Video: Analyst Insights: Building Cyber Resilience Through Proactive Recovery Strategies | Duration: 2864s | Summary: Analyst Insights: Building Cyber Resilience Through Proactive Recovery Strategies | Chapters: Welcome and Introduction (29.09s), Evolving Data Protection (213.655s), Backup Security Challenges (364.185s), Data Exfiltration Risks (841.79004s), Proactive Recovery Strategies (1403.47s), Proactive Cyber Resilience (1617.59s), Proactive Cyber Recovery (1730.255s), Recapping Key Takeaways (2085.68s), Future of Cyber Recovery (2237.7148s)
Transcript for "Analyst Insights: Building Cyber Resilience Through Proactive Recovery Strategies": Hi, everyone, and welcome. Thanks for joining us today. I'm Justin Rees, the director of product marketing here at Rubrik. I lead our data protection story, which includes everything from cyber resilience to how we protect hypervisors, databases, unstructured data, and the OLAP platform. I'm really excited about today's talk, because we're gonna have a real conversation about something that keeps a lot of us up at night. Well, at least me. How do you actually restore from a cyber attack? And so we've got a special guest joining us, who's gonna bring us some real data and perspective to the conversation. And, you know, look, this isn't gonna be a product pitch. It's gonna be an honest discussion about what's working, what's not, and where the market is starting to go. So with that, let's dive in. Alright. So let me introduce our guest today. We got Johnny Yu joining us from IDC. Johnny is a research manager at IDC's Worldwide Infrastructure Research Organization. His coverage includes storage software, data protection, data replication, basically everything in the data protection and cyber resilience space. And what I really appreciate about Johnny's perspective is that he's not just looking at what the vendors are saying. He's talking to actual IT and security leaders day in and day out. He's analyzing what's actually happening in the market, and he's looking at the data behind some of those news feeds that we're seeing. And so before IDC, Johnny spent years as a tech journalist covering data protection, ransomware, storage. He's been in the space for a long time now, comes with a lot of expertise, knows the market inside and out. So super excited to have you, Johnny. Did you wanna say a few words? Say hi to the guests.

Yeah. Absolutely. Thank you, Justin. So, yeah. As Justin has introduced, I'm Johnny Yu.
I'm part of the infrastructure software research group at IDC. And, yeah. A lot of my research focus is on data protection, cyber recovery, and cyber resilience. And I have a lot of data for us to go over today from customers who have encountered ransomware and then the various outcomes of their ransomware encounters.

Awesome. Thanks, Johnny. Great to have you on the call today. Alright. So before we get into the details, let me lay out, you know, what we're going to talk about. If you remember nothing else from this talk, I just hope you remember these key points. First, data protection has fundamentally changed. The threats have changed, the attacks have changed, and so that means that our approach needs to change. And so what worked five, ten, fifteen years ago definitely won't work now. Second, traditional backup is just not enough. Just having copies of your data doesn't mean you can restore quickly or confidently when an attack goes down. You need more than that. Third, you need the insights about the data that you're protecting. Things like anomaly detection, threat hunting, sensitive data discovery. You need to understand what you have and where the risks are before an attack strikes. And fourth, this is kind of the heart of what we're gonna be talking about today. And so in a world where you can't prevent all attacks, the only thing that kinda matters is how fast you can restore, your cyber RTO, your cyber recovery time objective. So now, here's the evolution that's kinda happened in the market. And at Rubrik, we've been on this journey with the customers that we support. And so it started with data protection, making sure your data was backed up, secured, available when you need it most. That was really phase one. Then it evolved to cyber resilience and adding those insights and capabilities, threat detection, the anomaly, the ability to actually identify what's compromised and what's clean. That was phase two. But now, we're in phase three.
The more proactive approach. Doing the work before the attack strikes, not after. And so when you get that late night call, you have all the key answers, you can get your company back online quickly. And so that's where the market is starting to head, and that's what we're gonna dig more into next. So let's start with the problem statement. Why has data protection changed so much? Well, here's the uncomfortable truth. You can't prevent the unpreventable. I know that's hard to hear, especially if you spent years and a ton of cash on security tools, things like next gen firewalls, endpoint protection, security awareness training. All of that plays a crucial role and will continue to, and it all helps. But attackers only need to be right once. You need to be right each and every time. So those odds just aren't good. Right? And so the traditional tools that we've leaned on up until now, they were built for a different threat. They were built for things like hardware that might fail, natural disasters, accidental deletions, things that are more environmental, but not these very specific kind of attacks. And so nobody was designing backup systems thinking about an attacker who's proactively trying to get in and to compromise them. Or just change the retention policies so everything gets aged out. But that's the world that we live in now, and it requires a fundamentally different approach. To throw it to Johnny, Johnny, I'm interested, you know, you've been kinda studying the market for a long time. What are you seeing in terms of attacks on backup systems specifically?

