Showing posts with label ransomware. Show all posts
Showing posts with label ransomware. Show all posts

Tuesday, July 11, 2023

How WFH Accelerated IT and Security Transformation at Global Publisher HBG

Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a New York-based publishing organization to reduce risk while preserving a highly creative and distributed culture. 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.



Our next security innovations discussion examines how the rapid shift to remote work has accelerated a rethinking of security and IT processes at a New York-based publishing organization.


Rearchitecting the security posture of a business means adjusting work patterns and IT in ways that both reduce risk and heighten performance. But the trick is to do so without alienating workers -- wherever they may be -- and maintaining strong productivity.


Here to share her story on how to digitally transform a traditional business structure, reduce risk factors, and preserve a highly creative culture is Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group (HBG) in New York. Welcome, Heidi.


Heidi Holmes: Thank you. It’s nice to be here and I’m looking forward to this.

Gardner: Let’s start by having you tell us about HBG and why you needed to significantly adjust your security objectives over the past couple of years.


Holmes: HBG is one of the world’s largest publishers. The United States branch is part of a larger global Hachette, and we have some very, very big authors, such as James Patterson and David Baldacci.



We literally print almost every kind of book you can think of. So, our company is highly creative, and very intelligent. On a personal note, it amuses me because at other IT organizations I’ve been with, I could send out an email and never think twice about it. But here, you send out an email and you’re going to be critiqued from every editor across the board. It’s amazing. Even the CEO, he spots things that aren’t quite in the right order. It’s awesome.

So, Hachette: We’re a pretty amazing company. I’ve been here since 2019. I came into a very different IT organization. The leadership in place was great, but around some of the security practices, we really had to mature, to grow our business, and to grow how we monitor, maintain, and secure everything -- from the PC all the way to the edge.


Gardner: It sounds like – being global and dealing with so many authors, editors, and artists – that you were already a fairly distributed organization. And then we all had the move to more remote work in 2020. How did that rapid shift impact your digital transformation journey?


Diversity strengthens security strategies


Holmes: In such a diverse organization, no two sets of tools are the same. Just in the IT organization, every group is unique. And we’re talking five to 20 people. We are an amalgamation because we’ve acquired many different companies over time.


For example, Orbit, which is our science-fiction department. They are amazing, but they operate in one way, whereas Little, Brown Books for Young Readers, which is all of our young readers’ literature, operates completely differently. It’s almost as though it’s IT for a ton of small businesses that operate within a large business structure. It’s pretty interesting.

Once people began working from home, then all their data lived in their laptops. How do you manage and secure that? This is where our new challenges arose. 

So, they were diversified to begin with. But when more people began working from home, supporting them all became even more critical. The traditional IT model was moat and castle. We had to protect ourselves by using the best firewalls. You can protect anything, but once you’re outside the castle, everything is looser.


Once people began working from home, then all of their data lived in their laptops. How do you manage and secure that? What do you do to get your arms around that? This is where our new challenges arose. If you’re used to the castle technology, you have to create high-speed connections to and from every office to access all of your data for home workers.


Gardner: So, you had constellations of different businesses and cultures – as well as legacies of different IT. To corral that together, you almost have to be a managed service provider (MSP) as an IT organization. Is that fair?


Holmes: I do manage the help desk infrastructure. We also serve up all of the data, all the data center services, and the cloud data management, as well as cybersecurity. From my position, we are set up to service different groups on different platforms and support a wide range of tools across the larger IT organization.


It’s amazing. We’ve taken those requirements and built the tools to service the overall organization. And some of them are complex. Then we come back in with the security and managing compliance around how users access data inside of the tools and how it’s all unique across each of those separate publishing entities. It’s fascinating.


Gardner: In addition to a focus on endpoint security to support a distributed and remote work force, you’ve also had to look at transforming IT.


A lot of times, people have architected their IT -- and then they add on security. Did you try to simultaneous engineer for security and IT productivity and digital transformation? Is there a new way of doing security from your vantage point given your responsibilities?


Security as speed bump, not roadblock


Holmes: Yes, there is a new way of doing security. When I entered, security was a bolt-on, after-the-fact approach. For example, they may have already built a tool. But have they tested it? Or an application. What has been done with them?


We were at the ground floor, as new projects were coming up, on security. The teams were coming to us from a cybersecurity standpoint and saying, “What’s the best way for us to secure this? How about outside software-as-a-service (SaaS) providers?” Things like that.


We needed to make sure that they filled out the security forms to make sure that their architecture and best practices matched with what we were looking for with security. But we found out early in the game that they weren’t compliant. They didn’t have security as their first thought. 

It’s more about balancing risks and building in security. As I tell everybody here, cybersecurity is about being a speed bump -- and not a roadblock. Everything we do should be about slowing down, so you don’t bottom-out your car. You want to keep going, not come to a full stop. There’s no productivity if we have to come to a complete stop. We need to keep moving. We’re getting there.


Gardner: Of course, if you have a security breach, that’s one way of coming to a full stop. You need to have a balance between reducing risk, but also maintaining productivity and creativity.


