(upbeat music) >> Welcome everybody to VeeamON 2021 you're watching theCUBE. My name is Dave Villante. You know in 2020 cyber adversaries they seize the opportunity to really up their game and target workers from home and digital supply chains. It's become increasingly clear to observers that we're entering a new era of cyber threats where infiltrating companies via so-called Island Hopping and stealthily living off the land meaning they're using your own tools and infrastructure to steal your data. So they're not signaling with new tools that they're in there. It's becoming the norm for sophisticated hacks. Moreover, these well-funded and really sophisticated criminals and nation States are aggressively retaliating against incident responses. In other words, when you go to fix the problem they're not leaving the premises they're rather they're tightening the vice on victims by holding your data ransom and threatening to release previously ex filtrated and brand damaging information to the public. What a climate in which we live today. And with me to talk about these concerning trends and what you can do about it as Gil Vega, the CISO of Veeam Gil great to see you. Thanks for coming on. >> Great to see you, Dave. Thanks for having me. >> Yeah. So, you know, you're hearing my intro. It's probably understating the threat. You are a Veeam's first CISO. So how do you see the landscape right now? >> That's right. Yeah. And I've been with the company for just over a year now, but my background is in financial services and spent a lot of time managing cybersecurity programs at the classified level in Washington DC. So I've gleaned a lot of scar tissue from lots of sophisticated attacks and responses. But today I think what we're seeing is really a one-upmanship by a sophisticated potentially nation state sponsored adversaries, this idea of imprisoning your data and charging you to release it is it's quite frightening. And as we've seen in the news recently it can have devastating impacts not only for the economy, but for businesses. Look at the gas lines in the Northeast right now because of the quality of a pipeline, a ransomware attack. I just, the government just released an executive order this morning, that hopes to address some of the some of the nation's unpreparedness for these sophisticated attacks. And I think it's time. And I think everyone's excited about the opportunity to really apply a whole of government approach, to helping critical infrastructure to helping and partnering with private sector and imposing some risks, frankly, on some of the folks that are engaged in attacking our country. >> A number of years ago, I often tell this story. I had the pleasure of interviewing Robert Gates the former Defense Secretary. And it was a while ago we were talking about cyber and he sits on a number of boards. And we were talking about how it's a board level issue. And, and we're talking about cyber crime and the like and nation States. And I said, well, wait, cyber warfare, even. And I said, "But don't we have the best cyber tech. I mean, can't we go on the offense?" And he goes, "Yeah, we do. And we can, but we have more to lose." And to your point about critical infrastructure, it's not just like, okay, we have the most powerful weapons. It's really we have the most valuable infrastructure and a lot to lose. So it's really a tricky game. And this notion of having to be stealthy in your incident response is relatively new. Isn't it? >> It is. It is. And you know, there are, you mentioned that and I was surprised you mentioned because a lot of people really don't talk about it as you're going into your response your adversaries are watching or watching your every move. You have to assume in these days of perpetual state of compromise in your environments, which means that your adversaries have access to your environment to the point that they're watching your incident responders communicate with one another and they're countering your moves. So it's sort of a perverse spin on the old mutually assured destruction paradigm that you mentioned the United States has the world's largest economy. And quite frankly the world's most vulnerable, critical infrastructure. And I would concur with Director Gates or Secretary Gates rather it is assessment that we've got to be awfully careful and measured in our approach to imposing risks. I think the government has worked for many years on defining red lines. And I think this latest attack on the colonial pipeline affecting the economy and people's lives and potentially putting people's lives at risk is towing also the close to that red line. And I'm interested to see where this goes. I'm interested to see if this triggers even a, you know a new phase of cyber warfare, retaliation, you know proactive defense by the National Security Community of the United States government. Be interesting to see how this plays out. >> Yeah, you're absolutely right though. You've got this sort of asymmetric dynamic now which is unique for the United States as soon as strongest defense in the world. And I wanted to get it to ransomware a bit. And specifically this notion of ransomware as a service it's really concerning where criminals can actually outsource the hack as a service and the bad guys will set up, you know, on the dark web they'll have, you know, help desks and phone lines. They'll do the negotiations. I mean, this is a really concerning trend. And obviously Veeam plays a role here. I'm wondering as a, as a SecOps pro what should we be doing about this? >> Yeah, you mentioned ransomware as a service, whereas RWS it's an incredibly pernicious problem perpetrated by sophisticated folks who may or