Yeah. And thank you for that, Justin. And kind of like a good kind of segue into that point is, yes, your backups are being targeted, and we'll have slides on that later. But that fundamental kind of difference or transition, I guess, we wanna talk about is we don't live in that world of just being prepared for disasters anymore.
Like, a flood or a fire is not actively trying to steal your data and then, you know, extort you for it. So there's this extra step that needs to be taken that traditional normal backup and recovery doesn't cover, which is how do you trust that the data that you're recovering from isn't already compromised? How do you trust that your backup admin's credentials haven't been compromised in any way, you know? And I like how in one of the earlier slides, the very first section that was pointed out was zero trust. And it's like, assuming breach isn't paranoia these days, you know. It is the zero trust strategy. It is checking everything along that data path and making sure that your backup, that your security and all that stuff, everything at the point of ingest, the data at rest, and then that data again during recovery, that you're checking again and again that nothing has been compromised, because every step of the way has a potential point for compromise, and this is why we pull in the zero trust. So, getting back to where we are with this IDC data, I want to point out that this is data from a survey that was taken at the 2023. We published this information in early 2024 for this larger report. And one of the questions that was asked here was specifically for organizations that did experience a ransomware attack, what was the outcome, specifically on the backups? About a quarter of the respondents said they didn't even have backup for disaster recovery. So that's already a bad sign. So that was already kind of like a surprising outcome that we had encountered. Then we have this other 25% who said that they were affected and did lose access, but the attacker did not actually go after the backup. So this makes up, you know, about 50% of the respondents already. People who didn't have a backup and then people who didn't have their backups attacked at all.
So then we have this other 50% ish where the attackers did go after the backup, but they weren't able to delete it. So that's only about 20% of the respondents. This largest chunk here is organizations that were attacked. Their backups were attacked and were compromised. So they weren't even able to use their backups as backups. You know, the whole point of backups is to be like that insurance policy, not just against natural disasters, but, you know, against hackers, against malware. And it was attacked, and it was successfully deleted. So it's like there's no fallback. In most of these cases, your only out is to pay the ransom, unfortunately. You know, otherwise, that data's gone. And then moving on to this next data point, this is from the same survey, different question. But this was a question surrounding basically what kind of capabilities, what kind of best practice they were following. And I guess the main takeaway from this data point is kind of a frustrating point where a lot of the things that could be used to prevent ransomware or like falling victim to ransomware or having ransomware delete your backup data or any data in general, is that a lot of this stuff is just best practices that just, you know, already exist, you know. These aren't new, you know. So to have 39% of the respondents come back to us and say, like, we didn't have an air gap for our backups. Or 28% saying that they didn't even have encryption for their backups. Or 22%, like, this freshmen were not having immutable backups. Like, these are things that the industry has been talking about for a long time. And yet to see that companies are still falling victim to this because they're just not following what are kind of recognized at this point as industry best practices for their backup data is a little, you know, it was surprising that they're as high as they are. That's just kind of frustrating.
It's like these are new technologies, you know. I would say every data protection vendor out there, you know, outside of Rubrik, you know, have ways to encrypt your backup data, have ways to store them in the immutable storage and stuff like that. So it's just like, it's just so surprising that, you know, that these common vulnerabilities not only can't be addressed, it's like we've had this technology for a long time, you know.

Right. And I think that's kinda what Rubrik sees as well as in our own kinda research. All of these best practices aren't just built in to architecture that customers are deploying. We see all the same things. Some customers don't even have some SLA policies on the backup life kind of cycle, so things are just not being backed up. And so just kind of a breakdown of the entire system. Some of it might be because of just how fragmented the tools are or more, how complex things are. But I guess the end result is the same of you kinda have this backup strategy that's supposed to be your last line of defense, yet it might not even be there. And so when the time comes, you're gonna be in for it, which is kinda hard to say. And so I think that data around air gaps, encryption, and immutability is super crucial because, you know, here's what we need to really think through. Because, you know, what we need to think about is backups do not equal cyber recovery. They're related, but they're not the same thing. Right? And so having a backup copy of your data is kinda just the starting point. And of course, you need that, but when these attacks happen, when they strike, having that backup doesn't automatically mean that you'll be able to restore quickly or at speed. And so when you think about it, if your backups are compromised, which ones are clean? When did the attack actually start? What sensitive data was exposed? Which systems do you restore first to reduce what the impact is?