What have you learned the past couple years about those balances? Has it changed with the remote work? How does digital transformation give you the tools to have the insights to reach that balance better?


Holmes: One of the tools we use, and why I’m here, is Bitdefender. We’re looking at their dashboards all the time. We can see what’s commonly going on. The [endpoint detection and response (EDR)] tools are great for our digital transformation because they’re on every one of our computers, on all of our servers, monitoring and automatically blocking risks.


If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It’s really given us an advantage. It gives us the capability to look at what’s going on. Because if we see a large increase, then we can look into our other tools that complement Bitdefender and say, “What are we seeing on our firewalls? What are we seeing in our security information management (SIM) tool? What are we seeing on our email filtering? Do we see a coordinated attack or is this just a run-of-the-mill type of attack?”

If Bitdefender sees lateral movements on the network, it will block and halt those or delete certain files. It's really given us an advantage. ... Bitdefender helps us be proactive on what's going on. For us, it's been great.

Bitdefender helps us be proactive on what’s going on. For us, it’s been great.


Gardner: And being proactive means you want to react swiftly. Is there a way that you’ve adjusted to the remote workforce -- all of those laptops and home desktops -- rather than being  inside the moat? Is there a way for you to take the information you’re getting from your Bitdefender dashboards and be more actionable with it?


Holmes: Absolutely. If we see a large number of attacks, even if they’ve stopped, we can open up a help desk security ticket and reach out to the user. If the incursion seems to be trying to install something or to attack others in the environment, we can remotely deactivate that device. We just have them ship their laptop to us so we can take a closer look, and we ship them out a new one.


We don’t play games with anything in our environment. It’s better to stop it at the source and move on. But, yes, the tools give us the capability to get out ahead of it all. And we’ve developed a team that is constantly monitoring, seven days a week. Our dashboards look for any correlation, anything ahead, and then work with us to automate or alert us if something needs to be acted on more quickly.


Gardner: And, Heidi, how does your background as a network engineer help in your digital transformation and with security concerns? Have you been able to bring more of an architect’s perspective to how you’re modernizing your IT and security?


Architecting for change


Holmes: Yes, I have. For the past 20-plus years, I’ve worked as an architect, network engineer, and network security engineer. The biggest thing I’ve learned is to go back to the business risk. We understand what the business risk is, and how to mitigate or isolate that risk. But that also means understanding the business you’re working with.


Part of an architecture isn’t designing the fanciest, most secure tooling -- because that’s how you get the balance versus the speed bumps. You have to learn the business, learn about the people, know where their risks are, and then architect around that to say, “Okay, stage one is where we see in our transformation the need to move certain things to the cloud.”

Or, “Our most vulnerable systems need to be isolated because some of them might be near end-of-life and we can’t do certain things with them anymore. We’re going to move them over to something such as a different layer or to firewall them with intrusion prevention and monitor it that way. Maybe some of our websites are older and we need to do something with that.”

We might put some sort of a web application firewall (WAF) in front of it. But you have to lay it all out in stages. And the easiest way to architect and build is to know what the business needs. And then you start designing to have the least productivity impact while giving the most security. So, the biggest bang for your buck: “Let’s start there, let’s hit the quick wins while we’re still planning out the other things.”


And part of architecture is understanding that when you build a process and a project that it changes. It’s a constant re-evaluation. What are the latest tools? The tools from 2019 are not the same tools that I’m working in at this point. Because every year, every six months, every month, something else is out there offering a better way to do things.


For example, a zero-trust architecture was at first a little bit nebulous. Trust nobody and everybody’s like, “Why can’t we trust people?” That’s like, “Well, not everyone’s your friend and even the computer next to you isn’t your friend necessarily either.”


Gardner: Well, that’s a perfect transition to my next question. In an organization like Hachette Book Group, the goal is for people to communicate, collaborate, be creative, and be open.


When you come to them with a security mentality of, “You need to be very suspicious and zero trust-oriented,” that creates potentially a cultural conflict. How have you been able to get people’s buy-in on what you need? Behavior is such an important part of security. At the same time, you want to allow them to be as open as possible and share ideas as they are used to.


Make wide, yet light, security footprints


Holmes: The right mentality is to have the least visible footprint in the things that you’re communicating on, on any given computer. But you also have to trust the communication tools. The things that you use such as Zoom or Teams or something like that. Those are commonly known ports and IP addresses.


We don’t have to overthink it like 15 or 20 years ago, when I needed to know every port that the teams used and qualify that. Our security tools will automatically understand, and part of the artificial intelligence (AI) built into them, knows that these are okay communication methods and it’s fine for us to continue to communicate that way.


So, there’s an openness with video communication and collaboration with a level of security and staying away from custom-built tools to communicate. That will protect you because inherently, custom-built tools usually need extra updating and the people who develop them don’t always keep them up to date. That also will protect you in a zero-trust environment.


