Optimizing the Resilience of Data Assets Against the Tide of Cyber Attacks

On this episode of Six Five Media at NetApp Insight, host Krista Case is joined by NetApp’s Gagan Gulati, GM, Data Services, for a conversation on enhancing data resilience amidst the escalating threat of cyber attacks. Gagan shares invaluable insights into how Integrated Data Infrastructure (IDI) supports business growth, agility in hybrid and multi-cloud environments, and the pioneering trends in cloud computing set to revolutionize IDI.

Their discussion covers:

  • The crucial role of IDI in supporting growth and agility for businesses adopting hybrid and multi-cloud strategies
  • Gagan’s perspective on the most promising trends and technologies in cloud computing that are poised to significantly impact IDI
  • How NetApp’s IDI enhances decision-making and leverages big data for real-time analytics, providing businesses with a competitive edge
  • Practical advice for companies eager to upgrade their data infrastructure, focusing on cost efficiency and optimal resource allocation

Learn more at NetApp, dive deeper into NetApp AI solutions, and connect with NetApp experts.

Transcript

Krista Case: Welcome to Six Five Media On the Road, here at NetApp Insight 2024. I’m Krista Case, Research Director and Senior Analyst with The Futurum Group, and I have the pleasure of being joined here today with Gagan Gulati, General Manager of NetApp’s Data Services Division.

Gagan Gulati: Hi, Krista.

Krista Case: Hi Gagan, thank you so much for joining today.

Gagan Gulati: Absolutely. Thanks, Krista.

Krista Case: How’s the event been for you?

Gagan Gulati: It’s been an amazing event. We have had a lot of fun. We had a great keynote today and I’m looking forward to just talking to you.

Krista Case: Absolutely, absolutely. So Gagan, I’ve had the pleasure of engaging closely with yourself and your team since its inception a couple of years ago, and I’ve been very impressed with how your team has really established itself as the tip of NetApp’s spear for cyber resiliency. We do see this as a very prominent board level concern, so we’ve been very excited to partner with NetApp on a research study around cyber resiliency, and in particular the nuances around what practitioners are struggling with to protect their data assets from cyber attacks. So first I’d like to set a little context based on feedback we received from the study.

So of course it’s clear that no organization is immune from cyber attacks. More than half of the respondents in our study indicated that they have experienced a successful cyber attack over the past 12 to 18 months. And these attacks are certainly not going away. In fact, malicious actors are only getting more efficient and effective with tools like artificial intelligence. I know this has been a theme here at the event this week. Nearly half of the respondents in our study, Gagan, they indicated that the evolving threat landscape, and in particular cyber criminals innovating their approaches, has the most material impact on their organization’s cyber resiliency as a whole, so pretty staggering. So a question for you, Gagan, are you hearing this from NetApp’s customers more qualitatively, and if so, how is NetApp helping customers from this perspective?

Gagan Gulati: Yeah, look, cyber attacks and ransomware protection in general is a board level problem. Every time we talk to our customers, they ask us about how NetApp can help them in their journey towards better cyber resilience. And most of our customers also now understand that storage is a last line of defense. Because when all else fails, whether it’s your perimeter security, whether it’s your identity security and everything else that falls in place, it all leads to data. And when it comes to data, if you store the data on NetApp storage, you want to make sure that storage helps you not only detect the attacks, but also help you recover very quickly when something goes wrong. So it’s definitely a board level problem, it’s something that’s top of mind of every customer we have talked to, whether you’re a storage admin or whether you happen to be on the security side.

Krista Case: Certainly, and I think that really hits the nail on the head, Gagan, with what we’re hearing as well and it’s all about that ability to minimize the amount of data loss and downtime following an attack. And you’ve alluded to some of these areas just now, but when we talk with customers about cyber resiliency, there are four kinds of key topics that tend to come up quite frequently. So there’s the ability to use data classification, there is the ability to use AI to detect attacks in real time, again, as you were alluding to, there’s also the ability to execute full application stack recovery, and there’s the ability to have process consistency for data protection across these multi-hybrid cloud environments that really have become the norm for most enterprises.

Gagan Gulati: Totally.

Krista Case: So looking first into data classification, as you were alluding to Gagan, we also see that this really is the linchpin for optimizing defenses against cyber attacks and getting kind of back and running. And in fact, in our study, approximately one in five respondents indicated that they plan to implement data classification over the next 12 to 18 months. And we really see this as being because the ability to catalog data according to its sensitivity, its value, and its risk, this can help us to achieve things like avoid overly permissive access to data, which can allow for malicious access to data, and also to better identify the scope of an attack and to prioritize the recovery following. So Gagan, are you seeing that enterprises are sort of struggling with this? Because I think some of this feedback from the survey and the conversation that we’re seeing certainly indicates that.