And so traditional backup systems can answer those questions, and they weren't built to do that. Now, you know, zero trust principles helped us get here. Immutability on the first kind of backup, the air gaps protection, role based access control, multi factor authentication by default. All of that is super crucial like we've talked about to ensure that your data is actually available when you need it, but even that's not enough. You need the insights. You need to know what's in the backup. You need to have an automated action to spot when something looks wrong. You need threat hunting to find threats. You need containment. And more importantly, you need to be able to test and kind of validate that you can actually recover those backups when the time comes. And so this is the evolution I was talking about before at the start. At Rubrik, we started with that foundation of strong kinda zero trust data protection, making sure that your data was secure and available. That was phase one like we talked about. Then we built in cyber recovery capabilities, the insights, the threat detection, the ability to understand what you're dealing with. That was phase two more or less. But as we're going on that kind of evolution, we started to realize something. If we assume breach, if we accept that attackers will eventually get in, then the name of the game is speed. Right? How fast can you get your company back online? And so that's phase three. Being more proactive. Doing all of that kinda heavy lifting before the attack happens, not after. And so I think this connects to something that you were talking about on the exfiltration side, kind of leading up to this call. And so exfiltration of sensitive data continues to be a huge, you know, sore spot and problem for customers. And so interested to get your thoughts on that, Johnny, from an exfiltration perspective. How big of a problem is that for companies?

Sure. So thank you for that, Justin.
And I think that's a good segue into some IDC data about data exfiltration and why that's a big deal. So the problem of exfiltration, let's start there, is that it really sets up this double extortion opportunity, if you will, if you're a bad guy, where not only could they hit you once by denying you access to your data or blocking your data or deleting your data. But then, let's say you resolve that one way or another, you pay the ransom or you didn't or you find a way to recover from it. The second extortion is, well, I have your data and I'm going to release it to the dark web if you, you know, don't pay me this other ransom, you know. So that's the big issue with data exfiltration. And we have IDC data again from that same survey really illustrating how big of a deal it is. So that's the chart on the left there where it says about a third of organizations said that none of the data was exfiltrated. You know, good for them. And then this, oh, just to clarify that this is just organizations that were specifically hit by ransomware and they did lose access to data. So this wasn't, like, you know, people who solved the problem completely on their own, you know. So in those ransomware attack cases, a third of them said that data wasn't exfiltrated. So that means the remaining two thirds and then this tiny 2% who said they don't know. But, you know, we'll use some round numbers here. The remaining two thirds say that data was exfiltrated. And then of those two thirds, roughly half of them say that valuable and sensitive and secret data was exfiltrated. You know, important stuff was taken. And then the remaining half said that what was stolen was either public or just, like, you know, completely worthless, useless, no value data.
So why that matters from a cyber resilience, cyber recovery standpoint is tying back to, Justin, what you were saying about, like, Rubrik's capabilities and also when you are mapping out, like, kind of that maturity model of the transition from traditional data protection to cyber recovery is if you don't have any sort of intelligence on your data, if you don't know what got stolen, then you're basically in a coin flip situation of, well, maybe that data was useless, so I shouldn't be paying to get it back. Or, you know, maybe it was sensitive, and I'm gonna be in big trouble if, you know, if this gets released on the dark web, so I should pay the ransom. It's like, are you really gonna go for that coin flip scenario? Or, you know, would it be better to know what you have so that you'll know what gets stolen? So, you know, have that guide your recovery or your negotiations from there. So, you know, that's this, and then, like, the exportation list, you know, just really illustrates the importance of that point. And then tying into that is the second chart here where there's the 31% where organizations were able to recover just from their own capabilities. You know, their backups were good enough. They didn't have to pay their ransom. This is possibly the best possible outcome from a ransomware attack is you didn't have to pay the ransom. Your backups were good enough. You're able to, you know, keep on keeping on. Great. But then there's the 17% who didn't pay the ransom and weren't able to recover from backup. So their backup systems weren't good enough and also for one reason or another, they couldn't pay the ransom. Then the largest chunk here, and I don't want this to be an endorsement or anything, but these are the people who paid the ransom and then the decryption worked and they were able to carry on from there.