But honestly, it’s gotten so much easier with zero trust … because Bitdefender is fantastic for that. It’s always monitoring. The AI is telling us as it’s looking at patterns instead of always at a specific port where you can lock people down and isolate them. So, it can see a lot of the lateral movements, you can see different firewall rules that are not industry-standard and as attacks try to pass through. It’s the only real way to go.

Gardner: You’re describing what people have come to think of as what a security operations center (SOC) as a service could be. Is that how you’re starting to view something like Bitdefender? Or is that a place you’d like to see it go, of where you have a SOC as a service benefit all the time and everywhere?


Holmes: Well, that would be fantastic. And we have spoken to Bitdefender about this. From my past experience, I’ve worked with SOCs, did a little bit of management of SOCs, and brought that into a new organization.


What you see a lot of times is they give you a lot of data. And traditionally, any SOC will overwhelm you with 3,000 alerts and events in a day. And you have a team of three and you’re hiring a SOC to help you. But instead, your team of three needs to remediate all of these things, otherwise they’ll keep showing up, and the SOC’s going to keep reporting and then it becomes completely useless to you.

Bitdefender is using more AI to filter out the things that are less meaningful. It's no longer every single thing that comes across your dashboard. That helps you dive in quicker when there's a problem. 

The modern SOCs, and a lot of what I understood from the Bitdefender side is, they’re using more AI to filter out the things that are less meaningful. It’s no longer every single thing that comes across your dashboard. That helps you dive in quicker when there’s a bigger problem. A SOC can become a benefit instead of a hindrance to a small team because the teams are always already trying to remediate their problems. They only need to know about the things that are brand new major holes because patching everything else should take care of the rest.


Another thing I wanted to mention on SOCs: Back to our transformation, when I mentioned the SIM tools, and having the different dashboards, it takes a while to bring a security team up to speed on what they should be watching for. That’s about identifying what’s meaningful to you. And then to fix the problems they’re finding from doing the scans. The last few years, we’ve been training security staff to do just that. When a SOC comes into play now is when the team is already expert at security and then everything is meaningful. Sometimes you can take the jump to a SOC too fast.


Gardner: A lot of what we hear in the marketplace now is that people are resisting tool sprawl. Too many security tools are not a good thing. They also want tools that will integrate, that play well together.


How are you looking at that balance between having the right number of tools, but also tools that are integrated well in advance?


Just say ‘no’ to tool sprawl


Holmes: I literally just said “no” this week to a couple of security tools because it was just more sprawl. We need to use our tools right. Tools should be useful. They should give you information you don’t already know, or they should coordinate multiple things into one tool so that you can easily discern where a problem is.


So, if a tool doesn’t have multiple uses and it’s not cost-effective, then we don’t want it. There has to be a very specific reason to look at it. Also, every tool needs to be easy to use because we can’t send somebody to three weeks of training. We can’t train a second person for when the first person goes on vacation.


And it has to be automated, it has to be able to page us if it hits certain thresholds. All of that needs to be set up very quickly. Because when we take holidays, there are always less eyes on dashboards. And we still need to know if something’s going on. We need to get paged, woken up, and brought back to the dashboard.

So that’s what we’re looking for. The tool sprawl: Everybody has a tool that they want to sell you -- everybody. It needs to work for on-premises, and it also needs to work in the cloud. It needs to give us all of the information we need. It needs to work in your home to tell me what’s going on in your laptop there. That’s what we need from our security tools.


Gardner: Whenever you ask folks to qualify and quantify how their security is working, the number one response is, “Well we’re not getting hacked, so that’s good.” But because you’re involved with not just security but IT and digital transformation, there’s probably more ways that you can measure the effectiveness of your security approach in terms of productivity, team collaboration, and how your IT support group is able to please your end-users.


Do you have specific ways of looking back and saying, “We made good choices, and we can prove it by blank?” How do you measure your success in digital transformation and security?


Holmes: As far as the users go with collaboration, the easiest way for us to tell is the number of help desk tickets we get. If the users aren’t calling us because they can’t work on their computer -- either because they’ve had an attack or because they just can’t use it because it’s still in lock down -- that’s a good measure.


And if we’re not seeing a proliferation of viruses and malware in our environment then those metrics are great for us, too. We’re constantly watching them, we’re updating them, and we’re reporting all those metrics to our senior leadership in the company. So, it’s been amazing.


Gardner: Let’s briefly look at costs. We’re also seeing many organizations that need to do more with less. Is there a way for you to balance the economic side of the equation with these metrics of success?


Holmes: With the metrics for success, if we purchase tools that help us get ahead of a problem and we don’t have any downtime or a loss of productivity, that is our number one way of evaluating that. So, know your risk, your way of knowledge, and the tools. Tools must do multiple things, be easy to use, and be cost effective.


That’s huge for us because I don’t have to hire extra people, which is cost. I don’t have to have extremely skilled people. I can weigh the cost and the amount that we’re spending in our security and IT budgets and say, “We are doing the right things for our people with the right level of protection and our downtime is in individual users -- not systems.”


