Video: Organizational Challenges in Detecting Ransomware Attacks | Duration: 61s | Summary: Highlighting the challenges faced by organizations in detecting and responding to ransomware attacks effectively.
Video: Minimizing Performance Impact: Nasuni Ransomware Protection | Duration: 35s | Summary: Efficient ransomware protection solution with negligible impact on system performance, ideal for Nasuni users.
Video: Rapid Recovery from Ransomware: Key Strategies | Duration: 97s | Summary: Ensure data recovery through untouchable or immutable versions, critical in ransomware attacks for rapid restoration.
Video: The High Cost of Ransomware: $1,000,000 Per Hour | Duration: 133s | Summary: Understanding the high stakes of ransomware attacks with potential million-dollar losses and widespread impacts on organizations.
Video: Enhancing Security Measures with Ransomware Protection | Duration: 95s | Summary: Advanced ransomware protection with fast recovery and enterprise integrations for large corporations' global security needs.
Video: Understanding Nasuni: The Unified File Data Platform | Duration: 118s | Summary: Nasuni: the unified file data platform offering storage, backup, disaster recovery, and cybersecurity solutions.
Video: Efficient Data Recovery: The Key to Ransomware Resilience | Duration: 106s | Summary: Explaining a unique data recovery approach that enables swift and granular recovery post-ransomware attacks for minimal disruption.
Video: Nasuni: Revolutionizing Security with Unified File Data | Duration: 127s | Summary: Nasuni: Unified file data platform simplifying storage and data services, backup, disaster recovery, cybersecurity.
Video: Ransomware, It's not if, but when... | Duration: 2404s | Summary: Ransomware, It's not if, but when... | Chapters: Ransomware Threat Introduction (20.175s), Ransomware Recovery Challenges (223.295s), Cybersecurity in Infrastructure (384.895s), Nasuni Security Features (791.06s), Q&A and Conclusion (1669.32s)
Transcript for "Ransomware, It's not if, but when...":
Thank you to everyone for joining. So I'm Ben Clark, a product manager, a product marketing manager here at Nasuni. My general focus is our ransomware product and security. And today, we're going to talk a little bit about some relevant stats, when it comes to ransomware, some things to think about to ensure resilience in 2025, and some key areas to focus on. I'll introduce the audience to what Nasuni even is really quickly, and then we'll talk about what we do for our customers for security. Can you afford to lose 1,000,000 an hour? I think it's not worth even polling anyone unless Elon Musk is in the crowd. I mean, he could probably afford that. But, no, most people, most organizations do not wanna lose a million an hour, cannot afford to lose 1,000,000 an hour, and you could probably guess what that may be, when it comes to ransomware. Before we get there, ransomware is continuing to be extremely prevalent. Seventy-three percent of companies reported successful attacks in the past year. I don't have the deeper stats on this, but not many of them were able to detect it and recover quickly. Many of them dealt with issues getting their data back. Many paid the ransom. But 73% is the vast majority, and so it's gonna happen. It's not a matter of if, but when it happens. And so you have to be prepared to recover from these attacks when it does happen. And so it does happen. We see large organizations in the news all the time who you would think have tons of tools, a large security team, but it does happen. And so back to that million dollars an hour, that is the average cost of ransomware downtime. And, obviously, this varies widely. If you're a massive health care organization or a large manufacturing organization and you have multiple production lines go down, you can easily see these numbers or maybe more. You know, smaller companies, it might not be this much, but the big thing here is that we hear about a ransom.
You know, they're asking for a number of Bitcoins or something. They're asking for a ransom to decrypt your files, but that's just one small part of a ransomware attack. Many of the costs come with unplanned downtime, impacted supply chain. You may be impacting other organizations that you work with within that supply chain. Reputational damage, when we're talking about stockholder value, when your name is in the news for a ransomware attack. So the ransom is the smallest of your worries. There's a lot of costs that are incorporated with a ransomware attack if you can't handle it properly. And so looking at those organizations that were attacked, only 35 were able to recover from this in a week or less. And I wish that was even more granular because if you were down from a ransomware attack for a week, that would still be pretty substantial. 31% a week, one week to one month, and then thirty-four percent took more than one month to completely recover. And so this sounds kinda crazy, but to really investigate the damage, know what's going on, understand what was impacted, get those systems back online, and be able to recover that data when you don't have a plan in place or systems that allow you to easily recover data. It can take a very long time, and who knows how much money that's gonna cost when you're trying to get back to normal for over a month. And so some other interesting stats from this study, why is this the case that it's taking this long? Why are they, you know, this many well, I guess, you it's not if, but when. You can't really stop it from happening to you. It's really about responding to it. But less than half of these organizations could detect infiltrations in real time.
