In an effort to alert companies to ransomware attacks while they're happening, Catalogic Software released GuardMode this week in DPX 4.8.1, the latest version of the company's enterprise data protection product.
GuardMode, available to customers at no additional cost when they upgrade to DPX 4.8.1, uses threshold monitoring, pattern detection and honeypots to identify potential ransomware attacks, pinpoint what files are affected and restore just the affected files to reduce data loss.
Catalogic's new feature is part of a trend among data backup vendors to provide earlier ransomware detection and data backup veracity. GuardMode is in line with what others such as Cohesity, Veeam and Rubrik already provide, according to Krista Macomber, senior analyst at Evaluator Group.
"We're seeing that data protection has to evolve to help detect cyber attacks and to help to prevent them as well," she said. "Catalogic is taking a step forward with the platform to be able to address those requirements."
A closer look at GuardMode
Traditionally, it takes companies seven to eight days to catch a ransomware attack, and, because they don't have the tools to pinpoint which files or how many files are affected, they roll back all systems, resulting in unnecessary data loss, according to Sathya Sankaran, COO at Catalogic.
Catalogic now provides a more discriminating capability by monitoring not only daily data changes at the block level but also changes at the file level before a backup is created, which may include, for example, changes to file extensions that are indicative of a ransomware attack.
"We can collect these heuristic patterns [on a file] by simply being in the monitoring pipeline," Sankaran said.
When unusual behavior is detected, GuardMode runs the anomaly against more than 4,000 known ransomware strains, collected using Windows File Server Resource Manager. If GuardMode finds a match, it notifies the backup admin of the suspicious behavior.
Catalogic automatically updates GuardMode's list of known strains as new variants are added to the collection. But before pushing the update out to customers, Catalogic manually authenticates the changes.
Macomber said this aspect of GuardMode, in particular, helps to differentiate Catalogic's offering from others.
"It pushes that list out proactively to administrators, and … they don't have to worry about whether it's up to date," she said. "That's especially important considering how volatile the threat landscape is and how much these attacks are evolving."
For unknown ransomware variants, GuardMode uses honeypots, or files filled with decoy data, to trap bad actors.
"Your plan A is to check against a known database," Sankaran said. "Your plan B is, even if they fall through that database, we have a way to capture it."
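The two-tier approach described above, as an added illustration that is not Catalogic's code: file-change events from a monitoring pipeline are checked against a known-extension list (plan A), a burst-of-renames threshold, and decoy honeypot files (plan B), and a flagged process's touched files are listed so only those need restoring. The extension list, honeypot paths and event stream are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample data, not a vendor list: a maintained blocklist (the article
# describes one built with Windows FSRM) would feed this set in a real deployment.
KNOWN_RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
# Decoy files no legitimate process should modify (hypothetical paths).
HONEYPOT_FILES = {"/share/finance/_do_not_open.xlsx", "/share/hr/old_payroll.docx"}
RENAME_THRESHOLD = 3  # extension changes by one process before an alert is raised

@dataclass
class FileEvent:
    pid: int
    op: str             # "rename" or "write"
    path: str
    new_path: str = ""  # destination path, only for "rename"

def detect(events):
    """Return alerts as (severity, pid, reason) tuples in detection order."""
    alerts, ext_changes = [], defaultdict(int)
    for ev in events:
        # Plan B: a honeypot touch is suspicious for any strain, known or not.
        if ev.path in HONEYPOT_FILES or ev.new_path in HONEYPOT_FILES:
            alerts.append(("high", ev.pid, f"honeypot modified: {ev.path}"))
            continue
        if ev.op != "rename":
            continue
        old_ext = PurePosixPath(ev.path).suffix.lower()
        new_ext = PurePosixPath(ev.new_path).suffix.lower()
        # Plan A: the new extension matches a known-strain signature.
        if new_ext in KNOWN_RANSOMWARE_EXTENSIONS:
            alerts.append(("high", ev.pid, f"known ransomware extension {new_ext}"))
        # Threshold monitoring: a burst of extension changes from one process.
        elif new_ext != old_ext:
            ext_changes[ev.pid] += 1
            if ext_changes[ev.pid] == RENAME_THRESHOLD:
                alerts.append(("medium", ev.pid, "burst of extension changes"))
    return alerts

def affected_files(events, pid):
    """Files a flagged process touched: the set to restore from backup."""
    return sorted({ev.new_path or ev.path for ev in events if ev.pid == pid})

# Constructed event stream standing in for the monitoring pipeline feed.
SAMPLE_EVENTS = [
    FileEvent(41, "write", "/share/finance/q3.xlsx"),
    FileEvent(77, "rename", "/share/finance/q3.xlsx", "/share/finance/q3.xlsx.locked"),
    FileEvent(77, "write", "/share/hr/old_payroll.docx"),
    FileEvent(88, "rename", "/share/a.doc", "/share/a.zzz"),
    FileEvent(88, "rename", "/share/b.doc", "/share/b.zzz"),
    FileEvent(88, "rename", "/share/c.doc", "/share/c.zzz"),
]
```

Running `detect(SAMPLE_EVENTS)` yields two high alerts for pid 77 and one medium alert for pid 88, and `affected_files(SAMPLE_EVENTS, 77)` narrows the restore to the two files that process touched.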
Currently, GuardMode works on Windows file systems. Catalogic will expand GuardMode to Linux file systems, which Sankaran said is due out during its regular release cycle in four to six months. The company also plans to introduce SIEM integrations, a double detection feature for more granularity, as well as machine learning and guided recovery capabilities to the product.
Where data protection and security meet
Macomber expects the trend of providing ransomware detection tools in data backup and protection products to continue. Ransomware detection and recovery are now a board-level concern, placing added pressure on IT operations to perform quickly and creating an incentive for vendors to build tools to help them do that, she said.
Putting tools like these into the hands of the backup admin also pushes the storage team to be more proactive in a company's cybersecurity strategy, according to Johnny Yu, research manager at IDC.
"Data protection is its own thing, and security is its own thing, but in order to address ransomware, you need to address both processes," Yu said. "So you need to weave security practices into data protection and data recovery processes."
That's how Catalogic's Sankaran described GuardMode, as a data backup feature layered with security elements. Because it's integrated into the data recovery process, GuardMode not only monitors changes in data and can alert the backup admin to suspicious behavior, but it can also take the next steps to help a company recover in a way that endpoint detection tools such as Microsoft Defender can't.
"These [endpoint detection] solutions … are optimized to give you the red alert to all your security players but without actually telling you how to get back your important data set," he said.
While some data backup vendors may be adding a security label to their products, Catalogic is remaining firm in its focus on the backup admin.
"What we're trying to really do is assist the storage and the backup team to give them the tools themselves to do their jobs," said Mike Miracle, Catalogic's chief strategy officer.
Catalogic also unveiled DPX vPlus this week. The offering provides data protection for Microsoft 365, as well as open virtualization platforms such as RHV/oVirt, Acropolis, XenServer, Oracle VM and KVM.
"DPX vPlus is really about protecting all of these workloads outside of the traditional VMware hyper[visor] market leaders," Sankaran said.
DPX vPlus licenses are extra-cost components, since vPlus can be a standalone product; its licensing is based on worker nodes or user count, according to the company.