That’s how we measure it. Productivity; not lost time. The ability to shift if there is a problem. And that gets back to the training. For example, we recently had a security incident. It turned out to be something from something very old, more than 10 years old, that was transferred to our environment, and we found it with our tools. We shut down a portion of the network and -- because of the training – we only lost about two hours while we investigated it.

A couple years ago, we would have had vice presidents down our throats saying, “Why can’t we do this?” But because we’ve trained our team so well, it was literally, “Okay, let us know when it’s available again. We want to support you. We’ll work on something else.” It was great.


So, it’s all about having the tools, the costs managed, and being able to measure all of our training and practices around the knowledge and people that are behind us. They want a secure environment, and they’re willing to pause if they need to for a little bit while we look at things.


Gardner: You had a speed bump, not a car crash. So that’s a really good indicator.


Holmes: Yes, it was great.


Gardner: Before we end, let’s look to the future. I’ve heard a few words from you, Heidi, like “automation,” “AI,” and “SOC as a service.” What new challenges do you foresee, and what are the best tools or approaches for you to meet them proactively?


Detection advances to patterns


Holmes: The problem is, we don’t know what we don’t know or what the next security problem will be. You need to be prepared for everything. You need to stay ahead as a leader in this field and just listen, watch the articles, and be prepared to pivot when things happen.


The AI and the new tools are great because they are looking for patterns. It’s not like the old days where I would just look for a signature. So, somebody would do something that applies a specific signature, and it could only catch that. It’s now looking for the pattern and then correlating the pattern. As a result, we’re getting many less false positives because it doesn’t look for just one minor anomaly. It looks for a pattern of anomalies, and then it might immediately block it.


There may still be some false positives because of the old applications out there.

We love the tools we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and easiest to drill into. 

We love the tools that we use, such as the Bitdefender console. It delves into so many things. I personally look at the executive dashboard on a regular timeframe because out of all of our tools, it is one of the best and the easiest to drill into. I can say, “Wait, there’s a spike in viruses.” I click on it even though they’re blocked. It shows right there on the line if any of them got through. Then we can raise the flag, even though it’s already been blocked. But who is affected and where? I can click, and it shows me the actual machines, and it shows me what it was trying to do.


That’s the best way to stay ahead. That is part of the automation; it is automatically blocking. So, our firewalls automatically block, or quarantine, or do whatever needs to be done. We get automated alerts that ring our cellphones, that send us messages depending on what it is, and we have bridges. We also have automated [processes] where we can automate traditional patching or fight zero days [attacks] or anything that comes up. We have that all scheduled to go. So, that’s not a manual process anymore.


Gardner: Heidi, before we sign off, for those who are also going on a journey where they want to change the way they’ve done security, where it becomes simultaneous to and maybe even in advance of IT decision-making or IT architecting, what advice do you have for them now that you’ve gone through this? What words of advice do you have for people who can make security part-and-parcel with their digital transformation activities?


Start where you are, then dig deeper


Holmes: Get to know your business. Learn. Learn what your business is doing. Then, while you’re learning, start with the fundamentals. What are you doing well in your business right now or in your security?


Do you have good malware protection? Firewalls on your laptops? Things like that. Start with your servers, with your laptops, every device in your environment. That’s an easy place to start. Make sure your patching is up to date.


And then you can start looking a little bit deeper. Vendors -- understand what your vendors are doing. Just because it’s in the cloud doesn’t mean it’s secure. It is not the same thing. You need to understand where you’re putting your data, and what your people are doing. And that goes back to learning the business. 

Lastly, shadow IT. Because everything can go to the cloud, every business is going to try, and every department is going to try, to find their own tool in the cloud. But they won’t necessarily vet it the way your IT security organization will.


So, get to know the business, gain their trust, and help them by giving them speed bumps and not roadblocks. That’s my advice.


Gardner: Well, I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how the rapid shift to remote work accelerated a rethinking of security and IT processes at a New York-based publishing organization.


And we’ve learned how Hachette Book Group digitally transformed a traditional business structure successfully, reduced risk factors, and preserved a highly creative culture.


So, please join me now in thanking our guest, Heidi Holmes, Senior Director of Information Technology Services at Hachette Book Group. Thanks again. 

Holmes: Thank you. It’s been great talking with you.


Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor, Bitdefender, for supporting these presentations.


Also, a big thank you to our audience for joining us. Please pass this on to your IT and security communities, and do come back next time.


Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.


Transcript of a discussion on how the rapid shift to remote work accelerated the digital transformation of a New York-based publishing organization to reduce risk while preserving a highly creative and distributed culture. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.


You may also be interested in:

Tuesday, October 29, 2019

How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulnerabilities

A discussion how backup storage needs to be made safe and secure, too, especially if companies need to quickly right themselves after an attack.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you are listening to BriefingsDirect. New threats to data security are emerging all the time. Bad players constantly seek new ways to get at and exploit sensitive data sources.

This next BriefingsDirect data security insights discussion explores how data, from one end of its life cycle to the other, needs new protection and a means for rapid recovery.

Stay with us as we examine how backup storage especially needs to be made safe and secure if companies want to quickly right themselves from an attack. To learn more, please welcome Andrew Peters, Stealth Industry Director at Unisys. Welcome, Andrew.