Some organizations have ways to detect that something's going on, that might be sort of delayed, like waiting to analyze backups, or something like that, or maybe they, you know, detect it when half their files are completely encrypted, and it's just very obvious at that point or a ransom message comes through. So that's pretty low. That's a key point or a key piece to have for security strategy. And only 30% prioritize file recovery capabilities. If you can't recover your files, then you're just screwed when a ransomware attack happens. So the ability to recover fast and the ability to detect it, stop it, and recover fast really are the key points when we're talking about dealing with ransomware, especially in 2025 as these ransomware variants and these ransomware groups become more and more sophisticated. Organizations have to become more sophisticated themselves. So preparation makes all the difference, to get ready for when ransomware strikes. So before we get into some key pieces here, I wanted to just add a couple more stats that came from some of Gartner's newest reports into 2025. And so top use cases and drivers for I&O leaders. And so this is for the hybrid cloud storage category, which Nasuni falls into. And Gartner defines hybrid cloud storage as a solution that delivers seamless data services to various data centers, edge locations, clouds, and platform services. So that's a pretty general, vague explanation. But, hopefully, in a few slides, we can help describe what we do here. But the use case is most commonly recognized and funded by I&O leaders. You can see many that are important on the right-hand side, but backup or disaster recovery is the 80%, of respondents are considering implementing this or investing in this. And let's see what else is there.
Burst for capacity and storage standardization are up there as well, but the key here is that backup or disaster recovery is by far the highest choice there. And so when we're looking at the technologies that CIOs are investing in in 2025, I think the other ones there are pretty obvious. Generative AI and artificial intelligence are towards the top of the list. And if you can't see that sideways there, those are all different industries. And, you know, it really doesn't matter on this graph because they're all pretty high above 80%. But even in first place, before AI in general is cyber and information security. And so this is tying more and more to infrastructure, where organizations hold most of their data. You know, for our customers and prospects, we're our, you know, our buyer is usually the head of infrastructure somewhere in middle management there. But we're typically more and more talking to the CISO than the CIO who are getting involved with these decisions when it comes to an infrastructure platform because you need to make sure that whatever platform you go to is now starting to incorporate some of these cybersecurity capabilities. And so what is needed to ensure data resiliency? What are some key points to think about if you are thinking of continuing to invest in cybersecurity? Number one is immutability. And so this goes back to those recovery capabilities, to make sure you have untouchable versions or immutable versions of your data or backups of your data that you could resort to when a ransomware attack happens, to restore your data before it was encrypted. That's key. If you don't have the ability to recover your data or restore it to the state before a ransomware attack encrypted it, there's not much help there for you. Mitigation and rapid recovery. And so this ties into the whole message here. It's not if, but when. It's all about detecting it fast, stopping it fast, and recovering it fast.
The mean time to recovery, because the you know, every second counts, I think. LockBit was one of the most popular ransomware variants of the last couple years. I think, recently, they've been mostly shut down, but they were one of the fastest as well that could encrypt around a hundred thousand files in about five minutes. So every second counts. You know, if that's in five minutes, if you even let hours go by, this is spreading to hundreds of thousands of files, or even more than that. And so as every minute passes, the downtime is gonna get worse. The more files and users are gonna get impacted, and then the really bad things are gonna happen that put your organization in the news. So speed is key. Adopting accepted frameworks within the industry like Zero Trust and NIST. So Zero Trust is really all about authenticating access, making sure only the people that need to access certain data or certain information or certain files can, which is super important. And then the NIST framework, which is, you know, built around recovery from different things like ransomware. And we'll talk about how we've mapped to that in a few slides. Enterprise visibility. And so cybersecurity, I just talked about how the CIO and CSO are getting more involved with the infrastructure teams and the security when it comes to storage and infrastructure. There are many stakeholders here. So visibility into your process when a ransomware attack happens, your tools is extremely important, you know, that your security team understands what's happening with your file data if a ransomware attack happens. So visibility is important there, and it ties hand in hand with the next one of reporting and compliance. In many states, you have to report ransomware attacks within seventy-two hours. There's many key stakeholders like the security team, your executive team, your cyber insurance.
