Ep#140 The Evolving Ransomware Threat with Cohesity

June 15, 2023

Episode Summary

In this episode of the Jon Myer Podcast, "The Evolving Ransomware Threat," we look at the cyber threats facing organizations and how those threats are changing. Jon talks with Vic Camacho and Jed Wallace from Cohesity.

The episode covers the most significant cyber threats organizations face today, with a focus on ransomware, which remains the most prominent and disruptive of them. From high-profile data breaches to disruptions of critical infrastructure, these attacks can cripple businesses and institutions worldwide.

The conversation also covers the key challenges organizations face in defending against these threats and how they are responding: robust security measures, employee education and awareness programs, and proactive incident response plans. Vic and Jed explain how organizations can stay a step ahead of attackers and keep sensitive data out of the wrong hands.

We also discuss the current state of ransomware attacks and how organizations are preparing for them, with emphasis on data backup and recovery strategies, threat detection systems, and incident response protocols, as well as the role of industry collaboration and regulatory frameworks in raising the bar across the board.

Throughout the episode, Vic and Jed highlight practical mitigations: multi-layered defenses, regular security audits, and a culture of security awareness within the organization.

Tune in to "The Evolving Ransomware Threat" on the Jon Myer Podcast to hear Vic Camacho and Jed Wallace on navigating the changing landscape of cyber threats.
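The summary above names detection systems and backup-based recovery as the core defenses. The script below is an added example, not code from the podcast or from Cohesity: it compares two backup snapshots (constructed in-line as dictionaries of path to bytes) and flags the indicators a backup-side ransomware scanner looks for: a large share of files changed at once, contents that became near-random (high Shannon entropy, as encrypted data is), files reappearing under an appended extension, and a new ransom-note file. All paths, file contents, thresholds and note-name markers are made up for the example.

```python
"""Flag ransomware indicators by comparing two backup snapshots.

Added illustration only: snapshots are plain dicts of path -> bytes, and the
sample data, thresholds and file names are constructed for the example.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

Snapshot = Dict[str, bytes]

# Substrings that commonly appear in dropped ransom-note file names (assumed list).
NOTE_MARKERS = ("readme", "decrypt", "recover", "restore", "how_to")


@dataclass
class Verdict:
    changed_ratio: float       # share of baseline files modified, renamed or deleted
    high_entropy_ratio: float  # share of baseline files whose new content looks encrypted
    renamed_ratio: float       # share of baseline files that reappeared under a new name
    ransom_note: bool          # a new file whose name looks like a ransom note
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _counterpart(path: str, after: Snapshot) -> Optional[str]:
    """Locate `path` in the later snapshot, tolerating an appended extension
    (a.txt -> a.txt.locked), which is how many encryptors mark their output."""
    if path in after:
        return path
    for candidate in after:
        if candidate.startswith(path + "."):
            return candidate
    return None


def compare_snapshots(before: Snapshot, after: Snapshot,
                      entropy_threshold: float = 7.5,
                      mass_change_threshold: float = 0.5) -> Verdict:
    """Score the later snapshot against the baseline.

    A few edited files are normal churn; most files changing at once AND
    turning into high-entropy blobs is the classic encryption signature.
    """
    total = len(before)
    changed = high_entropy = renamed = 0
    for path, old_bytes in before.items():
        new_path = _counterpart(path, after)
        if new_path is None:
            changed += 1               # a deleted file counts as changed
            continue
        if new_path != path:
            renamed += 1
        new_bytes = after[new_path]
        if new_path != path or new_bytes != old_bytes:
            changed += 1
            if shannon_entropy(new_bytes) >= entropy_threshold:
                high_entropy += 1
    note = any(
        p not in before and any(m in p.rsplit("/", 1)[-1].lower() for m in NOTE_MARKERS)
        for p in after
    )

    def share(count: int) -> float:
        return count / total if total else 0.0

    changed_ratio, high_ratio, renamed_ratio = share(changed), share(high_entropy), share(renamed)
    suspicious = (changed_ratio >= mass_change_threshold and high_ratio >= mass_change_threshold) \
        or (note and changed > 0)
    return Verdict(changed_ratio, high_ratio, renamed_ratio, note, suspicious)


def sample_snapshots():
    """Constructed data: a baseline, a normal next-day copy, and an encrypted copy."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    before = {f"finance/q{i}.txt": (f"invoice {i} total {i * 100}\n" * 40).encode()
              for i in range(20)}
    normal = dict(before)
    normal["finance/q1.txt"] = before["finance/q1.txt"] + b"amended\n"
    normal["finance/q2.txt"] = b"rewritten quarterly summary\n" * 30
    encrypted = {f"finance/q{i}.txt.locked": bytes(rng.getrandbits(8) for _ in range(2048))
                 for i in range(18)}
    encrypted["finance/q18.txt"] = before["finance/q18.txt"]   # two files untouched
    encrypted["finance/q19.txt"] = before["finance/q19.txt"]
    encrypted["finance/README_DECRYPT.txt"] = b"your files are encrypted\n"
    return before, normal, encrypted


if __name__ == "__main__":
    base, normal_day, bad_day = sample_snapshots()
    print("normal day:", compare_snapshots(base, normal_day))
    print("after hit: ", compare_snapshots(base, bad_day))
```

The two thresholds are deliberately coarse. Entropy alone misfires on legitimately compressed or encrypted files (archives, media, already-encrypted databases), so the verdict requires the mass-change and high-entropy ratios to move together, or a ransom note alongside any change; in a real backup platform the same comparison would run against the previous snapshot on every ingest and feed an alert rather than a print.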


About the Guest

Vic Camacho

Vic Camacho has more than 25 years of experience in the IT industry. He has held various roles ranging from Systems Architect to Field CTO. Prior to Cohesity, he spent time at HyTrust and VMware along with a start-up. When not speaking about tech, he enjoys spending time with his family and helping others realize their health and wellness goals.


Jed Wallace

Jed Wallace has spent the last 20+ years progressing through his career at medium to large-scale enterprises, primarily in financial services and state/local government.


Episode Show Notes & Transcript

Host: Jon

Hi everybody and welcome to the Jon Myer podcast. Today's topic is the evolving ransomware threat and how to keep your data secure. We're joined by two guests from Cohesity. Our first guest is Jed Wallace, a staff technologist, and our second one is Vic Camacho, a principal technologist. You know what? Jed has spent the last 20-plus years progressing through his career at medium to large-scale enterprises, primarily in financial services and state and local governments, while Vic has more than 25 years of experience in the IT industry and has held various roles ranging from Systems Architect to Field CTO. Please join me in welcoming Jed and Vic to the show. Jed, Vic, long time.

Guest: Jed

Yeah, it's been a minute, huh? It's good to be here again.

Host: Jon

Yeah, I think the last time we got a chance to get together, we were in Vegas. We sat down, we had a nice discussion within the Vira while re:Invent was going on, and we were talking about something similar, along the same topic, but this is a little bit more in-depth.

Guest: Vic

Yeah, absolutely. I think the last conversation we had was a little bit more focused on cybersecurity in general, but we were all over the map, right? Because there's so much to talk about. Yeah. It made sense to kind of focus on just one element, just because it's still heavy in the news. So we figured that'd be a good way of going.

Guest: Jed

And Jon's favorite term, rack 'em and stack 'em. We were talking about some administration and the good old days.

Host: Jon

I'm going to avoid that for just a little bit, or try to. You are going to keep that out of this podcast, but I cannot guarantee anything because you're going to bring back some of those fond memories. Today's topic is the evolving ransomware threat, and from Cohesity's standpoint, we have Vic and Jed to give us some of their insights and some of their expertise on the topic. Vic, I'm going to start with our very first question to kick things off: what do you see as some of the most significant cyber threats facing organizations today?

Guest: Vic

Oh, that's a great question. So I mean, I think at least for everyone on this podcast, everyone knows it's still ransomware, right? It's in social media, it's on the news outlets. It's being talked about by reputable cybersecurity outlets that report on this. And the number one threat is still ransomware. There are other cyber threats, but ransomware is still top of mind for good reason: they're still having success. And so when you have success, and some of those are big payouts, you tend to go with what works. And so ransomware is still the number one threat that exists today for organizations.

Host: Jon

Jed, are you still seeing the same thing? Are you seeing ransomware as one of the biggest threats to organizations still today too?

Guest: Jed

Yeah, a hundred percent. And I think AI, yeah, I'm going to bring it up early. AI is everywhere. It's the new cloud. Everybody's using the term generally, but they're not using it properly, but now anybody can go and get ransomware code from an AI and just start working their magic. So I foresee, we talk about state-sanctioned attacks from, say, overseas, but what about the random kid who now has access to highly sophisticated AI who just says, Hey, can you give me a ransomware code? And then boom, there they are, they're ready to go and they don't need to know much. It's almost like ransomware for dummies. So I think that's going to probably eventually overtake some of the more organized threats we see.

Guest: Vic

You mentioned a good thing with AI. So I attended RSA, right? I was working the show, but I got to attend some sessions and they had this panel come up, and this one gentleman in particular was talking about how AI can be used for good, but it can also be used for bad. So threat actors are using it. And he had had a conversation, and I believe this was with ChatGPT, but what he asked ChatGPT was, Hey, can you look at this code snippet and tell me where some vulnerabilities are at? And so it came back and said, yeah, here's where it could potentially be a vulnerability. And it was a stack overflow in a particular piece of that code. And from that, he was able to say, well, what could I write to compromise this?

Guest: Vic

And when ChatGPT first came out, it would just give you the code. But now that it's evolved, it's saying, well, this kind of sounds like ransomware, so it was not going to provide that. And so this is a conversational thing going back, we're like, well, no, I'm not doing that for that. I just want to ensure that I understand where I can kind of shore this up. And so ChatGPT, and he's putting these excerpts up, right, came back: well, in that case then this is how you would potentially do it. And so it was just kind of like, okay, now I know how I can take advantage of this vulnerability. Vic,

Guest: Jed

I don't know. My goodness,

Host: Jon

I can see this. Oh, I can see where this could go wrong in so many ways. Now wait a second. I didn't know I could ask ChatGPT about my ransomware code. Yes. First of all, now you're putting, oh, we're going to get way off topic here, but this is just unbelievable, thinking about how with generative AI I can put in this code and say, where are some of my vulnerabilities? Great, let me take this and now let me go see if I can do it. That's on the good actors. But now you have bad actors who will do the same thing and be like, how can I make this vulnerable? How can I get in there? But isn't it, you are also dropping code, production code, into ChatGPT, which is now they're taking that code and they're looking

Guest: Jed

At and owning

Host: Jon

It. They're going to be part of their algorithm,

Guest: Jed

They own it. Now we just read that it's supposed to be proprietary to that company, whoever it is, X, Y, or Z, and they throw that code in there to see if there are any errors. And lo and behold, they just now gave up ownership. You just gave

Host: Jon

'em your production code. That's right. How do you even stop against that?

Guest: Vic

Well, I mean, again, you know, vet employees out, and typically they're good people, but you do have threat actors out there that will take advantage of that. And so the session that I was watching pretty much was, what can you do about it? And the gentleman threw up his hands in the air and said, you can't, right? All you can do is create this cybersecurity awareness around, now, artificial intelligence and be aware of what it can do. So essentially it's going to be, Hey, you have code here, don't put it in here, because now they own it. And so it's huge, and it's all in there, but people want to use the technology so they just kind of blow through, right? How many times have we just gone right through the plan, right? It's like scroll to the bottom, clicking on

Host: Jon

Whoa, whoa, wait a second. I read the thing from top to bottom. I'm

Guest: Jed

All 3000 pages of it, Jon,

Host: Jon

I always read the Microsoft one. It's about 10 times I got to click

Guest: Jed

That you give 'em your firstborn. It's all the stipulations in there.

Guest: Vic

Yeah. So I mean, in terms of that though, you have to be prepared. You still have what I call the simple checks and balances that you can still put in place. You still have to follow zero trust principles and employ zero trust architecture. And even if you do all of that, you have to be able to detect that kind of malicious code, like ransomware, as an example. So the best you can do is prepare for the worst and hope for the best. But when you talk about AI and putting that code up there, you know, you have to be smarter than that. And so I can see that there's going to be a whole other aspect. If you think through this, there's going to be a whole other aspect where compliance and legal, now they're going to have some other things to work on because of AI. It's transformative, but it can be used for both good and bad. But

Guest: Jed

Doesn't that really kind of lead us to the topic of knowing your data, knowing what's sensitive and what's not? The starting point for, I think, anyone is knowing what data your organization has and who's accessing it, and if there's PII in that data. I think for any organization that might be the first part of any kind of audit, or how you want to move forward in a security posture: knowing what data you have.

Guest: Vic

Well, yeah, and when you think about the rate that data is growing, right, much of it is still unstructured data. It accounts for 85% and it's growing at an exponential rate. And that data can live anywhere. It can live within your on-prem data centers, like traditional data centers. It can live at the edge, like your remote office and branch offices. And of course, it can live in the cloud.

Guest: Jed

What's that fancy term you use? What's the fancy term you use, Vic? Silos.

Guest: Vic

Yeah, exactly. So now you have these data silos everywhere and you have to manage that. And so managing the data is key, but knowing what kind of data you have is just as important, especially if you are a healthcare organization or you're in retail; all of those types of industries have to adhere to certain regulatory compliance. And so if you don't know where that data's at, then how could you possibly protect it? So you have to know where that's at, and that's where things like data classification come into play. And Jed, about data classification too, I mean, you being that you worked in government. Yeah, I mean there's a lot of sensitive data there. Constituents,

Guest: Jed

Elections,

Guest: Vic

Elections.

Guest: Jed

I mean you talk about, that's been in the news for the past six, seven years. Voter data, voter rolls, the DNC, RNC, all that other good stuff.

Host: Jon

Okay, we're getting a little political, I'm going to steer us away from the political topic. No, I'm just kidding. Okay. All right. I know we're talking ransomware, but you're talking about obviously understanding your data, where your data is, and what it is. I want to understand what some of the biggest threats are that organizations are facing today with ransomware and how they're protecting against it. But before I jump to that, I've got a couple of comments on generative AI and understanding and educating. Right now everybody goes through training, or will be going through training, for generative AI and understanding the process of putting data in there and understanding that the data leaves. And you're all dependent upon the people, your employees, to understand. They are not doing anything with malicious intent; they are doing something without realizing that they're giving this data out there. But you have to depend upon people, which goes into social engineering, which is probably one of the biggest threats to organizations, whether they realize it or not. Vic, what do you think?

Guest: Vic

Well, I mean, these phishing attacks today are so sophisticated, and they are starting to use AI to determine what a person's interests are, and their likes, to compromise their credentials. I mean, these phishing attacks look legit. They used to look legit three or four years ago. Now with AI, they are so much more succinct in what a person will click on, what their interests are, that it becomes almost, what's the term? Like Pavlov's dog, they are just used to clicking on a certain type of information. And so all you've got to do is send that out. And so organizations, we have to be a hundred percent all the time. A threat actor only has to be perfect once, and you just said this right now, Jon, people are going to be the weak link in the cybersecurity chain. It's always going to be us. We're prone to errors in judgment. And so all it takes is one click. When you click on one link that sends out the pink slip notification, the pink slip.

Host: Jon

I want to give you a chance to comment. I don't want to say people are the weakest link, but in reality that is very true. And I got a couple of comments, but Jed, I want to get your feedback on what Vic is saying about how AI is enhancing some of these phishing attacks.

Guest: Jed

Yeah, I agree with Vic. It's only going to make it more complicated to look at an email and say, okay. We're getting training now, and in the past few years we were getting training to look at the email address. Does it have some weird characters in it? Does it look like it's coming from a valid sender? They are starting to bypass those with more complicated tool sets that they're able to use. So it's hard to keep up, but I think, as Vic said, you've got to do your best to try to detect these problems before they cost you a lot of money. So

Host: Jon

I think Vic said it clearly that we have to be right 100% of the time, while a threat actor only has to be right once, when that one click comes up. Vic, I'll tell you a little about something that I learned the other day with generative AI, and I use it daily. I play around with it, I test some things out and I make sure that the data is not going in there, but I was talking with my daughter about how they're taking somebody's voice and giving you a call and saying, Hey, mom, help me. This is on. And it sounds like your kid. At that point, I realized we all needed a safe word that nobody uses, that we don't post anywhere, we don't share anywhere. Oh, really? Something's wrong. What's the word? And if they don't know the word, I mean it could go both ways, but in the emotion, you're just trying to be safe and secure. It's one more step. It's like multifactor authentication. It's one more step to prevent them from actually impersonating you.

Guest: Vic

Yeah, I mean, that's a great point. So that session that I attended, they talked about that. The lady that came out and talked about that experience, she is in the cybersecurity industry, and she talked about using that. And so she was talking about just what you mentioned, Jon, simulating somebody's voice. You've already seen it on Instagram and social media where they're taking that voice pattern and matching it and then adding it to the video. And it sounds just like the person. But I'm going to move over to Jed here because we're former military as well. So when you say the safe word, the word of the day, that's a great technique. What do you think?

Guest: Jed

I think my train of thought went slightly negative. The fact that Jon's bringing this up, and I'm like, inherently, security is an inconvenience for everybody, isn't it? So the fact that they're going to be targeting people even more now, and we have to have even more security implementations, like safe words and stuff, is just, I'm just thinking, where does this stop? I mean, our poor children in 20 years, where are they? What are they going to have to put up with? Because in 20 years, AI is not going to be anything like we're talking about right now, right? It's going to be a whole different animal 20 years from now. I can't even envision what it's going to be, but I think it's just a sad state of affairs. I don't mean to go to the dark side, but I know that it could be used for good. There are good people out there, but of course, there's always going to be the bad actors. So,

Host: Jon

Well, of course, there are always going to be those bad people, but the good has to overcome. You have to have that training, you have to do that. But going back to my original question: what are some of those biggest threats that you are seeing, and then how can we stop them? What are some things that we can do against them?

Guest: Vic

Well, I mean, it's always going to start with cybersecurity awareness. So you mentioned training, right? Having periodic training to keep it fresh in people's minds, in IT staff's minds, in your users' minds, is going to go a long way, because I sometimes have to revisit some kind of education or some kind of doc to bring those things back up to mind, because we forget. You know, you just go with your daily duties, your daily jobs every day, and you forget about these little things that can land you in hot water, for lack of a better term. But cybersecurity starts with cybersecurity awareness, properly training everybody, and keeping it top of mind. It's certainly a lot, and I said this earlier, it goes back to some of the fundamentals, ensuring that you're following zero trust principles, and some of those could be segmentation, micro-segmentation of your network as one, ensuring that you have really strong role-based access controls, that you're not using a simple username and password, because we already know that those are easily compromised. So implement some type of MFA, multifactor authentication, multiple

Guest: Jed

Copies of your backup. So

Guest: Vic

Multiple copies of your backup in different

Guest: Jed

Regions.

Guest: Vic

Absolutely. So Jed, you just touched on it and I know you can talk about this too, and that is, right, data protection is huge. Because if they compromise your data, your local environment, and you don't have an effective backup strategy, and a strategy for your backups as well, and that would come in the form of data isolation, because if you do become compromised locally and your local and backup copies become compromised, then what happens? You need a clean copy of your data that you can recover from. And today a lot of that is your tape backups that are stored offsite. And so you can also store your backups in the cloud in an immutable fashion, so that if ransomware ever did get in, there's nothing that it can do. It's a read-only file, right? And so you can take these steps, I call 'em precautions, but they're extra steps to protecting your data, securing your data.

Guest: Vic

And a lot of that is with encryption. A lot of that is keeping it far, far away from the rest of your on-prem environment, so that if you do become compromised, you are not going to be affected and you can avoid paying the ransom because you can recover. So for me, I think those are some of the key things that we can do in any environment. So as an IT leader, I would be looking at having a strong plan, whether defined, have it well documented, and then at that point it's just about looking intelligently for threats. You have to implement some form of a system, some mechanism that can intelligently look, and this is where you can use AI and ML for good, where you're detecting indicators of compromise for ransomware using intelligent machine learning and threat detection to be able to do that, right? Because looking for anomalies the old way was a good first pass at it, but using AI to help you is going to be much more efficient than any person can be, and it can do it at scale. And having that in place is going to go a long way. Being able to protect is great. Being able to detect early is better, and being able to, so

Guest: Jed

Analyzing it,

Guest: Vic

Right? Exactly. Yeah,

Guest: Jed

I agree. Having those, you can see companies now, they're trying to bake these things into backup software and data protection software. They're baking in these tools so that people have them and they feel comfortable with them, as opposed to tying into someone else's service. This is it. This is within the platform you're using. We're not connecting out to another service, say a scanner, to do this kind of thing. But again, I'm not knocking partnerships; you have to have partnerships for certain things, but as I said, you know, you've got to be able to detect these things, and analyzing your data is, I think, key.

Guest: Vic

Understanding where the data's at.

Host: Jon

So let me ask you this question real quick. So everybody, we're talking with Jed Wallace and Vic Camacho from Cohesity. Our topic today is the evolving ransomware threat and how to keep your data secure. Jed, you were talking about multiple copies of your backups, security; Vic mentioned security and roles and everything. At what point do you get that you're doing so much that there's so much overhead? What are the trade-offs to doing this? I understand that if you don't do these things, you're compromising security, but there's a point where you have to have a balance of not only the security aspect of it but running your business.

Guest: Jed

Well, I would ask the question, what costs more? Having the proper tools in your network, or paying a ransom? Vic, what do you think?

Guest: Vic

Well, it does, right? I mean, I'm not recalling off the top of my mind right now what the average cost of a ransomware breach is, but it is astronomically more than it would be to put the systems in place to avoid and mitigate. And that's what we're talking about, mitigating risk wherever and whenever you can. Because if you don't have an effective cybersecurity strategy in place, then you're opening yourself up for a breach. And that can have catastrophic consequences, especially if you're a medium to small size business and getting breached. Many of these organizations are not going to be able to meet the demand of a ransom in the first place. And I think, to your point, Jed, it comes right down to weighing: if we get breached, then, versus putting this thing in place, if it can mitigate that, then which? And I would take the lower of the risks. So you're mitigating the risk, and that's what business is at the end of the day, mitigating

Guest: Jed

It's dollars and cents

Guest: Vic

And putting yourself in the best possible position for success for your business. I mean, cybersecurity is just part of that now. It has been

Guest: Jed

It's dollars and cents, dude. I mean, at the end of the day we're talking about business and we're talking about a hundred thousand dollars versus several million dollars. I mean, it's kind of a no-brainer to me in this day and age to have the proper tools in place to analyze your data, protect your data, and keep you out of those situations.

Host: Jon

Okay, so let me ask you this question. It used to be that we were hearing about ransomware a couple of times a year. I feel we don't hear much about it now. Is it not happening? Is it happening so often that we're just kind of used to it? Or is there something bigger out there that's happening that we're not aware of that we need to start investing for? Do we need to start protecting against it?

Guest: Vic

Well, it's kind of both. So I think it's been in the news so much that to some degree perhaps we've become desensitized to it. Like,

Guest: Jed

Oh, we're numb. Yeah,

Guest: Vic

We're a little bit numb to it, so we're a little desensitized to it. But you know, now you have state-sponsored attacks, not just threat actors here at home. Now you have state-sponsored attacks. And not to get political, Jon, I know we try to steer away from that kind of topic, but the reality is that the geopolitical climate today is having a direct effect here in the US and in other countries abroad, where state-sponsored attacks are being conducted because certain nations are supporting Ukraine, as an example.

Guest: Jed

That's the new arms race. It really

Guest: Vic

Is. And so I actually

Host: Jon

Agree with you, I agree with you that it's no longer soldiers on the ground. All the attacks are happening from a distance and they're at a larger and more massive scale. And the state-sponsored attacks are just one of many things that are happening.

Guest: Vic

And so when you talk about state-sponsored attacks, now you're talking about government. And so in February of 2022, CISA, or the Cybersecurity

Guest: Jed

and Infrastructure Security Agency

Guest: Vic

and Infrastructure Security Agency, CISA came out with their Shields Up initiative, because they were going based on real live intel, actionable intelligence, that these things were going to happen. They had already seen this influx. So they attempted to help organizations and private enterprises put up certain cybersecurity measures to help mitigate against that, because it was coming and it is coming. But those are some of the new threats that, well, I mean not,

Guest: Jed

And

Guest: Vic

I'll call it. So those exist now,

Guest: Jed

I dealt with Homeland Security, and you could take part in it, and this was no small thing: they would deploy sensors in your data center. And so you would have that. It wasn't IDS, it was IPS, or excuse me, it was IDS, intrusion detection. So they would scan all the incoming and outgoing data. Now, yes, I know a lot of people don't want someone else's sensors in their network, but when you're talking about, say, election security, it's a no-brainer, right? Because you're responsible for the public's data, so you have to keep it secure. So this is more of an interagency cooperation type deal. So sometimes you don't see that, because, to bring it back to silos again, there are like a thousand different agencies within the United States that are trying to mitigate these attacks. And sometimes I think there could be more cooperation and more of a consolidated effort, but that's just my opinion. So

Host: Jon

I think you need to be good stewards of the data, whether it's yours or somebody else's, and realize that you need to protect it at all costs and what's going to happen with it. Vic, when we were talking about the cost, Jed, you even indicated: can you afford the cost of a ransomware attack versus the software, the stuff that can protect it? Here's what happens. Everybody assumes they're not going to get hit. I'm not going to spend the hundred thousand or a million to protect all these things. I'm not. Yeah, you know what? I'm going to be okay. That guy over there is going to get hit. When in actuality, it's not if it's going to happen, it's when it's going to happen. It's only a matter of time.

Guest: Jed

Yeah, absolutely.

Guest: Vic

Go ahead.

Guest: Jed

I hate to say it, but bringing it back to CISA, or the cyber defense side of Homeland Security, they have all kinds of grants out and everything for smaller organizations to help them secure their networks. So there's no lack of funds or help out there. They're willing to help you if you ask for it. I think the problem that I've seen is that people aren't willing to take on that help, because "I don't want people touching my network," or I don't know if it's a pride thing, I don't know. But

Host: Jon

Is that help costly to implement? Do they have to redo their entire architecture and their implementation? They have to understand that. I think that the wheels of progress just move too slowly in some instances. Agreed, a smaller company will be able to do it more efficiently than a larger company. I know about a month ago, a month and a half ago, there was a hospital that was hit by a ransomware attack. Imagine that you're sitting in the hospital and you can't get to your medical records. You can't access them until they pay the ransom for it, and you don't even know if they're going to unlock it after you do.

Guest: Jed

Yeah, we're always talking about the inefficiencies of the healthcare system. Please digitize my records, digitize my records, and then here we are. So

Host: Jon

I wish I had a paper copy then. Yeah,

Guest: Jed

Exactly.

Host: Jon

Oh

Guest: Vic

Yeah, yeah, that's right. I mean, not only do hospitals have to contend with the ransom, but also, I mean, this is patient healthcare. This is patient data that is directly tied to a patient's care, and that's what they do. And so I could see that this has life or death implications in some cases. And you know, you certainly don't want to give the wrong medication. And so when you think about it in those terms from a healthcare stance, you want to have a strong cybersecurity mechanism in place, have it documented, have it in place, practice it: what would happen if A, B, and C happened? And again, it comes back to being prepared and aware.

Host: Jon

Vic, what does a strong cybersecurity practice look like though?

Guest: Vic

It depends. It can be different for different organizations depending on the kind of use cases they have. If I can put my architect hat back on, some organizations already have some parts and bits of it, and it's just a matter of filling in the other parts of it. So maybe they have IDS or IPS, but maybe not a strong data protection solution. In this case, they do get hit and they need to be able to recover. So that question is very broad. And so I think it would depend on what industry they sit in, what kind of data, understanding where their data is located, and having that in place and practicing it are two very different things. And yeah, it does take cycles away from their normal day jobs or what their normal activities are, but what are the consequences if you don't? And so I take it back to what Jed said: it's going to be more costly. It's going to be more time-consuming. And so you have to weigh what's the lesser of two evils here. And if I were to venture a guess, it would be, let's put these things in place so that we don't fall victim, and work harder if something like that does happen,

Guest: Jed

And I could speak to the fear that ransomware attacks can put in the organizations, they can tend to overreact. And then they put every solution into their network under the sun. And I've seen it done. And it's not necessarily a good thing because now you have half a dozen security products in your network and sometimes they don't have the staff to manage these things. I mean, it's different when you're a giant corporation or organization. We won't name any names, but it's a different thing when you're small to medium-sized businesses that don't have these dedicated security analysts to analyze alerts coming into the SIEM or things like that. They don't. But there are things out there that they can do. And I think having current, tested data protection,

Host: Jon

I love how he's

Guest: Jed

Tested, tested test, oh,

Host: Jon

That could open up a whole bunch of ones. I implemented all this stuff, but I don't even really know if it works. But I did implement it and I checked the box.

Guest: Jed

So I mean, just having solid data protection in place, which includes simple backups, it includes backups at different sites, whether that's an immutable, read-only copy in the cloud or on tape or whatever floats your boat, that's fine. And also, I think another thing that we fail to talk about sometimes is having the proper DR in place, because I think ransomware does overlap with disaster recovery, I think, don't you think? And maybe having that replicated data to the cloud, that immutable copy, so it's a little bit more of a peace of mind that way you can recover in days and not months. So

Guest: Vic

You mentioned something, Jed, right? Organizations do tend to over-rotate sometimes, right? Yeah. If something's happened or they know of an organization down the street from them that got hit. And so sometimes there is this over-rotating on stacking up with cybersecurity solutions. So one, again, needs to understand where the gaps are. Understanding where the gaps are is going to go a long way, and using a system that has some of this baked in already will go a long way,

Guest: Jed

Something more unified,

Guest: Vic

A little more unified, but also, and both you and Jon hit on this, is the integrations, being able to integrate with other cybersecurity organizations that do this on a day-to-day basis. It's in their wheelhouse. And being able to tie into that so that both IT ops and security ops can be bridged so that they can work from their respective tool sets and not necessarily have to cross-train. It will go a long way because when you can do that, then you can detect ransomware or other cyber threats a lot earlier and then be able to recover from that. Having that ecosystem is going to be huge, but you first have to identify where the gaps are at, and once you've identified where the gaps are, then you can go and look for that solution that can potentially already tie it into something you already have. You may have two solutions already that aren't talking to each other, but

Guest: Jed

Yeah. And I want to clarify something I said earlier about tying in. I was specifically talking about someone just arbitrarily tying in an AI platform into say, their data protection platform and then trying to marry the two together. That's where I was. That's why I want to reiterate, having strong partnerships is important. That way you have that level of trust when you do tie in with another platform. So I just wanted to clarify that.

Host: Jon

I think one of the biggest things is that the detection is key. Early detection is key because here's what's happening. Most of the detection is not identified for a month or two afterward, and then backups are already corrupted and it doesn't matter what you have. So now you're at one point where you cannot recover if you're doing a 30-day backup. So if you're doing longer, 30 days is a heck, two days is a long time, and any type of production with the data changing at a very high rate, but detection early on is key. But obviously to avoid it in general, but I think that's where AI is going to help us. I'm not saying Skynet's coming, sorry, I threw that in. I know you guys are waiting for that to come, but what I'm saying is that we're constantly evolving. If we have AI evolving to threats and malicious things that are happening, we can immediately make those changes. That's where you don't have enough staff to do it. AI is helping you out. So there's a lot of positives around it. Yes, people are going to use it for malicious stuff, but it's going to learn what people are using maliciously to start protecting it in a good way.

Guest: Jed

I agree.

Guest: Vic

Nefarious.

Guest: Jed

And the thing is, any other, essentially it's still a program. And so companies are still going to be good companies. They're going to build their machine learning capabilities, they're going to write it themselves. And that gives me a little more comfort because some companies are going to do the right thing, hopefully, more than just some. And I think that's something to think about is when you're looking at a company for say, data protection or something, is what are they doing? How do they handle their AI? Do they write it? Do they build it? Are they partnering with somebody? These are questions that need to be answered, I think.

Guest: Vic

Oh, no, I'd agree, Jon, you just said that the whole bit about using AI, and Jed, you mentioned the same thing. Being able to detect it is key. And so there are solutions today that exist that that's solely what they do with these indicators of compromise. Now it's machine learning, but like anything, right? It's learning. So it doesn't necessarily know of every threat that exists out there yet. It has to learn about it. The new threats have to make it out into the wild. And so as it learns, it puts that into its threat feeds. And then organizations like us at Cohesity, we have that. So we can ingest those feeds

Guest: Jed

Or the IOCs and

Guest: Vic

Scan for those indicators of compromise and the latest threats that exist, the known threats, right? Because there still can be unknown threats that haven't been discovered, but as they are discovered, that's where machine learning can pick up on those. And then those that have not been compromised, they're going to be able to take advantage of that so that they can help mitigate the risk of falling victim to some cybersecurity threat. And

Guest: Jed

Vic,

Guest: Vic

Because it's ransomware, that's one of the ones that we're looking at.

Guest: Jed

What have you seen? I know what I've seen as far as they're updating these IOCs on a what, literally every hour, every minute. And so if you could connect into these feeds, which a lot of companies now have their capabilities, firewalls, and things like that, data protection solutions. If they can get the near real-time updated list of these threats, it allows 'em to be more proactive. And they don't need 10 guys out there trying to play whack-a-mole

Guest: Vic

And these things down.

Host: Jon

So, unfortunately, we don't know that they're happening until they happen. That's almost like a kind of replacement parts or patching in an instance. People have to report on it in the wild. And yes, there is extensive testing doing it on various codes. But Vic, we talked about not only IDS, but we also talked about training awareness, social engineering, and how state-sponsored stuff's happening. What are some of the things you can immediately do to help mitigate these or potentially protect yourselves against them?

Guest: Vic

Well, and I think we've kind of danced around it, we've touched on it, but having that system in place that can tie into everything, being able to detect early is going to be key. Because as we all know, the longer ransomware sits in an environment, the more opportunity it's going to have to look for data that is not sitting there in a read-only way. Ruin your backups.

Guest: Vic

Your backups, it's going, you're going to have to shore up your backups because threat actors and ransomware have evolved. They've become more sophisticated. I think the first one was just to encrypt the data as a first attempt, and then when it evolved, it was all about going out. And now we want to go after your backups. We want to go after a company's insurance policy. So if they compromise your backups, the likelihood that they get to collect on that ransom goes up. So they're sophisticated attacks, they're continuously changing their TTPs, or tactics, techniques and procedures, is what it's known as now. And then there was, stage three was data exfiltration. And so it becomes really important then to ensure that you have role-based access controls and multifactor authentication and strong micro-segmentation so that you can minimize a blast radius, right?

Guest: Vic

Because that falls into the double extortion play. Not only do they encrypt your data, but now they're threatening to leak it out into the dark web because they have the data, and because data can live anywhere at the edge or the cloud, there are multiple egress and ingress points. And so now you have to look at all these points, all these ingress and egress points that we've created, because we want to be more dynamic, because we want our data closer to our stakeholders. And so you have to ensure that that data is being looked after. And when you think about that, you do need to have role-based access controls in place, multi-factor authentication, and a secondary approval process, so that not any one person, if they do become compromised, the credentials become compromised, that it still requires a second person to be able to go and approve an action, approve or deny an action.

Guest: Jed

So yeah, you don't want somebody recovering a bad backup or snapshot. You want those controls in place where I would even bump it up to three or four people to take a look for those checks and balances and say, okay, is this a known good clean snapshot we're going to recover from? So

Host: Jon

That is interesting. I never thought of that of me. Okay, so you got hit or you need to recover from a backer thing and you're the person, the server admin, rack and stack, and servers. Yep, I got it. I thread, I worked that into the conversation. It only took 50 minutes. But anyway, you're there testing out the backups or you're trying to restore from a certain thing, and you're like, all right, I'm just going to restore this. Who's even to think twice about restoring it, that it could be corrupt and you could be restoring data or content into your environment that wasn't there, but now is, and you are the person who injected it

Guest: Jed

And think about their state of mind. I mean, if you're a guy at a medium-sized organization, you've got the C-suite looking at you to recover so they don't lose money. So you could be pretty frantic. It's a stressful

Host: Jon

System. I'm freaking out. I want to restore it now and then,

Guest: Jed

So that human element, having an extra layer where you have maybe a couple of people that might have a little cooler heads about them, I think it's good to have that 1, 2, 3, 4, or however many people you want to put for the approval process to recover that clean snapshot or backup from, because like I said, it's taking into account that this is a stressful situation. Someone might just click a button because they're up against the wall, right? So they're trying to get this recovered as quickly as possible. And I think a lot of times we don't talk about the stress and the emotional part that this kind of attack can have. And so having these proper tools in place can relieve a lot of that stress and that human error or element. So that's just, yeah,

Guest: Vic

You hit it right on the head, I think, right? Jon? You said malicious threats or accidental compromises happen. And again, it comes right back to people. And so to your point, Jed, you can have all the plans in place and to take a quote from Mike Tyson, everybody has a plan until they get hit in the mouth. So

Host: Jon

How do we work that into this conversation? Yeah,

Guest: Jed

Exactly.

Guest: Vic

So having a safeguard there, which is a secondary approval process, by the way, we call that quorum in Cohesity, right? Essentially, you'd be mitigating the risk of introducing bad or dirty data back into an environment that you just recently sanitized, right? And that can take a lot. Sanitizing an environment can take a very long time. And so you don't want to double those efforts because now you're trying to have your business continuity, service level agreements. Every organization has its SLAs, so you certainly don't want to double that, right? You're already, your back is against the wall if you're an IT practitioner there that's trying to recover. You don't want to introduce that bad data back in there. And so that can happen if you don't have these secondary approval processes in place.

Host: Jon

No, I agree with you guys. All right. So we have to wrap things up. As quickly as this went. We've already reached our maximum amount of time and still had so much more to discuss. Guys, we're going to have to do another podcast soon and kind of dive deep into a specific couple of these topics that we talked about. Not only training but how do you mitigate it from a specific and state center? We could probably encompass a whole series on this.

Guest: Jed

Yeah. Just on AI alone or future threats could Yeah, for sure.

Host: Jon

Definitely. The way it's going, you never know. All right, everybody, we've been talking with Jed Wallace, a staff technologist, and Vic Camacho, a principal technologist at Cohesity. Our topic today was the evolving ransomware threat and how to keep your data secure. Jed, Vic, thanks so much for joining me,

Guest: Jed

Jon. It's been a pleasure, sir. Thank

Guest: Vic

You. Absolutely. Thank you, Jon. Appreciate it,

Host: Jon

Guys. I appreciate it. This has been the Jon Myer podcast. I'm your host, Jon Myer. Don't forget to hit that, like subscribe and notify, because guess what, we're out of here.