The best defense against a ransomware attack is a clean recovery: Commvault CEO Sanjay Mirchandani
It’s been easy pickings for bad guys on the dark side of the web – there’s more open source intelligence than ever before, a treasure trove of personal identifiable information (PII) and compromised credentials on hacker forums, and a large language model chatbot smart enough to clear Wharton’s MBA exam can now write malware.
Staving off cyberattacks no longer depends on defensive capabilities alone. Companies must know exactly what can be targeted. More importantly, recent incidents such as the cyberattack on AIIMS, the SpiceJet ransomware attack, and the takedown of Mumbai’s power grid underline how critical it is for businesses to be able to bounce back without business disruption.
ETCISO, in its conversation with Sanjay Mirchandani, CEO of Commvault, and Balaji Rao, Area Vice President – India & SAARC, brings to light the importance of offensive capabilities in building cyber resilience and how the company aims to take the fight to threat actors.
Mirchandani tells us how the company is trying to go a step further in protecting against ransomware attacks by focusing more on clean data recovery and usage of offensive capabilities such as deploying deception tech.
Edited excerpts:
ETCISO: Sanjay, you’ve had a ringside view of how the threat landscape has evolved. Could you share some key observations – what has changed in the cybersecurity space and how is Commvault adapting to these developments?
Sanjay Mirchandani: We’re seeing a significant increase in cyber threats, specifically ransomware. Over the last three years, during the pandemic, when most of our defenses were down, the bad guys were at work. They became well-equipped and well-resourced. It is hard to expect a midsize company to have the defenses of the Pentagon to protect itself.
Data protection, a decade ago, went from being sort of an insurance policy to an active policy – you want to ensure that what you have works. With that, a lot of the conversations migrated from revolving around backup to addressing recoverability; and then from recoverability to how good the recovery is and the quality of the data recovered.
In simple terms, if I can deploy decoys across the network in a systematic way and make it harder for the bad guys to find the real asset as they go left to right in the network, or when they trip, it sends a clear signal to the folks that need to know that their data may be compromised because somebody is touching something they should not.
That is why we bought a company out of Israel, called TrapX. We rebuilt the product and released it recently as ThreatWise – our deception technology capability – to ensure that the backup level of proactive protection is available to our customers.
We’re ensuring that we can give our customers peace of mind about their businesses and the level of resiliency. We have been doing it for 26 years. We’re publicly listed and traded on NASDAQ and we have 1,100 patents as of today.
ETCISO: Honeypotting and deception tech are sometimes clubbed together. How are the objectives of deception tech different from honeypotting?
Mirchandani: Honeypots are a very simplistic way of thinking about it. But with decoys, you can customize and deploy them in different ways. You can also have them centrally managed.
They can look like your backup camera server, and it just makes your network that much safer. I was a CIO and the way I think about it is that hackers will get in. Now, if they get in, they are going to move. What can you do to make their life difficult?
With deception tech, we can catch them along the way. Let us say they get to the target, have you protected your core assets? Have you protected the data that matters?
That’s our way of thinking about it. If we assume they get in, let us try and catch them quickly and ensure that the data that they touch along the way is clean because you are backing it up and hoping you can restore it.
Threat actors today are well-equipped and well-resourced. The way our technology works is that it allows you to customize and manage the decoys to get the signal-to-noise ratio to where you need it.
ETCISO: Balaji, you’ve closely tracked the threat landscape in India and SAARC. What changes have you observed in the tactics, techniques, and procedures (TTPs) threat actors use today, especially ransomware operators?
Balaji Rao: Ransomware actors are getting more sophisticated. We saw a drastic reduction in dwell time as well. It’s partly because of the level of sophistication, but it’s more so because of ransomware.
Today, we see a 19-day service disruption following a ransomware attack. We’re seeing a sophisticated evolution of threat actors, so we need to be proactive.
In the early days of data protection – say 5-6 years back, when we did not have this preponderance of ransomware, we were just looking at how we get the data back.
Now, we are talking about how quickly we can restore the data. It is a boardroom conversation. If we get ransomware, how ready are we to get the business back on track, and in how many days? This is a drastic change.
At Commvault, we’re trying to go a step further in protecting against ransomware attacks.
A threat actor’s penultimate step before encrypting all the systems is to disable the backup. We’re going on the offensive by putting a sensor out there that sends out an alert to the business indicating an intrusion.
This very important piece of intelligence coming from the backup systems counts as a far more critical alert than those coming from the several layers of security which the bad guys are still able to evade.
ETCISO: Sanjay, you’ve coined an interesting term – IT collision. How is this caused and what impact does it have on an organization’s security?
