
Breakout Session

Accelerate Cyber Recovery with Incident Response, Threat Intelligence, and Cleanrooms

Learn how to speed cyber recovery by combining incident response, threat intelligence, and cleanroom automation. This session shows how Commvault Cloud validates clean recovery points, detects threats early, and orchestrates isolated recovery environments to help organizations restore operations safely and with confidence.

About This Session

Explore why cyber resilience now demands more than traditional disaster recovery, as modern threats require organizations to anticipate, withstand, recover, and adapt—aligned to NIST’s resilience framework. This session highlights how resilience depends on clean, validated data and the ability to execute secure, end-to-end cyber recovery processes.

Examine why confidence in cyber recovery is dangerously low, with over half of enterprises lacking trust in their ability to recover securely. The session breaks down why untested recovery processes, stale runbooks, missing clean data verification, and siloed IT/security stacks lead to failed recoveries and prolonged outages.

Understand why organizations that do not regularly test their cyber recovery plans face a 97% higher risk of failure, and how gaps typically surface only during an actual incident—such as discovering that “successful backups” were actually compromised with ransomware or hidden malware.

See how disconnected IT and security systems slow recovery and increase MTTR, with 55% of organizations operating siloed technology stacks. The session explains why integrating threat intelligence, anomaly detection, and SOC signals directly into recovery workflows is essential for safe, validated restoration.

Learn how Commvault unifies threat detection, clean recovery point analysis, synthetic recovery, cleanroom orchestration, and automated validation, enabling enterprises to execute clean, trustworthy recoveries across AWS, Azure, and on-prem environments with speed, accuracy, and confidence.

 

Key Takeaways

  • Cyber resilience requires clean, validated recovery—not just fast failover.
  • Organizations that do not test recovery face a 97% higher risk of failure, proving testing is as important as backup creation.
  • Siloed IT and security stacks delay response and increase MTTR, highlighting the need for integrated platforms and shared workflows.
  • Threat intelligence must guide recovery decisions, ensuring organizations do not reintroduce malware from compromised backups.
  • Cleanroom recovery provides safe, isolated restoration, preventing reinfection and enabling validated promotion back to production.
  • Commvault unifies detection, clean point identification, synthetic recovery, and automated cleanrooms, enabling rapid, trustworthy recovery from ransomware and advanced threats.

Capability

Cleanroom Recovery

Commvault Cleanroom Recovery lets you spin up a clean air-gapped space to test your cyber recovery plans and recover your business from attacks and ransomware.

Learn more about Cleanroom Recovery

Solution

Cyber Recovery Solutions

Commvault helps enable secure, isolated backup and rapid restoration of critical data in the face of cyber threats.

Learn more about Cyber Recovery Solutions

Solution

Cleanpoint Identification

Accelerate clean recovery by checking and validating data against known malware signatures and using AI-enabled evaluation for polymorphic threats, helping minimize rollback and restore business operations with confidence after a cyber incident.

Learn more about Cleanpoint Identification

Frequently Asked Questions

What is a clean recovery point?

A clean recovery point is the most recent version of data confirmed to be free of malware, encryption anomalies, persistence mechanisms, or indicators of compromise—validated through threat intelligence, AI/ML models, and SOC integrations.

What is synthetic recovery and why is it useful?

Synthetic recovery reconstructs clean data from multiple backup versions, allowing organizations to preserve recent changes while still removing threats—minimizing rollback and reducing data loss.
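The two ideas above, clean point identification (checking backup content against known malware signatures and an encryption detector) and synthetic recovery (assembling the newest clean version of each file across several backups), carried through as a worked example. This is added illustration code, not Commvault's: a known-bad SHA-256 set and a byte-entropy heuristic are constructed stand-ins for the product's signature engine and its proprietary encryption model, and the four backup cycles, file names, contents and the entropy threshold are all made up for the example.

```python
"""Clean point identification plus synthetic recovery over a backup chain.

Added example, not Commvault code: a known-bad SHA-256 set and a byte-entropy
heuristic (stand-ins for a signature engine and an encryption model) feed a
synthesizer that restores the newest clean version of every file.
"""
from __future__ import annotations

import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass

# Assumption: bits per byte at or above which content is treated as ciphertext.
# Real scanners exempt legitimately compressed or encrypted formats (zip, jpeg,
# pgp) by magic bytes first; otherwise this heuristic flags them as well.
ENTROPY_THRESHOLD = 7.2


@dataclass(frozen=True)
class FileVersion:
    path: str
    content: bytes
    backup_id: int  # increases with time; larger means newer

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random or encrypted bytes sit near 8.0, text far below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify(fv: FileVersion, known_bad: set[str]) -> str:
    """Return 'malware', 'encrypted' or 'clean'; a hash match outranks entropy."""
    if fv.sha256 in known_bad:
        return "malware"
    if shannon_entropy(fv.content) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "clean"


def last_clean_backup(backups: list[dict[str, FileVersion]], known_bad: set[str]):
    """Traditional rollback: the newest backup in which no file is impacted."""
    for backup in reversed(backups):
        if all(classify(fv, known_bad) == "clean" for fv in backup.values()):
            return backup
    return None


def synthesize(backups: list[dict[str, FileVersion]], known_bad: set[str]):
    """Synthetic recovery: newest clean version of each path across all backups.

    Returns (recovery_point, quarantine). A path with no clean version anywhere
    is quarantined, keyed to the verdict on its newest version.
    """
    recovery: dict[str, FileVersion] = {}
    quarantine: dict[str, str] = {}
    for backup in reversed(backups):  # newest first, so the first clean hit wins
        for path, fv in backup.items():
            if path in recovery:
                continue
            verdict = classify(fv, known_bad)
            if verdict == "clean":
                recovery[path] = fv
                quarantine.pop(path, None)
            else:
                quarantine.setdefault(path, verdict)
    return recovery, quarantine


def sample_backups():
    """Constructed four-cycle backup chain; the attack lands in cycle 3."""
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # fake ransomware output
    dropper = b"constructed sample dropper, not real malware"
    ledger = b"id,amount\n1,10\n"
    cycles = [
        {"ledger.csv": ledger, "notes.txt": b"draft one", "config.ini": b"[db]\nhost=db1\n"},
        {"ledger.csv": ledger + b"2,25\n", "notes.txt": b"draft one",
         "config.ini": b"[db]\nhost=db1\n", "report.docx": b"quarterly report text"},
        {"ledger.csv": ledger + b"2,25\n3,40\n", "notes.txt": b"draft two",
         "config.ini": ciphertext, "report.docx": b"quarterly report text",  # config encrypted
         "dropper.exe": dropper},  # malware lands
        {"ledger.csv": ledger + b"2,25\n3,40\n4,5\n", "notes.txt": b"draft two",
         "config.ini": ciphertext, "report.docx": ciphertext[:2048],  # report encrypted too
         "dropper.exe": dropper},
    ]
    backups = [{p: FileVersion(p, c, i) for p, c in cycle.items()}
               for i, cycle in enumerate(cycles, start=1)]
    return backups, {hashlib.sha256(dropper).hexdigest()}  # SOC-supplied hash feed


if __name__ == "__main__":
    backups, bad = sample_backups()
    point, quarantined = synthesize(backups, bad)
    print({p: fv.backup_id for p, fv in point.items()}, quarantined)
```

On the constructed chain, plain rollback has to return to backup 2 (the newest cycle with nothing impacted) and loses the later ledger and notes changes, while the synthesized point keeps ledger and notes from backup 4, takes config from backup 2 and the report from backup 3, and quarantines the dropper because it never had a clean version. The walk is newest-first on purpose: the first clean hit per path is by construction the latest, so there is no second pass to find it.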

Why is an isolated cleanroom required for cyber recovery?

A cleanroom provides a safe, isolated environment to repave systems, validate workloads, test recovery steps, run threat scans, and ensure applications are safe before promoting them back into production.

Transcript



00:08 – 00:09
Hello everybody.
00:09 – 00:15
Welcome to the Accelerate Cyber Recovery with Incident Response, Threat Intelligence, and Cleanroom session.
00:19 – 00:20
My name is Dave Cunningham.
00:20 – 00:23
I’m part of the product manager team at Commvault.
00:23 – 00:27
I work on our cybersecurity solutions like our threat detection platform and security integrations.
00:27 – 00:28
And I’m here with Dinesh.
00:28 – 00:30
How are you doing, Dinesh?
00:30 – 00:31
Hey, thanks David.
00:31 – 00:32
Hey everyone.
00:32 – 00:33
My name is Dinesh Reddy.
00:33 – 00:39
I’m part of the product management team at Commvault and I manage our recovery solutions.
00:39 – 00:44
So let’s get kick started here and we’re going to talk about cyber resilience.
00:44 – 00:49
NIST clearly outlines the structure around cyber resilience.
00:49 – 01:01
You know, the ability to anticipate, withstand, recover and adapt your organization, bring your business back, bounce back from all different types of threats or disasters.
01:01 – 01:07
The conversation of cyber resilience becomes very nuanced once you start considering the evolving threat landscape.
01:07 – 01:15
And we’re going to talk a little bit about some of the advanced capabilities that we offer within our platform to not just provide the resilience,
01:15 – 01:22
provide the intelligence in the way to be ready to bounce back in the event of a cyber attack.
01:23 – 01:37
The reality is that even though organizations have a strategy to be prepared for cyber recovery and being cyber resilient, they usually lack the confidence in their strategy.
01:37 – 01:39
And this is shown in the numbers.
01:40 – 01:42
More than half of the organizations
01:42 – 01:53
don’t have confidence in their recovery and they don’t have confidence that if something happens to their environment, they’ll be able to securely recover their resources.
01:53 – 02:05
In fact, there's a 97% higher risk of recovery failure because organizations have not regularly tested their cyber recovery plans and processes.
02:05 – 02:10
And they start seeing gaps in their plans during the cyber incident.
02:10 – 02:14
They might not even know if their backups are clean or if they are infected.
02:14 – 02:14
Yeah.
02:14 – 02:25
And also, you know, I think there's a part to this that we need to bring out, which is that 55% of organizations have siloed security and IT technology stacks.
02:25 – 02:29
And that’s a super, important problem to call out here.
02:29 – 02:35
Because when you're talking about a resiliency solution like Commvault, having it disconnected
02:35 – 02:45
from a security platform or from the intelligence that a security platform can offer, kind of cripples you from being able to recover in an optimal state.
02:45 – 02:50
So that’s an important problem that organizations are facing today as well.
02:50 – 02:50
Yeah.
02:50 – 02:53
In fact, this gap between the teams, right?
02:53 – 02:59
The silos adds delays, which in turn increases the mean time to recover.
03:00 – 03:05
Organizations today, I think there’s that traditional recovery
03:05 – 03:09
type of a plan that organizations have been using for quite some time now.
03:09 – 03:21
I think the traditional recovery plans that a lot of organizations are using don’t quite meet the needs of the threat landscape today, how cyber threats are impacting
03:21 – 03:23
organizations today.
03:23 – 03:30
And so we really advocate for this concept of cyber recovery plans, the ability to not only
03:30 – 03:36
test your recoveries, but also introduce some sort of threat intelligence as part of that recovery plan.
03:36 – 03:45
The reason for this is because, you know, when they restore blindly back into the environments, there’s a potential of reintroducing risk in the environment, right?
03:45 – 03:56
You know, the data protection platform is continuously protecting data and, you know, at any given time, there could be threats protected along with that within the Commvault platform,
03:56 – 03:58
with any data protection platform.
03:58 – 04:03
And by restoring blindly into the environment, you could be reintroducing the vulnerabilities.
04:03 – 04:08
And also like rolling back is a concept that we hear quite a bit from organizations.
04:08 – 04:18
When they have a cyber incident and they want to recover their data, they go back in time, and that process of going back in time and recovering from an older snapshot, you know,
04:18 – 04:21
maybe a week ago, it leaves some data behind, right?
04:21 – 04:25
It’s kind of putting their business at risk of fully recovering.
04:25 – 04:27
So being able to analyze for threats
04:27 – 04:35
as part of a recovery test or as part of a cyber recovery plan is super important.
04:35 – 04:36
Absolutely.
04:36 – 04:36
Right.
04:36 – 04:37
I think you’re spot on.
04:37 – 04:45
But the big difference between traditional recovery plans and cyber recovery is that like in traditional recovery, there is no malice, right?
04:45 – 04:47
In a natural disaster, right?
04:47 – 04:48
There’s no malice.
04:48 – 04:52
There’s no bad actor that is trying to do bad things in your environment.
04:52 – 04:55
You are just, your site is down.
04:55 – 04:56
You’re just recovering your site.
04:56 – 05:02
And you’re not worried if your data is infected or corrupted or encrypted.
05:02 – 05:05
But cyber recovery is more complex than that.
05:05 – 05:08
You need to ensure your backups are clean.
05:08 – 05:19
And then you need to ensure you’re able to validate those backups in an isolated environment before you actually bring them into your newly rebuilt production so that
05:19 – 05:20
there’s no reinfection.
05:20 – 05:26
And that’s where our solutions help customers to do this in a streamlined way.
05:27 – 05:30
So let’s kind of get into that a little bit deeper.
05:30 – 05:40
So let’s take a look at just like a high level of the platform, like where the platform comes into play, what we’ve built into the platform to kind of help customers with these
05:40 – 05:40
problems.
05:40 – 05:43
So it starts with the resiliency platform, the Commvault platform.
05:44 – 05:48
And we offer that immutable layer using our core platform.
05:48 – 05:53
So the storage and AirGap technologies that we have in the product.
05:53 – 05:56
And that’s super important because first and foremost,
05:56 – 06:02
We need to protect the data and that data needs to be protected in an unchangeable, indelible state.
06:02 – 06:04
So we have that out of the box.
06:04 – 06:12
And then the integration with the, you know, the recovery and response or orchestration and security tool sets is also super important.
06:12 – 06:21
But what we’ve done here at this middle layer is we’ve introduced additional technologies that kind of streamline and break down those silos.
06:22 – 06:26
And bring in the threat intelligence as part of the recovery test.
06:28 – 06:31
So, first and foremost, to get that clean recovery point, right?
06:31 – 06:44
And we define clean recovery point or clean point detection as the ability to detect if there’s threats within the data that’s protected and also be able to get the last known
06:44 – 06:51
good version of that data, minimizing the rollback of your recovery.
06:51 – 07:00
So we have signals that we get from our security partners through integrations like with our CrowdStrike and others, as well as built-in intelligence that comes right out of the
07:00 – 07:05
box that our customers don’t have to introduce any additional technologies.
07:05 – 07:12
That intelligence will provide you with the insight into analyzing your data for malware and encryption threats.
07:12 – 07:17
And this is the first step in getting to that clean point detection.
07:17 – 07:22
So I often like to say, you don’t know how effectively you can recover until you recover.
07:22 – 07:26
And you never want to be in a situation where you need to recover and you can’t effectively recover.
07:26 – 07:33
Where it’s like, it’s really important to consistently, you know, test your data, test your ability to recover.
07:33 – 07:36
Also to validate that your data is in a good state.
07:36 – 07:39
The threat intelligence component of it is super important.
07:39 – 07:43
It’s going to give you that, that uh accurate validation that your coverage.
07:43 – 07:51
that you not only are able to recover your data, but you can recover it in that accurate state, that good state, that clean state.
07:51 – 07:54
And you’re getting the latest good versions of your files back.
07:54 – 08:04
So unifying the security tool sets and the resiliency tool sets, the security tool sets with that recovery orchestration, is super important.
08:04 – 08:06
It’ll help reduce response times.
08:06 – 08:09
So let’s double click on this concept of synthetic recovery.
08:09 – 08:11
This is something new that we’ve launched.
08:11 – 08:13
And this is something that
08:13 – 08:15
that only we’re doing in the market today.
08:15 – 08:18
So this concept is really simple.
08:19 – 08:29
We use the intelligence in our platform. Like I mentioned before, we have malware detection in our platform, utilizing a signature-based engine and machine learning.
08:29 – 08:39
We also integrate with SOC tools like, you know, YARA rules and hashes for additional intelligence as well.
08:39 – 08:42
So the first step is to find malware in the backup content.
08:43 – 08:47
Next step is we use our AI engine to detect encryption.
08:47 – 08:56
So we have a proprietary model for detecting encryption states within the backup content.
08:56 – 09:00
And all of this information we store in our index.
09:00 – 09:07
And when we do this, we’re able to pinpoint which files are impacted by threat and which files aren’t.
09:07 – 09:11
And you can see in this illustration on the left side, I have multiple different
09:11 – 09:15
data protections, backups that occurred over a period of time.
09:15 – 09:21
And then as the cycle kind of moved on, we have various threats popping up, files getting impacted.
09:21 – 09:23
Now we’re getting introduced.
09:23 – 09:33
And then on the right side, when I actually do my synthetic recovery, we will automatically, with one click, synthesize or grab all the latest versions of those
09:33 – 09:38
data across the backups, find the last good ones across the backups.
09:38 – 09:41
And use that for a recovery point, and we quarantine them out by default.
09:41 – 09:49
So basically we’re providing a clean recovery and we’re minimizing the rollback, which is solving some of the problems we talked about earlier.
09:49 – 09:59
So I’m going to pass it off to Dinesh and he’s going to talk about how we take that clean recovery point and we move this and orchestrate this into the recovery process itself.
09:59 – 10:01
David.
10:01 – 10:05
So like as you mentioned, right now we have identified a clean
10:05 – 10:09
point, right, through various threat signals, scanning of backups.
10:09 – 10:22
The next step would be to validate this data in a secure, isolated environment without actually compromising your production that you are rebuilding.
10:22 – 10:33
And you should always validate your applications inside an isolated clean room before recovering into your newly rebuilt production so that you minimize the infection.
10:33 – 10:34
And one of the key steps
10:34 – 10:39
during this validation process is to repave your servers.
10:39 – 10:51
This is by completely removing your operating system and rebuilding the server from a custom golden image that has been validated and hardened so that you always start from a known
10:51 – 10:53
good state.
10:53 – 11:04
Once the application has been thoroughly tested and validated inside this isolated clean room, now you’re ready to promote this application into the production environment.
11:04 – 11:14
In the next couple of minutes, we will learn how cleanroom recovery helps you do this in a streamlined manner.
11:15 – 11:18
I really like this quote from Mike Tyson.
11:18 – 11:23
So it really resonates with what we are trying to solve with our solutions.
11:23 – 11:28
He said, everyone has a plan until they’re punched in the face.
11:28 – 11:33
And this definitely applies to cyber recovery and resilience.
11:33 – 11:41
Every organization thinks they have a plan and most organizations might have a plan for a cyber recovery.
11:41 – 11:45
But however, when they are hit with an incident, right?
11:45 – 11:48
So within the first five minutes of this cyber event, right?
11:48 – 11:54
They need to be able to certainly answer questions such as is the attacker still active, right?
11:54 – 11:56
What data can we trust?
11:56 – 11:59
What are the next steps that I need to take?
11:59 – 11:59
Right.
11:59 – 12:03
So and of course, having a paper playbook helps here.
12:03 – 12:07
But the real confidence comes when there is orchestration, right?
12:07 – 12:14
When you are able to codify the steps that you need to perform, when you have gates and checks defined,
12:14 – 12:27
And run this same sequence of steps again and again every week and build that muscle memory so that when something happens, you’re able to quickly execute each of those steps.
12:27 – 12:29
That’s cyber resilience in action.
12:29 – 12:31
And Cleanroom recovery helps
12:31 – 12:33
solve this, right?
12:33 – 12:36
This is how cleanroom recovery works, right?
12:36 – 12:40
So you have your production environment on the left side, right?
12:40 – 12:42
Which is your typical production environment.
12:42 – 12:47
You have your file shares, you have your VMs, you have your database servers, right?
12:47 – 12:54
And of course your environment could be a hybrid environment, which is segregated across clouds and on premises.
12:54 – 12:56
And then we have the backup
12:56 – 13:03
infrastructure, which is the Commvault Cloud control plane, which orchestrates the process of protecting your applications.
13:03 – 13:14
A key component of a cyber resilient architecture is to have an offsite copy of your application's data in AirGap Protect.
13:14 – 13:26
This ensures that even if your entire production is completely gone, you have a safe copy of your application stored away in AirGap Protect using which you can recover
13:26 – 13:27
your applications.
13:27 – 13:37
And like if you want to do a recovery testing or you want to do a forensic analysis or you are in an actual cyber event and you’re trying to recover, right?
13:37 – 13:43
The first step is to actually recover your control plane because during any real cyber incident, right?
13:43 – 13:54
Even before the applications are infected, the bad actors would destroy your backup infrastructure, your recovery infrastructure, especially if they are deployed within your
13:54 – 13:56
production environment.
13:56 – 14:01
And Cleanroom Recovery orchestrates the process of recovering the control plane.
14:01 – 14:11
With just a couple of clicks, we'll be able to recover your control plane and host it within our infrastructure so that you can log into this newly recovered control plane and
14:11 – 14:16
start recovering your applications into an isolated cleanroom.
14:16 – 14:24
And this isolated cleanroom can be created either in an AWS environment, in an Azure environment, or even in your own
14:24 – 14:28
on-prem data center, on-prem IRE environment.
14:29 – 14:33
At its core, Cleanroom Recovery is an orchestration platform.
14:33 – 14:36
So it helps orchestrate recovering the control plane.
14:36 – 14:51
It helps create an on-demand isolated cleanroom in which you can recover your applications and start validating them before promoting to your production environment.
14:51 – 14:54
Now let’s see how
14:54 – 15:02
threat detection, clean room work, and how these two synergize to help you recover from a cyber event.
15:02 – 15:12
So, to help you identify threats, to help you recover infected resources into a cleanroom for validation, in our live demo.
15:14 – 15:17
In the new installment of Cleanroom Recovery, right?
15:17 – 15:20
So I want to first walk through this dashboard, right?
15:20 – 15:29
So we are introducing this new dashboard to give a quick preview of how recovery ready your environment is, right?
15:29 – 15:32
So it has information like cleanroom recovery readiness.
15:32 – 15:43
It shows you how many of your protected resources are actually ready to be recovered into the cleanroom, how many are not ready and how many are not configured for Cleanroom
15:43 – 15:44
Recovery.
15:44 – 15:54
And it also shows information about why resources are not ready for cleanroom recovery, because you might not have an ATP backup copy for those resources, or you have
15:54 – 16:07
selected a different region for the cleanroom, right, and that region does not have an ATP backup. It also shows information about when the last recovery drill was conducted for each
16:07 – 16:09
of your recovery groups
16:09 – 16:19
and it will show you license usage information as well as active cleanrooms by region if you have a distributed environment. From here,
16:19 – 16:21
Let’s go into recovery groups.
16:21 – 16:24
A recovery group is a logical container, right?
16:24 – 16:30
It’s a logical grouping of your resources that you want to recover into a clean room.
16:30 – 16:32
Let’s create a new one.
16:32 – 16:34
So I’ll say add recovery group.
16:34 – 16:39
I’m going to give it a name transaction application because I want my transaction application to be
16:39 – 16:47
recovery ready. Next, you can add your resources into this group that form your transaction application.
16:47 – 16:51
There are multiple ways you can add resources.
16:51 – 16:59
You can add a rule saying add all resources that are owned by XYZ person, or add resources that have a tag XYZ, right?
16:59 – 17:09
So you can define what those rules are, and based on those rules the resources will be added into the recovery group, or you can manually select
17:09 – 17:14
and add resources into the same recovery group here, right?
17:14 – 17:23
So you can see, we'll show you all the resources that are protected by Commvault Cloud and you can pick and choose what resources you want to add into the recovery group
17:23 – 17:25
called transaction application.
17:25 – 17:33
And one thing that I want to highlight here is that we have added support for Active Directory forests, right?
17:33 – 17:38
So now you will be able to add an entire Active Directory forest into a recovery group
17:38 – 17:43
and then execute recovery into a clean room so that you can validate your end-to-end applications.
17:43 – 17:53
I’m selecting an active directory forest a couple of VMS and couple of Azure file shares and I’m going to add all of this into the recovery group and then execute a recovery into
17:53 – 18:05
a cleanroom. Next, review your settings on this summary page, and as soon as you're done with the creation of a recovery group, the next step in the process
18:05 – 18:12
is to create a runbook for executing your cleanroom, so you can just say create and start adding a runbook.
18:12 – 18:17
This will take you to the next flow of configuring and creating a runbook.
18:17 – 18:18
I’m going to give a name for it.
18:18 – 18:27
I want to create a forensic runbook for my transaction application, and as part of this runbook, I want to enable threat scanning, right?
18:27 – 18:30
What this means is if you toggle this option.
18:30 – 18:41
We will automatically scan the resources that are recovered into the cleanroom for any malware, right, and it will show up in your runbook status if there's any malware detected.
18:41 – 18:49
So let’s enable threat scan and then go further and here you have an option if you have pre-created a clean room target or a clean room site.
18:49 – 18:52
you can just select use an existing cleanroom.
18:52 – 18:58
But if you want us to create a new cleanroom, you can just opt in for new cleanroom and then go next,
18:58 – 19:04
and you can select where you want to create your cleanroom, either in AWS or Azure.
19:04 – 19:06
I’m going to select Azure for this demo.
19:06 – 19:07
Click next.
19:07 – 19:12
Let me give a name for this cleanroom: Azure West US cleanroom.
19:12 – 19:18
And then click next, and this is where we have simplified the process of creating the cleanroom.
19:18 – 19:21
We have introduced this option called express configuration.
19:21 – 19:25
What this does is, with a single sign-in into your Microsoft account, right?
19:25 – 19:27
So we will be able to
19:27 – 19:37
create all the necessary infrastructure and resources that are required to create an on-demand cleanroom before recovering the resources into it.
19:37 – 19:47
So previously you had to pre-create certain resources in your Azure account such as an Azure app, give the necessary roles and permissions, create resource groups and a VNet,
19:47 – 19:50
and then come back and configure your cleanroom recovery.
19:50 – 19:56
But we have taken away all of those prerequisites by introducing this Express Configuration option because
19:56 – 20:04
Once you sign in with your Microsoft account, we’ll be able to create everything that is required to successfully execute a cleanroom recovery.
20:04 – 20:11
And of course, if you have pre-created some of those resources and you want to use those resources, you can always opt in for a custom configuration.
20:11 – 20:17
So let’s do an express configuration to show you how easy it is to create an on-demand cleanroom.
20:17 – 20:24
So we automatically fetch all the subscriptions that are there inside your Microsoft tenant.
20:24 – 20:26
I’m going to select this
20:26 – 20:36
for my cleanroom recovery purpose and click next. Quick review on all the settings that you have selected, and then click create.
20:36 – 20:43
So as you can see, the system has automatically generated a step-by-step runbook for your cleanroom recovery purpose, right?
20:43 – 20:47
So one of the steps here is deploy cleanroom, right?
20:47 – 20:51
Let’s say if you and this run book right gives you a lot of flexibility, right?
20:51 – 20:54
You can add and remove steps if you need, right?
20:54 – 20:55
So let’s say want to add
20:55 – 20:59
a step before this or after deploying a cleanroom, you will be able to do that.
20:59 – 21:08
And if you expand the deploy cleanroom phase, it will show you all the inner steps that we execute as part of this phase.
21:08 – 21:09
Right.
21:09 – 21:18
So because you have opted in for deploying a new cleanroom, we will automatically create the necessary infrastructure such as a resource group, the networking resources, the
21:18 – 21:24
storage account, all of that before actually recovering the resources into it.
21:24 – 21:33
And if you expand phase three, which is basically recovering your priority one resources, you can see that we have added an Active Directory forest and we
21:33 – 21:36
have a couple of VMs that have been added for recovery.
21:36 – 21:40
And one of the steps inside recovering the VM is repaving, right?
21:40 – 21:51
This is an advanced capability that helps you repave your entire virtual machine using a custom hardened golden image before recovering the data
21:51 – 21:59
into it, right? This allows you to start from a known good state even before the data has been recovered inside the cleanroom.
21:59 – 22:12
So now let’s execute uh the run book right select a backup point or a recovery point that you want to use to recover your applications and then click submit.
22:12 – 22:18
Now this starts the cleanroom recovery process and you can monitor the status right within the runbook page.
22:18 – 22:21
You don’t need to go anywhere else to monitor the status
22:21 – 22:26
and it will show you, phase by phase, which phase is being executed and how much has been completed.
22:27 – 22:31
And let’s say there are certain manual steps that you have added and which require acknowledgement.
22:31 – 22:36
They will be highlighted here, saying that there's one step that is waiting for user input.
22:36 – 22:42
You’ll be able to click here which will filter the steps to show you which step is waiting for user input.
22:42 – 22:44
You can say acknowledge
22:45 – 22:48
and then submit, and this takes the runbook to completion.
22:48 – 22:48
Right.
22:48 – 22:58
So now the entire cleanroom recovery has been executed and your resources have been recovered into an on-demand cleanroom that has been created in your Azure
22:58 – 22:59
subscription.
22:59 – 23:09
Now you can give access to this cleanroom to your security operations team or your applications team so that they can validate the resources. And of course, right,
23:09 – 23:15
So once you’re done with your validation and you’re ready to like clean up your resources
23:15 – 23:24
you can just say reset runbook and this will automatically perform the cleanup operation of all the resources that have been created by us in your Azure subscription.
23:24 – 23:28
So there are no dangling resources that could cost you.
23:28 – 23:36
So as you can see, we have simplified the entire process of creating an on-demand cleanroom and then recovering the resources into it.
23:36 – 23:45
Now my colleague David will walk you through how easy it is to execute a recovery
23:45 – 23:46
during a cyber event, right?
23:46 – 23:56
When an event has been detected, when malware has been detected within your environment, how easy it is to detect it and then recover those infected resources into a cleanroom for
23:56 – 23:58
any kind of analysis.
23:58 – 23:59
David, over to you.
24:00 – 24:13
All right, so we're going to take a look at the new threat detection dashboard and take a look at how easy it is to detect threats within your data protection environment
24:13 – 24:17
to drive the clean recovery into the cleanroom environment.
24:17 – 24:20
So you can see right here, we have the new dashboard.
24:20 – 24:23
And on the dashboard, it’s built to be outcome driven.
24:23 – 24:32
On the left side, we have the various different signals that we’re detecting within the data protection environment.
24:32 – 24:41
We scan data on a scheduled basis, or we can scan data automatically when there’s various anomalies occurring
24:41 – 24:42
as well as on demand.
24:42 – 24:49
So there’s a very uh flexible uh scanning type modes available in the new solution.
24:50 – 24:59
And when we detect threats, we correlate those insights, including partner insights into this dashboard to assign risk levels to it.
24:59 – 25:05
So you can see we have some critical risk resources, high risk resources, medium and low risk resources.
25:06 – 25:08
Then on the right side,
25:09 – 25:10
we have the results overview.
25:10 – 25:19
And this is giving you the input or the insights into what data has been looked at and what Commvault has done with that data from a threat perspective.
25:19 – 25:24
So it’s telling you you have a bunch of clean data that we’ve detected, we’ve scanned through, and data that is impacted.
25:24 – 25:26
So you can see we have some impact here.
25:26 – 25:30
And we’ll dig deeper into this to see how to recover from it.
25:32 – 25:37
And then below, we have operational components of the threat detection platform.
25:37 – 25:44
So let’s go ahead and double click into some of the critical resources to kind of get an idea of what’s going on here.
25:44 – 25:46
So I’m going to click on the tile.
25:46 – 25:56
You can see I have a bunch of resources here that are in critical status, which means that there’s malware detected, amongst other things, within the data protection and recovery points.
25:57 – 26:01
I can click on the various different components here.
26:01 – 26:06
So we have anomalies for this particular system here that are being triggered.
26:06 – 26:09
And this is using Commvault machine learning.
26:09 – 26:14
As we’re protecting the data, we look at the various different changes that are happening on that system.
26:15 – 26:19
And we will generate the event on the dashboard.
26:20 – 26:22
Next up, we have partner signals.
26:22 – 26:33
So we have multiple different integrations where we ingest signals from our partners like CrowdStrike, Netskope, and Darktrace, to name a few.
26:34 – 26:36
And these signals are providing
26:37 – 26:49
an indicator of an attack, or a behavior that’s happening on the resource, that we map to a recovery point to help the user see if there’s an impact on that system.
26:50 – 26:52
We’ll look at that in more depth a little bit later.
26:52 – 27:04
And then lastly, we have threats, and this is using our multi-layer scanning engine, our threat scan engine, where we detect malware using a signature-based engine, machine learning,
27:04 – 27:08
and we have an AI model for detecting encryption.
27:08 – 27:22
We’ve also built in YARA and hash support for this new product release, to give SOC analysts the ability to inject their own intelligence into the platform to find malware threats.
27:23 – 27:26
On the right side, we have various different actions.
27:26 – 27:33
So you can mark this resource safe, you can quarantine it, you can disable it from data aging, which protects
27:33 – 27:37
the previous data protection jobs from pruning off.
27:37 – 27:41
So if you ever need to go back in time, those data points will still be there.
27:41 – 27:42
They’ll be intact.
27:42 – 27:43
They won’t prune off.
27:43 – 27:44
They won’t age off.
27:44 – 27:47
They’ll always be there for either forensics or for recovery purposes.
27:47 – 27:54
You can hunt for threats, which is an on-demand scan if you want to inject new intelligence into the platform.
27:54 – 27:58
We’ve even introduced APIs for doing hash scanning.
27:58 – 28:02
So you can use hashes to look for known threats within the
28:03 – 28:07
data protection environment, and then of course, restore.
28:07 – 28:09
So we’ll get to that in a second.
28:09 – 28:13
Let’s dig into a little bit more of the details on what’s happening with this system.
28:13 – 28:18
So I’m going to click on the resource, and this is going to take me to the overview dashboard.
28:18 – 28:20
So this is the overview of the resource.
28:20 – 28:25
So I get to see all the signals that are being triggered for this particular system.
28:25 – 28:28
And I can see it on these trending lines.
28:28 – 28:30
And the trending lines are really good
28:30 – 28:38
for pinpointing when the issue first started happening, when the infection first appeared within the data protection jobs.
28:39 – 28:44
And this kind of view could be complicated or could have a learning curve.
28:44 – 28:50
So what we’ve done is we’ve incorporated AI around all of these different signals.
28:50 – 28:59
So you can use our Arlie Insights to get a summary of what’s going on for this particular resource or even at a global level.
28:59 – 29:06
And it’ll give you all the context around what’s been detected and what to do, what the recommendations are.
29:06 – 29:11
So at a minimum, this is all you really have to do to understand what the next steps are.
29:11 – 29:14
All right, so moving along, we’re gonna go to the anomalies tab.
29:15 – 29:21
If you’re continuing your investigation and you want to understand what files are anomalous, you would go to this tab here.
29:22 – 29:25
And then next we have our threats tab.
29:25 – 29:28
And this is gonna give you an overview of the various
29:28 – 29:34
malware and encryption that was detected using our multi-layered engine.
29:34 – 29:45
And once again, just to reiterate, we have the malware engine that utilizes signature-based scanning, machine learning, as well as YARA and hashes.
29:46 – 29:52
And then we also have an AI encryption model for detecting encryption with high levels of accuracy.
29:52 – 29:57
And it’s trained on what an encrypted file looks like versus what a clean file looks like.
29:57 – 30:02
So right here we can click on the one particular threat that was detected and get more details.
30:02 – 30:09
And once again, like I mentioned before, we use Arlie across the interfaces in the dashboard to give you the context that you need.
30:09 – 30:16
You can get more details on this threat, including hashes and the details of this particular impact.
30:17 – 30:19
And then lastly, we have partner signals.
30:19 – 30:24
So I mentioned before that we integrate with several different security partners.
30:24 – 30:27
We ingest the signals into our platform.
30:27 – 30:36
These would be indicators of attack or early indicators of potentially malicious behavior happening on those systems.
30:36 – 30:38
And we map these to the recovery points.
30:38 – 30:41
As you can see here, these recovery times.
30:41 – 30:50
And this tells the user that at these particular times, there was some sort of malicious activity that occurred on those systems.
30:50 – 30:56
And therefore, this signal drives the outcome that
30:56 – 31:02
you should scan it, or, if there are other signals going on, that there might be an impact to your recovery point.
31:02 – 31:06
We also integrate with CrowdStrike Next-Gen SIEM.
31:06 – 31:07
This is something new.
31:07 – 31:15
And right here you can see in the CrowdStrike Next-Gen SIEM that we’re sending signals to the SIEM platform.
31:15 – 31:19
And this is great to provide enrichment for the SOC analyst.
31:19 – 31:24
And you can see one of the insights here is our risk analysis insight.
31:24 – 31:25
And this is telling
31:25 – 31:30
the SOC analysts that there was sensitive data discovered on this particular system.
31:31 – 31:40
Now this is very important because if you have threat signals being triggered as well as sensitive data triggers, that’s going to raise the alarms.
31:40 – 31:44
You really want to take a look at the system to make sure everything is okay.
31:44 – 31:48
Now we don’t share any sensitive data information.
31:48 – 31:55
We just provide the information that the system had some policy violations based on
31:55 – 31:57
how risk analysis is configured.
31:57 – 32:08
Those policy violations can be customized as well as made specific to certain types of data sets.
32:09 – 32:20
And then of course, in addition to the sensitive data discovery, we also send signals such as any of the threats that were detected from our scanning capabilities.
32:20 – 32:23
And so we’ve sent over some information to the Next-Gen SIEM
32:24 – 32:27
so the SOC analyst can get those notifications.
32:27 – 32:29
All right, so now let’s do a recovery.
32:29 – 32:30
We’ll go back to the system.
32:30 – 32:32
We’ll go to restore.
32:32 – 32:36
And right here, we have three different restore options.
32:36 – 32:37
Number one is manual.
32:37 – 32:40
And this would be if you wanted to select a clean recovery point.
32:40 – 32:45
You can see here that we’re actually detecting the clean recovery points.
32:45 – 32:53
We’re telling you which ones are impacted by threats with the indicator here, the triangle.
32:53 – 32:59
And we even break it down as to what kinds of threats are in those recovery points.
32:59 – 33:09
Now, if I did a recovery by clicking the recovery point, as an example, on the 25th, and I did a recovery from there, I could potentially be leaving good data behind because I have
33:09 – 33:15
two more recovery points after it that, even though they’re infected, maybe not all the data is infected.
33:15 – 33:17
So there would be some level of rollback.
33:17 – 33:20
And that’s why we introduced this feature
33:20 – 33:24
where we call it our synthetic recovery feature.
33:24 – 33:37
Our synthetic recovery feature composes the recovery point by taking the latest recovery point that’s available, understanding what’s infected by our scanning
33:37 – 33:46
technologies, and then going back in time, pulling the good versions of the files across the backup sets to synthesize a recovery point.
33:46 – 33:48
So it minimizes the rollback.
33:48 – 33:49
We’re going to use this option.
33:49 – 33:57
You can see here, we even give you the information as to how much data is actually being rolled back and how much is coming from the latest update or the latest recovery point.
33:58 – 34:00
And briefly, I want to mention the forensic option.
34:00 – 34:05
This is an option wherein you can recover the infected data.
34:05 – 34:08
And we only allow this recovery to go to clean room.
34:08 – 34:09
or out of place.
34:09 – 34:12
And you can use this for investigations and forensics.
34:12 – 34:15
So right now, we’re going to pick the synthetic recovery option.
34:15 – 34:17
Next, this is
34:17 – 34:20
where some of the other innovations have come into place.
34:20 – 34:23
Cleanroom is fully integrated as a recovery location.
34:23 – 34:29
So you no longer have to jump through hoops to get your data into the cleanroom for further investigation.
34:30 – 34:31
So I’m going to pick the cleanroom option.
34:31 – 34:34
I’m going to do the synthetic recovery to the cleanroom.
34:34 – 34:39
And I’m going to pick the existing cleanroom that Dinesh created in his demo.
34:39 – 34:41
And we’re going to go ahead and restore.
34:42 – 34:45
And for that infected system, this is going to do a full clean recovery of that system to the clean room.
34:51 – 34:57
So we can do that last-step validation in the clean room before you put that data back into production.
34:57 – 34:59
So you have optimal recovery.
35:00 – 35:04
So now that we have seen the demo of how the product works, right?
35:04 – 35:12
How easy it is to spin up an on-demand clean room, test your cyber recovery readiness.
35:12 – 35:14
And when you are in a cyber event,
35:14 – 35:25
how quickly and effectively our threat detection platform will be able to identify what threats are there within your backups and help you recover with minimal data loss, right?
35:25 – 35:27
Using that synthetic recovery.
35:28 – 35:33
If there’s one thing that I want you to remember right from this session is this slide, right?
35:33 – 35:41
It shows the end-to-end journey from recovery readiness into clean production recovery, all in a single integrated flow, right?
35:41 – 35:43
We start with readiness, right?
35:43 – 35:44
It’s all about
35:44 – 35:54
configuring and setting up regular scanning of your backups and continuously monitoring whether your critical workloads are clean or not.
35:54 – 36:00
So once that is done, the next step would be to do recovery testing.
36:00 – 36:12
Use the clean room functionality to schedule and validate your cyber recovery plans and process so that you uncover any gaps that could be there, so that you are prepared when an actual event happens, right?
36:14 – 36:16
The KPIs here are simple, right?
36:16 – 36:21
You scan your backups, ensure that all your critical workloads are covered, right?
36:21 – 36:28
You test frequently, ensure that your cyber plan has been thoroughly vetted and there are no gaps.
36:28 – 36:31
And then you’re ready to move on to the next step.
36:32 – 36:33
Yeah, absolutely.
36:33 – 36:41
And part of that planning phase and that readiness phase is, you know, the scanning policies, the scanning plans that you have in place.
36:41 – 36:43
These are all background operations, and we utilize the signals automatically for you.
36:48 – 36:57
Our anomaly engine, you know, the malware detection and encryption engine, like we talked about before, and all the SOC tools from their integrations, as well as integrated tool sets.
36:58 – 37:10
These are all things working for you automatically in the background, detecting whether or not there are any threats within your protected data and easily getting to that clean point for that clean point recovery.
37:13 – 37:25
And we talked about synthetic recovery, which is one of the key capabilities of our product, which is that it’s not only about getting that clean recovery back, it’s also about
37:25 – 37:32
optimizing that clean recovery in the sense that we’re not rolling back to a previous point in time to get your clean data.
37:32 – 37:36
So it’s a fully optimized clean recovery point.
37:36 – 37:40
And then this is where the magic happens
37:40 – 37:50
where, now that you have your clean synthetic recovery, you can send it over to your clean room for those next operational steps and validation steps.
37:51 – 37:52
Exactly, right?
37:52 – 38:03
And during that process, when you’re doing this recovery into the clean room, you can apply additional layers of security to ensure it is truly clean.
38:03 – 38:06
For example, you’ll be able to repave the entire operating system
38:06 – 38:17
by ripping out the operating system, bringing in a new custom golden image, and then rebuild the server using that image before recovering the data into it.
38:17 – 38:28
And finally, once all of this validation has been completed and you have a crisp go or no-go decision from the security teams, you are ready to move these cleaned applications
38:28 – 38:33
from the cleanroom into a new production environment.
38:33 – 38:35
The net result is that you have clean,
38:35 – 38:45
validated, repaved applications that have been restored with minimal data loss and as efficiently as possible into your new production environment.
38:45 – 38:45
All right.
38:45 – 38:47
So that wraps it up.
38:47 – 38:51
I hope everybody enjoyed this session and learned something.
38:51 – 38:59
And we look forward to having further conversations with you, especially our customers and any of you that have any additional questions.
38:59 – 39:02
So thank you from me and Dinesh.