And I know it's a large chunk and once again, it's not an endorsement, but it is kind of a reflection of what ransomware actually is: it is a criminal enterprise. It is a business. It is, like, you know, for better or worse, there is incentive for them to provide some level of customer service where if you pay them, they will, like, you know, be able to at least be able to recover for you. And then there's, like, the 12% where you pay the ransom and they weren't actually able to recover. But going back to that earlier point where paying the ransom does work, quote unquote, in terms of a recovery, it will not guarantee you a fast recovery because from our experience and from IDC data, not included here, but, you know, from other studies, that the decryption tools that they give to their victims after a ransom has been paid are not exactly optimized and it still ends up taking two days, three days, a week to run those decryption tools to get their data back. And the drawback to that on top of all that is you haven't solved the problem that got you infected in the first place, which means that you're likely to become infected again or attacked again later on.

Yeah. So these stats really stood out to me that, like, this is a viable attack vector for bad guys. Right? They're practically looking at the backups, like to what you said. Not an endorsement, but it really tells the story of if your backups were working and were able to withstand the attack, you would definitely take advantage of those. But also, this is where we get to the core of the problem and the solution. In a world where we're assuming breach, you know, where we accept that prevention will have, you know, gaps. The only thing that really comes down to is how fast you can restore, which we've talked about. So think about it from a company perspective. For as long as you're down, what's actually the result of that? You're losing customer trust.
Your brand is taking a hit. And the longer you're down, all the pressure continues to grow. The executives want answers. The board wants to know when you'll be operational. Customers are starting to call. Maybe, you know, your company's starting to be in the news. And this is where most organizations just hit a wall with all the traditional data protection approaches. Because as the analysis work goes on, when you're trying to see what's been compromised, which kind of backups are clean, when the attack started. All of that is happening during the attack. And so when you're under maximum pressure, when your team is really on the clock, and so that creates an added challenge you can't just work around. You're having to rehydrate the data just to scan it. You're doing all the forensics across all these different types of systems. You're trying to reconcile information from different types of data protection tools. You might be going through a huge number of manual steps just to restore all of your domain controllers on all of the identity systems. And so, no amount of faster storage or faster networks can solve that main kind of problem. The problem when you're doing all of that work during the time of an attack. But so what if you could do all that work before the attack? What if your platform was continuously kind of analyzing all of the backups, you're starting to build insights, you're identifying threats, you're pre computing which restore points are clean. And so that's what the fastest cyber RTO is kind of all about. Not just having fast infrastructure, but being able to have the insights for when you need it most. And so when we think about the data on the actual recovery times, it's super super interesting. As Johnny kinda mentioned in the last slide, encryption tools not always the answer. Paying the ransom not the fastest way to get back online. And so interested, from your perspective, Johnny, and customers research you've done.
What are you seeing on the actual recovery times of companies?

Yeah. And that's a good point, Justin, that the slide brings up of how every hour costs you. And this is the IDC data. Again, same survey, of how long customers were out of business, you know, how much downtime they suffered from a ransomware attack. And I wasn't able to capture this in that last data point that I had about data exfiltration, but I'm curious. How many people do you think paid the ransom because they thought that it would be faster than what they could do on their own, you know? Like, this is kinda like the result of that is the largest chunk here, 40% said they were out of commission for a few days, so more than a day. And a tiny percentage, well, I wouldn't say tiny. It's not the smallest bar, but 13% is still not where we wanna be. So that's, took less than a day to recover. But, you know, the majority is taking a few days or longer to recover from a ransomware attack. And so the idea that if you think you can pay the ransom to get a faster recovery, they could get that for faster than a few days, then it becomes a tempting option even if they know that they do have a backup system that, like, you know, that they have good clean data they can recover from. They just know that it's gonna take a while to do that recovery. And it just kind of highlights that the speed is important because if your backup system is slower than what the decryption tool can do, why have the backup system at all. Right?

