Index Engines developing CyberSense service for channel sales

Interview. CyberSense is Index Engines’ malware hunting and detection technology, which it sells through an OEM channel with Dell (Cyber Vault), Hitachi Vantara, IBM and Infinidat. But resellers and SIs could sell a CyberSense service that protects general primary and secondary storage, including backup vaults.

We talked with Jim McGann, the company’s VP of strategic partnerships, to find out more.

B&F: I’m impressed by Index Engines because you’ve managed to knock off these really impressive OEMs and they’re all basically talking about your message.


Jim McGann: The thing with the OEMs is that what we’re doing is very difficult and challenging and it’s very difficult for them to do it. So they recognise the technology. It’s something that would be challenging for them to get to the level of resiliency that we provide. So I mean, all the vendors are, and if you look at the magic quadrant for Gartner and Primary Storage, the ones that are kind of moving over to the left, outside of the upper right are the ones that we’ve partnered with. So they need more technology to stay in that upper right quadrant. It’s all about cyber resiliency and that’s what we provide.

And you can see, if you look at that magic quadrant, the ones that we haven’t partnered with yet are the ones that are still in the upper right. So they’re sitting in a happy place as they shift. And I think if you talk to the folks that run the magic quadrant for primary storage, this is one of the five pivotal SLAs that vendors need to provide. And the folks at Gartner are smart enough to know that some of the things that the vendors have done are just not good enough. Because you read the newspapers and you see Marks & Spencer and you see people like that that are still having attacks.

B&F: You’ve gone for storage system vendors like Dell, Hitachi Vantara, IBM, and Infinidat. Do you have any data protection vendors as customers for your CyberSense technology?

Jim McGann: So in the Cyber Recovery Vault with Dell, the data that’s in that vault is backup data. We support the Dell backup formats. So PowerProtect Data Manager, Avamar, NetWorker. We also support Commvault, NetBackup and the IBM backup software. So the vault is a good thing and backup is a 24-hour view of the world, which is good, but we’re moving into production, which is every X minute view of the world, which is better. But not to say that the vault isn’t important because, when they wipe out an array, which some of these variants do, you need to have a gold copy in the vault that’s clean for recovery.

B&F: I’ve not noticed that Rubrik or Cohesity or Commvault are actually using your technology.

Jim McGann: No, they’re not. I mean the modern backup format vendors feel they have it covered. I mean Rubrik is now a security vendor versus a data protection vendor. So they feel they have cyber resiliency covered. That’s questionable from our point of view, but for them, this is the capability that they want to provide as a security player. We’ve had conversations with them and there are conversations going with some of them today. They’re not as interesting as the ones with people more in the production storage side.

There’s still a lot of vendors there. There’s a lot of other vendors that we’re talking to in production storage. I think what we want CyberSense to be is really a data service. That’s how Gartner looks at us; as a data service that overlays on top of both primary and secondary storage.

I think what customers want is to have a unified data integrity platform from primary to secondary storage that says, “Hey, the data’s good.” So if I’m a Marks & Spencer or a Co-op that gets attacked, it is not like a panic mode. It’s like I know where I have clean data and I know how to recover and I can bring the business back to an operational state versus people running around like crazy saying we don’t know how to recover. 

I think everybody talks about these cyber resiliency strategies, but they’re clearly not robust enough. And you would think someone like Marks & Spencer would’ve a better look, right? I think taking orders is important for a company like them.

B&F: Infinidat is changing its status.

Jim McGann: Yes. Infinidat will be Lenovo over the next couple months and I think Lenovo wants to get in the enterprise. I don’t know their strategy, but I’m assuming they want to get into the enterprise space. Cyber resiliency is a key aspect to that. So I think they will embrace us very well.

B&F: What about other OEMs?

Jim McGann: If you look at the magic quadrant for primary storage, the folks that are hanging in the upper right are the ones that we haven’t cracked yet because they’re living in a world where they think they have good enough. Whereas, if Gartner starts saying, “Hey, not quite good enough,” and you’re starting to slide down and left, then you’re going to see the doors will open up. 