Andrew Peters: Thank you.

Gardner: We’re also here with George Pradel, Senior Systems Engineer at Dell EMC. Welcome, George.

George Pradel: Hi, Dana. Thanks for having us.

Gardner: Andrew, what’s changed in how data is being targeted? How are things different from three years ago?

Peters: Well, one major thing that’s changed in the recent past has been the fact that the bad guys have found out how to monetize and extort money from organizations to meet their own ends. This has been something that has caught a lot of companies flatfooted -- the sophistication of the attacks and the ability to extort money out of organizations.

Gardner: George, why does all data -- from one end of its life cycle to the other --now need to be reexamined for protection?

Pradel: Well, Andrew brings up some really good points. One of the things we have seen out in the industry is ransomware-as-a-service. Folks can just dial that in. There are service level agreements (SLAs) on it. So everyone’s data now is at risk.

Another of the things that we have seen with some of these attacks is that these people are getting a lot smarter. As soon as they go in to try and attack a customer, where do they go first? They go for the backups. They want to get rid of those, because that’s kind of like the 3D chess where you are playing one step ahead. So things have changed quite a bit, Dana.

Peters: Yes, it’s really difficult to put the squeeze on an organization knowing that they can recover themselves with their backup data. So, the heat is on the bad guys to go after the backup systems and pollute that with their malware, just to keep companies from having the capability to recover themselves.

Gardner: And that wasn’t the case a few years ago?

Pradel: The attacks were so much different a few years ago. They were what we call script kiddie attacks, where you basically get some malware or maybe you do a denial-of-service attack. But now these are programmatized, and the big thing about that is if you are a target once, chances are really good that the thieves are just going to keep coming back to you, because it’s easy money, as Andrew pointed out.

Gardner: How has the data storage topology changed? Are organizations backing up differently than they did a few years ago as well? We have more cloud use, we have hybrid, and different strategies for managing de-dupe and other redundancies. How has the storage topology and landscape changed in a way that affects this equation of being secure end to end?

The evolution of backup plans 

Pradel: Looking at how things have changed over the years, we started out with legacy systems, the physical systems that many of us grew up with. Then virtualization came into play, and so we had to change our backups. And virtualization offered up some great ways to do image-level backups and such.

Now, the big deal is cloud. Whether it’s one of the public cloud vendors, or a private cloud, how do we protect that data? Where is our data residing? Privacy and security are now part of the discussion when creating a hybrid cloud. This creates a lot of extra confusion -- and confusion is what thieves zone in on.

We want to make sure that no matter where that data resides that we are making sure it’s protected. We want to provide a pathway for bringing back the data that is air gapped or via one of our other technologies that helps keeps the data in a place that allows for recoverability. Recoverability is the number one thing here, but it definitely has changed in these last few years.

Gardner: Andrew, what do you recommend to customers who may have thought that they had this problem solved? They had their storage, their backups, they protected themselves from the previous generations of security risk. When do you need to reevaluate whether you are secure enough?

Stay prepared 

Peters: There are a few things to take into consideration. One, they should have an operation that can recover their data and bring their business back up and running. You could get hit with an attack that turns into a smoking hole in the middle of your data center. So how do you bring your organization back from that without having policies, guidance, a process and actual people in place in the systems to get back to work?

Learn More About Cyber Recovery
With Unisys Stealth
Another thing to consider is the efficacy of the data. Is it clean? If you are backing up data that is already polluted with malware, guess what happens when you bring it back out and you recover your systems? It rehydrates itself within your systems and you still have the same problem you had before. That’s where the bad guys are paying attention. That’s what they want to have happen in an organization. It’s a hand they can play.

If the malware can still come out of the backup systems and rehydrate itself and re-pollute the systems when an organization is going through its recovery, it’s not only going to hamper the business and the time to recovery, and cost them, it’s also going to force them to pay the ransoms that the bad guys are extorting.

Gardner: And to be clear, this is the case across both the public and the private sector. We are hearing about ransomware attacks in lots of cities and towns. This is an equal opportunity risk, isn’t it?

Peters: Malware and bad guys don’t discriminate.

Pradel: You are exactly right about that. One of the customers that I have worked with recently in a large city got hit with a ransomware attack. Now, one of the things about ransomware attacks is that they typically want you to pay in bitcoin. Well, who has $100,000 worth of bitcoin sitting around?
If you have a government attacked, one of the problems is that chaos ensues. Police officers in their cars were not able to pull up license plates on the computer to check on cars they were pulling over.

But let’s take a look at why it’s so important to eliminate these types of attacks. If you have a government attacked, one of the problems is that chaos ensues. In one particular situation, police officers in their cars were not able to pull up license plates on the computer to check on cars they were pulling over, to see if they had a couple of bad tickets or perhaps the person was wanted for some reason. And so it is a very dangerous situation you may put into play for all of these officers.

That’s one tiny example of how these things can proliferate. And like you said, whether it’s public sector or private sector, if you are a soft target, chances are at some point you are going to get hit with ransomware.

