Transcript
Let's keep moving, right? For our next segment, once again, let's imagine we're in, wait, Washington, D.C. Can you do it? I think it's going to be easy, yeah. Here we are. And so now let's pull out all our security clearances, if you will, right? We're in the darkest of sites in the National Security Agency, let's say, running apps, data, a network isolated from the Internet. Imagine critical uptime systems now in the face of extreme cyber threats. This is the environment we're in today. And so if you start thinking about what are the issues here, right? What are we worried about? Like, how do we think about this? So one is, how do you protect a dark site, for example, right? Even simple things like upgrades and patches, things, how do we go and basically protect that? Ransomware detection and remediation. How do I go and identify threats quickly and find a remediation path? And then finally, how do I recover with minimal downtime, right? So that I've got basically considered uptime all of the time. And so we call this the air-gap cyber resilience challenges that we're looking to address. Thomas, how do we address these? This is where the power of the platform shines through, okay? So air gap makes everything harder because you're literally disconnected from the Internet. So you have to have all your solutions running disconnected on their own, right? Yes. And so for this, we kind of stick to the NIST Cybersecurity Framework: identify, protect, detect and respond, recover. Nice. Protection, when it comes to Nutanix, is all about having layers of protection. You start with infrastructure, you add in virtual networks and VPCs, you nest in there your micro-segmentation, which is new, by the way. That's new. You combine VPCs and micro-segmentation with Flow. And then you complement with your data protection with DataLens, right?
When it comes to responding to and detecting attacks, DataLens, we showed this last year, can detect something very fast and then recover the environment very quickly. For the full environment, beyond your data, you can use your snapshots. So again, let's go and look into this. It's an advanced demo. Please welcome Jason from the tech marketing team. There you go. All right, Jason. This is a beautiful one. So let's spend some time. Can you tell us more about the environment? Yeah, I'm excited to show people what we built. So imagine that we have an air-gapped environment and inside of that we're running a video surveillance system and it's generating and then processing these images and videos in real time. And it's running on top of the Nutanix Cloud Platform and it's backing up some of its data, protected by a bunker site in a secondary location. All right, Jason. So we've got the app, we've got the storage, and then you can protect the infra. Yeah, so let's take a look at how we protect this infrastructure. So I always like to start at the bottom up. So the infrastructure layer, starting at the Prism security dashboard, is where I love to start. So here we can monitor our STIG compliance as well as other security settings for the infrastructure platform and track that compliance to make sure that it's running on top of the platform, and track that compliance over time as we make remediations. And that's again a differentiator, the fact that it was STIG compliant by default and we maintain it automatically. Next layer of protection? Yeah. So I always like to talk about the network layer next. So in this case, we're protecting it inside of a Flow Virtual Networking VPC. So this is an isolated routing domain. So only the routes in and out that we desire. And then we're using Flow Network Security Next Generation inside of that VPC for another layer. These are working together. We've also had Flow Network Security Next Generation.
So we're able to break up the policy components into one small policy that does the logging and another small policy that monitors the ports for this application. So this is a big deal, actually. So Flow Next Gen allows you to nest your security policies inside your VPCs. By the way, for us, a VPC is your apps, but can be your storage because everything is software. Okay? So we can extend the VPC to everything that we care about. And this policy management is so much more scalable for large enterprise. Yeah. Absolutely. Combined policies, and have multiple policies on the same entity. Yeah. People have been asking us for these more scalable policies, so I'm happy that we have them. All right. So in that VPC, we can also deploy DataLens, correct? Exactly. So in that isolated VPC, we also have our files that we're running here and DataLens. So let's take a look at this application, right? We're protecting it with our network security policy. So we allow some administrator ports in, and we can monitor and visualize all the traffic of this application. Now, we also have to back up the application VMs themselves. And for that, we're using these protection policies. So much like you've seen earlier, spot if you can see anything new or different in this particular backup policy. So what we have here is multi-cloud snapshot technology, and we're backing up to an object store at the remote location. So this gives us an immutable snapshot as an insurance policy, just in case. So MST, we announced last year for the cloud use cases, but can now run on-premises to a Nutanix Objects cluster. Exactly. So this application is also now generating a lot of data, right? So what do we do to protect the data? We have our upcoming on-prem DataLens that is running inside this same environment, and we have a ransomware detection policy here on our file shares and in our objects as well. So if any malicious activity is detected, we could block that inside this protected bubble.
