gonna bring us to our third option, scan all restore points in a range for content analysis. The way that this is gonna work, Veeam's gonna scan sequentially through all the restore points within a backup chain all while applying a YARA rule. We're gonna test for a condition, whether it's been met or not, and report that out.
Now let's go ahead and run a YARA scan. I'm gonna check the scan restore points with the following YARA rule option, look at my menu and choose. Let's go with common rules YARA.
That's actually gonna hunt for a specific type of malware that turns your servers into phishing bots and it can sit in your environment for quite some time. So let's go back a year and then we'll click okay to run this job. And that's gonna take a few minutes to run, but I do wanna show you what success looks like. Here we've got another backup that I've applied the very same YARA rules to. As you can see here, Veeam has scanned through each of the restore points, hunting for the malware and thankfully finding nothing.
And that's it. Simple, straightforward, easy to use. - Outstanding, Ken. You and I have been at Veeam for nearly 13 years and this level of detection for threats is truly incredible, whether it's at that first capture or after it's under management by Veeam with the YARA rules. Friends, there is so much more into 12.1. This is one of the highlight capabilities.
Be sure to check out everything in 12.1. - Rick, Ken, these demos are great. We're so excited about the inline and YARA rules. There are more demos yet to come, but first we'd like to direct your attention to a very exciting announcement, one that many at Veeam have been working on. I'd like to bring on to stage Larissa Crandall, Vice President of Global Channel and Alliances at Veeam, for a very special partnership announcement. - As Veeam continues to deliver innovation in areas of data protection and cyber resilience, we continue to expand our partnerships with leaders in the security industry.
Today, we are proud to announce our partnership with Sophos, a worldwide leader in cybersecurity products and services that defend more than 600,000 organizations worldwide against active adversaries, ransomware, and other security incidents. I'd like to welcome Marty Ward, Vice President of Technology Operations at Sophos. Marty, welcome. - Thanks, Larissa, great to be here. - Yeah, tell us about Sophos.
- Absolutely, we're excited to partner with the world leader in data protection, and Sophos has been in the cybersecurity space for decades. And while we can serve organizations of any size, we do have a particular focus on small and mid-market organizations as well as small enterprises. And we serve all those industries with a complete portfolio of everything from endpoint to network security, cloud and email security, and even services which we've been very focused on the last few years, including what we're talking about today, our managed detection response service. - Well, we cannot wait to bring this to market. With our new partnership, we are developing integrations between Veeam and the Sophos MDR platform.
Tell us a little bit about your MDR service and how the integration with Veeam will benefit our mutual customer base. - Absolutely. Yes, Sophos and Veeam are partnering to help customers detect and respond to cybersecurity threats faster, including ransomware attacks, better than they can in the past to ensure their backups stay safe and secure. Sophos and Veeam technologies integrate to exchange critical information when a security threat arises. The Veeam Data Platform monitors customer environments to detect potential threats against backups both internally and externally.
Should a threat be identified, Veeam sends an alert to Sophos Managed Detection and Response. This is our fully managed 24/7 service delivered by experts who detect, investigate, and respond to these cyber attacks, targeting computers, servers, networks, cloud workloads, email accounts, and more. From there, the Sophos MDR team can determine the best way to protect the customer's data and backups from the threat and initiate threat response actions on behalf of the customer. For instance, Sophos MDR can help roll back to the last known good backup or in the case of an attempted backup deletion, determine if an attack is occurring and take actions to disrupt, contain, and fully eliminate the attacker. - We are so excited to bring this to our partners and customers. Veeam, being software-defined and hardware-agnostic, supports a very broad ecosystem of partnerships.
This helps you provide the proper solution to meet your specific business needs. Our teams are working with many of the security market leaders today so we can deliver more tools to help you combat the security threats that face you every day. You can expect to see such announcements from Veeam in the very near future as we continue to expand our security ecosystem and continue our focus on delivering Radical Resilience. - Thank you, Larissa. Such an exciting announcement with Sophos, an industry leader in the endpoint detection and response space. This partnership will just be one of many to come.
Now, let's see this SIEM integration in action. Back to our exceptional demonstration team. - Thanks, Danny.
The Veeam Data Platform has an incredible amount of information about threats and what we're detecting in backups, but a natural question, how do we get that to the right people or to an additional external system? Let's turn it over to Emilee to see how easy that is to do. - Yeah, thanks Rick. As you said, there's no shortage of information that's available part of Veeam Data Platform.
So at VeeamON Miami this year, I had the opportunity to demo the ServiceNow integration coming in this release. Today I'm gonna show you how you can easily integrate any SIEM provider leveraging syslog to collect analytics and critical events in your Veeam environment. Now, as we all know, the Veeam Data Platform does a great job of logging events as Windows events. You saw earlier, Ken and Rick both demonstrated some different security, new features that are coming within the Veeam Data Platform, and that has actually triggered some events that we can pick up. So let's show you how you can grab some of those different types of incidents and have them reported directly into your SIEM tool so your security team can be aware if there's any anomalies that are taking place.
