We asked Steve Preston, VP of Metallic Security at Commvault, some questions about newly introduced security measures and how they relate to competing products and services.
Blocks & Files: How do Commvault’s early warning technologies detection compare with those from competitors like Nebulon and Sysdig?
Steve Preston: Nebulon, Sysdig and Commvault each do slightly different things in terms of how they conduct their detection, and users should take stock of their environment and which tools will best serve their needs. In general, a layered approach is always wise when it comes to security.
ThreatWise uses patented cyber deception technology. Unlike traditional honeypots, we enable customers to configure lightweight, highly scalable fake assets (decoys) to dilute the surface area and further protect critical workloads. Think of these decoys as trip wires in customer environments. The decoys are not visible to legitimate users and, when interacted with by a bad actor, provide an immediate alert to IT and Security teams (via security tooling) for investigation.
This all happens in production environments, so ThreatWise is able to uncover lateral movement, discovery, and recon – giving visibility into threats before data is compromised or hits backup environments. We are the only vendor in the data protection space with the ability to surface zero-day and advanced attacks in production. Additionally, Commvault has detection capabilities within backup environments themselves – such as the identification of abnormal file activities (ML powered), user behavior monitoring, and scanning for malware to prevent reinfection.
Blocks & Files: Another threat attack detector is Cohesity with DataHawk. This combines threat protection with scans for attack indicators and malware. Again, how do Commvault’s early warning technologies compare?
Steve Preston: Correct, Cohesity DataHawk does provide some similar scans for indicators of compromise (IOCS), but only conduct those scans post-backup. It has no capabilities to monitor or alert on threats present in the live/production environment as none of the scans are conducted until:
- Backup is successfully completed to the Cohesity DataProtect platform;
- Metadata for the backup job(s) is replicated to Cohesity DataHawk (resident in their AWS tenant);
- DataHawk conducts basic anomaly detection, and can then execute deeper threat analysis (similar to Commvault Threat Scan, except our solution is localized to the customer environment and does not require customer metadata to be sent outside of their environment).
This is the key differentiation between what Commvault offers in our early warning capabilities (built into the core platform) as well as via the ThreatWise cyber deception solution (separate offering). We not only scan for anomalies, corruption, malware, and other threats within the backup data sets, but we also actively monitor the production clients we protect via our agents and honeypots to detect potential threats earlier and enable much faster incident response.
Rather than waiting to scan the data for threats once every 24 hours (post-backup), we can also monitor for threats as frequently as every five minutes in the active/production environment. No other data protection vendor does this – they only focus on examining the data post-backup.
Blocks & Files: Commvault Risk Analysis quarantines and deletes sensitive data – how does a customer then access their own sensitive data?
Steve Preston: While Risk Analysis can quarantine sensitive data in this fashion, customers have full control over how it remediates these types of issues. Risk Analysis can identify sensitive data, and alert if it’s found to reside outside of secured systems that it should be in. This is often referred to as “data spillage.” By default, Commvault will only notify if sensitive data files are found where they should not be, but from those alerts you can execute immediate remediation within the Commvault Risk Analysis dashboard by way of:
- Locking down the file ownership or permissions;
- Moving the file to an appropriate location;
- Deleting the file from the incorrect directory/server;
- Any/all of the above.
In addition, these actions can be automated or built into a broader orchestration workflow if there are more complex tasks and approvals needed prior to any action. So, unless the customer has determined that sensitive data, if found outside identified “secured” locations, should be immediately deleted, it will remain in place for the customer to resolve the alert as they see fit.
This resolution for data spillage can also apply to the backup copy, as the references to the sensitive data files themselves can be purged to ensure those files are not inadvertently put back into the wrong location as part of a restore. This also works for malware and ensuring malicious files are not recovered to reinfect the environment.
Blocks & Files: How does ThreatWise Advisor work?
Steve Preston: The Threat Advisor delivers an integration layer and logic between Commvault/Metallic backup environments and the ThreatWise Security Operations Console (TSOC). By continuously assessing workloads protected in backup environments, the ThreatWise Advisor intelligently recommends what sensors to configure and where, to simplify and maximize decoy placement, further harden critical workloads, and reduce the cognitive load for users.
Logic runs in the backup environment to assess workloads currently being protected, as well as active decoys deployed for those workloads. Users are provided with decoy recommendations to further protect workloads and data, and users can either disregard recommendations or complete the configuration process to deploy decoys for additional coverage.