But I think as CyberSense becomes a standard across the enterprise for data integrity and a key component for cyber resiliency, they will come to us because customers don’t just have Dell or don’t just have IBM or don’t have Hitachi, they have mixed environments where they say: “We are using CyberSense here. Why can’t I get it over on my NetApp?” And I think you’ll see what we’re doing as a company is: we’ve been a very OEM-focused company where we partner aggressively and that’s worked out very well. But we’re heading into a direction of more providing an independent offering that vendors can integrate to.

So opening up and going to these vendors and providing toolkits that allow them to connect to other environments. So that opens us up to even the security vendors, … the managed service providers, a lot of different folks, the cloud vendors opens us up to those different spaces as well.

B&F: Let’s say CyberSense is a service and let’s say as you’ve indicated, I’m sure it’s absolutely true, a customer would say to themselves, well, I’ve got CyberSense on my Dell kit, but there’s my NetApp kit, there’s my cloud storage. Why can’t I have it layered across everything? 

Jim McGann: Indeed. 

B&F: So let’s suppose you wanted to layer it across everything. You’ve got this CyberSense capability and it has to integrate with whatever storage vault it’s going to look into. Now this is where I’m getting tricky. How do you do that integration? The OEM sales strategy suggests you have to do an integration per vendor per storage array. But that may not be true.

Jim McGann: It won’t be true in the second half of this year.

The OEM partnerships are strategic and we can create a very elegant orchestration with them. There are toolkits that are available that are being more formalised now that will allow for integration that will work, and work in production. And I think, if you see vendors like some that you have mentioned that we’ve not strategically partnered with, they may want to take it to the next level. They could say: “That’s good, but we can even be more sophisticated about that.”

I think there’s a multi-phase approach that you’ll be seeing here. And the same on the security side too. So I think as we’re running and doing scans in production on a regular basis, if CyberSense sees unusual activity, data manipulation activity, that could be integrated to security systems to say: “Hey, there’s unusual activity. Shut this down.”

And I think if you study Marks & Spencer versus the Co-op; the Co-op saw unusual activity and they disconnected the Internet and they were able to recover quickly. Marks & Spencer didn’t do that. So it spread. I mean if you see unusual activity on a single server, being able to automatically sever that from the internet and isolate it is a very good thing. CyberSense can integrate into those security strategies very well and provide that level of telemetry data and knowledge.

But then also I know where the last good version of data is. So that’s the data that you can recover. And our goal as a company is to turn a ransomware attack into a normal disaster that can be easily recovered from. And so it just minimises the impact and the effect of it. And again, if customers are down for months or handicapped for months, like Marks & Spencer, that’s just devastating for them and they don’t need to be at the mercy of these bad actors.

B&F: If Marks & Spencer could six months ago have gone to Index Engines and said: “We want to buy a subscription to the CyberSense service to cover our storage,” you’d have said no at the time, whereas in a few months’ time, would that be possible?

Jim McGann: Yes.

B&F: Wow! Okay.

Jim McGann: A lot of what we’re seeing in the channel is that the channel sellers are really selling cyber resiliency. So they’re selling a strategy that more integrates with our message and how we sell this. And I think selling through the channel, with the channel sellers having relationships with Marks & Spencers and others, that they can help provide this. So if you think about cyber software, there could be connectors on there to all sorts of different platforms. So the idea is, if you are maybe even a managed service provider, that you can just say: “Hey, I want to connect to A, B, C, and D that that’s possible.” It is going to take us time, but we’re laying the foundation to do that. And that’s really the future.

I think the OEM relationships have allowed us to get into customers that we wouldn’t be able to get into on our own. But now that CyberSense has a brand reputation out there, customers are asking for it across other environments and I think that’s the need that we’re going to satisfy in the direction that we’re going to be taking.

B&F: The core product, the ransomware scanning, the malware scanning; you’ll keep that updated with every fresh flavour of malware you can find?