Secure the perimeter and beyond 

Gardner: What are we doing differently in terms of the solutions to head this off, especially to get people back and up and running and to make sure that they have clean and useable data when they do so?

Peters: A lot of security had been predicated on the concept of a perimeter, something where we can put up guards, gates, and guns and in a moat. There is an inside and an outside, and it’s generally recognized today that that doesn’t really exist.

And so, one of the new moves in security is to defend the endpoint, the application, and to do that using a technology called micro-segmentation. It’s becoming more popular because it allows us to have a security perimeter and a policy around each endpoint. And if it’s done correctly, you can scale to hundreds to thousands to hundreds of thousands, and potentially millions of endpoint devices, applications, servers and virtually anything you have in an environment.

And so that’s one big change: Let’s secure the endpoint, the application, the storage, and each one comes with its own distinct security policy.

Gardner: George, how do you see the solutions changing, perhaps more toward the holistic infrastructure side and not just the endpoint issues?

Pradel: One of the tenets that Andrew related to is called security by obscurity. The basic tenet is, if you can’t see it’s much safer. Think about a safe in your house. If the safe is back behind the bookcase and you are the only person that knows it’s there, that’s an extra level of security. Well, we can do that with technology.

So you are seeing a lot of technologies being employed. Many of them are not new types of security technologies. We are going back to what’s worked in the past and building some of these new technologies on that. For example, we add on automation, and with that automation we can do a lot of these things without as much user intervention, and so that’s a big part of this.

Incidentally, if any type of security that you are using has too much user intervention, then it’s very hard for the company to cost-justify those types of resources.

Gardner: Something that isn’t different from the past is having that Swiss Army knife approach of multiple layers of security. You use different tools, looking at this as a team sport where you want to bring as many solutions as possible to bear on the problem.

How have Unisys and Dell EMC brought different strengths together to create a whole greater than the sum of the parts?

Hide the data, so hackers can’t seek

Peters: One thing that’s fantastic that Dell has done is that they have put together a Cyber Recovery solution so when there is a meltdown you have gold copies of critical data required to reestablish the business and bring it back up and get into operation. They developed this to be automated, to contain immutable copies of data, and to assure the efficacy of the data in there.

Now, they have set this stuff up with air gapping, so it is virtually isolated from any other network operations. The bad guys hovering around in the network have a terrible time of trying to even touch this thing.
Learn More About Dell EMC PowerProtect
Cyber Recovery Solution
Unisys put what we call a cryptographic wrapper around that using our micro-segmentation technology called Stealth. This creates a cryptographic air gap that virtually disappears that vault and its recovery operations from anything else in the network, if they don’t have a cryptographic key. If they have a cryptographic key that was authorized, they could talk to it. If they don’t, they can’t. So any bad guys and malware can’t see it. If they can’t see, they can’t touch, and they can’t hack. This then turns into an extraordinarily secure means to recover an organization’s operations.

Gardner: The economics of this is critical. How does your technology combination take the economic incentive away from these nefarious players?

Pradel: Number one, you have a way to be able to recover from this. All of a sudden the bad guys are saying, “Oh, shoot, we are not going to get any money out of these guys.”

You are not going to be a constant target. They are going to go after your backups. Unisys Stealth can hide the targets that these people go after. Once you have this type of a Cyber Recovery solution in place, you can rest a lot easier at night.

As part of the Cyber Recovery solution, we actually expect malware to get into the Cyber Recovery vault. And people shake their head and they go, “Wait, George, what do you mean by that?”

Yes, we want to get malware into the Cyber Recovery vault. Then we have ways to do analytics to see whether our point-in times are good. That way, when we are doing that restore, as Andrew talked about earlier, we are restoring a nice, clean environment back to the production environment.

Recovery requires commitment, investment 

So, these types of solutions are an extra expense, but you have to weigh the risks for your organization and factor what it really costs if you have a cyber recovery incident.

Additionally, some people may not be totally versed on the difference between a disaster recovery situation and a cyber recovery situation. A disaster recovery may be from some sort of a physical problem, maybe a tornado hits and wipes out a facility or whatever. With cyber recovery, we are talking about files that have been encrypted. The only way to get that data back -- and get back up and running -- is by employing some sort of a cyber recovery solution, such as the Unisys and Dell EMC solution.

Gardner: Is this tag team solution between Unisys and Dell EMC appropriate and applicable to all kinds of business, including cloud providers or managed service providers?

Peters: It’s really difficult to measure the return on investment (ROI) in security, and it always has been. We have a tool that we can use to measure risk, probability, and financial exposure for an organization. You can actually use the same methodologies that insurance companies use to underwrite for things like cybersecurity and virtually anything else. It’s based on the reality that there is a strong likelihood that there is going to be a security breach. There is going to be perhaps a disastrous security breach, and it’s going to really hurt the organization.
Plan on the fact that it's probably going to happen. You need to invest in your systems and your recovery. If you think you can sustain a complete meltdown on your company and go out of operations for weeks to months, then you probably don't need to put money into it.