Yeah. I think that's something I think we've heard some anecdotal stories ourselves on the Rubrik side of customers that or market of these companies who've been attacked paying for the decryption tools and, ultimately, it was still faster to restore. Right? So it's kind of like a two prussed out of, man, we paid and then we still had to recover our own kinda data with our own tools.
And so with that, thought that'd be a good segue into kind of paint the picture of what actually happens when these organizations get hit with the cyber attack when they are kinda using traditional recovery tools. And so if you look at the time line, you've got kind of any normal day. Everything is fine. People are working. Systems are up. Life is good. Right? Then there's the initial compromise. It could be a phished credential, could be an unpatched vulnerability, but ultimately, the attackers are in. Right? Now here's where things start to get super scary. They don't just immediately blow things up. That's not how these attacks work now. Right? They spend time. Sometimes days, weeks, they go through the environment, they move across the environment, they try to figure out where all of your valuable stuff is and they're establishing persistence. They're exfiltrating data like we talked about. They might be copying customer information, your IP, all of the financial records, and all while, you know, it all just seems fine, and you have no idea that they're there. But then comes the malware and the encryption itself. And that's when everything comes to a stop. That's when you find out that you've been compromised. People are trying to log in for the day and they can't. And this is where traditional recovery becomes the actual nightmare. First, you're scrambling to try and to scope how bad it is. What systems were affected? How far did they get in? And this all takes time because you're looking across all of these disconnected systems. You're trying to find out what's going on. And then you're trying to figure out, you know, when did this all start? Was it three days ago? Was it three weeks ago? Three months? And you need to know this because you need to restore before the actual point of infection. But you're actually having to manually go through logs and hunting through all your backups, trying to find that one backup that's actually clean.
And here's the problem. You might have a couple thousand restore points across the system, which, you know, which ones have the dormant kind of malware, which ones are safe. And so with traditional systems, you're trying to rehydrate full backups just to scan them. You have to mount it, scan it, find the malware, throw it out, try the next one, and this can take days, weeks. And then you're trying to figure out what sensitive data was exposed. What do you need to report on? What do you need to tell all of your existing prospects and customers? And so this is all the manual work. And only then, after you've done all of that leg work, can you start to restore. And so this whole mess takes days, sometimes weeks, sometimes months for super large kind of systems. And so think about what that means on the company side. This is the reality of traditional reactive approaches. It's not because IT teams aren't working hard. Right? It's because the process itself just doesn't work. Traditional backup systems were built for a different time, for hardware, kinda mishaps, natural disasters, but not attacks. And so now, you know, let me show you the same scenario, but what this looks like on the proactive recovery strategy side. And so it all starts the same, looks the same. Things are operating fine. Then there's the initial compromise. And so the attackers are still in, they're still doing all that recon, they're still moving across the network, they're still establishing persistence, exfiltrating data, and eventually, they deploy the malware and encryption. But here's what the difference is. While all that is happening, while the attack is progressing, your data protection platform, your cyber resilience solution has been working in the background. Continuously, it's been analyzing all of the backups as they're created. It's building all the insights that you need. It's looking for all of these anomalies. It's scanning for threats.
It's pre computing which recovery points are clean. And so when the attack happens, when you discover the encryption or the data theft, you don't have to start from scratch. And so if you look at that timeline, instead of days or weeks of scrambling to do all that leg work, you can get your company back online super quickly. So faster cyber RTO. And so that's what the difference is. And so the attack becomes a blip, not an existential crisis that keeps your company down for an extended period of time. And so this is the key insight I wanted you to take away. You know, this isn't just about having backups. All organizations have some level of data protection. This is about having the insights when you need them so you can get back online quickly. And so remember what we talked about before, the evolution from data protection to cyber resilience to the proactive recovery approach. And so you still need all the zero trust data protection as the foundation, air gaps, and immutability, and encryption. That ensures your data can survive the attack. But you still need the insights into your data, anomaly detection, threat hunting, sensitive data discovery that helps you understand what just went down. And so here's the thing. If you're doing all of that in analysis and language after the attack kinda happens, you're still stuck being on your back foot. Right? The breakthrough is doing it before things strike continuously. So when things happen, you have all those key answers. And so, Johnny, just curious on your thoughts on kind of this different approach. Right? It's a new way of thinking. I think it's where the market's going, but curious if this is what you're seeing and what stands out.

Yeah. Absolutely.