Jim McGann: That’s so. Even better than that, we just got a patent issued for an automated process. So in our colo offsite, we have a secure lab. Any new variants that are detected on the market through different sources are downloaded into that lab and detonated. We study that and then we make sure that our machine learning is up to date to support that.

It’s an automated process that we’ve just patented that will say basically, if there’s new variants, cyber central will find it. And variants are basically classified into about 30 or so different general categories. So they’re not reinventing the wheel every time. They’re changing the name, they’re changing the encryption algorithms. So we’re seeing them, we’re classifying and say, okay, we’re good. And if not, then the machine learning would need to be updated because we have a 99.99 percent SLA to find that corruption.

B&F: This is a core constant ongoing engineering development effort for CyberSense?

Jim McGann: There’s 800 to a thousand or more new variants every day. I mean there are just tweaks and modifications of existing variants. So the idea is if you’re going to play in a soccer match, you study the opponent and understand what they’re going to do. That’s what we’re doing. We’re studying the variants on a continual basis to know exactly what they’re doing. Most of the times they don’t change much, but if they do that, we’ll see that and customers can know that. They’ll have that confidence that any corruption with these new variants will be detected with 99.99 percent confidence.

B&F: And then you’ll be adding connectors?

Jim McGann: It’s all about just being able to feed as much data to CyberSense as possible. CyberSense looks out as data changes over time. The idea to be agnostic of platforms is the vision that we have and I think that’s what customers want. They want a data integrity service that can look at data across the portfolio, across the data centre, and give them the assurance that their data is good and, if not, where’s the data I need to use for recovery.

B&F: With a storage array, a filer, an object storage or a block storage array with a database, there are APIs you can use to get into that storage array. If you can talk NFS, then you can talk NFS to any storage array that uses NFS. But, with a backup vendor’s vault, that’s not the case, because the only doorway into that vault is through the backup vendor’s own proprietary API. So you have to do that, I think, on a case by case basis.

Jim McGann: We’ve engineered access to these backup formats. Part of our intellectual property here at Index Engines is understanding complex formats so that we can look at something like NetBackup and understand it. If those partners or backup vendors cooperate with us and give us the schema, that helps. But we have engineers that can really understand and look at the bits and bytes of these proprietary formats and engineer access into them. So that’s what we’re doing; cracking them open without rehydrating them, and looking inside of them. 

That is key to the Dell Cyber Recovery Vault because it’s all backup data that’s in there. Also key to snapshots is to be able to understand a snapshot and how to mount it to block storage. So it sounds easy saying that we scan data, but, as you understand, the devil’s in the details here. How the formats work. And a lot of these vendors like IBM or Infinidat; they participate with us to create, to orchestrate into those APIs.

With something like NetApp, they have things like SnapDiff and they have APIs to be able to help you interpret their data. So we’re leveraging anything we can just to understand the data and how CyberSense looks at it to see how it changes over time. So for example, with an Oracle database or a health records database, we need to see either a snapshot of that or a backup of it so we can see a static copy of it and compare it to the previous version.

We’re not going to be scanning production databases because customers don’t want that. So we’re looking at, for example, health records databases like Epic, and snapshot it every 15 minutes. CyberSense can scan it every 15 minutes. And when there is an attack on that database, then CyberSense will say: “Hey, the one from the previous 15 minutes is clean. You can go back to that with confidence.” That turns a recovery into minutes versus trying to say which one should we recover? Is that clean or not? And they have to go to a clean room and test it. CyberSense is giving you that confidence on a continual basis that you don’t need to study it or go into a clean room. We were telling you that it’s good and you can recover with confidence.

B&F: Is there anything else you care for me to know about what CyberSense may be doing over the next three to six months?

Jim McGann: I think the future is definitely maintaining these strategic relationships because they’re important to us, but also opening up so that CyberSense can easily integrate into other environments and really that’s what customers are asking for and we’re providing that solution out to the market.

Bootnote

We think Index Engines has just signed up Panzura as an OEM.