Plan on the fact that it’s probably going to happen. You need to invest in your systems and your recovery. If you think that you can sustain a complete meltdown on your company and go out of operation for weeks to months, then you probably don’t need to put money into it.

If you understand how exposed that you potentially are, and the fact that the bad guys are staring at the low hanging fruit -- which may be state governments, or cities, or other things that are less protected.

The fact is, the bad guys are extraordinarily patient. If your payoff is in the tens of millions of dollars, you might spend, as the bad guys did with Sony, years mapping systems, learning how an operation works, and understanding their complete operations before you actually take action, and in potentially the most disastrous way possible.

So ergo, it’s hard to put a number on that. An organization will have to decide how much they have to lose, how much they have at risk, and what the probability is that they are actually going to get hit with an attack.

Gardner: George, also important on this applicability as to where it’s the right fit is that automation and skills. What sort of organizations typically will go at this and what skills are required?

Automate and simplify 

Pradel: That’s been the basis for our Cyber Recovery solution. We have written a number of APIs to be able to automate different pieces of a recovery situation. If you have a cyber recovery incident, it’s not a matter of just, “Okay, I have the data, now I can restore it.” We have a lot of experts in the field. What they do is figure out exactly where the attack came from, how it came in, what was affected, and those types of things.

We make it as simple as possible for the administration. We have done a lot of work creating APIs that automate items such as recovering backup servers. We take point-in-time copies of the data. I don’t want to go into it too deeply, but our data domain technology is the basis for this. And the reason why it’s important to note is because the replication we do is based upon our variable-length deduplication.

Now, that may sound a little gobbledygook, but what that means is that we have the smallest replication times that you could have for a certain amount of data. So when we are taking data into the Cyber Recovery vault, we are reducing what’s called our dwell time. This is the area where you would have someone that could see that you had a connection open.
Learn More About Cyber Recovery
With Unisys Stealth
But a big part of this is on a day-to-day basis, I don’t have to be concerned. I don’t have a whole team of people that are maintaining this Cyber Recovery vault. Typically, with our customers, they already have the understanding of how our base technology works and so that part is very straightforward. And what we have is automation, we have policies that are set up in the Cyber Recovery vault that will, on a regular basis, hold the data, whatever is changed from the production environment, typically once a day.

And a rule of thumb for some people that might be thinking, this sounds really interesting, but how much data would I put in this? Typically we’ll do 10 to 15 percent of a customer’s production environment, that might go into the Cyber Recovery vault. So we want to make this as simple as possible, we want to automate as much as possible.

And on the other side, when there is an incident, we want to be able to also automate that part because that is when all heck is going on. If you’ve ever been involved in one of those situations, it’s not always your clearest thinking moment. So automation is your best friend and can help you get back up and running as quickly as possible.

Gardner: George, run us through an example, if you would, of how this works in the real-world.

One step at a time for complete recovery 

Pradel: What will happen is that at some point somebody clicks on that doggone attachment that was on that e-mail that had a free trip to Hawaii or something and it had a link to some ransomware.

Once the security folks have determined that there has been an attack, sometimes it’s very obvious. There is one attack where there is a giant security skeleton that comes up on your screen and basically says, “Got you.” It then gives instructions on how you would go about sending them the money so that you can get your data back.

However, sometimes it’s not quite so obvious. Let’s say your security folks have determined there has been attack and then the first thing that you would want to do is access the cyber recovery provided by putting the Cyber Recovery vault with Stealth. You would go to the Cyber Recovery vault and lock down the vault, and it’s simple and straightforward. We talked about this a little earlier about the way we do the automation is you click on the lock, that locks everything down and it stops any future replications from coming in.

And while the security team is looking to find out how bad it is, what was affected, one of the things the cyber recovery team does is to go in and run some analysis, if you haven’t done so already. You can automate this type of analysis, but let’s say you haven’t done that. Let’s say you have 30 point-in times, so one for each day throughout the last month. You might want to check and run an analysis against maybe the last five of those to be able to see whether or not those come up as suspicious or as okay.

The way that’s done is to look at the entropy of the different point-in-time backups. One thing to note is that you do not have to rehydrate the backup in order to analyze it. So let’s say you backed it up with Avamar and then you wanted to analyze that backup. You don’t have to rehydrate that in the vault in order to get it back up and running.
Once that’s done, then there’s a lot of different ways that you can decide what to do. If you have physical machines but they are not in great shape, they are suspect in that. But, if the physical parts of it are okay, you could then decide that at some point you’re going to reload those machines with the gold copies or very typical to have in the vault and then put the data and such on it.

If you have image-level backups that are in the vault, those are very easy to get back up and running on a VMWare ESX host store, or Microsoft Hyper-V host that you have in your production environment. So, there are a lot of different ways that you can do that.

The whole idea, though, is that our typical Cyber Recovery solution is air-gapped and we recommend customers have a whole separate set of physical controls as well as the software controls.

Now, one of those steps may not be practical in all situations. That’s why we looked at Unisys Stealth, to provide a virtual air gap by installing the pieces from Stealth.

