Partner Content: Exclusive Q&A: Rubrik's James Blake on cyber attack recovery, ransoms and threat hunting


For today's businesses, any downtime caused by cyber attacks including ransomware can be costly in terms of time, resources, regulatory fines and reputation. Therefore, organisations should be working to ensure they do not come to a halt when faced with the growing number of ransomware attacks and cyber threats.

Protecting data is central to this, and despite it being organisations' "crown jewels", it often falls into the hands of cyber criminals, with responsive workflows falling through the cracks between IT and security, leaving businesses tempted to pay ransoms. Advanced data observability and threat hunting are just some of the ways organisations can shore up their defences against ransomware, but many lack the resources to engage in such activities.

To find out more, Computing spoke to James Blake, Field CISO in EMEA at Rubrik, ahead of his speaking sessions at Rubrik's annual user conference FORWARD 2022, which takes place virtually May 17-19, 2022.

What is the current ransomware state of play in the context of the pandemic and an increase in hybrid working?

"What ransomware has shown us is organisations' lack of cyber and operational resiliency. The ability for IT and security to work together, have integrated processes, integrated systems, being able to not make fragile systems in the first place, and having the ability to withstand and endure an attack is lacking. And, if we don't manage to build resilience in the way we operate and build systems now - especially when going through digital transformation - all this same fragility will transfer to our cloud infrastructure, and we're not going to learn the resiliency lessons from dealing with ransomware.

"We know an incident is going to happen, so let's deal with them and reduce the impact by building our resilience and our ability to respond, and handle incidents like a business-as-usual - and that is what Rubrik does."

What tools and strategies are organisations deploying to respond to the increase in ransomware attacks and stop their operations grinding to a halt?

"Organisations have, on average, around 130 different security controls, contributing to increased complexity and licensing cost, and about 80-90 per cent of budget is spent on preventative and detective solutions, so we are not learning our lesson. Lots of silver bullets and very little meaningful integration and operationalisation.

"And just when IT departments are moving to the cloud, at the same time security is busy building out on-prem infrastructures and staffing them with multiple personnel, all while there is a global cybersecurity skills shortage. So spending is going up, complexity is going up, alerts are going up but operational capability often isn't. We're in a place where we see the law of diminishing returns on likelihood-focused controls at full scale. So, is the needle really moving? I don't think so."

How have Rubrik's customers adapted how they use your products and services for this new landscape?

"Rubrik's customers have really understood how to apply the platform. What we see now is that they really understand the 'identify stage', where they can identify regulated data. Most organisations don't know where their data sits, and if they do - the reality is that operational teams have to work around official repositories of data that rarely are the single-source of truth to get their job done. Rubrik customers can discover their regulated and critical data inside the diverse workloads we manage without the deployment of yet-another-tool. We see them apply the Zero Trust Data Security approach and capabilities for protection of their data, to put it beyond reach of adversaries. And for detection, we see them apply our capabilities to detect malicious artefacts used during an attack, as well as alerting on malicious deletions and encryption of data.

"When we get to the response stage, we see them employ features that enable them to do live mounting of file systems over time to support incident investigation and forensics and we see them proactively look inside their workloads with threat hunting - and to look for those gaps between your protective/detective controls. In the recovery stage they apply this intelligence so that they recover only the data that they need and not the malicious or infected data."

How important is threat hunting and do organisations have the resources and know-how to engage in it?

"A part of the challenge of threat hunting is the typical time it takes to get any value from threat hunting. It can be several months to years. You have to train a team to use the tools, you have to deploy those tools, you have to manage these tools, you have to put the infrastructure management in place - then when your environment changes it's back to the drawing board. There are lots of different ways of threat hunting, my perspective is that it is a bit of belt and braces and there is a place for them all. It's a broader topic and one we'll explore more in detail at FORWARD."

What steps can organisations take to become proactive rather than reactive in their approach to cybersecurity?

"The first thing is, understanding what it is you are protecting. This is the biggest one. I see so many organisations that have security, but not risk management - they're not aware of what they should be protecting or what they're liable for from a compliance perspective. That is a big problem.

"The value is really in the data, and where the data resides, and how the data supports business processes. So many CMDBs today have only details of hardware and software - the things we can now instantiate in seconds thanks to orchestration tools, virtualisation and the cloud… but they often don't know where the data is which is the value that is irreplaceable, that has the compliance obligation and that is the target of the attackers. So, the first thing they need to do is understand that data, understand how it supports the business, and understand where that data resides. Once you know where your data is, it is time to do your risk assessment and deliver value to the business."

What would you say to organisations tempted to pay ransoms following a successful attack?

"Don't do it. There is no guarantee you'll get what you want out of it. In paying a ransomware, you could find yourself funding a criminal organisation, and it may even be breaching international sanctions, and your shareholders may or may not thank you for doing so. What you need to do is have an honest conversation with the business around its readiness to stop and prevent an attack, then collaboratively work on a resilience strategy.

"If your first thought is to add the 131st tool in an effort to prevent ransomware, it won't change the fact that you'll be repeatedly targeted and - let's not forget that malware is still getting past those tools. Malware and ransomware share many similarities with only the type of impact differing at the end of the chain. It is a numbers game, eventually, it will hit you. Spend on impact reduction and resilience, then you won't need to pay the ransom and you'll get a better return on security investment than yet another preventative tool."

To hear more about how to protect your organisation against cyber threats, tune in to FORWARD 2022.

This post is sponsored by Rubrik