Gagan Gulati: Yeah, absolutely. You have to know your data before you can govern your data and guard your data. It’s a simple problem that way. And most companies have been on this hybrid multi-cloud journey. Data sprawl is real. You have data that’s multi-years old, 10 years old, 20 years old, 30 years old, sitting in your data center, whether it’s on-prem or in the cloud. And almost no company can claim that they understand all of your data. And without understanding all of your data, how can you figure out what do you want to prioritize? What do you want to prioritize in terms of data protection, whether it’s about backing up your workloads or whether it’s about doing better DR? And more importantly, how would you prioritize where do you want to put into effect your techniques to do better ransomware protection or against cyber threats?

So data classification definitely is the linchpin to just understand your data state. And then from there onwards, you go ahead further and say, okay, this is where I want to invest first. Because it’s all about prioritization and risk management. And at NetApp, we understand this problem really well. In fact, earlier this year we have this amazing product called BlueXP classification. We made it freely available to all NetApp customers. So they can use it to actually go solve that fundamental problem on discovering their data, understanding their data, and like you were saying, Krista, understanding the data based on sensitivity, based on certain other classes like timestamps, like what data is how old, which application is using what data, which data has never got touched over the last decade, which data, you know, build a heat map. Then start making sense out of it so that they can apply these techniques on data protection, better governance, and better security to that data. So classification is just the linchpin of everything the customers want to do. And at this point, what we are seeing is a tremendous increase in the number of customers who are adopting our classification technology as the baseline for building an amazing cyber resilience strategy and execution play.

Krista Case: Certainly. And I think that image of a heat map is very powerful and I think it really illustrates that point and it sets the foundation for this second challenge that we were talking about that I hear across the cybersecurity space as a whole, not just looking at data storage, but I think data storage is particularly relevant, and that is the ability to detect attacks with confidence as quickly as possible. So these threat vectors are kind of changing and evolving very rapidly, and so as a result, there’s been a lot of investment and interest in these AI capabilities we’ve been talking about to detect anomalous activity. And in fact, in our study we found that investing in new technologies like AI-powered threat detection, that was the top approach that respondents noted when it comes to keeping up with these constant changes to the threat landscape. So Gagan, can you talk about the NetApp point of view when it comes to real-time detection of these attacks?

Gagan Gulati: See, we believe in a very simple philosophy; that these attackers may be sitting in an environment for months, for years sometimes, but when they attack, they’re going to attack quickly. They’re going to encrypt your files and they’re going to walk away very quickly. So if you are depending on your backups, by the time these backups are taken, it may take hours, and by the time you do anomaly detection on these backups it may be another few hours, and by that time the damage has been done. So the detection of these attacks have to be done in real time because the quicker you do these detections, the quicker you can start responding and the smaller the surface area of the attack is going to be. So that’s point one.

Point two is that you also have to detect these attacks with very high accuracy because if you don’t do that and you have false positives, then your security operators are spending their critical time trying to respond to a false positive and they’re not going to like it. They want their time to be well used for investigations and actually working on real stuff. It’s like crying wolf. And that is the reason why we as NetApp have invested very heavily in building real-time ransomware detection into the primary storage. And at the same time, I would also say that we have worked on building this with immense accuracy using the power of AI, and we call this technology as ARP/AI.

What this technology does and has proven is that we can detect attacks with almost 99 to 100% accuracy, and at the same time the recall is very high, up to 99% as well. What that means is that we don’t leave any attack unheard. So that’s been a really, I would say, a turning point in security in terms of being able to detect these attacks with really high accuracy. And the way our system works is that not only would we detect the attacks, we can generate alerts for our security operators, we can take snapshots, and we can do a lot of other stuff to allow this company to then be able to recover and respond very quickly. So this has been something that we are very, very focused on and we believe that we have to help our customers drive the point home.

The last point I’ll also make is a point you made earlier, which is around the power of AI and how some of these attackers are using AI to continue to evolve. When you ship these models or you ship a technology into storage, the technology becomes stale the day you ship it. These attackers keep evolving and their attacks keep evolving, so these models have to be updated all the time. So one of the critical technologies we have built is that these models that detect these ransomware attacks are now auto-updatable, which means that they can be updated as and when we believe there are new attacks happening, new attack variants coming into place. And we update them just like an antivirus company will take care of your laptop or your machine, you won’t even know about it. New signatures show up on your box, you don’t have to restart your machine, you don’t receive a notification, they just keep you safe.

So in a very similar term, ARP/AI, a technology that we have shipped recently is auto-updatable, which means that when our research team, our data science team finds out that there are new attack variants for which we have new versions of the models that need to be sent over to your ONTAP boxes or your NetApp systems, we will send them over to you without you knowing about them, without having to worry about rebooting your system or upgrading ONTAP. And that is a true game changer to keep our customers safe in real time and being able to detect all kinds of attacks that are happening.

Krista Case: Absolutely. Just going back to that rapid pace that these threat vectors are evolving and the fact that customers, to your point, Gagan, don’t even need to worry about it, it’s kind of just on a rolling update there behind the scenes. I know that’s a very powerful message and something that really has been resonating here at the show. So one other item that’s making this even more challenging for customers is the fact that against this tide of these threat vectors evolving very rapidly, we also have the issue that data is very segmented and siloed in these multi-hybrid cloud environments that have become the norm for practically speaking every enterprise today. And this creates some challenges because it creates issues in detecting attacks and potential vulnerabilities as well across these different silos and it also potentially introduces the possibility for reinfection during recovery.