So here I am in Veeam Backup & Replication. If I come up to my main menu, you'll have the option here to go ahead and select SIEM Integration. Now you'll just go down to your Syslog Server, you'll go ahead and hit Add, and then you'll just plug in the IP address of that syslog server, you'll choose your port, and then you also have the option of selecting a transport method. It's just as easy as that. Once that is done, you can go ahead and log into your SIEM tool of choice.
So for this demo, I am actually leveraging Nagios. So you'll see underneath Nagios, I have a few different Veeam Backup & Replication servers. They're all pulling in different syslog events. If I wanted to search those logs, and let's go ahead and do a malware search since Ken ran that malware scan. I can scroll down, and you can see one of the first options in here is gonna be that malware detection session has finished.
Looks like it was successful. There was no malware that was detected. So again, very straightforward, super easy to go ahead and have this data pulled into your SIEM provider. But that's just not it. We also could do this with Veeam ONE. So Veeam ONE is our monitoring and reporting tool that Kirsten's gonna be talking about a little bit more so in depth, but you'll have the option underneath Server Settings to actually add in your syslog server, choose the type of criticality that you wanna have be alerted, and then from there you'll have options or you'll have access to all 300 plus different alerts and alarms to be sent to your SIEM provider.
So start thinking about Veeam Backup for Microsoft 365, the alarms that are available within the virtual infrastructure and being able to have those be more proactive and give your security team kind of a better idea of what's going on in that data protection environment. So Kirsten, syslog, ServiceNow, those are all great new features in Veeam ONE. Can you tell us what other great security features are coming? - Yeah, Emilee.
So one of the new security features within Veeam ONE that is coming in the next release is the new Threat Center dashboard. This is gonna provide you with a one-stop view to strengthen compliance, ensure platform health and gain insights into data protection and security in a single place, really giving you a comprehensive view across the entire environment. If we take a look at the Threat Center, you can see that we have a data platform scorecard. This is gonna show you where you are currently at in your protection journey, identifying any type of improvements that you need to be done.
The first score is the platform security compliance score. This is based on the results of the security and compliance analyzer that is run in Backup & Replication. If you run this in one backup server, this information might be very easy to consume, but if you have multiple backup servers in your environment, this is a great place to see all that information and improvements that need to be done, in one place. If I click on this link here, this is gonna take me into the new best practice analysis state report.
From there I can take a look at how well I am following these best practices and server configurations and security best practices in my environment. In this environment, I just have one backup server connected. So you can see that my backup server has a lot of work that needs to be done so it's following the best security for my business. If I click through the report, you can see that I have my backup server here, how many best practices it is meeting, if there's any best practices that I have suppressed and the score here as well. If I go to the last page, you can identify all of the backup infrastructure security recommendations, and product configuration recommendations as well.
If I slip back to the Threat Center, the next score I wanna take a look at is the data recovery health score. This is gonna show you the status of your restore points and provide you with a score based on the results of the scanning that took place during the backup job. Next we have the data protection status score. This is gonna show you if you are meeting your RPOs and backup immutability status, making sure that my backups are being sent to a backup repository with the immutability setting in place. Next we have the malware detection map.
This is gonna show me if any of the results based on that scanning that took place in Backup & Replication, those restore points, have they been infected, or if they have not been affected. In this scenario, you can see that my most affected object actually resides in our data center in London. I can take a look at the restore points so I can do further digging to make sure that I am isolating that issue as needed. If I scroll down to the SLA compliance overview, this is gonna show me if I am meeting my SLAs.
It's gonna look at the job policies and show me how many workloads are meeting my SLAs and if none of them are. A lot of job policies can contain many different workloads. So this is going to tell us if a workload was unable to be backed up and finished, with a warning or an error. Next, I have the RPO anomalies widget. This is going to tell me which workloads did not finish the backup job successfully. So the SLA compliance overview provides us with a great general overview and the RPO anomalies widget will tell us which workloads have not met my backup policies and did not finish successfully.
Isn't that some pretty powerful stuff, Emilee and Rick? - I think so. Outstanding job, both of you. And it's really important to note that the Veeam Threat Center is another example of what I like to call shared technology. You're gonna see that also in the Veeam Recovery Orchestrator.
Outstanding stuff, great job. Back to you, Danny. - Now I'd like to shift over to Gil Vega, our Chief Information Security Officer, who is having a discussion with Sue Gordon, the former Principal Deputy Director of National Intelligence, serving under Presidents Barack Obama and Donald Trump.
Gil, over to you. - Great, well, we're here with Sue Gordon, who's a titan of the intelligence community and government service, having served in the CIA for 27 years. What can you tell the audience about your career? - For me to live a life of purpose that is also interesting, was a dream. And because of the range of experiences that the CIA allowed, I got to do a bit of analysis, a bit of building systems, a bit of information technology, a bit of analytic tools.
