Druva has forged an API integration with FireEye Helix to show IT security teams who is accessing and performing backup tasks.
Joint customers using Druva InSync for endpoint and cloud application backup and FireEye Helix for security can use the integration to combat ransomware attacks. By extending FireEye's visibility into Druva, the vendors allow security admins to monitor backup and restore activities through Helix's interface. Preset rules and alerts help identify when something is amiss, such as abnormal data restoration, unauthorized login attempts, password changes and admin attempts to download data. This allows admins to react to potential data breaches or theft, whether from a ransomware attack or an insider.
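As an added illustration, not taken from the article and not Druva's or FireEye's own code, the four alert conditions named above can be expressed as detection rules run over backup audit events; the event schema, user names, thresholds and time window below are constructed assumptions, not the real Druva inSync or FireEye Helix formats:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed backup audit events in a hypothetical, simplified schema.
# This is NOT the real Druva inSync or FireEye Helix event format.
SAMPLE_EVENTS = [
    {"ts": "2020-06-01T09:00:00", "user": "alice",   "role": "user",  "action": "login_failed"},
    {"ts": "2020-06-01T09:01:00", "user": "alice",   "role": "user",  "action": "login_failed"},
    {"ts": "2020-06-01T09:02:00", "user": "alice",   "role": "user",  "action": "login_failed"},
    {"ts": "2020-06-01T10:00:00", "user": "bob",     "role": "user",  "action": "restore"},
    {"ts": "2020-06-01T10:03:00", "user": "bob",     "role": "user",  "action": "restore"},
    {"ts": "2020-06-01T10:20:00", "user": "bob",     "role": "user",  "action": "restore"},
    {"ts": "2020-06-01T11:00:00", "user": "mallory", "role": "admin", "action": "restore"},
    {"ts": "2020-06-01T11:01:00", "user": "mallory", "role": "admin", "action": "restore"},
    {"ts": "2020-06-01T11:02:00", "user": "mallory", "role": "admin", "action": "restore"},
    {"ts": "2020-06-01T11:05:00", "user": "mallory", "role": "admin", "action": "download"},
    {"ts": "2020-06-01T11:06:00", "user": "carol",   "role": "user",  "action": "password_change"},
]

def _burst(times, threshold, window):
    """True if `threshold` or more timestamps fall inside some sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1           # slide the window forward past stale events
        if end - start + 1 >= threshold:
            return True
    return False

def detect(events, restore_threshold=3, failed_login_threshold=3,
           window=timedelta(minutes=10)):
    """Return sorted (alert_name, user) pairs for the four rule families."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = set()
    for user, evs in by_user.items():
        restores = [datetime.fromisoformat(e["ts"]) for e in evs if e["action"] == "restore"]
        failures = [datetime.fromisoformat(e["ts"]) for e in evs if e["action"] == "login_failed"]
        if _burst(restores, restore_threshold, window):       # abnormal data restoration
            alerts.add(("abnormal_restore_volume", user))
        if _burst(failures, failed_login_threshold, window):  # unauthorized login attempts
            alerts.add(("repeated_failed_logins", user))
        for e in evs:
            if e["action"] == "password_change":              # password changes
                alerts.add(("password_change", user))
            if e["action"] == "download" and e["role"] == "admin":  # admin data download
                alerts.add(("admin_download", user))
    return sorted(alerts)
```

Bob's three restores are spread over 20 minutes, so they fall outside the 10-minute window and raise no alert, while mallory's three restores within two minutes do.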
Naveen Chhabra, senior analyst at Forrester Research, said bridging the gap between security and data protection needs to happen at the technology level and the administrative level to keep companies safe from modern threats. One of the challenges of recovering from a ransomware attack is identifying which backup point to restore to. Some ransomware is insidious enough to lie dormant after intrusion and wait for backups to replicate it, compromising all future copies. With proper monitoring, IT security would be able to identify the point of intrusion and advise system admins to restore backups from before then. However, Chhabra said that, oftentimes, security and backup admins aren't talking to each other enough.
And even if they were, scale becomes a problem. Chhabra said technology has to step in with tools that can recover hundreds or thousands of compromised VMs in an automated, organized manner. Information between backup and security tools needs to be shared intelligently in order to build a workflow for identifying which VMs need to be restored and which copies are "clean" and safe to restore from.
"The challenge now is recovery at scale. Looking at this holistically is always welcome," Chhabra said.
Prem Ananthakrishnan, vice president of products at Druva, said ransomware attacks on backups have increased since the COVID-19 pandemic. More people working remotely provides greater opportunities for criminals to steal credentials or gain unauthorized entry to backups. Aside from cybercriminals trying to take out an organization's last line of defense, Ananthakrishnan said insider threats have also increased. A slow economy and the fear of layoffs can drive employees to go rogue, leading to data theft or malicious deletion.
"From the volume of support cases we get, we are seeing an increasing trend where customers suspect people were trying to break into their backup system," Ananthakrishnan said.
"Threats are shifting to at-home workers," added Sean Morton, vice president of customer experience at FireEye.
Morton said that, from a security standpoint, the coronavirus and the resulting increase in remote work were already expanding the attack surface for cyber intrusion. However, after three months or more of mandated isolation and slowed business, morale across many organizations has decreased. Organizations are now experiencing a greater risk of data leakage from within than before.
Ananthakrishnan said security admins have always struggled with quickly getting incident info when it comes to backup. Druva is a backup product and would therefore be under the purview of a backup admin. Even though the software is logging and tracking its activities, it's unusual for a backup admin to constantly monitor that information for anomalies. With this integration, Druva feeds that information directly to a security admin using FireEye Helix. Ananthakrishnan said Druva is exploring similar levels of integration with its other security partners.
Data protection vendor Arcserve has similarly partnered with security vendor Sophos to provide security for backups, while other vendors such as Acronis combine the two within their own offerings.