And I think, Justin, the way that you kinda illustrated what the weaknesses of the reactive approach versus the proactive approach is, like, that's really important because I think there's a pretty good illustration here of if you're stepping in after boom, you know, after detonation, you're already way too late to fix a lot of those problems. And that's not to say that you can't recover necessarily, like, you know, that things are, you know, broken beyond repair. But that recovery is definitely going to take longer. It's gonna be a lot more stressful because you're still doing this, you know, while things aren't working. So, you know, your business overall is losing money over that period of time. There's so much more that could be done if you transition to a more proactive strategy. If you have systems in place that are looking for anomalies, looking for malware signatures, and just assuming the worst, you know. I mean, again, it all comes back to it's not just paranoia. This is that prep work that you need to do so that you're able to achieve that faster RTO to be able to, as you've described it, turn an incident into a blip on radar instead of, you know, weeks of downtime. And we are seeing those kinds of capabilities not just from Rubrik, from other vendors as well. We're seeing a push from customers wanting to embrace those kinds of capabilities and, you know, more inquiries on is there a way that they can build that using the tools that they have or, you know, if not, then, you know, what vendors they can do. Like, you know, there's certainly an interest in achieving this fast cyber RTO as you guys are describing it. And this all kinda comes back to what I would describe as the three pillars of cyber resilience. So, you need absolute data survival, which traditional backup is already pretty good for. So, like, you know, kudos for that.
But then the next pillar is guaranteed integrity of that data. So that data has to be accurate and it has to be recoverable. So two points there. One, the integrity point is important, obviously, because if you're restoring data that's been tampered with in any way, it's as bad as or worse than just not recovering that data as well. Because if you're recovering that data, it's all, like, obviously tainted in some way or you don't know if it's tainted in some way, then, like, what's the point? So the data integrity is actually really important component of, and that's why it's the second pillar. And the third pillar, which you're highlighting here, is that rapid recovery. Because again, to a point that we're discussing earlier, if it takes you weeks for your own internal recovery process to take about two weeks or whatever, you're just gonna be so tempted to just pay the ransom anyway because you think that the ransom for pre dual isn't gonna take quite as long. So those are the three pillars and it all kinda goes back to that.

Right. And I think, just fundamentally, it was kinda like this idea of, hey, the stopwatch doesn't start once the attack happens. Like, you should already be doing this work proactively ahead of time. I think you were talking about it kinda in the lead up to this call of, hey, the bad guys are spending a lot of time and effort trying to bleeding into the attack. We need to be putting that same level of effort and preparation, assuming things will go bad. Right? And so I think that's a delta, like, to your point on some of these common attack vectors and some of the best kind of practices on zero trust. It's like some of these things are known. I think what's different is they're thinking of taking it from that back foot approach to how do we much more take advantage of these tools and capabilities more proactively before. Right? And so just to kinda make this a little bit more clear and more concrete.
And so, like, how does this all happen in the background just to help us think through this? Well, it starts with that assume breach mindset that we've been kinda talking about on the call. And that means that you're not hoping attacks won't strike, but that you're prepared for when they do. And so the key is doing all that, that you're doing all of that key kind of analysis work can, in the background on each and every backup that you're taking during day to day kind of operations. And so think about what your backup process looks like right now. You take some kind of a backup of a system, you move it to the backup storage, you keep it for x amount of time, done. You know, box checked. But what if, you know, every time you take that kind of backup, you were taking a closer look at it. You're building some insights from it, pre computing the answers that you would need if you were to be kind of hit with some kind of threat. And so that's what kind of changes, that shift. And so during normal operations, while your business is running smoothly, while backups are happening automatically in the background, the platform is doing its job. It's starting to look at what the potential scope of attacks by understanding your data landscape and all of the related systems. It's identifying points of infection by kind of analyzing changes and anomalies over time. It's assessing sensitive data impacts by classifying what's actually in the system. It's finding and quarantining some of that kind of malware proactively. It's identifying which backups are clean, and can be restored from. And all of this is continuously happening in the background on each and every backup. It doesn't need somebody to kick off all these operations by hand. So this is what proactive recovery means in kind of practice. This is the architectural difference that counts, that you're not just waiting until the crisis to do the work, like we've been kind of saying. 
