Stealing data, compromising data, and holding data hostage have always been the main goals of cybercriminals. Threat detection and response methods continue to evolve as the bad guys become increasingly sophisticated, but for the most part, storage has been missing from the conversation. Enter “Cyberstorage,” a topic the SNIA Cloud Storage Technologies Initiative recently covered in our live webinar, “Cyberstorage and XDR: Threat Detection with a Storage Lens.” It was a fascinating look at enhancing threat detection at the storage layer. If you missed the live event, it’s available on-demand along with the presentation slides. We had some great questions from the live event as well as interesting results from our audience poll questions that we wanted to share here.
Q. You mentioned antivirus scanning is redundant for threat detection in storage, but could provide value during recovery. Could you elaborate on that?
A. Yes, antivirus can have a high value during recovery, but it’s not always intuitive on why this is the case. If malware makes it to your snapshots or your backups, it’s because it was unknown and it was not detected. Then, at some point, that malware gets activated on your live system and your files get encrypted. Suddenly, you now know something happened, either because you can’t use the files or because there’s a ransomware banner note. Next, the incident responders come in and a signature for that malware is now identified. The malware becomes known. The antivirus/EDR vendors quickly add a patch to their signature scanning software, for you to use. Since malware can dwell on your systems without being activated for days or weeks, you want to use that updated signature scan to validate that you’re not reintroducing malware that was sitting dormant in your snapshots or backups. This way you can ensure as you restore data, you are not reintroducing dormant malware.
Audience Poll Results
Here’s how our live audience responded to our poll questions. Let us know what you think by leaving us a comment on this blog.
Q. What are other possible factors to consider when assessing Cyberstorage solutions?
A. Folks generally tend to look at CPU usage for any solution and looking at that for threat detection capabilities also makes sense. However, you might want to look at this in the context of where the threat detection is occurring across the data life cycle. For example, if the threat detection software runs on your live system, you’ll want lower CPU usage. But, if the detection is occurring against a snapshot outside your production workloads or if it’s against secondary storage, higher CPU usage may not matter as much.