Transcript
Chris: Let's start with a simple truth: cyberattacks are moving faster than ever. To that point, dwell time has been reduced to as little as one hour. Think about that, one hour. Meanwhile, organizations are taking days or even weeks to detect and respond to those attacks. Today, we're going to talk about how you can get clean data and confident recovery using Cohesity's threat protection capabilities. My name is Chris Hoff, Senior Product Marketing Manager here at Cohesity.

Teresa: And I'm Teresa Miller, Senior Director of Technical Marketing. Now, before we dive into our topic today, I have a question I want you to think about as Chris and I walk through everything here today: why would you do threat hunting and threat scanning against your backup data instead of solely relying on your primary detection mechanisms? So from an enterprise challenge perspective, what our customers are telling us is that there are several considerations that factor into making this decision. The first is defense evasion. Malware has one simple goal: it doesn't want to be detected, and it's going to evade being found, which directly correlates to the next point, rapidly changing malware. Malware is going to evolve and change before your detection systems even stand a chance at detecting it. The third challenge I want to talk about is isolated networks. So when you are being attacked and a cyber incident has been unleashed on your environment, you're going to need to isolate either a small part, depending on what was impacted, or possibly the whole network. When you do that, you're likely going to be using forensics to discover what happened, but there's also a chance that you're going to be using that data as a recovery point. So you need clean data. We're going to unpack that a little bit more here in a little bit. And then the last challenge is hidden threats. Just to reinforce, it's the ultimate goal of the malware or the attacker to not be detected.

When we think about what Chris said earlier, dwell time could be as little as an hour, but it could actually be that those attackers are sitting in your network for months, and then your backup data has been impacted, and you can't get back to a clean state without having done some level of work to clean that data. So with Cohesity and the Cohesity Data Cloud, let's talk about pre-attack. In its simplest form, what we can do from a prevention perspective against that backup data is malware scanning, anomaly detection, as well as threat hunting based on indicators of compromise and hashes. Now let me turn this over to Chris, who's going to talk about post-attack.

Chris: When a cyber attack happens, time isn't on your side. We need to make sure that we have the peace of mind that we're recovering clean data the first time. We can do that in multiple different ways. We can do either malware- or anomaly-detection-based scanning, which allows us to find and pinpoint the threats within the data and remove them before they get put back into production. Now, whether you're doing it pre-attack as part of a proactive threat hunting program or post-attack as part of your incident response process, we can operate in the same way, in that we can create either full or incremental scans to find those threats faster. We create a hash of every file that we back up. And we can use that hash to compare it against known-bad databases from leading vendors such as CISA or here at Cohesity Red Labs to determine whether or not a file is malicious. Taking it a step further, we can integrate with third-party threat feeds, the same feeds that you're using on your production data. As an example, we have an out-of-the-box integration with CrowdStrike Falcon's threat intelligence.

The reason this is important to you is that we're enabling you to get early detection of your threats so that when you find out where the threats are, you can determine the scope, or the blast radius, of the attack, which allows you to have a better idea of what your response is going to look like. Using hashes and other threat intelligence feeds allows us to gain a better idea of the scope of an attack. The hash allows us to see how far a file might have spread and determine its propagation. Because hashes are a common form of telemetry, we can use them with our production tools such as our SIEM, our EDR, or our network threat intelligence tools to determine the larger scope of the threat. And this all leads to a better RTO, because if we know where the threats are and we know when they started, we have an easier time determining which snapshot we can start recovery with. And that might be recovering directly into your production environment, or it might be recovering into a clean room for further forensics. Either way, the net benefit of all of this is that we're reducing your overall downtime so that you can keep your business up and running.

Teresa: So I want to go back to the earlier question that I asked all of you: why would you scan or do threat hunting against your backup data? I think we did a great summary of that today, but I also want to call out that we're giving you global visibility into your data from an enterprise perspective, which allows you to recover and be more resilient to attacks.
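The hash-based scanning of backup snapshots described above (hash every backed-up file, compare against a set of known-bad hashes, run full or incremental scans, then use the hits to bound when the threat first landed, how far it spread, and which snapshot is the newest clean recovery point) can be shown end to end with a small script. This is an added example written for this transcript, not Cohesity's code or any vendor's API: the snapshots are in-memory dictionaries constructed for the demo, the "malicious" bytes are a harmless labelled string, and the IoC set is built from that string plus an obviously fake placeholder hash standing in for an entry from an external threat feed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One backup snapshot as a catalog of path -> file bytes.
    Constructed for this example; a real backup system exposes a catalog
    plus change tracking rather than raw bytes in memory."""
    name: str
    files: dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_snapshot(snap, prev=None, prev_hashes=None):
    """Hash every file in `snap` and return (hashes, files_actually_hashed).

    With no previous snapshot this is a full scan. Given the previous snapshot
    and its hashes it is an incremental scan: files whose content is unchanged
    reuse their old hash, only new or modified files are rehashed, and files
    deleted since `prev` simply drop out. (A real backup would consult its
    change-tracking metadata instead of comparing file contents.)
    """
    hashes, hashed = {}, 0
    for path, data in snap.files.items():
        if prev is not None and prev_hashes is not None \
                and prev.files.get(path) == data:
            hashes[path] = prev_hashes[path]      # unchanged: reuse, no rehash
        else:
            hashes[path] = sha256_hex(data)
            hashed += 1
    return hashes, hashed


def scan_snapshots(snapshots, ioc_hashes):
    """Scan snapshots oldest-first, incrementally. Returns
    {snapshot name: {path: hash}} of every file whose hash is in the IoC set."""
    matches, prev, prev_hashes = {}, None, None
    for snap in snapshots:
        hashes, _ = hash_snapshot(snap, prev, prev_hashes)
        matches[snap.name] = {p: h for p, h in hashes.items() if h in ioc_hashes}
        prev, prev_hashes = snap, hashes
    return matches


def latest_clean_snapshot(snapshots, matches):
    """Newest snapshot with no IoC hits: the candidate recovery point."""
    for snap in reversed(snapshots):
        if not matches[snap.name]:
            return snap.name
    return None            # every snapshot is affected: clean-room recovery only


def first_infected_snapshot(snapshots, matches):
    """Oldest snapshot with a hit: bounds when the threat first appeared."""
    for snap in snapshots:
        if matches[snap.name]:
            return snap.name
    return None


def blast_radius(matches):
    """Every distinct path that ever matched an IoC, across all snapshots."""
    return sorted({p for hits in matches.values() for p in hits})


# --- constructed sample data -------------------------------------------------
MALICIOUS = b"CONSTRUCTED MALICIOUS SAMPLE - harmless placeholder bytes"
APP_CONF = b"[app]\nversion=3\n"
REPORT = b"Q4 report draft\n"

IOC_HASHES = {
    sha256_hex(MALICIOUS),   # hash of the constructed sample
    "0" * 64,                # PLACEHOLDER for a hash taken from an external feed
}

SNAPSHOTS = [
    Snapshot("snap-01", {"etc/app.conf": APP_CONF, "docs/q4.txt": REPORT}),
    Snapshot("snap-02", {"etc/app.conf": APP_CONF, "docs/q4.txt": REPORT,
                         "tools/update.exe": MALICIOUS}),
    Snapshot("snap-03", {"etc/app.conf": APP_CONF, "docs/q4.txt": REPORT,
                         "tools/update.exe": MALICIOUS,
                         "users/alice/update.exe": MALICIOUS}),   # spread
]

if __name__ == "__main__":
    hits = scan_snapshots(SNAPSHOTS, IOC_HASHES)
    for name, found in hits.items():
        print(name, "->", sorted(found) or "clean")
    print("first infected :", first_infected_snapshot(SNAPSHOTS, hits))
    print("latest clean   :", latest_clean_snapshot(SNAPSHOTS, hits))
    print("blast radius   :", blast_radius(hits))
```

The incremental path matters at backup scale: rescanning the third snapshot in full hashes four files, while the incremental pass hashes only the one file that changed, and the per-file hashes it produces are the same telemetry you can hand to a SIEM or EDR to look for the same file in production.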