Commvault Metallic tricks ransomware to protect data

Hunting with decoys

Other data protection companies have been using AI and machine learning (ML) for anomaly detection for some time, including Commvault, according to David Ngo, CTO of Metallic at Commvault.

Ransomware can take days or months to detonate after infiltrating a system. It tries to evade notice once it has breached a customer's environment, Ngo said. ThreatWise helps to discover it by laying a trap.

Adversaries can't tell [ThreatWise is] there, so when they poke at a decoy, it is a clear and undisputable sign that an organization is experiencing a cyber attack.

"Touching an asset here is like touching a tripwire," Ngo said. "The action triggers the detection, rather than types of patterns triggering the detection."

This SaaS-delivered deception technology for data protection is unique to Metallic, he said. Several vendors use AI and ML to detect anomalous patterns in behavior, while ThreatWise uses decoys to discover live attacks.

Deception technology like decoys is incredibly useful in detection, according to Jon Oltsik, senior analyst at ESG.

"Adversaries can't tell it's there, so when they poke at a decoy, it is a clear and undisputable sign that an organization is experiencing a cyber attack," he said.

Historically, deception technology has been thought of as overly complex for average organizations, Oltsik said. TrapX showed that it wasn't overly complex, but it could take time to change security professionals' minds.

Hitting a tripwire

If a bad actor comes in to exfiltrate data and grabs some of the ThreatWise decoys in the process, Ngo said, ThreatWise alerts the security team while kicking off forensics to analyze the threat.

"What's happening is an active attack," Ngo said. "The customer has to do something -- it is a real attack that is happening right then."

It isn't the normal quarantine process that happens in data protection, he noted. The data protection will also be ready if a recovery and restore is needed.

Data protection and backup are important for a production environment, Bertrand said, and bad actors are looking for ways to take the backup out. ThreatWise helps "protect the protector" through early detection while minimizing the possibility of something going wrong with the backup.

"It is great to quickly recover, but in a perfect world, you never want to have to recover," he said.

While industry experts agree that identifying an issue before it spreads is important, it raises the question of what these decoys can do within a system.

False alarms

The decoys from ThreatWise mimic real assets such as VMs, Ngo said. However, they don't use resources, nor do users need licenses to run them. IP addresses are the only thing needed to run the decoys.

"Nothing is actually sitting in production running. There is no additional load on the systems," Ngo said.

Security functions or security features on the storage won't trigger ThreatWise, as the two types of technology run separately from one another, he said. ThreatWise is a decoy because it looks like a normally running program, not a threat.

Deception technology has a low false positive rate, according to Oltsik. No one should be attempting to access the decoys for legitimate reasons, and doing so would tip off security that something is amiss.

Security will have some functionality baked into other technologies going forward, Oltsik said. This might blur the lines a bit in terms of ownership and management, but as ransomware attacks evolve, this blurring becomes necessary.

There are a number of ecosystem plays that are happening in the data protection and security space, Bertrand said. There are several data protection vendors partnering with cybersecurity vendors to add early detection.

"The traditional backup and recovery space is evolving and becoming not so much about disaster recovery, but more about cyber recovery," he said.