So Gagan, in our survey we asked respondents about their top challenges relating to their cyber resiliency, and this question really hit this nail on the head in particular as well as some of these other topics that we’ve been talking about today. So the top three challenges that emerged were difficulty in identifying and prioritizing the most critical data for recovery, data sprawl across multi-hybrid cloud environments, and slow time to detection. So we’ve touched a little bit on this, but can you share in a bit more detail other areas that NetApp is investing in to kind of help address these issues?

Gagan Gulati: Yeah, I think like alongside real-time ransomware detection, one of the key challenges that our customers like you talked about is being able to recover and recover at a workload level. Not file by file, but at a workload level. And with data sprawl, different business units coming into play, different applications coming into play, being able to give our customers the ability to have an orchestrated ransomware protection for their entire NetApp data state is critical to us. So over the last year we have built a new service, we call it the BlueXP ransomware protection service, that helps our customers protect at a workload level and then respond and recover their workloads at a workload level without having to worry and looking at file by file methods as have been very traditional.

And that has been a real game changer. Imagine you have customers with a simple application, let’s assume a patient app using SQL on multiple different volumes in multiple different controllers. And when attacks happen, the attackers may choose to encrypt and delete files across the board. If you are using one of our services, for example, they’ll help you not only detect the attacks in real time and then take snapshots right away at an application consistent level or a VM consistent level as they happen, but also then give you the ability to recover in an application consistent way without having to worry about issues around inconsistency in how your application is going to behave if you went file by file.

So that has been a true game changer from our perspective and the early adopters of our service are absolutely loving it. So that’s one part of the core work that we have done. The other part of what we have done is thanks to not just the rise in these attacks, but also core regulations that we are seeing with DORA and Bank of England regulation, there has been a growing need to build what we internally call as a vault. Most of our customers come and tell us that they need the ability to do air gapped data protection at a workload level. And this is where the power of everything we have done at NetApp comes into play because we allow you the ability to then orchestrate having a vault of sorts which is air gapped, immutable data, indelible data at a workload level in the cyber vault. And that has been a true game changer for customers, not just from security perspective, but also then from a privacy and compliance perspective.

Krista Case: Certainly, certainly we have heard that as well. It’s kind of air gaps are certainly back in vogue, if you will, and certainly the evolution has kind of gone beyond the on-premises tape implementations that we’ve seen today with organizations getting very creative in solutions like what NetApp is offering. And Gagan, your commentary regarding kind of the full application stack recovery, from my perspective, that really kind of rounds out the conversation. I know that was one of the things that we had kind of talked about earlier in terms of the key challenges our customers are having with their cyber resiliency and it’s certainly no surprise that they are because when we think about the different interdependencies, the complexities of maintaining data consistency in the various configurations, et cetera, so it’s certainly not surprising that customers are giving that feedback. So Gagan, is there any more commentary that you would add here regarding where you think this market for cyber resiliency needs to go and the role that you see NetApp playing from that perspective?

Gagan Gulati: I think we covered a lot, right from the ability to classify your workloads and your data with AI powered classification to give you the ability to prioritize what you should go after first. In terms of risk management, I think that’s super important. The ability to detect in real time where the attacks are happening, not eight hours afterwards or six hours afterwards so that the surface area of the attack is really small and it’s best done through the power of AI to be able to discover such attacks. The ability to, again, orchestrate and use AI to help you orchestrate at a workload level the ability to respond and then recover these workloads when things go wrong, I think that’s the third thing. And then last but not the least, the ability to always have indelible, immutable copies of your data.

And lastly, if you as a customer are running in a hybrid multi-cloud world, you want to make sure that your processes are the same. You don’t have to have a separate set of processes just because you have a workload running on premises or in one of the hyperscaler clouds. And one of the things that we are really focused on is that whether it’s your security team, whether it’s the application owner, whether it’s storage admins, whether it’s your legal team, the processes and the tooling that’s used to be able to detect such attacks and then recover from those attacks and respond, they are consistent across the board. And this is where the power of NetApp storage comes in because we have our storage available on all major hyperscalers, it gives us the ability to allow for the tooling to be very consistent and thus allows the processes that our customers are building around cyber threats and cyber attacks and cyber resilience therefore are very consistent as well. So yeah, I think it’s a brave new world as we go in and we’re just very happy with the progress the team has made so far.

Krista Case: It certainly is a brave new world and you certainly have much to be proud of with your team. So Gagan, thank you so much for joining today. This has been a pleasure. Very insightful as always. And we’d like to thank our audience for joining as well. Please make sure to keep an eye out for our research study jointly conducted with NetApp on cyber security and cyber resiliency. That is publishing this fall. And please also tune in for future episodes of Six Five Media On the Road. Thank you so much.