Mirchandani: A collision occurs in the hybrid halls of IT. The security guy wakes up to say, “we have had a breach.” He calls the IT infrastructure guy for a good backup, but the infrastructure guy says, “I am sure I do, but why are you asking me?”
When it’s explained how all systems have been locked down, the IT guy goes, “Why did the bad guys get in? You took my budget and bought all the security stuff.” And that’s how you have a collision.
This collision is a very uncomfortable place to be in. If your defenses get breached – which they probably will – then be very clear in establishing what your core and data assets are.
You need to test and ensure that your data is completely recoverable and that it’s clean. You need to check whether the data is backed up by policy, and whether it is recoverable. If you test those things, and you have a protocol around it, you are as prepared as you are going to be.
The best defense against a ransomware attack is a clean recovery.
ETCISO: You seem to lay a lot more emphasis on cyber resilience vis-à-vis cybersecurity. Do you see them differently? What must CISOs do to amp up cyber resilience capabilities?
Mirchandani: I think cyber resiliency is an outcome. My data protection strategy and my information security policy – what I call ‘walls and moats’ – need to be fed into a more resilient business. Simply put, they must layer on top of each other.
I’m a little cynical when someone says: “Here’s a one-size-fits-all ransomware product.” These are generations of systems, and different policies are managed in different ways. The bad guys use the light between these systems to get in.
I think if your data protection strategy involves proactively checking the quality and health of your backups, and testing to ensure a high degree of confidence in your recoverability, you are more resilient.
The question is: Do you want to take a defensive point of view and hope you can block everything, or an offensive standpoint that says: “I have tested the capabilities of my systems, and they are quite bulletproof.”
Rao: We’ve seen that despite expanded budgets of 2x and 3x investment in security products, with multiple layers still on, most customers still carry an equal amount of risk as before, sometimes even more.
There’s no foolproof strategy yet, other than having a clean copy of data somewhere that can be restored and tested very quickly. It is a chase because your tech services are going up every day – thanks to the rapid adoption of a multi-cloud environment.
ETCISO: Tell us about Commvault’s growth journey in India. Are Indian CISOs on board when it comes to conversations around offensive capabilities?
Mirchandani: We’ve had a presence in India both from a customer and an engineering point of view since 2004. We have just about every aspect of our business represented here. Our recently built Center of Excellence has done well for us even through the pandemic.
Our Metallic SaaS business is well represented. Our software businesses are doing well here. I would say we have an enviable roster of customers across the country. We’ve been the employer of choice for multiple years now.
Rao: If you look at our range of customers across the country, we have customers ranging from large banks to telcos to service providers who serve customers across small and medium businesses. I’m seeing two clearly identifiable vectors which are virtually disrupting or making people re-look at the entire data protection infrastructure:
- Multi-cloud environment adoption, which is being majorly pushed by the application vendors, and because of the ease, speed, and agility that it offers, there has been a lot of adoption post-COVID.
- Need for proactive cybersecurity: We see customers who are willing to engage a lot more in conversations around ThreatWise. A lot of them are asking “How can we be more proactive in our approach to data protection?”
It takes almost 25-30 days to recover. I can get the data back, but getting the processes, applications, and databases up and running is a 20+ day process that businesses cannot afford to lose. And this is why having a single pane of glass is crucial, irrespective of whether you have your data in the cloud, on-prem, or a SaaS application.
The reason why we’re positioned here today is because Commvault is best suited for this complex environment. We’ve been doing the traditional stuff for 26 years now.
The speed at which we’ve moved to the cloud, the partnerships we’ve forged with key cloud vendors, and the ‘nativeness’ we’ve developed in these cloud environments are giving customers the edge to detect issues as and when they pop up.
ETCISO: Your parting thoughts for CISOs in the country. Also, how is your company going to make it easier for them to manage security in a multi-cloud, SaaS-based era?
Mirchandani: Having a roadmap is crucial. Drop a clean line between protecting your defenses and your boundaries. Protect your data on the inside, but be well aware that the data is now also going outside. It never used to in the past, but now it does.
Security is not a fad – it needs to be built in, not bolted on. If you get fifty thousand signals from twenty different tools, you could apply all the AI you want, but there’s going to be that one signal that gets through, and you may miss it. You don’t want to trip the fidelity meter.
Customers see the need to be able to do logical workload management. We are the only ones that give you the capability of being able to mix and match SaaS with software in a single pane of glass – it was engineered to be able to do so.
Rao: We’ve embraced the cloud in a way that’s native to all four prominent cloud service providers. We provide that along with the on-prem data such as Desktop Office 365, Edge, and SaaS data. We’ve engineered it to be thoroughly integrated – something that can be viewed and controlled on a single dashboard. And since we’re native, even the economics of moving the data between clouds has been factored in.