So Jason, so we're air-gapped. We have the VPCs, we have the micro-segmentation, we have DataLens, we have the bunker site. You'd feel pretty secure in that context, but then you have to worry still about insider threats. Yeah. I mean, something bad could always happen here. So show us the flow if something was to happen and how much automation we can deliver in that use case. I'm glad you asked. So we have our ransomware protection policy here in DataLens, and let's imagine that we have a malicious user named Loki who has maybe stolen some credentials and gained access to our file share. So we're going to trigger an alert in DataLens, and we're going to block both his user account and his password, and his IP address, rather, so that he doesn't have access to the share. Okay. So I'm going to make an incident, so I need to let people know that something has happened. So I'm going to go to my notification section, and you could integrate here with SIEM and SOAR tools so that your security operations center could get this notification. But for this demo, I wanted to do something a little fancier. Yeah, I want to go beyond just the filer. Yeah, and I'm going to automate this. So I have a webhook here from my on-prem DataLens calling to my on-prem Prism Central, and it's going to trigger a forensic response for me. So what does that mean? Let's show you in the playbook what's going to happen. So here we are going to quarantine our application at the primary site, since that's now suspect, and then we're going to kick off a recovery into that bunker site, into an isolated VPC, from those immutable object snapshots, and that'll give our incident response team some time to work. And that's running into another VPC, again, completely isolated. Exactly. So now we have quarantined production, the apps and the data. We've set up the forensics environment completely isolated.
By the way, the beauty of Nutanix, all of this could run on the same hardware that's running your Objects cluster. That's very unique. And now I can have my forensics team doing their own investigation. How do we help here? Yeah, so the first thing we need to do, really, is figure out what happened. So we switch over to our bunker site. I've got that here noted in dark mode. And we have a forensic investigation plan that has cloned a copy of the workload into that bunker location. So now we have those VMs running. You can see the three of them here. And they're protected by two layers, again. One, they have that VPC for a totally isolated routing domain. And then second, we're putting a Flow Network Security policy on them so that we're very sure that even east-west between these VMs, we won't have any traffic leaking between them. So let's come explore the VPC that these VMs are inside of and look at the security policy of that VPC. And what we see is we've set it up so our investigator workstation can look at a snapshot of those VMs, get in there, and tell us what happened. Awesome. And then DataLens can help you actually figure out what you can recover, too, correct? Exactly. So how do you figure out a known good state? So the investigator has access to the copy of the snapshots, the network security logs, and through DataLens, also the incident logs of everything that happened inside the file shares, too. So they tell us two interesting things in their investigation. First, this identity share has been compromised. We saw all those encryption events. And then our Identity 1 VM was suspect. So then we can identify the right snapshots and recover from there? So how do we recover? How do we get back into operation safely? So on the DataLens side, we can recover that quickly from a snapshot. So we have the last known good snapshot that we can just simply recover here. And now that starts a recovery of the file share.
But we also need to take a look at that compromised VM itself. And so since we know the snapshot point in time, thanks to that isolated incident response, we can come to our recovery points and then just select that time, 8 AM here, when we know the intrusion started before. So we can go and revert to that known good point. And now our Identity VM is at a known good state. And there's just one last little thing. We're not quite done, right? You want to change? Yeah. Because our playbook was a little aggressive, it also quarantined that production application. So we need to come here to our virtual machines and unquarantine the production VMs. And so now our application is back online, thanks to the investigation that we were able to do inside of that isolated bunker site with VPCs, multi-cloud snapshot technology, and Objects. Jason, this is one of the most advanced demos that anybody's done, that don't even question like 5,000 people in the same room. So thank you for leading us through this. Thank you. I just want to be clear, this is very, very hard to do without Nutanix, if not impossible. People spend months planning these things with different products. And here you get it almost out of the box. The idea that you can do this now with the Nutanix Cloud Platform, that comprehensive cyber resilience, this is a new thing. So thinking about how you go and deploy this across your environments, I think, is really critical. DataLens in the same virtual network, for example, automatically setting up isolated air-gapped environments. And then quickly recovering using immutable snapshots with MST, or directly to NUS, or through snapshots. This idea, I mean, I'm blown away by this demo, I've got to say, right? So it's hard to do. When we said we're going to go do this, I was sweating, like, OK, it's going to be tough. But it's nice. And it just works. That's the beauty of it. Air-gapped cyber resilience. What do you think? Yeah?