In an effort to alert enterprises to ransomware attacks as they occur, Catalogic Software this week released GuardMode in DPX 4.8.1, the latest version of the company’s enterprise data protection product.
GuardMode, available to customers at no additional cost when upgrading to DPX 4.8.1, uses threshold monitoring, pattern detection, and honeypots to identify potential ransomware attacks, identify affected files, and restore only affected files to reduce data loss.
Catalogic’s new feature is part of a trend among data backup vendors to provide earlier ransomware detection and data backup veracity. GuardMode is in line with what others such as Cohesity, Veeam and Rubrik already offer, according to Krista Macomber, senior analyst at Evaluator Group.
“We see that data protection needs to evolve to help detect cyberattacks and prevent them as well,” she said. “Catalogic is stepping forward with the platform to be able to meet these requirements.”
A closer look at GuardMode
Traditionally, it takes companies seven to eight days to catch a ransomware attack, and since they don’t have the tools to identify which files or how many files are affected, they restore all systems, resulting in a loss of useless data, according to Sathya Sankaran, COO at Catalogic.
Catalogic now provides a more selective capability by monitoring not only daily block-level data changes, but also file-level changes before a backup is created, which can include, for example, changes to file extensions. file indicating ransomware attack.
“We can collect these heuristic models [on a file] by just being in the surveillance pipeline,” Sankaran said.
When unusual behavior is detected, GuardMode runs the anomaly on over 4,000 known ransomware strains, collected using a Windows file server resource manager. If GuardMode finds a match, it notifies the backup administrator of the suspicious behavior.
Catalogic automatically updates the list of known GuardMode strains as new variants are added to the collection. But before offering the update to customers, Catalogic manually authenticates the changes.
Macomber said this aspect of GuardMode, in particular, helps differentiate Catalogic’s offering from others.
“He proactively sends this list to admins, and…they don’t have to worry about whether it’s up to date,” she said. “This is particularly important given the volatility of the threat landscape and the evolution of these attacks.”
For unknown ransomware variants, GuardMode uses honeypots, or files full of decoy data, to trap bad actors.
“Your plan A is to check against a known database,” Sankaran said. “Your plan B is that even if they fall into this database, we have a way to capture it.”
Currently, GuardMode works on Windows file systems. Catalogic will extend GuardMode to Linux filesystems, which Sankaran says should be released during its regular release cycle in four to six months. The company also plans to introduce SIEM integrations, a dual detection feature for more granularity, as well as machine learning and guided product recovery capabilities.
When data protection and security meet
Macomber expects the trend of providing ransomware detection tools in backup and data protection products to continue. Ransomware detection and recovery is now a board-level concern, putting additional pressure on IT operations to run quickly and prompting vendors to create tools to help them do so. she said.
Putting tools like these in the hands of the backup administrator also pushes the storage team to be more proactive in a company’s cybersecurity strategy, according to Johnny Yu, research director at IDC.
“Data protection is its own thing, and security is its own thing, but to fight ransomware you have to deal with both processes,” Yu said. data protection and recovery.
This is how Catalogic’s Sankaran describes GuardMode, as a data backup feature layered on top of security elements. Because it is integrated into the data recovery process, GuardMode not only monitors data changes and can alert the backup administrator to suspicious behavior, but it can also take the following actions to help an organization recover in a way that endpoint detection tools like Microsoft Defender cannot.
“These [endpoint detection] solutions … are optimized to give you a red alert to all your security actors but without actually telling you how to recover your important data set,” he said.
While some data backup vendors may add a security label to their products, Catalogic remains firm in its focus on the backup administrator.
“What we’re really trying to do is help the storage and backup team give them the tools they need to do their job,” said Mike Miracle, chief strategy officer at Catalogic.
DPX vPlus
Catalogic also unveiled DPX vPlus this week. The offering provides data protection for Microsoft 365, as well as open virtualization platforms such as RHV/oVirt, Acropolis, XenServer, Oracle VM and KVM.
“DPX vPlus is really about protecting all of these workloads outside of the traditional hyper VMware[visor] market leaders,” Sankaran said.
DPX vPlus licenses are additional cost components, as it may be a standalone product; licensing for vPlus is based on worker nodes or number of users, depending on the company.