And so the transparency into what's happening is extremely important, and this also applies to being able to recover effectively. So having transparent reports of everything that's going on is key, and this was a, this is a big value for our customers, and we'll talk about how we address this. And then finally, trained personnel. In that study that we were showing those stats from, there was a super low percentage of organizations that even have a plan in place when a ransomware attack happens. So this is, you know, if you don't even know what you're gonna do when something happens, it doesn't really matter how many tools you have, whether they're sophisticated enough or not. You gotta know who's doing what and what's happening when an attack happens and be able to practice this and be ready. Okay. So these are some key components here, and now we're gonna change pace, introduce Nasuni, and how we approach security. So I'm sure we have a lot of audience members that don't even know what Nasuni is. And so in a sentence, Nasuni is the only unified file data platform that combines storage and data services into a single scalable software solution. And so in many times, this includes unifying legacy NAS infrastructure. Nasuni was originally named that, standing for NAS Unified. But this also applies to backup, disaster recovery and cybersecurity capabilities built in. So instead of just consolidating or unifying legacy NAS infrastructure, we often see customers consolidate their backup infrastructure as well. And we'll see why that is in a second. And so if we're looking at the three components to why a unified file data platform like Nasuni is valuable to our customers, number one is IT efficiency.
We streamline operations and simplify the infrastructure, as I mentioned, because we're really consolidating all of their file data into one single pane of glass management or one single source of truth no matter if the customer is in the cloud, on prem, or a combination of both and no matter how many locations they have around the globe. And so we do this by utilizing object storage, which is cheaper and more scalable and allows us to eliminate any limits to how much file data they have on Nasuni. So no limits to amount of files, folders, users, or even snapshots of their data recovery points, which we'll get to. And this can all be easily ramped up and down without the need for additional storage. So super easy to scale globally. And the last point I'd like to make here about efficiency and performance is that we utilize caching either on prem or in the cloud regions closest to the users to eliminate some of the latency and bandwidth issues that you normally run into with cloud deployments. So it works as if you're, you know, just working off an on prem server. And so there's caching and then intelligent synchronization to prioritize which of your files will propagate to that gold copy in the cloud so that you can improve collaboration for other users that may be on the other side of the world also working on those files. So Nasuni does very well with industries like AEC, manufacturing, even game developers, because it allows great collaboration between global locations even when different users are working on very complex files, like engineering design files, like AutoCAD, things like this. So that's the bread and butter of Nasuni there. You know, cost savings, I think that's an obvious one. And then resilience, you know, we have customers with petabytes of file data on Nasuni. So resilience and cybersecurity is key, and that's what we're gonna get into now. And so what is our whole story on security for your data?
So here's your petabytes of data in the bottom right corner. So it's super important to protect that. We know that most organizations follow a multilayered approach or a defense in depth that every layer counts to protect your organization and your data. And so file data is generally some of the most important data an organization has, and we think we provide a very strong layer of protection for your organization's file data. And so number one, that starts with the Nasuni platform itself. So there's all these great things like end-to-end encryption that, you know, us or the cloud provider is not seeing the data that our customers have, zero trust authentication, some of those great certifications like SOC 2 Type 2. But the main point I wanted to point out here, I mentioned earlier that there's no limits to snapshots on the Nasuni platform. And so these infinite immutable versions of your data are created every time a file is created or if a file is changed. So every delta goes up to the cloud as a new version. And so what this does is and how this, you know, really applies to security is that when you have a ransomware attack, you're just dialing the pointer back to the time and the version before that ransomware attack entered your system. And so you're not restoring any data, as you would from backup or tape or disk, which can take forever. You're really just dialing back to the previous version, and then you're good. And so what this creates is extremely fast recovery, and this is something that's, you know, built into the architecture of the platform that we've always had. And that's great. And it allows us to, you know, we have videos showing us recover a petabyte of data or a million files in less than a minute. And so it's extremely fast, and it's extremely granular. When you do this kind of recovery, it's not even recovering that whole snapshot or of data.
