Video: Foundations of Cyber Resilience | Duration: 1808s | Summary: Foundations of Cyber Resilience | Chapters: Introduction to Cyber Recovery (25.150002s), Cyber Attack Recovery (121.095s), Cybersecurity Recovery Preparedness (214.41501s), Cyber Recovery Challenges (333.30002s), Malware Impact Assessment (446.62997s), Rubrik's Zero Trust Approach (686.51s), Data Security Posture (1163.2001s), Cybersecurity Recovery Plans (1442.21s), Recovery and Isolation (1685.42s)
Transcript for "Foundations of Cyber Resilience": Us today. I'm Nicholas Groo. I'm one of the field CTOs for EMEA at Rubrik. And today, the goal is to actually talk a bit about cyber recovery, about our idea of resilience, or what it means today with, unfortunately, I would say, a lot of the changes that we've seen in the past years. And we've continued for the past four, five years to actually spend a lot of money in actually trying to prevent cyberattacks. And I would say that the newspaper will not actually tell me otherwise. It is still a very big thing. We've seen that starting very much in 2020 with COVID. That's where really we've seen a big rise in the amount of cyberattacks. And, unfortunately, despite the amount of money that we are actually injecting into the business, ransomware is still very much here. And, I mean, they've been switching, I would say sometimes, from targets. We've seen a lot of public sector type customers or hospitals being attacked in 2020, 2021. But we can see now that really every part, every vertical is actually affected, and that's really, I mean, in the news, unfortunately, kind of every day. And that's, we think, because a lot of focus has been put on preventing things from happening and, unfortunately, not on being ready to actually, well, recover or, like, make something out of that cyber attack and be back in business as quickly as possible.

And that picture may not actually say much to you. That person is the CEO of the company called Colonial Pipeline, which is an actual oil and gas pipeline on the East Side of the US. And that person, well, his company was victim of a cyber attack. They had to shut down oil and gas, well, pipelining. I don't actually know what the actual word for that is in English. But they had to stop that for several days because of the cyber attack.
And while bringing the whole thing back, he still had to go in front of the US Senate to testify on what actually happened, what they did to actually, well, solve it, recover from it, and what they put in place to prevent it from happening. Because this is also the main goal: how can you make sure that you are ready? And that is really, I think, a key mindset change. How can you be ready? How can you anticipate those to make sure that even in the case it happens, and unfortunately, we've seen that it probably will, how do you actually recover from it, both in terms of the company, but also the actual company's image and reputation and all that, because that's the kind of thing that will be affected. And, I mean, we have lots of examples, I would say, in the past couple of months. We talked about Marks & Spencer. We talked about other actual retailers in the UK, but we have examples in Germany. We have examples in France. We have examples pretty much in every single country. And it really goes down to: are you actually ready to, well, recover from that kind of attack?

And that's really where that idea of RTO, recovery time objective, that we've known for decades, I would say, in IT, really evolved in a certain way, because it won't be the same thing. For years, we talked about the RTO, about the fact that, oh, yeah, we have a fire in the data center, and we can just, like, shut down everything, go out into our second data center, and just bring back the entire thing. And we've been prepping for that. I've been in IT for twenty-four years, unfortunately, I think. And I've been doing that forever. I was, I think, twenty-three years ago, doing complete disaster recovery from one side to another for an oil and gas company in France. That is, like, the default type situation that everybody has been trained on. But cyber recovery is completely different in the sense that you won't face the same issue.
You may not have something to recover to. And that's where the big issue is, because the contamination may be everywhere, because it would spread out in the entire environment, in multiple data centers. It could even spread out to the cloud if you have a hybrid environment, and I'm pretty sure some of you do. And that's really it. If you don't have a cyber recovery time objective, as opposed to an actual RTO, well, maybe you're missing out on something. And it's really something that we've seen a lot of companies investing into and going after, an idea of cyber resilience. If actual malware comes in, how can I make sure I will survive? How can I make sure the company will be there and will be able to survive that thing, or at least go back as quickly as possible? And it's really that idea of time that I want to spread out once again, because it will be vastly different from what you've been seeing and what you've been experiencing for the past years.

Because, for a lot of you, I guess, it has always been: well, something happened. Let's restore from our backup. We have the backup. That's what they are exactly made for. It has always been an entire copy of your data center's data, of your production data, into a separate storage waiting for production to break. Production breaks, you restore from the backup, and then voilà. Unfortunately, with the malware, that will be vastly different, in the sense that the first thing, you'll need to know what's impacted. And that's the kind of, well, investigation that takes time. In the sense that you may know very quickly what is that, what is encrypted. Machines are encrypted. How many? Then the whole idea is, what do you do with that? In the sense that most of the time, the machines which are encrypted are not responding, not being able to do anything, but you may have a lot of them. So what do you do? What do you recover first?
Because that's really the kind of idea where, well, can we recover everything? If you have 400 VMs, yeah, probably. Yeah. Recover the VMs, recover the databases, BW, or not. We'll see that afterwards. But if you have 4,000 or 40,000 VMs, 70,000 VMs, like some of our customers, can you really recover everything? Yeah. Should you? That's the next question. What's the priority? And that's the kind of thing that in a cyber resiliency plan, you need to think through first. There is really a big part of proactivity that needs to come in place to understand what you should be doing, because you'll need to find out what was impacted, find how many of those machines or databases are not good anymore, and then identify when the malware may have got in, but also where it may still be, because that's the big issue most of the time. The hackers will encrypt themselves. They will also encrypt the actual machine they use for the infection, for the encryption of all the others. And so you have machines which host the malware, and you have machines which are just, you know, side things, where they actually got encrypted because they're web then, but they don't host the malware. And that would make a big difference, because if you restore one of those machines which hold the malware, well, after it reads, it would probably restart encrypting the whole thing again, which means you're going back now.

You'll also need to do things, and that's, like, front and center, that idea of what is the impact on the sensitive data. That's actually something in those types of crisis that you may want to do quicker than being right front and center in the page, because, and talking a lot about Europe, and specifically about mainland Europe and all the countries which are subject to GDPR, for example, you actually need to go back to the regulator, so to maybe you, within twenty-four hours with the type of data and the amount of data that may have actually been exfiltrated.
Twenty-four hours, depending on the size of your environment, may not be the easiest thing to do. So better to install that as quickly as possible. And once you've found the malware, once you've found which machines actually hold the malware that are encrypted, then you can quarantine them and stop the program. And, unfortunately, it won't be as fast as me saying it. This will take time, and I'm not talking hours or days. We've seen it with Marks & Spencer, and I'm gonna use that for a bit, unfortunately, because that actually just happened, and it's very fresh. At least info wise, we have a lot of information about what's happening. But, yeah, it's really something that will take down, and we're gonna see that afterwards.

But we actually decided to do things a bit differently, in the sense that, and I've been working in IT and data protection, as I was saying, for twenty-four years, I've been very well aware of the idea of the other backup software and how they're running. But we've decided to do things in a completely different way. Because eleven years ago, when Rubrik was created, the whole idea of our founders was: can we actually change the paradigm? The paradigm, as I was just saying before, is that your backup is a complete copy of your production waiting for it to break. Well, it's 2025. We have all that data sitting in very expensive hardware doing nothing for most of the day. Can we actually use it? Can we try to make sense out of it? Can we actually get value out of that data sitting there doing nothing for most part of the day and give that value back to our customers? And that's really where we started getting into what we could be doing and bring value back. The whole idea at the beginning was to actually get the fastest recoveries possible, so that you could actually use that data with what we call Live Mount.
But very quickly, we built that idea of a native threat engine, so that with all the data that we were backing up, all the data that we were indexing, because we're gonna be indexing all that data, why not actually look into that data for known threats? Or actually look into that data and find out what type of data it actually contains. Maybe it's PII. Maybe it's PCI data, like personal information or banking information, or very specific things from the company that you care about. All the, like, IP from the company needs to be protected. That's the value. That's the asset of the company. We need to protect that. And that's really that idea of combining the data that we back up, the metadata that we create from it, and running that through our native threat engine to get you value out. And that keeps on evolving. We will talk about AI integration afterwards, but it is really one of the fundamentals of Rubrik, that zero trust architecture, and I could spend hours talking about how it is secure, how it is actually made immutable, but how you can actually use it to get some value out of all that data.

And as I was saying earlier, unfortunately, the big difference will be in the time. And we've seen it again with Marks & Spencer: they went back on track after several weeks, because they had to go through all of what you can actually see on screen now. Like, having all of those steps, finding out where you are, finding out what you need to do, finding out which actual data is safe to recover. And that is, I think, the most critical part. Finding out what is safe to recover and actually going through the whole thing. And, unfortunately, as I was saying earlier, most of it is somewhat something proactive that you have to do. And we've seen a lot of companies actually going into that idea of what's my minimum viable company. What are the actual applications that I care the most about?
What are the applications that I need to recover first? What are the applications that will make sure that money still comes into the company, that I can still pay my employees, because that's also part of the issue. And that is really something that the regulators are also starting to push, which is interesting, because it is really going into the sense of what we were doing. But this is really where we can make a huge difference, and I will explain afterwards how technically we get there. But, really, the idea is to find out from yourself or your company what are the, what we call, MVCs, minimum viable company, minimum viable applications, what needs to be back, and ensure that you can bring them back as quickly as possible in a completely automated fashion. And that with the sole goal of reducing those weeks of potential recovery from a ransomware to a few days, maybe less if you're lucky, and everything is established, everything is ready to actually run, and you can obtain the whole thing and, on the click of a button, recover the entire set.

At Rubrik, I will go through a bit on, I would say, the technical features of the whole thing, but it's not only that zero trust architecture that we bring. It's also all the things like Rubrik Zero Labs. We have our own threat intelligence business unit, which is doing research, which is creating threat intel, library rules, and all that, and actually publishing it directly onto all the whistleblowering sites and all that. We have partnerships with a lot of other companies for that, and I will talk about that later on. But they're also grabbing their own sources from our ransomware response team, which is a team in Rubrik support which is solely dedicated to that very purpose: help our customers to recover in case of a ransomware attack. And that is a service that we give for free as part of our support.
All our customers are eligible, and, well, they will be with you from, I would say, A to Z, really helping you out, aiding in that ransomware recovery, making sure that everything is set up, giving you some best practices, and helping you out the best they can. And all that comes with a ransomware warranty of 10,000,000. We're so sure that the platform cannot be breached that we're actually putting money where our mouth is, and that is, I think, another big testament of what we want to bring to our customers.

Talking a bit about technology and what we're doing, I won't go into too much detail on what you can protect, what you can actually back up, and where you can do that, because we won't have enough time in that webinar. But feel free to reach out or send questions, if you want, through the chat, and we can talk about that later on. But, really, the idea is to make sure that we can back up the data wherever it is, from the data centers to the cloud, being SaaS or PaaS, but also everything identity related, because, unfortunately, and we've seen it again, Marks & Spencer, but others as well, identity is the prime target of hackers, if not the actual way of entry for them. And, unfortunately, that is one of the key parts that needs to be protected, and you need to ensure that this is spot on. But as I was mentioning earlier, one of the key ideas of Rubrik is really to bring value out of those backups, and that is really what we do on the right side of your screen. The first thing, and I think that there's really that idea, I mentioned that already, but that idea of proactivity, of things that need to be done even before talking about the reactivity. I mean, in the end, we have the backup. We will be there to recover all of those. But how is actually a big thing.
And proactivity wise, we have, I would say, various things, but the whole idea is really within that data security posture that you have in the middle of the screen, which is really helping you out identifying that sensitive data, in the sense of telling you where your PII data, PCI type of data, is located. Also, anything which is specific to the company that can be regressed, we will be able to find it out, just to make sure, and that's actually one of the key elements, that you know where data is. Because, unfortunately, that's what we see a lot in a lot of those attacks. Customers get data exfiltrated without even knowing that some data was there. And that's one of the key and fundamental problems. If you don't know what data you have, if you don't know where data is, well, how can you even know what your applications are doing, or what the entire set of, well, applications that you have, moving data, moving pieces everywhere, is actually doing? And that is a key thing.

So we will be going through that, but also going through that idea of user access, user analysis, in the sense that we will be looking for how many users have access to specific types of data and if there are any changes in what they're doing. Maybe you have users with access to too many files. Maybe you have files which are completely open to everyone. We actually had a customer with that not so long ago, where I got to a meeting with them, and they were having lots of files on the NAS, like, 7,000 files on the NAS being spotted in red with no permissions, no ACLs, completely open to everyone. And through the product, we managed to identify the list of files, and the customer was, guys, there's no way that all that is open. And I was like, well, it may be a false positive. Can we connect to that NAS, of course, and double check? And, unfortunately, we were correct, and those files were completely open.
The only thing I could think of, because that was a very old time, but that was a period of, like, five years, then we're completely open. And the only thing I could think of was really like a bad GPO, something that just reset the main passing, and that was it. And that's really the kind of thing that, if you don't know about it, those files will be there without protection, potentially forever, until they get deleted. And I'm French. Trust me. We don't delete much data anymore. And not figuring out enabling you to track potential violations as well. I mean, we are backing up your Active Directory. We will be checking on the users. We will be able to tell you if there is anything which is out of the ordinary: users with too many accesses, users with access changing. And maybe, I mean, you've been working in IT for long, and you can see that all your colleagues have a certain set of privileges. And suddenly, one of the people from HR gets access to, well, all the files that you have access to. And it may be normal, and maybe that person evolved in the company and got into IT, or maybe suddenly her privileges or his privileges were bumped up because his or her account got hacked. Unfortunately, that happens more than once.

And that is really what we need to track down proactively: what is happening, who has access to what, what is the type of data, what makes that minimum viable company as well, and make sure that you can start creating those cyber recovery plans in that orchestrated recovery on your bottom right, because those will actually be application blueprints of your entire tier zero, tier one, tier two type environment applications, to make sure that you can actually recover out from it. Creating those plans of what needs to be recovered, how they need to be recovered, where, and potentially make an actual bubble and go through the entire thing. And that's another idea of it that I will talk about in a minute.
And, unfortunately, despite all your efforts, something happens. You get hacked. Your data, your machines get encrypted. That's where Rubrik will actually kick in automatically. By default, every backup is indexed. We will check through our Mandiant integration. We have a partnership with Mandiant, which lends us the IOC database, those indicators of compromise, where we will actually look out and find out which machines are actually encrypted, but also by what. We will bring that up so that you can quickly identify which machines are compromised, what you need to do, but also let you know since when, which backup actually started showing up those things. And it could be that it went completely silent because it's a zero-day attack or something that was created specifically for your company, which fortunately is something that we see a lot. But if that happens, your SOC team will be all over it. You'll probably get help from some other companies that will create those IOCs. You will be able to pass them into Rubrik, into our threat hunting module, to actually go down, identify which machine is actually impacted, which machine is infected, and since when, so that you can identify the, well, best recovery point, the day or the hour before it actually got impacted, and then you'll be able to recover the entire thing, well, recover clean data.

But, unfortunately, it may not be the case, in the sense that, let's say you have 2,000 VMs that are encrypted. You run through all the things, and you end up finding out that you have 10 VMs which actually hold the malware. Those 10 VMs, well, I would say they cannot be recovered, or maybe you need to, in the sense that those 10 VMs are maybe, I don't know, web servers. Well, Tomcat server, IIS server, fine. Kill it. Make a new one. The good thing, if you think about it, is that you have 10 machines which are known to be infected. That also means that you have 1,990 machines which are okay.
You can start recovering them, or batch recover those 1,990 machines, and then focus specifically on those. And as I mentioned, server hit it. Big SQL server, most important thing in the company. What do you do? You need to recover it, and you don't need to recover it to the, I would say, the cleanest copy, which may have been a month ago. Because, in fact, the hackers tend to stay quite long in the environment before striking. Can you actually recover back a month ago on your biggest SQL database? Probably not. So what do you do? Then you use the orchestrated recovery feature, as I was talking about, and recover that in isolation. Recover that into your, what we call, IRE, isolated recovery environment, and get your SOC team access to that isolated environment so that they can clean that. Bring them the actual latest known backup that you have so that they can clean it up and
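The triage the speaker walks through (IoC hits per backup, splitting the 10 malware hosts from the 1,990 collateral machines, picking the last clean recovery point, batch restore by tier, and routing a stateful system to the isolated recovery environment) is shown below as an added example. It is not Rubrik code or a Rubrik API: the classes, fields and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names, fields and sample data below are constructed for this example.
@dataclass
class Snapshot:
    taken: datetime
    ioc_hits: tuple = ()      # matched indicators of compromise, e.g. ("hash:encryptor",)
    encrypted: bool = False   # backup content already looks encrypted

@dataclass
class VM:
    name: str
    tier: int                 # 0 = minimum viable company, higher = later batch
    stateless: bool           # rebuildable from an image (web/app front ends)
    snapshots: list

def _ordered(vm):
    return sorted(vm.snapshots, key=lambda s: s.taken)

def classify(vm):
    """Separate machines that host the malware from collateral encryption."""
    if any(s.ioc_hits for s in vm.snapshots):
        return "hosts_malware"
    if any(s.encrypted for s in vm.snapshots):
        return "collateral"
    return "clean"

def last_clean_snapshot(vm):
    """Newest snapshot taken before the first one showing IoC hits or encryption."""
    clean = None
    for s in _ordered(vm):
        if s.ioc_hits or s.encrypted:
            break
        clean = s
    return clean

def plan_recovery(vms):
    """Route every VM to batch restore, isolated recovery (IRE) or rebuild."""
    plan = {"batch_restore": [], "isolated_recovery": [], "rebuild": []}
    for vm in sorted(vms, key=lambda v: (v.tier, v.name)):   # tier 0 first
        if classify(vm) == "hosts_malware":
            if vm.stateless:
                plan["rebuild"].append(vm.name)               # "kill it, make a new one"
            else:
                # Stateful system (the big SQL server): rolling back weeks is not
                # acceptable, so hand the newest unencrypted copy to the SOC in the IRE.
                usable = [s for s in _ordered(vm) if not s.encrypted] or _ordered(vm)
                plan["isolated_recovery"].append((vm.name, usable[-1].taken))
        else:
            rp = last_clean_snapshot(vm)
            if rp is None:   # every copy is encrypted: SOC has to look at it first
                plan["isolated_recovery"].append((vm.name, _ordered(vm)[-1].taken))
            else:
                plan["batch_restore"].append((vm.name, rp.taken))
    return plan

# Constructed sample inventory: three daily backups per VM.
D = [datetime(2025, 5, 1) + timedelta(days=i) for i in range(3)]
INVENTORY = [
    VM("web01", 2, True, [Snapshot(D[0]), Snapshot(D[1], ("hash:encryptor",)),
                          Snapshot(D[2], ("hash:encryptor",), True)]),
    VM("sql01", 0, False, [Snapshot(D[0], ("c2:beacon",)), Snapshot(D[1], ("c2:beacon",)),
                           Snapshot(D[2], ("c2:beacon",), True)]),
    VM("dc01", 0, False, [Snapshot(D[0]), Snapshot(D[1]), Snapshot(D[2], encrypted=True)]),
    VM("app01", 1, False, [Snapshot(D[0]), Snapshot(D[1]), Snapshot(D[2])]),
]

if __name__ == "__main__":
    for bucket, items in plan_recovery(INVENTORY).items():
        print(bucket, items)
```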