Transcript
Hello everyone, my name is Shelley Calhoun-Jones and I'm a Technical Marketing Director at Cohesity. Today, I'm excited to introduce enhancements to Threat Hunting in Cohesity Alta View. This feature automates threat hunting in backups and enhances cyber recovery by preventing malware reinfection during restoration. In this video, we'll examine a security event and demonstrate how to use this feature to understand the impact of an attack. We'll also explore a new automated capability that enables you to search daily feeds for malicious file hashes published by reputable third parties such as CISA and Malware Bazaar. Let's get started.

The Cyber Resiliency Dashboard provides an overview of your Cohesity Alta environment. It allows you to monitor the risk score of your data centers or a specific data center. A higher risk score could indicate the presence of a security threat. In the event of an active threat, you can quickly identify high-risk locations to expedite your investigation. You can also view misconfigurations and recent changes corresponding to the event's timeline. The dashboard lets you correlate suspicious activities and assess whether malware is spreading across systems. You can also categorize assets by risk severity, helping you prioritize responses for those classified as high-risk. By correlating these various data points, you can effectively track the progression of a security event, evaluate the impact, and respond swiftly.

Let's take a look at an example from the Malware Impact Analysis section. Malware Impact Analysis provides a visual representation of data centers, primary servers, and assets, highlighting the impact of malware on them. This information is critical because once ransomware infiltrates an infrastructure, it spreads rapidly and intentionally expands the attack's reach. This feature allows you to identify the affected assets and minimize the overall impact. In this example, an infected server is represented by a red bubble. A connected web displays all of the machines involved, which can help your security team reduce the blast radius.

On this screen, we can see details about the asset, including how, when, and where backups were taken. The policy represents the workload that is being backed up. For example, you may want to have a specific policy for your Active Directory servers or a database workload. Cohesity NetBackup can also detect data anomalies during an asset's backup and send this information to Cohesity Alta View. For instance, events related to encryption may indicate ransomware activity on a system. We can adjust the time range to identify when the event was first detected. You can also add protection and choose the users you want to allow to manage the asset. You'll also notice a Recovery Points tab, but you may still be gathering evidence if you're dealing with an active security event.

Let's return to the Cyber Resiliency Dashboard and examine some other ways to use Cohesity Alta View for threat hunting. The Malware Detection section can be used for tracking infected hosts and file hashes. File hashes can detect malware and custom files in backup images. They serve as unique digital fingerprints for files, and you can compare them to malware hashes from threat intelligence feeds to determine if a threat is in the environment. You can also use them to understand how the threat is spreading and isolate infected systems. From this screen, we can search for a specific file hash or upload a CSV file from your system. We talked earlier about how custom hashes could be used when dealing with an active threat event, but they can also help from a compliance perspective. Custom hash uploads create an audit trail, proving due diligence in incident handling. You can use this information to tighten your security policies. Here's an example of what to include when uploading a CSV file. Also note that you have the ability to search for a specific hash using the search option.

You can also enable daily searches of file hashes using CISA, open source feeds like Malware Bazaar, and uploaded hashes. If a malicious file is found in your backup images, the associated assets or clients are marked as malicious.

Another new feature for threat hunting is Anomaly Detection. We took a look at this feature when describing Blast Radius, and it uses real-time entropy detection to identify ransomware. This feature leverages AI and machine learning capabilities to assess the randomness or unpredictability of data within a file. Real-time entropy detection works alongside file hash detection: it identifies new and unknown ransomware variants based on their behavior, while hash detection focuses on blocking known threats. Together, these features provide proactive and reactive defense, ensuring early detection of anomalies and rapid containment, even when confronted with new threats. One advantage is that when an anomaly is detected, it triggers a malware scan. If malware is found, the IOC is submitted into Cohesity Alta View to execute a search across the enterprise and limit the blast radius. The scan provides indicators of compromise related to file-based hash scanning. IOCs are pieces of evidence that indicate malicious activity. For example, a ransomware note in a readme.txt file that demands payment in Bitcoin serves as an IOC. You can use this information when addressing an active security incident or documenting what occurred during the lessons learned phase.

This completes the demonstration. We explored recent enhancements to threat hunting in Cohesity Alta View. This feature automates threat hunting in backups and improves cyber recovery by preventing malware reinfection during restoration. Thanks for watching.
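The transcript describes three checks that run over backup images: matching file hashes against a CSV hash list or feed, flagging files whose entropy suggests encryption, and picking up a ransom note as an IOC. The following is an added example written for this page to show how those checks fit together; it is not Cohesity's, Alta View's or NetBackup's code. The CSV column names (`sha256,source,label`), the sample file contents, the 7.5 bits/byte entropy threshold and the ransom-note keyword list are all assumptions constructed for the example, and the "feed" is built from a harmless constructed byte string rather than any real malware hash.

```python
"""Added example (not Cohesity/NetBackup code): hash-feed matching, entropy
scoring and ransom-note spotting over a mock backup image held in memory."""
import csv
import hashlib
import io
import math
from collections import Counter
from dataclasses import dataclass

# --- Constructed sample data: none of this is real malware or a real feed ---
MALICIOUS_SAMPLE = b"MZ\x90\x00CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE" * 8
RANDOM_LIKE = bytes(range(256)) * 16          # every byte value equally often
PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 100
RANSOM_NOTE = b"Your files are encrypted. Send 0.5 Bitcoin to recover them.\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Feed in the shape of a CSV hash list; the column names are an assumption.
FEED_CSV = "sha256,source,label\n" + \
    f"{sha256_hex(MALICIOUS_SAMPLE)},constructed-feed,Sample.Trojan\n"


def load_hash_feed(text: str) -> dict[str, str]:
    """Parse a CSV hash feed into {sha256: 'source:label'}.

    Hashes are lower-cased and rows that are not 64 hex characters are
    dropped, so a typo in an uploaded list cannot turn into a silent miss."""
    feed = {}
    for row in csv.DictReader(io.StringIO(text)):
        h = (row.get("sha256") or "").strip().lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            feed[h] = f"{row.get('source', '?')}:{row.get('label', '?')}"
    return feed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    kind: str      # "hash_match", "high_entropy" or "ransom_note"
    detail: str


RANSOM_KEYWORDS = (b"bitcoin", b"decrypt", b"your files are encrypted")
ALREADY_COMPRESSED = (".zip", ".gz", ".7z", ".png", ".jpg")


def scan_image(files: dict[str, bytes], feed: dict[str, str],
               entropy_threshold: float = 7.5) -> list[Finding]:
    """Run the three checks over a backup image given as {path: bytes}."""
    findings: list[Finding] = []
    for path, data in files.items():
        lower_path = path.lower()
        # 1. Known-bad hash: exact fingerprint match against the feed.
        h = sha256_hex(data)
        if h in feed:
            findings.append(Finding(path, "hash_match", f"{h} ({feed[h]})"))
        # 2. Entropy: a behavioural signal that needs no prior knowledge of
        #    the sample. Legitimately compressed formats are skipped because
        #    they are high-entropy by design and would flood the results.
        ent = shannon_entropy(data)
        if ent >= entropy_threshold and not lower_path.endswith(ALREADY_COMPRESSED):
            findings.append(Finding(path, "high_entropy", f"{ent:.2f} bits/byte"))
        # 3. Ransom note: a text file carrying the usual demand wording.
        if lower_path.endswith(".txt") and any(k in data[:4096].lower()
                                               for k in RANSOM_KEYWORDS):
            findings.append(Finding(path, "ransom_note", "ransom-note keywords"))
    return findings


# Constructed backup image: one clean document, one encrypted copy of it,
# a ransom note and a dropped binary whose hash is in the feed.
SAMPLE_IMAGE = {
    "C:/Users/alice/report.docx": PLAINTEXT,
    "C:/Users/alice/report.docx.locked": RANDOM_LIKE,
    "C:/Users/alice/readme.txt": RANSOM_NOTE,
    "C:/Windows/Temp/svc.exe": MALICIOUS_SAMPLE,
}


def demo() -> list[Finding]:
    return scan_image(SAMPLE_IMAGE, load_hash_feed(FEED_CSV))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:13} {f.path}  {f.detail}")
```

Run it and the clean `report.docx` produces nothing, while the `.locked` copy, the `readme.txt` and `svc.exe` each produce a finding. Two points the scan makes concrete: the hash check only ever confirms something a feed already knows, so a variant with a single byte changed slips past it, which is exactly the gap the entropy check covers; and entropy on its own cannot tell encryption from compression, so in practice the two signals are used together, and a high-entropy hit is what would trigger the follow-up malware scan the transcript describes.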