You don't have to recover the whole volume or even folder. You're simply recovering, you know, if it's 300 files, it's only dialing back those 300 files before the ransomware attack entered the system. And if you have users working on other files within that same folder, they won't even know anything happened. So that's great. But fast recovery is not too helpful if you don't even know a ransomware attack is in your system. And so we introduced our ransomware protection solution to really fill in the gaps there. And so what this is incorporating is real-time detection that's analyzing file data at the edge, automatic mitigation, you know, once an attack is detected. So, generally, at the edge, it's always looking for behavior of a ransomware attack. As soon as something is detected and it creates an incident a minute or minutes later, these mitigation policies will kick in and block it from the rest of the network. And so the blast radius has been limited. And then it also introduces comprehensive reporting that can be generated immediately with all the details you need to know. We'll look at this in a second. And then finally, you're getting to your recovery even faster by detecting, mitigating, and knowing exactly what's happening. So that's ransomware protection. And then finally oh, I think I'm missing the third layer here. I might have deleted that slide. But the third layer here is enterprise integrations. And so we, you know, this is really great for, you know, maybe your terabytes or petabytes of file data, and it works super well for a ransomware attack that impacts your file data. But, you know, when we have really large corporations that have security teams that are overlooking a huge global corporation, not just file data, but many different systems. Enterprise integrations are key to expand the reach of our security capabilities. And so that's been a big priority for us.
And so what I mean by that is integrating the logs and the early detection we have into different SIEM or SOAR tools like Microsoft Sentinel. We're introducing our integration into CrowdStrike this upcoming month. But this really improves our story there and allows these security teams to see that a ransomware attack was detected and then maybe enact secondary actions outside of Nasuni, you know, whether it's in the Microsoft ecosystem or whatever. And so dialing into each of those steps, I mentioned the detection is in real time. I mentioned how we're just dialing back snapshots, and we talked about how every minute counts. And so why this is great is because, you know, even waiting a few hours for analyzing a backup takes too long. The attack will spread extremely fast, and every minute can be very costly. And so what our detection is doing is looking at the activity at these edge instances and looking for known ransomware signatures as well as anomalous behavior that could hint at an unknown ransomware signature, which is extremely common these days. Just having a database of known signatures updating multiple times a day wasn't good enough. And so now we're analyzing patterns that will tell us if there's a ransomware attack that either has an unknown signature, like a zero day attack, or one that generally creates a random signature every time it pops up. And so this is, you know, detected quickly at the edge and then, as I mentioned, immediately stopped. And so if we're looking at the process here, we've detected it. We've stopped it. And then I mentioned right when that happens, you know, this could even be just in minutes, you have a report of everything that happened, and that's what this looks like. This incident report is able to be generated from the management console pretty much instantly. And, hopefully, it's not super small for everyone.
But it starts off with a summary of the key details of an attack, like the amount of files affected, the filer that was affected, the volume, the user that was involved with this attack. And if it was a known signature, we'll list that as well. And then I think the biggest part of this report is that timeline there. So you'll see when it was detected, when it was stopped, when it was blocked. This is an example if you came back after recovery. So it will show you when that restore was completed. But it also shows you instantly when the last completed clean snapshot was, which is the first box in that timeline. So as soon as you detected and stopped the attack, you have all the information to go to the restore process, including the point in time that you're restoring back to. So this is super valuable for that enterprise visibility. This is super valuable for, you know, maybe giving to the security team, super valuable for recovery, for cyber insurance, all kinds of different things. And then finally, at the bottom of that report, you can see it's actually a sample list of the files impacted. It just stops at a limited amount to give you a sense of what area of the system it's in. And then there's also logs provided with the full list. So I mentioned mean time for recovery, and that's what we're trying to incorporate the speed into every part of our solution. And putting it all together, this industry-leading mean time to recovery starting from that detection that's looking in real time, that's alerting both in the Nasuni console and in SIEM tools like Microsoft Sentinel instead of delayed detection from analyzing backups, responding instantly and giving you the details instantly of what happened, and eliminating that investigative work.
So that can be an extremely lengthy part of the process if you don't have those details to investigate even where this came from, what part of the system was impacted, how far did it spread, what files were impacted, and then when did it start, when can we even recover, like, what snapshot or what backup can we even recover to, this is an extremely lengthy part of the process. And by limiting the blast radius and giving you those details, it almost completely eliminates this. And then finally, you get these details are actually automatically queued into the recovery process. So when you go to recover, that last snapshot is already queued into the system, and it's really just a few clicks. And so then you get to this rapid recovery that, you know, probably won't get to a million files, but if it did spread wide, can handle that recovery in just a few minutes. And so it's all built around speed because ransomware, you know, it's not a matter of if, but when. So you've gotta handle it and handle it quickly. And so I think that is the end of the slides, and we have time for some questions. Let me take a look. Okay. A couple questions here.

So on the client blocking piece, is the client blocked to that share, or is it network access blocking?

So we block at the level of the edge appliance, so that IP address will be blocked. One of the upgrades we have coming very soon this year is that we're going to be able to block by user to be more accurate there. And we've, you know, as I've mentioned, we also have done work with SIEM and SOAR solutions like Sentinel to feed that blocked information up to those security management tools, so that, you know, this user can be blocked from other things throughout the rest of the organization, outside of Nasuni.

What is the retention period for these immutable datasets?

Yeah. So there's no required retention period. You can keep these immutable versions as long as you want.
There's really minimal impact to the storage of these snapshots, and customers generally define this based on their needs and can configure this. We have customers who have never removed their snapshots. Some of our oldest customers have had it for years and years, and we actually have some of our larger customers that have over a billion snapshots, a billion RPOs. I don't know why they would have to restore data back, you know, ten years, but there's no limits there. It's infinitely scalable, but it's by preference.

On recovering at scale, how granular is this? Is this selected by Nasuni, or does the customer choose this?

So it is very granular. We have a feature called targeted restore. So that's what I mentioned that the details from that report are queued into the restore process, and it really dials it in. And like I mentioned, it restores those exact files. You know, even if it doesn't impact the whole folder, you're only dialing back those exact files. So that granularity is super powerful and, you know, lends itself to the speed as well. So it just makes it faster that you're restoring less. Let's see.

And do we have any integrations they can share on the road map?

And so, as I mentioned, CrowdStrike is coming very soon. We're integrating with their SIEM tool. And then, soon after that, with their SOAR tool for responding to threats. And I think, you know, as I said, it's a priority for us to integrate with as many of these tools as possible. I believe SentinelOne would be on the road map for the next one we're looking at.

Do you have a primary focus on anticipating attacks that are becoming increasingly complex with the growth of AI?

Yeah. I mean, we are, you know, as I said, these attacks are getting more sophisticated, and so, you know, your detection algorithm and your tools have to get more sophisticated with this.
And so I mentioned the next upgrade will be, you know, about identifying the user and blocking the user. But in Q4, we're augmenting our detection again to incorporate AI and ML detection. And so right now, I mentioned we first had cross-referencing, you know, known ransomware signatures and that, you know, we'd update that many times a day. And now we're looking at still that, but behavior and different patterns within the file system that would hint at a ransomware attack within the system. And this is just a made-up example, but it's looking at different kinds of patterns of file activity, repetitive patterns. So if the system is seeing, in rapid recession or if there was the right word to use, but rapidly, in the system, someone reading a file, renaming it, deleting it, or something like that, like a pattern like that happening a hundred times in a few minutes, it will tell you that something is going on based on a confidence threshold that the user will set, but we have default thresholds as well. Okay. Let's see. K.

What is the performance impact of your agent on servers and computers?

It really is a, really not noticeable impact on performance of the system What I know. And, you know, for our users that have Nasuni, there's nothing additional to spin up when they buy this ransomware protection solution, which is, you know, the detection, mitigation, and reporting. It's easy as just an on and off switch, which is great. And we could follow-up with a