You're doing it well beforehand when you have that extra time. And so now here's the critical point of difference between reactive and proactive recovery. This isn't pie in the sky. Right? Organizations are doing this now, and we're seeing more of it in the market. So we covered a lot of ground. Wanted to start to recap things before I ask, kinda Johnny a couple more questions. And so first, the key takeaway is that data protection has fundamentally shifted. The threats have changed, the attacks have changed, and so that means that our approach needs to change. Second is attacks on backups are super top of mind. I think some of the data that Johnny showed that over, I think, half of organizations are seeing that their backups are being attacked. But the good news is that these common kind of vulnerabilities can be addressed. Things like air gaps, encryption, immutability, these aren't nice to haves. These are set requirements that we need to implement and I think we know what those are. Third, traditional backup is just not enough. Zero trust principles will continue to be a crucial part of the foundation, but you also need the insights, anomaly detection, threat hunting, sensitive data discovery, all those things to help you kind of understand what risks you have and where they are. Fourth, data exfiltration. Top of mind kind of problem and will continue to be and recovering without paying their ransom is getting a little bit more challenging and difficult. But with the right approach, all of those things that we talked about, you can get ahead of that risk. And lastly, you know, in this world where you can't prevent all attacks, the only thing that it comes down to is the fastest cyber RTO. 
And so most recoveries are taking weeks, months, but with proactive recovery strategies with that assume breach, you know, kind of mindset and approach where you're pre computing all of the answers to those top of mind questions on each and every backup, you can compress that timeline down. And so this is the natural evolution that we're seeing. Data protection to cyber protection to proactive restore. And so now, Johnny, before we wrap, I wanted to get your perspective on a few things that were top of mind. I think a few folks on the call would be interested to hear as well as, one thing that I hear all the time from IT teams is this tension on who owns what. They'll say, hey, security is not my job. I'm an IT or, you know, flip that. And so when you look at everything we've talked about today, kind of the need for these kind of, knowing what we're protecting, the assume breach approach, the focus on cyber RTO, it feels like that mindset's not the right one as we move ahead. And so curious on your thoughts on the relationship and the dynamic between IT and security in this new world of kind of getting ahead of these attacks. Yeah. And that's a good point, Justin. And this is also a beautiful summation slide of everything that we had talked about earlier. But that is one of the challenges that customers have been telling us when we ask them and also out of surveys. There's the recognition that in order to address cyber resilience, cyber recovery, there's going to be the traditional data protection element and then the security component. And those are two separate disciplines and two separate teams. So that exact mindset does come up that you said where someone from, like, you know, from the IT side of things, the backup admin, says, well, the security stuff is outside my scope. I don't understand malware detection, identity protection. These are all, like, security related stuff. Why am I being dragged into this? 
And one of the big challenges is, like, understand that there needs to be a collaboration between those two teams. And it doesn't mean necessarily that, you know, a backup admin is now suddenly doing some sec ops work. But there needs to be systems in place so that, one, you have tools that can detect some security related weirdness going up in the backup tool, like, someone with backup admin credentials is logging in at 2AM from a Russian IP trying to delete backups. That should probably be flagged. Granted, it's a security issue and it's not up to the backup admin to resolve it, but it is up to the tools and the backup admin if they saw it happen to have a way to, after spotting it, move it up the chain to someone who can deal with it on the sec ops side of things. So there needs to be that level of collaboration, not so much that, you know, the expectation isn't that the backup admin is going to fix this, but is able to, like, you know, have the tools necessary to escalate it to someone who can. And so that's the level of collaboration that we're talking about. It's both a tool thing and a staff and strategy kind of thing where you need your tools to be able to have that sort of linkage between the backup tool and the data protection tool and the security tool. But then also the training and developing an understanding of the need for that collaboration between that. Because as of right now and again, from a different study, and I don't have the data points for this presentation, but that is one of the challenges that gets brought up when we ask what are some of your challenges when it comes to cyber recovery. And there's a lot on the tool side for sure, of, you know, they're not sure they're deploying the right tools or implementing them and, you know, using them to full potential. 
