Is my data clean?�Cyber Recovery in action
Daniel.Olkowski@dell.com
Daniel.Olkowski@dell.com
The most fresh ppt version of this document, you will find at:�http://backuprecoveryguy.blogspot.com/2022/07/backup-and-recovery-materials.html
Polish video covering Cyber Recovery:�https://youtu.be/SjmM60ZhPHw
© Copyright 2020 Dell Inc.
1
of 20
Internal Use - Confidential
Daniel.Olkowski@dell.com
Czy dane w mojej firmie są czyste?
Jak zatrzymać atak �hacker / ransomware?
Jak odtworzyć utracone dane?
Dlaczego / Technologia / Demo
© Copyright 2020 Dell Inc.
2
of 20
Internal Use - Confidential
Agenda
© Copyright 2020 Dell Inc.
3
of 20
Internal Use - Confidential
Agenda
© Copyright 2020 Dell Inc.
4
of 20
Internal Use - Confidential
Video – CyberSense
© Copyright 2020 Dell Inc.
5
of 20
Internal Use - Confidential
What is Cyber Bunker?�Componentes
© Copyright 2020 Dell Inc.
6
of 20
Internal Use - Confidential
Cyber Bunker answers for the following questions:
© Copyright 2020 Dell Inc.
7
Internal Use - Confidential
CyberSense part
© Copyright 2020 Dell Inc.
8
Internal Use - Confidential
Castle strategy
© Copyright 2020 Dell Inc.
9
of 20
Internal Use - Confidential
Castle strategy
© Copyright 2020 Dell Inc.
10
of 20
Internal Use - Confidential
Ambulance
strategy
© Copyright 2020 Dell Inc.
11
of 20
Internal Use - Confidential
IT Infrastructure
Data Domain
Any backup�software
Backup
Recovery
SITE A
IT Infrastructure
Any backup�software
Backup
Recovery
SITE B
Disaster Recovery
1% data transfer
100% recovery
Data Domain
Air Gap
Cyber Bunker
Cyber
Recovery
Checking
ransomware
PLAN B – Secure data & Recovery
Compliance
No possibility to change data
Ransomware
protection
Secure
Historical
backups
Recovery
automation
Data Domain
Separation
from production
Cyber
Sense
Backup
software
Sandbox
Any tests
Ransomware
protection
Management
and automation
Dell - Internal Use - Confidential
12
of Y
Internal Use - Confidential
What can we do in �Cyber Bunker?
© Copyright 2020 Dell Inc.
13
of 20
Internal Use - Confidential
Air Gap
Cyber Bunker
Cyber
Recovery
Checking
ransomware
PLAN B – Secure data & Recovery
Compliance
No possibility to change data
Secure
Historical
backups
Recovery
automation
Data Domain
Separation
from production
Management
and automation
Cyber
Sense
Backup
software
Sandbox
Any tests
We have data
after cyber attack
Check data �if compromised
Restore
Tests
…
Dell - Internal Use - Confidential
14
of Y
Internal Use - Confidential
What is CyberSense?
© Copyright 2020 Dell Inc.
15
of 20
Internal Use - Confidential
What is CyberSense?
© Copyright 2020 Dell Inc.
16
Internal Use - Confidential
Most common vector attacks
Encryption
Data corruption
Deleting improtant data
...
Dell - Internal Use - Confidential
17
of Y
Internal Use - Confidential
Are cyber attacks bypass our real time protection?
Can we assure our data’s integrity?
How do we know your data is not already corrupted?
CyberSense answers the questions:
Which copy to use to recover?
Dell - Internal Use - Confidential
18
of Y
Internal Use - Confidential
Real time ransomware protection
Essential but can be defeated
Attack vector 1
Attack vector 2
Attack vector 3
Dell - Internal Use - Confidential
19
of Y
Internal Use - Confidential
Dell - Internal Use - Confidential
20
of Y
Internal Use - Confidential
Dell - Internal Use - Confidential
21
of Y
Internal Use - Confidential
What is CyberSense?
Detects
Diagnose
Allow to
recover
Dell - Internal Use - Confidential
22
of Y
Internal Use - Confidential
What does CyberSense provide?
© Copyright 2020 Dell Inc.
23
of 20
Internal Use - Confidential
Value of CyberSense
Checking
data integrity
All the time monitors data for signs of corruption
Diagnose and Recover
Post attack tools to take action on damage
Dell - Internal Use - Confidential
24
of Y
Internal Use - Confidential
Why to check data in �Cyber Bunker?
© Copyright 2020 Dell Inc.
25
of 20
Internal Use - Confidential
Production
Air Gap
Cyber Bunker
Cyber
Recovery
Checking
ransomware
PLAN B – Secure data & Recovery
Compliance
No possibility to change data
Secure
Historical
backups
Recovery
automation
Data Domain
Separation
from production
Cyber
Sense
Backup
software
Sandbox
Any tests
Management
and automation
Encrypted?
Exploit?
Dell - Internal Use - Confidential
26
of Y
Internal Use - Confidential
IT Infrastructure
Data Domain
Any backup�software
Backup
Recovery
SITE A
Air Gap
Cyber Bunker
Cyber
Recovery
Checking
ransomware
PLAN B – Secure data & Recovery
Compliance
No possibility to change data
Secure
Historical
backups
Recovery
automation
Data Domain
Separation
from production
Cyber
Sense
Backup
software
Sandbox
Any tests
Ransomware
protection
Management
and automation
Isolation
Why shall we scan data at Cyber Bunker?
Out of
criminal eyes
Consistent data
Load
Dell - Internal Use - Confidential
27
of Y
Internal Use - Confidential
IT Infrastructure
Data Domain
Any backup�software
Backup
Recovery
SITE A
Air Gap
Cyber Bunker
Cyber
Recovery
Checking
ransomware
PLAN B – Secure data & Recovery
Compliance
No possibility to change data
Secure
Historical
backups
Recovery
automation
Data Domain
Separation
from production
Cyber
Sense
Backup
software
Sandbox
Any tests
Ransomware
protection
Management
and automation
There was a virus, which in specific type of activates (protection software) was moving to somewhere else.
In Cyber Bunker we have a photo. No escape.
Please note that even now, in films – where there super technology – still camera snapshot is used as investigation method. The criminal can not escape, gold ring under the desk cannot be removed and can be proof, source for deduction.
Why shall we scan data at Cyber Bunker?
Real case
Dell - Internal Use - Confidential
28
of Y
Internal Use - Confidential
CyberSense workflow
© Copyright 2020 Dell Inc.
29
of 20
Internal Use - Confidential
CyberSense Workflow
Dell - Internal Use - Confidential
30
of Y
Internal Use - Confidential
1. Scan
CyberSense scans critical data sources in Cyber Bunker.
What is scanned?
The result creates observation
Dell - Internal Use - Confidential
31
of Y
Internal Use - Confidential
Status of previous checks
Scanning existing production copies in Cyber Bunker
Dell - Internal Use - Confidential
32
of Y
Internal Use - Confidential
Dell - Internal Use - Confidential
33
of Y
Internal Use - Confidential
We can schedule scanning
Dell - Internal Use - Confidential
34
of Y
Internal Use - Confidential
Dell - Internal Use - Confidential
35
of Y
Internal Use - Confidential
2. Analytics
Over 100 stastistcs
based on the observation
Dell - Internal Use - Confidential
36
of Y
Internal Use - Confidential
Data types
Files
Core Infrastructure:
Databases / App:
Dell - Internal Use - Confidential
37
of Y
Internal Use - Confidential
Backup software
Databases / Apps
AD / LDAP / DNS
Filesystems
Backup format
CyberSense
Understands backup �application format
Dell - Internal Use - Confidential
38
of Y
Internal Use - Confidential
3. Analysis
Stastistics are analyzed by Machine Learning
Indication if a data �attack took place
We see results in Cyber Recovery panel
Dell - Internal Use - Confidential
39
of Y
Internal Use - Confidential
Status of previous checks
Info from Machine Learning
Dell - Internal Use - Confidential
40
of Y
Internal Use - Confidential
4. Repeat
The process repeats:
Dell - Internal Use - Confidential
41
of Y
Internal Use - Confidential
5. Invstigate
Anaylysis, reports to
Dell - Internal Use - Confidential
42
of Y
Internal Use - Confidential
CyberSense Infrastructure
© Copyright 2020 Dell Inc.
43
of 20
Internal Use - Confidential
CyberSense requirements
CyberSense
Virtual Machine
or federated
Virtual Machines
Working
together
Requirements:
6-20 CPUs
128GB-400GB memory
Sizer:
* Exact specification
* Number of VMs
Depends on
* number of scanned front end data
* change rate
* type of data (databases?)
Dell - Internal Use - Confidential
44
of Y
Internal Use - Confidential
CyberSense �Unique points
© Copyright 2020 Dell Inc.
45
of 20
Internal Use - Confidential
Structure of file (document / database)
File Metadata
Name, extensions,
size, time, path, …
Document Metadata
Type, Structure
Content
Change extension, file size, ..
File type mismatch, Corrupt file structure, …
Partial encryption, Corrupted content, …
More
sophisticated
attacks
Dell - Internal Use - Confidential
46
of Y
Internal Use - Confidential
Let’s compare 2 files
© Copyright 2020 Dell Inc.
47
of 20
Internal Use - Confidential
Metadata only analytics will not detect corruption
© Copyright 2020 Dell Inc.
48
of 20
Internal Use - Confidential
Content analytics detects attack
Requires algorytms and power
© Copyright 2020 Dell Inc.
49
of 20
Internal Use - Confidential
Attack vectors that maintain valid file extensions
© Copyright 2020 Dell Inc.
50
of 20
Internal Use - Confidential
CyberSense �Forensic analysis
© Copyright 2020 Dell Inc.
51
of 20
Internal Use - Confidential
CyberSense Workflow
Comprehensive index
Changes on content over time
Security Analytics
100+ statistics indicative of cyber attack
Machine Learning
Trained against attack vectors
Dell - Internal Use - Confidential
52
of Y
Internal Use - Confidential
CyberSense Workflow
Comprehensive index
Changes on content over time
Security Analytics
100+ statistics indicative of cyber attack
Machine Learning
Trained against attack vectors
Attack vector
The result of CyberSense job
Dell - Internal Use - Confidential
53
of Y
Internal Use - Confidential
CyberSense Workflow
Comprehensive index
Changes on content over time
Security Analytics
100+ statistics indicative of cyber attack
Machine Learning
Trained against attack vectors
Attack vector
The result of CyberSense job
Detailed list of corrupted files
Dell - Internal Use - Confidential
54
of Y
Internal Use - Confidential
CyberSense Workflow
Comprehensive index
Changes on content over time
Security Analytics
100+ statistics indicative of cyber attack
Machine Learning
Trained against attack vectors
Attack vector
The result of CyberSense job
Detailed list of corrupted files
Source of the attack
Dell - Internal Use - Confidential
55
of Y
Internal Use - Confidential
CyberSense Workflow
Comprehensive index
Changes on content over time
Security Analytics
100+ statistics indicative of cyber attack
Machine Learning
Trained against attack vectors
Attack vector
The result of CyberSense job
Detailed list of corrupted files
Source of the attack
Last good copy
Dell - Internal Use - Confidential
56
of Y
Internal Use - Confidential
Main page
Dell - Internal Use - Confidential
57
of Y
Internal Use - Confidential
Status of previous checks
Info from Machine Learning
Dell - Internal Use - Confidential
58
of Y
Internal Use - Confidential
Job status
Last good copy
Dell - Internal Use - Confidential
59
of Y
Internal Use - Confidential
Email notyfication
Dell - Internal Use - Confidential
60
of Y
Internal Use - Confidential
CyberSense reports
© Copyright 2020 Dell Inc.
61
of 20
Internal Use - Confidential
CyberSense detailed reports
Statistics
Observations
Machine Learning
© Copyright 2020 Dell Inc.
62
of 20
Internal Use - Confidential
Deleted files entropy count
© Copyright 2020 Dell Inc.
63
of 20
Internal Use - Confidential
Ransmoware extension count
File type mismatch count
Enropy scores
Backup size comparing to previous backup size (high value means small de-duplication)
© Copyright 2020 Dell Inc.
64
of 20
Internal Use - Confidential
Ransmoware extension count
File type mismatch count
Enropy scores
Backup size comparing to previous backup size (high value means small de-duplication)
We do not need to look into that
If there is attack, CyberSense analysis all the info and provides deterministic attack vector
We have this report for every observation
© Copyright 2020 Dell Inc.
65
of 20
Internal Use - Confidential
Attack vectors
Dell - Internal Use - Confidential
66
of Y
Internal Use - Confidential
Attack vectors
Attack vectors are based on the impact of data:
Dell - Internal Use - Confidential
67
of Y
Internal Use - Confidential
The six attack vectors that are the most common
© Copyright 2020 Dell Inc.
68
of 20
Internal Use - Confidential
The six attack vectors that are the most common
99.5% of the attacks are based on this 6 attack vectors
Attack vector 4 numer �is the most common
Encryption of file with new file extension
© Copyright 2020 Dell Inc.
69
of 20
Internal Use - Confidential
Attack vectors
We have detailed info about the source o the attack
Dell - Internal Use - Confidential
70
of Y
Internal Use - Confidential
Corrupt data report
Corrupted file
vs
Last good copy
© Copyright 2020 Dell Inc.
71
of 20
Internal Use - Confidential
We can dig deeper
© Copyright 2020 Dell Inc.
72
of 20
Internal Use - Confidential
Index Engines report on corrupt data using info from Event Logs
© Copyright 2020 Dell Inc.
73
of 20
Internal Use - Confidential
Index Engines report on corrupt data using info from Event Logs
Finds last user to modify corrupted files
Looks for patterns
(f.e. Same user to delete all files)
Identify application that modified the file
Potentially detect and find malware
© Copyright 2020 Dell Inc.
74
of 20
Internal Use - Confidential
Licensing
© Copyright 2020 Dell Inc.
75
of 20
Internal Use - Confidential
Daniel.Olkowski@dell.com
Questions
© Copyright 2020 Dell Inc.
76
of 20
Internal Use - Confidential