If you prefer, we could call this blog post “Restore from a ransomware attack or quit? Hard choice.” I know that’s how some IT practitioners have felt after all.
Update: the next blog post in this series is now available here.
During my time at Rubrik and even before (I used to handle firewalls and proxy servers when I was a customer), I explored the ransomware and security landscape in interviews, multiple webinars, and presentations at VMUG UserCons and other conferences (VMworld 2017, for example).
While exploring this topic, my goal was to be relevant for customers without ‘ambulance chasing’. Ransomware attacks and recovery are a hard topic: it resonates with customers as a real issue, yet they hate it (I know I did) when vendors overpromise or take advantage of what is already a hard situation.
In my new role as a Principal SE at Pure, I had a conversation last week with Keith Coughlin, a local SE Manager (and former vSpecialist too!). During that discussion, he mentioned how many Pure partners he’s talked with recently have thriving security practices. We then wandered into a 30-minute brainstorm about where Pure might be relevant in a security context while making sure we’re not overpromising.
After some research this last week, here we are. I’m anticipating a multi-part blog series to explore several areas where Pure can help from a security context. Of course, this will be a defense-in-depth conversation, as all security discussions should be.
The layers I’ve recommended focusing on in the past are:
- “Before the Attack: Human Focus” or Education
- “Before the Attack: Technology Focus” or Antivirus/Patching/Filtering/Analytics
- “Before the Attack: Financial Focus” or Insurance
- “After the Attack: Technology Focus” or Data Protection & Rapid Restore
Within that framework, we’ll focus on several Pure capabilities to see where they might be relevant. Even given the Pure focus, I’ll try to frame things from an architecture perspective so if you’re not a Pure Storage customer (not yet at least) you can get some value.
- Rapid Restore – what if you could use an insanely fast backup target not only to speed up backups but to restore large amounts of data equally quickly? There’s a whole book on that here.
- Ransomware recovery is one of the few scenarios where you might need to restore large portions of the environment with very aggressive Recovery Time Objectives.
- Analytics – whether Splunk or other SIEM and UEBA platforms, correlation can be data intensive. When the average ransomware attack is detected 226 days in, having data on cold/slow tiers may not work. Webinar on that here by Vaughn Stewart.
- Storage Snapshots – yep, robust pointer-based snapshots that can even be archived off the main storage to external targets (in the datacenter or the cloud) play a real role as a first line of defense.
- Update: this post is now online here.
We’ll explore these and more in later blog posts. Thanks for reading and feedback is always welcome.