Remove human error 

Peters: One of the things I learned in working with the United States Air Force’s Information Warfare Center was the fact that you can build the most incredibly secure operation in the world and humans will do things to change it.

With Stealth, we allow organizations to be able to get access into the vault from a management perspective to do analytics, and also from a recovery perspective, because anytime there’s a change to the way that vault operates, that’s an opportunity for bad guys to find a way in. Because, once again, they’re targeting these systems. They know they’re there; they could be watching them and they can be spending years doing this and watching the operations.

Unisys Stealth removes the opportunity for human error. We remove the visibility that any bad guys, or any malware, would have inside a network to observe a vault. They may see data flowing but they don’t know what it’s going to, they don’t know what it’s for, they can’t read it because it’s going to be encrypted. They are not going to be able to even see the endpoints because they will never be able to get an address on them. We are cryptographically disappearing or hiding or cloaking, whatever word you’d like to use -- we are actively removing those from visibility from anything else on the network unless it’s specifically authorized.

Gardner: Let’s look to the future. As we pointed out earlier in our discussion, there is a sort of a spy versus spy, dog chasing the cat, whatever you want to use as a metaphor, one side of the battle is adjusting constantly and the other is reacting to that. So, as we move to the future, are there any other machine learning (ML)-enabled analytics on these attacks to help prevent them? How will we be able to always stay one step ahead of the threat?
Peters: With our technology we already embody ML. We can do responses called dynamic isolation. A device could be misbehaving and we could change its policy and be able to either restrict what it’s able to communicate with or cut it off altogether until it’s been examined and determined to be safe for the environment.

We can provide a lot of automation, a lot of visibility, and machine-speed reaction in response to threats as they are happening. Malware doesn’t have to get that 20-second head start. We might be able to cut off in 10 seconds and be able to make it a dynamic change to the threat surface.

Gardner: George, what’s in the future that it’s going to allow you to stay always one step ahead of the bad guys? Also, is there is an advantage for organizations doing a lot of desktops-as-a-service (DaaS) or virtual desktops? Do they have an advantage in having that datacenter image of all of the clients?

Think like a bad guy 

Pradel: Oh, yes, definitely. How do we stay in front of the bad guys? You have to think like the bad guys. And so, one of the things that you want to do is reduce your attack surface. That’s a big part of it, and that’s why the technology that we use to analyze the backups, looking for malware, uses 100 different types of objects of entropy.

As we’re doing ML of that data, of what’s normal what’s not normal, we can figure out exactly where the issues are to stay ahead of them.

Now an air gap on its own surface is extremely secure because it keeps that data in an environment where no one can get at it. We have situations where Unisys Stealth helped with closing the air gap situation where a particular general might have three different networks that they need to connect to and Stealth is a fantastic solution for that.

If you’re doing DaaS, there are ways that it can help. We’re always looking at where the data resides, and most of the time in those situations the data is going to reside back at the corporate infrastructure. That’s a very easy place to be able to protect data. When the data is out on laptops and things like that, then it makes it a little bit more difficult, not impossible, but you have a lot of different end points that you’re pulling from. To be able to bring the system back up -- if you’re using virtual desktops, that kind of thing, actually it’s pretty straightforward to be able to do that because that environment, chances are they’re not going to bring down the virtual desktop environment, they’re going to encrypt the data.
Learn More About Dell EMC PowerProtect
Cyber Recovery Solution
Now, that said, one of the things when we’re having these conversations, it’s not as straightforward of a conversation as ever. We talk about how long you might be out of business depending upon what you’ve implemented. We have to engineer for all the different types of malware attacks. And what’s the common denominator? It’s the data and keeping that data safe, keeping that data so it can’t be deleted.

We have a retention lock capability so you can lock that up for as many as 70 years and it takes two administrators to unlock it. That’s the kind of thing that makes it robust.

In the old days, we would do a WORM drive and copy stuff off to a CD to make something immutable. This is a great way to do it. And that’s one way to stay ahead of the bad guys as best as we can.

Gardner: I’m afraid we’ll have to leave it there. You have been listening to a sponsored BriefingsDirect discussion on how data from one end of its lifecycle to the other needs protection and a means for rapid recovery.

And we’ve learned how a solution from Dell EMC and Unisys helps protect storage including backup data and further assists companies in making themselves whole again after an attack -- when they’ve taken the proper precautions.

Please join me in thanking our guests, Andrew Peters, Stealth Industry Director at Unisys. Thank you, Andrew.

Peters: Thank you.

Gardner: And George Pradel, Senior Systems Engineer at Dell EMC. Thank you so much, George.

Pradel: Thanks, Dana.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect Data Security Insights Discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Unisys-sponsored BriefingsDirect discussions.

Thanks again for listening. Please pass this along to your community and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys.

A discussion how backup storage needs to be made safe and secure, especially if companies need to right themselves from an attack. Copyright Interarbor Solutions, LLC, 2005-2019. All rights reserved.

You may also be interested in: