1 of 74

PowerProtect �Data Manager

Anomaly Detection

1

Internal Use - Confidential

2 of 74

Agenda

What is?
Solution
Anomaly Detection

2

Internal Use - Confidential

3 of 74

What is?

PPDM ANOMALY DETECTION

3

Internal Use - Confidential

4 of 74

Anomaly Detection

The process of identifying data points that are different from what's normal or expected. Also known as outlier detection.

Cyber

Security

What

Where

When

Security Platform SEIM/SOAR

4

Internal Use - Confidential

5 of 74

Why do I need in PPDM?

PPDM ANOMALY DETECTION

5

Internal Use - Confidential

6 of 74

Anomaly Detection

EXTENSIVE analysis of backup data to ensure integrity of digital infrastructure, enhancing confidence in cyber resiliency

PROVIDES detection of anomalies to enable insights into potential threats and security risks

MACHINE LEARNING analyzes patterns to detect suspicious activity and indicators of compromise

LIGHTWEIGHT detection within PowerProtect Data Manager

Identify anomalies before they escalate

Threat detection with PowerProtect Data Manager

6

Internal Use - Confidential

Let's talk about Anomaly Detection with PowerProtect Data Manager. This feature provides a robust layer of security by offering early detection of anomalies from every backup. This means you can gain immediate insights into potential security threats, allowing you to address any issues proactively.

Now, how does it achieve this? Our software uses proactive machine learning to continuously analyze patterns within your backup data environment. This helps to identify suspicious activity as it arises, securing your IT environment from threats before they have the chance to escalate.

One significant advantage is the lightweight nature of this detection process. It operates seamlessly within your existing infrastructure of PowerProtect Data Manager. This ensures your on-premises detection is both efficient and resource-conscious, allowing you to maintain optimal system performance.

Additionally, our comprehensive evaluation ensures the integrity of your backup data, further reinforcing the security and consistency of your digital infrastructure. By identifying anomalies quickly, PowerProtect Data Manager empowers you to act before challenges become significant issues.

Overall, Anomaly Detection enhances your ability to maintain business continuity and secure your data from potential breaches or ransomware attacks, empowering you to focus on what's most important—driving your organization's success.

7 of 74

Solution

PPDM ANOMALY DETECTION

7

Internal Use - Confidential

8 of 74

8

Internal Use - Confidential

9 of 74

Complementary Anomaly Detection

Vault

Cyber Analytics

Vault

Data

Production Anomaly

Detection

Backup

Data

Trusted Accuracy

Detect data corruption with 99.5% accuracy with intelligent recovery

Isolated & Available

CyberSense secured inside the vault to ensure analytics are available

Identify Malware

Scan signatures of all vaulted data

Identify Anomalies

UDA across primary data backups

Integrated Backup App

Quarantine to avoid reinfestation

Remove from Backups

Remove from primary backups to eliminate future risk

Unusual Data Activity Anomalies are part of a comprehensive MDR strategy

9

Internal Use - Confidential

10 of 74

Anomaly Detection with PowerProtect Data Manager

Identify cyber threats in your production backup environment

DATA CENTER

(on-premises)

Production

Workloads

PowerProtect

Data Manager

Cyber Resiliency

ML-based assessment identifies abnormal behaviour
Analyses file metadata and system configurations for threat detection
Operates natively in PowerProtect Data Manager
No additional licensing cost

10

Internal Use - Confidential

Anomaly Detection enhances the security and integrity of your data environment with PowerProtect Data Manager. By leveraging advanced machine learning (ML), Anomaly Detection offers proactive security that identifies cyber threats in your production backup environment. This capability ensures early threat detections by scanning metadata post-backup to provide immediate insights into potential risks without additional licensing costs.

Here's how it works:

Pattern Matching uses Dell’s extensive library—comprising over 5,000 patterns— to recognize known ransomware patterns. This method scans backup metadata to identify suspicious file names, paths, and extensions, prioritizing alerts based on severity.
Behavioral Analysis takes a closer look at the backup file metadata, evaluating details like name, modified time, and created time. By applying a time-series model with moving averages, this approach helps detect anomalies that might signify a ransomware attack, even those not covered by pattern matching.
System Configuration Analysis scans system settings during the backup process to pinpoint vulnerabilities that could be exploited. This is one of our competitive advantages because no other vendor has this feature in their anomaly detection functionality. It currently supports Windows systems, checking for common issues like disabled firewalls or User Account Control settings. Dell identifies 20 known configuration settings, alongside 4 specific ransomware configurations, to enhance your security framework.

These techniques provide fast detection and immediate responses, enabling your organization to address threats before they escalate. The lightweight nature of the software ensures it operates effectively without external dependencies or local resource consumption, maintaining operational consistency and enhancing the integrity of your digital infrastructure.

With PowerProtect Data Manager, you're empowered to protect your valuable data seamlessly, fostering a resilient and secure business environment

11 of 74

Complementary Capability

PPDM

Anomaly Detection

Prod / DR

2 Copy Message

Integrated with PPDM

Meta-data

Not isolated (running in production)

PPDM Only support

(File, Virtual)

Vault

3 Copy Message

Integrated with PPCR

Full Content

Yes, isolated (intrinsic isolation in vault)

Heterogenous BU SW support

(File, NAS, Virtual, DB)

Messaging Alignment

Workflow Integration

Analysis Level

Isolated & Availability

Backup App & Workload Support

CyberSense

Analytics

11

Internal Use - Confidential

12 of 74

Why CyberSense - Isolated

Production

Storage & Backup

Connected

Outside Blast Radius

Blast Radius

CyberSense is isolated and available to help with incident response and recovery.

CyberSense is available when everything else is not
Isolated with no persistent connection
Vault control is intrinsic and autonomously

Vault CyberSense

Isolated

12

Internal Use - Confidential

13 of 74

Why CyberSense - Accuracy

ESG Validated: 99.99% SLA in Detecting Ransomware Corruption¹

Trained AI performs deep full-content inspection of data
Over 7,000 of the latest, sophisticated variants to maintain continuous accuracy.
Detonate actual ransomware and study patterns of corruption.

¹ Source: https://indexengines.com/esgvalidation

13

Internal Use - Confidential

14 of 74

Why CyberSense – Raw Disk Attack

Raw Disk Attack prevents access to VM file system.

New detection models

Record partition metadata (e.g., MBR / partition Table)
Alert on new File System Integrity score

Examples: KillMBR, Cobra Locker-Legion , Hydrox, STOP

ML/AI analyzes behavior
Does not require malware detection

14

Internal Use - Confidential

15 of 74

MITRE ATT&CK Alignment – RawDisk

RawDisk

RawDisk is a legitimate commercial driver used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, circumventing Windows operating system security features..
Anomaly Detection of RawDisk is aligned with MITRE ATT&CK.
65 known variants¹ use the technique - Data Encrypted for Impact

Source¹: https://attack.mitre.org/techniques/T1486/

Source² https://attack.mitre.org/software/S0364/ - (Image)

15

Internal Use - Confidential

16 of 74

Why CyberSense - Data Integrity

CyberSense validates the integrity of the data.

Full content and AI based machine learning provides the most accurate integrity validation.
Meta data detection does not validate the integrity of the data.

16

Internal Use - Confidential

17 of 74

Why CyberSense - Accelerate Post Attack Forensics

CyberSense helps identify what to eradicate

Identify malware using malware signatures. Updates available weekly.
Leverage YARA rules to determine patterns and characteristics beyond just exact string matches
Perform forensics using post attack workflows to identify threats to eradicate.

17

Internal Use - Confidential

18 of 74

Why CyberSense - Smart Recovery

CyberSense accelerates incident response and recovery.

Knowing what is NOT trusted, and what is trusted, significantly speeds up incident response and recovery.
Minimize business impact and data loss by quickly determining the most recent validated data.

18

Internal Use - Confidential

19 of 74

Why CyberSense – Broad Heterogenous Support

CyberSense supports a variety of backup software providers and workloads

Heterogeneous support for backup software providers.
Multi hypervisor support (support beyond just VMware)
Includes Database support and integrity checking

19

Internal Use - Confidential

20 of 74

Complementary Anomaly Detection

Vault

Cyber

Analytics

Production Backup

Integrated

Trusted Accuracy

99.99% SLA in Detecting Ransomware Corruption

Isolated & Available

CyberSense secured inside the vault to ensure analytics are available

Post Attack Forensics

Identify Malware via signatures and YARA rules

Included Light Weight Anomaly Detection

Detection of anomalies from backup

Integrated Backup App

Quarantine to avoid reinfestation

Remove from primary backups to eliminate future risk

Broad Support

Heterogenous backup software and extensive workload coverage (including databases)

Smart Recovery

Know what is trusted to accelerate recovery

Data Integrity

AI based machine learning validates data integrity

Detection Techniques

Pattern and Behavioral Analysis

Identify suspicious names, paths, exts. Evaluate mod/create time

System Configuration Analysis

Windows systems, e.g. disabled firewalls, User Account Control settings. 20 known settings

Ransomware Detection

Extensive library comprising over 5,000 patterns

Comprehensive Strategy Strengthens Data Resiliency

20

Internal Use - Confidential

21 of 74

21

Internal Use - Confidential

22 of 74

22

Internal Use - Confidential

23 of 74

23

Internal Use - Confidential

24 of 74

24

Internal Use - Confidential

25 of 74

PowerProtect Data Manager Anomaly Detection - Techniques

Pattern Matching

Algorithm analyzes backup metadata to identify suspicious known ransomware patterns in file names, paths, and extensions.
Extensive library comprising over 5,000 patterns for high accuracy.

Behavioral Analysis

Algorithm evaluates file metadata details, including name, modified time and created time.
Leverages a time series model with moving averages to detect anomalies that might signify a ransomware attack.

System Configuration

Analyzes system configuration to identify vulnerabilities and detect threats. Support for Windows systems.
Monitors disabled firewalls and User Account Control. Detection for 20+ configuration settings

25

Internal Use - Confidential

26 of 74

MITRE ATT&CK Alignment - UAC

User Account Control

User Account Control (UAC) is a security feature in Windows that prevents unauthorized changes to your system.
Anomaly Detection of UAC is aligned with MITRE ATT&CK. Once detected there are mitigations
55 known variants¹ use the technique - Abuse Elevation Control Mechanism: Bypass User Account Control

Source¹: https://attack.mitre.org/techniques/T1548/002/

Source²: https://attack.mitre.org/mitigations/M1052/ - (Image)

26

Internal Use - Confidential

27 of 74

MITRE ATT&CK Alignment – Impair Defenses

Windows Firewall Service

Windows Firewall is a security feature that helps to protect your device by filtering network traffic that enters and exits your device.
Anomaly Detection of Firewalls is aligned with MITRE ATT&CK.
31 known variants¹ use the technique - Impair Defenses: Disable or Modify System Firewall

Source¹: https://attack.mitre.org/techniques/T1562/004/

Source² https://attack.mitre.org/datasources/DS0018/ - (Image)

27

Internal Use - Confidential

28 of 74

Anomaly Detection shall be used Everywhere

Helps achieve comprehensive cyber resiliency

100%

All companiesshould have PowerProtect

Anomaly Detection

Who shall implement Anomaly Detection?

Discussion – how to do that
Every backup solution shall have it!
We go far further! -> Cyber Recovery & CyberSense
Mature IRR, consulting and managed services
Cyber Recovery vault for comprehensive resiliency

Included with PPDM price!

28

Internal Use - Confidential

29 of 74

PowerProtect Data Manager Anomaly Detection Demo

29

Internal Use - Confidential

30 of 74

Anomaly Detection Prerequisites

Search Cluster should be configured and active

Indexing must be enabled in protection policy

PowerProtect Search Engine Requirements

PowerProtect Data Manager Deployment Guide - Page 21

Each Search Engine node must meet the system requirements.
CPU: 4 * 2 GHz (4 virtual sockets, 1 core for each socket)
Memory: 8 GB RAM
Disks: 3 disks (50 GB each) and 1 disk (1 TB)

30

Internal Use - Confidential

31 of 74

Enhancements

Augmented Detection

Includes pattern matching, behavioral analysis, and system configuration analysis
VM & FS – Linux/Windows

Visibility and Reporting

Anomaly alerts dashboard widget
Alert notifications available in title bar bell icon
Forensic reports include category details

Workflow Enhancements

Identify anomalous copies with direct links and action alert as safe or quarantine
False positive reduction capability
Syslog provided for SEIM integration

2

Identify anomalies before they escalate….

5

4

3

1

31

Internal Use - Confidential

32 of 74

Source:�https://dell.sabacloud.com/Saba/Web_spf/PRODTNT091/app/me/learningeventdetail/cours000000000478720?regId=regdw000000070318146&context=user&learnerId=emplo000000000811143&returnurl=catalog%2Fsearch%3FsearchText%3D19.18%2526selectedTab%3DLEARNINGEVENT%2526referrer%3Dtrue%2526filter%3D%7B%7D

32

Internal Use - Confidential

33 of 74

https://dell.sharepoint.com/:p:/r/sites/dpd-advanced-customer-eng/_layouts/15/Doc.aspx?sourcedoc=%7B56D789F0-C96B-49D7-94CA-00E2DFFF6FD4%7D&file=PPDM%2019.18_Anomaly%20Detection_Technical%20Deck.pptx&wdLOR=c99D19186-5FE6-4C20-93B3-61C1F32D92CA&action=edit&mobileredirect=true

33

Internal Use - Confidential

34 of 74

Critical

- find anomalies

Warning

- conifuration mismatch

Verified Saved

- user analized the message and said – this is fine, this is not anomaly for me

34

Internal Use - Confidential

35 of 74

Anomaly detection requires Indexing to be turned on

35

Internal Use - Confidential

36 of 74

Tech Preview Label – Protection Policy Enable

36

of 97

36

of Y

Internal Use - Confidential

37 of 74

Anomaly Detection activity – Job Group

Job Type ‘Anomaly Detection’ is available
Available for ‘File System’ and ‘Virtual machine’ asset types

Applicable statuses are – Queued, Running, Success, Failed, Skipped, Cancelled

37

Internal Use - Confidential

38 of 74

Anomaly Detection activity – Job Details without anomalies

Job Details shows the summary of anomaly detection

38

of 97

38

of Y

Internal Use - Confidential

39 of 74

Anomaly Detection activity – Job Details with anomalies

Job Details shows the summary of anomaly detection
If anomalies are found, the resulting details are shown as well

Anomaly Summary

Example 01

39

Internal Use - Confidential

40 of 74

Anomaly Detection – Jobs View with Anomalies Cont.

Note: If “Protect” or “Index” job is failed/cancelled, Anomaly Detection Job is marked as Skipped.

Example 02

40

of 97

40

of Y

Internal Use - Confidential

41 of 74

Tech Preview Label – Critical Alerts

41

of 97

41

of Y

Internal Use - Confidential

42 of 74

Anomaly Detection –Warning Alerts

42

of 97

42

of Y

Internal Use - Confidential

43 of 74

Tech Preview – Copy Management

43

of 97

43

of Y

Internal Use - Confidential

44 of 74

Anomaly Detection results – Copy Management

Anomaly Detection column is added which shows the detection status for the backup copy
Anomaly detection statuses are – Clean, Suspicious, Verified Safe and Quarantined

Clean – No anomalies detected (system generated)
Suspicious – Anomalies detected (system generated)
Verified Safe and Quarantined – User can change to these statuses post analysis

44

Internal Use - Confidential

45 of 74

Anomaly Detection Report

Reports available for download in case of suspicious copies
Max 3 csv reports are available. Based on detected anomalies, corresponding csv is available in the zip

Download is progress

Download completed

Export successfully complered

45

Internal Use - Confidential

46 of 74

Anomaly Detection Results – Report Download

Once the report is available, download icon is available
Zip file is available containing 3 files

SuspectedFiles.csv
ConfigurationAnomalies.csv
FileCategoryBehaviorMetrics.csv

46

Internal Use - Confidential

47 of 74

Anomaly Detection results – Status changes and notes

47

Internal Use - Confidential

48 of 74

Feature Feedback

For feature feedback, customers to use the feedback button for ANoD either in Copy Management > Filters > ANoD Filters Or in Alerts.

48

49 of 74

Tech Preview Label – Protection Policy Enable

49

Internal Use - Confidential

50 of 74

50

Internal Use - Confidential

51 of 74

51

Internal Use - Confidential

52 of 74

There are 3 jobs if anomaly detection is started:

- protection

- indexing

- anomaly detection

52

Internal Use - Confidential

53 of 74

Succesful anomaly detection jobs does not say anything about checking that everything is OK

It only says that the job finished fine.

53

Internal Use - Confidential

54 of 74

54

Internal Use - Confidential

55 of 74

55

Internal Use - Confidential

56 of 74

56

Internal Use - Confidential

57 of 74

57

Internal Use - Confidential

58 of 74

58

Internal Use - Confidential

59 of 74

59

Internal Use - Confidential

60 of 74

If files were deleted intentionally we can skip the message

Warning marks the copy as clean

60

Internal Use - Confidential

61 of 74

61

Internal Use - Confidential

62 of 74

62

Internal Use - Confidential

63 of 74

63

Internal Use - Confidential

64 of 74

64

Internal Use - Confidential

65 of 74

65

Internal Use - Confidential

66 of 74

66

Internal Use - Confidential

67 of 74

67

Internal Use - Confidential

68 of 74

Suspicious is only for Critical anomaly

68

Internal Use - Confidential

69 of 74

Clicking here starts downloading report files

69

Internal Use - Confidential

70 of 74

SuspectedFiles

70

Internal Use - Confidential

71 of 74

After analyzing the report we can mark the copy as Safe or Qurantine

71

Internal Use - Confidential

72 of 74

72

Internal Use - Confidential

73 of 74

73

Internal Use - Confidential

74 of 74

End logo slide

Questions…

74

Internal Use - Confidential