Inventing Cyber Recovery… and Creating a New Category

The ‘Hack of the Century’ at Sony pictures was a wake-up call for everyone, regardless whether you are inside the cybersecurity community or not. The destructive cyberattack was a true shake-up of the system that brought along the opportunity to tackle the underlying problem head on. For me, this was the moment where preparation met opportunity and my entrepreneurial spirit, fostered by the Dell Technologies culture, kicked in.

On Monday, November 24th, 2014 a crushing cyberattack was launched on Sony Pictures. The slow-moving, multi-stage attack exposed sensitive data, erased 3,262 of the company’s 6,797 personal computers, and 837 of its 1,555 servers. Storage and backup systems were also attacked and destroyed. It is believed that the hackers were inside the network for over 6 months before the attack.

A nation-state doesn’t usually attack a private sector corporation. But the attack set the stage for the art of the possible. For some background, ransomware is available as a service complete with localization, tech support, and user forums. Nation states and criminals are collaborating, giving bad actors unprecedented access to sophisticated exploit kits. Ransomware and destructive malware are increasingly targeting the core infrastructure (e.g. the domain controller) and the backup infrastructure.

Cyber Recovery – A New Form of Disaster Recovery

Shortly after the attack our team engaged with customers to analyze the emerging threat vectors and underlying tech components of existing business continuity solutions.

It became clear that that Dell EMC’s leading portfolio and reputation were a solid foundation to develop a solution. It also became clear that the underlying technology components needed to be architected differently to protect from a different type of disaster. This urgency was corroborated by analyst firm Enterprise Strategy Group[i] who found that 9 out of 10 organizations are either using, planning for, testing, or interested in using isolated data protection copies as a preventative measure against cyberattacks.

So how is Cyber Recovery (CR) different than traditional disaster recovery (DR)?

Cyber Recovery Software

Let’s dig in deeper into the path of bringing to life a new solution. Our team got to work on designing a dream version of a cyber recovery solution that would keep our customers safe and increase their odds of being able to recover from a destructive cyberattack. Here is what we came up with:

  1. Keep an air-gapped copy removed from the network to minimize the attack surface.
  2. A high degree of automation allowing a few privileged administrators to set protection & retention policies.
  3. Secure mechanisms to manage the infrastructure in the dark site (aka Cyber Recovery Vault) and to provide continuous reporting to IT and security personnel.
  4. Ongoing integrity checks on the protection copies to flag when copies are corrupted or not recoverable.

The incubation phase of the solution was spent settling on an architecture and creating automation scripts to synchronize and protect copies in a dark site (aka Cyber Recovery Vault).

We spent over a year partnering closely with customers to refine the architecture and the workflow of the new Cyber Recovery solution. Along the way, we also needed to solve important challenges around secure management access, secure reporting and anomaly detection on protection copies.

The team’s big moment came in October 2018 when we were able to offer our customers the first fully productized software version, PowerProtect Cyber Recovery 18.1. The software addresses the four key requirements above including a game changing innovation: the ability to analyze protection copies without data movement or re-hydration. This is made possible by an integration between PowerProtect Cyber Recovery and CyberSense (Index Engines).

Since then, we’ve released four versions of the software, each delivering important innovations to keep our customers’ data working for them, even in the case of a cyberattack.

A logical illustration of the Cyber Recovery solution is shown here:

Innovation at Dell Technologies

All of this is only possible with the right culture and an infrastructure to reward innovation. In looking back on how we were able to create this new solution, let me highlight the following three ingredients to success.

Innovation – Dell Technologies fosters innovation in several ways but noteworthy is the ease at which innovators can file patents to protect great ideas. We filed multiple patents related to Cyber Recovery and inventions are showcased driving profound sense of making a meaningful contribution to the future of a given market segment. Cyber Recovery also provided fertile ground for incubating a different approach to software development and then standardize it across other data protection areas.

Winning Together – Creating markets is difficult and brings a high degree of ambiguity. We were close to failing several times. Coming together as ONE team across product owner, scrum master, and developers vs. the often typical ‘us vs. them’ approach allowed us to accelerate development, reduce waste, and remove impediments quicker. The broader team is equally critical. Relentless pursuit of a winning message from marketing and constant feedback from the field specialists opened a path to success. Dell Technologies’ Cyber Solutions Group in Beer Sheva, Israel ensured that our team is always at the cutting edge of cybersecurity making us more relevant in the security community.

Customers and the Art of Active Listening – Winning the very first customer if difficult in and of itself. Keeping a customer can be even harder. Our partnership with Dell Consulting allowed us to understand the customer pain points as well as important corner cases. ‘Game On’ was the first customer to benefit from  our Cyber Recovery solution. Enabled by our agile development approach we could quickly prioritize important areas such as simplifying the installation process and enhancing automation to improve the user experience.

What’s Next and Food for Thought

The area of analytics was briefly covered but opened an entire new dimension worth exploring. Customers tuck away their business continuity copies in the hope to use them for a recovery. But how can they be confident that this data copy is not corrupt? How does their CIO know that the data can be fully recovered after an attack? Sure, a periodic recovery drill is a common approach, but perhaps we can have more automation and mechanisms to ensure that every copy has integrity? What do you think?

[i] ESG Dell EMC Isolated Recovery Custom Research, 2018