I was at the beginning of really the cyber revolution and then just kind of moved through it in the most, the best career. I had no right to it, but I'm grateful for it. - So Sue, that brings me to what I think is one of the most important components for cybersecurity today, and that is this idea of public/private partnership and the idea that governments and private industry need to work more closely together. What are your thoughts? - When the world became digitally connected, these physical barriers, including those that we created, that we believed in, were obliterated.
And so now adversaries are going to private companies. The government can't go into those, we don't, that's not the way our system prefers to work. And companies are working globally and have access to a lot of data things happening. So we've gotta both share data and we are in a shared purpose of security and we have to do that together.
So I don't think there's any way that we get to a future that is cyber secure without both the public and private entities and their value propositions coming together to find some solutions. And I guess I would throw into this the private citizen. You know, we a lot of times miss that disinformation is a part of a cyber threat. And I would say that cyber threats are really an assault on trust. And trust is so much more important to free and open societies than it is to authoritarian, and our adversaries know this.
So making us not believe in our systems, not believe in our information, is one of the things they're trying to achieve. And again, this is a shared purpose we have to have. - That's a really interesting point. Let me shift a little bit to this idea of the federal government taking a leadership role. You've been around Veeam a little bit, you've been around other companies that have tried to achieve certain levels of certification or achieve enhancements to their programs so that we can be a trusted supplier of the DOD, what are your thoughts on what Veeam has done as a company and what other companies have done to establish that trust with the National Security apparatus of the United States? - So I hope we share the story of Veeam, because I think the way it is interacted with the government in a really interesting way. Number one is the company thought it was doing the right things, right? Before the government got involved, the company thought it was doing the right things.
And then the government has a particular view of risk, it's a different view and it introduced some requirements on the company. What Veeam did, seriously, I think your leadership just did such a good job on this, is not just either reject out of hand the requirements by saying they're not the right ones, nor did you all just follow exactly what they wanted. In my estimation, what your leadership team did, was say, "I'm gonna understand the intention. I understand what your concerns are, I'm not gonna fight 'em off," which is a really tempting thing to do. "We're gonna look at what you're trying to have us achieve, what you need us to be, and we are going to then propose to you a set of actions that we believe will demonstrate that one, we are a serious partner, that we own the risk in the same way the government does and we think we can come up with creative solutions."
And I think if you look at that story, the results you've had with the government, the trust that you have engendered with your partners now, it is because of the approach you took. I think it's a great model. It's not an easy model.
Compliance is sometimes easier and rejection is easy, but I think this, what you are able to do is to put into play a company and a capability that will serve society well and it is a trusted partner of the government's interest and that is like nirvanic in terms of the outcome you want. - Well I wanna thank you, Sue, for your perspective. It was fascinating and really interesting to hear about your government service. And thank you so much for supporting VeeamON's Resiliency Summit.
We hope to see you again. Back to you, Danny. - We've heard of the features and the sheer importance of cyber resiliency in today's world.
Now let's transition to Misha Rangel, Director of Portfolio Marketing, who is with the CISO of Markel Insurance, who is here to discuss how the security world is collaborating with IT more than ever in today's fight to stay resilient. Misha, over to you. - Cyber threats are pervasive. No company is immune to them. Hospitals, school districts, banks, and even casinos are landing on the front page of the paper as victims of cyber attacks are losing millions of dollars.
There are some patterns we can learn from companies that are able to quickly recover from cyber attacks. And we're so excited to have with us here today, a thought leader on the topic. I'm very happy to introduce Patti Titus.
She's the Chief Privacy and Information Security Officer for Markel Insurance, a global insurance provider based in the United States. Patti, thank you so much for joining us today. - Thank you so much for having me. I'm so happy to be here. - Yeah, well, let's just start off by telling me a little bit about your role at Markel. - So I have been the chief privacy and chief information security officer for almost eight years, just a little shy, built a team from the ground up.
So it was very exciting to be able to look at a set of controls and then implement them, working super close with IT and other leadership organizations within Markel. - That's great. So it sounds like you work with a lot of different IT partners in your role.
So how do you help all of these teams prepare for the inevitable cyber attack? - You know, it's really important that you recognize that security's a team sport and we can't do it by ourselves. We rely heavily on IT. All of the risk management functions, crisis communications, there's such a huge swath of people that need to be involved in preparing for and building that muscle memory that we all need to be able to make sure we know what we're supposed to do in a crisis, and that we all understand our part, but to also be prepared to take on other roles if people might be on vacation, might not be available. So it's really important to get the team together, have conversations, and be ready for anything, so to speak.
- Absolutely, and, you know, when you're planning with your teams and running through scenarios and tabletops, you know, many times security teams, they wanna do it in a vacuum, you know, how do you really encourage and help other teams collectively participate in the planning process? - I think it's important that everybody understands the different roles that they have to play. So having very well thought out processes and procedures, rol