But one of the biggest, biggest challenges that come up is organizations not understanding how to facilitate that collaboration between backup admins and SecOps. Correct. Yeah. I think that's exactly what we see as well. It's right. It's like you need both perspectives. Like, if IT and ops is kind of on the hook to get the data back online, but needs to work very closely with security to make sure that everything checks out, you know, if they can even just point out where to look first, I think just helps. Right? And so I don't think that's something that we've seen in the past of, hey, we have to just go through all these backups, mount and scan, just keep doing it until we find the right one. But if we're able just to even give a place to look to start, I think that helps. Right? So just to what you're saying, being able to bring tools that will allow the conversations, not intended to circumvent different teams, but just, hey, we all want the same thing. Right? And are we able to give us tool to actually do that? And so looking ahead, where do you see the cyber recovery market going over the next, let's say, two to three years? Because it feels like, you know, we're at this inflection point where organizations are starting to realize or have known that traditional backup isn't the right tool, but not everyone knows what's gonna come next. Yeah. I think what we're gonna see from a lot of data protection vendors who are specifically trying to move beyond just the data protection and move into cyber recovery is we're going to be seeing, because there's demand for this, more of a service oriented, like, offerings, because the tools are there. But I think, from what I'm seeing and, like, you know, from my evaluations of some of the challenges that companies are running into is these tools are there, the skills are not. 
And so they're kind of expecting or hoping that their data protection vendors have offerings that can either upskill the teams that they have and help them with their collaboration between the IT ops and the sec ops, and help them train that way. Or barring that, offer some kind of service package, like, you know, maybe something along the lines of, like, incident response resources that they can tap because they know that their own level of expertise within their own organization is lacking when it comes to, like, you know, what to actually do during a cyber incident. But if we have this third party from our vendors that we can pull in, you know, and we subscribe to that service and, you know, we're willing to pay for it because, you know, we know that our own staff isn't trained enough and don't have the expertise. So they're looking for something to fill that skills gap. So I think that's one of the main trends that we're seeing and we're kind of tracking because we've kind of reached a point where many of the technology and tools challenges have been I don't wanna say solved because that assumes that it's over and all our problems are dealt with, but at least are being addressed and addressed well. And then it's really that skills gaps that's really the problem right now. So that's what I expect to see coming down, like, six, twelve, eighteen months down the line of how cyber recovery is going to change in terms of product offerings. And then related to that, because, you know, no conversation about technology is not gonna bring up AI in some way. We're gonna be seeing AI enablement for data protection tools inside and by extension cyber recovery capabilities. But we're also going to see organizations becoming more adept at using AI and building AI into their own applications or using applications to enhance some part of their business. 
And then by extension from that, once that takes off, we're gonna start seeing bad guys trying to find ways to exploit and extort AI in that way. So cyber recovery and ransomware and all that stuff is going to move towards finding ways to counteract that. And then one other thing that's kind of related to all this is post quantum cryptography. We'll certainly be something to watch out for in the low cyber recovery. Certainly, right now, the I would say there's only a limited couple of industries that need to be very focused on it right now. Like, you know, if you're working for government and you're rightfully afraid of foreign entities with a lot of financial backing gaining access to quantum computers to start, you know, breaking through our current level of cryptography. Right now, it's probably limited to, like, just those entities. But as this becomes much more common, and bad guys start getting more access to these kinds of resources, then it will become a larger problem for, you know, anyone in finance, you know, anyone in manufacturing and needing in ways to counteract this kind of stuff. So that's kinda what we're seeing coming down the pipeline. Awesome. Yeah. Super exciting to see all the growth and continued kind of effort and focus that's been put here. Definitely, I think the industry's already come a long way and I'm really excited to see some of these new AI tools especially helping scale and guide customers. To your point, little bit scary because we know the bad guys are using those tools as well. So there's a little bit of an arms race, but I think from a cyber RTO perspective, lots of interesting things on the way from the AI side. Alright. Thank you, Johnny. Super great to have you. Thank you so much for joining us today and sharing all that research and perspective. Super interesting and helpful. 
And to everyone else on the call who joined us, thank you for your time. I know you all have a lot to do in your day to day. The fact that you spent some of your day with us means a lot. Here's what I want you to take away. If you remember one thing, just remember this. You can't prevent the unpreventable. Attackers will unfortunately get in. So the question isn't if you'll be breached. The question is how fast your cyber RTO is when they do get in. And the fastest cyber RTO doesn't happen by accident. It doesn't happen during the attack. It happens because you built your solution to address it, because you prepared for it, because you took the proactive approach. And so if you wanna learn more about, you know, what we talked about here on the call, we've got some additional resources available. Just reach out to the team. And if you wanna talk about your specific environment and some of the kind of struggles and challenges that you might be faced with, we're here to help. And thanks again everyone. You know, stay safe out there. Assume breach. Prepare proactively and focus on that fastest cyber RTO. Take care.