may not have nation state support or alliances. I think at a minimum certain governments are looking the other way as it relates to these criminal activities. But with ransomware as a service, you're essentially having very sophisticated folks create very complex ransomware code and distributed to people who are willing to pay for it. And oftentimes take a part of the ransom as their payment. The, issue with obviously ransomware is you know the age old question, are you going to pay a ransom or are you not going to pay a ransom? The FBI says, don't do it. It only encourages additional attacks. The Treasury Department put out some guidance earlier earlier in the year, advising companies that they could be subject to civil or criminal penalties. If they pay a ransom and the ransom goes to a sanction density. So there's danger on all sides. >> Wow okay. But so, and then the other thing is this infiltrating via digital supply chains I call it Island Hopping and the like, we saw that with the solar winds hack and the scary part is, you know different malware is coming in and self forming and creating different signatures. Not only is it very difficult to detect, but remediating, you know, one, you know combined self formed malware it doesn't necessarily take care of the others. And so, you know, you've got this sort of organic virus, like thing, you know, create mutating and that's something that's certainly relatively new to me in terms of its prevalence your thoughts on that and how to do it. >> Yeah, exactly right. You know, the advent of the polymorphic code that changes the implementation of advanced artificial intelligence and some of this malware is making our job increasingly difficult which is why I believe firmly. You've got to focus on the fundamentals and I think the best answers for protecting against sophisticated polymorphic code is,are found in the NIST cybersecurity framework. And I encourage everyone to really take a close look at implementing that cybersecurity framework across their environments, much like we've done here, here at Veeam implementing technologies around Zero Trust again assuming a perpetual state of compromise and not trusting any transaction in your environment is the key to combating this kind of attack. >> Well, and you know, as you mentioned, Zero Trust Zero Trust used to be a buzzword. Now it's like become a mandate. And you know, it's funny. I mean, in a way I feel like the crypto guys I know there's a lot of fraud in crypto, but but anybody who's ever traded crypto it's like getting into Fort Knox. I mean, you got to know your customer and you've got to do a little transaction. I mean, it's really quite sophisticated in terms of the how they are applying cybersecurity and you know, most even your bank isn't that intense. And so those kinds of practices, even though they're a bit of a pain in the neck, I mean it's worth the extra effort. I wonder if you could talk about some of the best practices that you're seeing how you're advising your clients in your ecosystem and the role that Veeam can play in helping here. >> Yeah, absolutely. As I mentioned so many recommendations and I think the thing to remember here so we don't overwhelm our small and medium sized businesses that have limited resources in this area is to remind them that it's a journey, right? It's not a destination that they can continually improve and focus on the fundamentals. As I mentioned, things like multi-factor authentication you know, a higher level topic might be micro-segmentation breaking up your environment into manageable components that you can monitor a real time. Real time monitoring is one of the key components to implementing Zero Trust architecture and knowing exactly what good looks like in your environment in a situation where you've got real-time monitoring you can detect the anomalies, the things that shouldn't be happening in your environment and to spin up your response teams, to focus and better understand what that is. I've always been a proponent of identity and access management controls and a key focus. We've heard it in this industry for 25 years is enforcing the concept of least privilege, making sure that your privileged users have access to the things they need and only the things that they need. And then of course, data immutability making sure that your data is stored in backups that verifiably has not been changed. And I think this is where Veeam comes into the equation where our products provide a lot of these very easily configured ransomware protections around data and your ability to the ability to instantly back up things like Office 365 emails, you know support for AWS and Azure. Your data can be quickly restored in the event that an attacker is able to in prison that with encryption and ransom demands. >> Well, and so you've certainly seen in the CISOs that I've talked to that they've had to obviously shift their priorities, thanks to the force march to digital, thanks to COVID, but Identity access management, end point security cloud security kind of overnight, you know, Zero Trust. We talked about that and you could see that in some of these, you know, high flying security stocks, Okta Zscaler, CrowdStrike, they exploded. And so what's in these many of these changes seem to be permanent sort of you're I guess, deeper down in the stack if you will, but you, you compliment these toolings with obviously the data protection approach the ransomware, the cloud data protection, air gaps, immutability. Maybe you could talk about how you fit in with the broader, you know, spate of tools. I mean, your, my eyes bleed when you look at all the security companies that are out there. >> Yeah for sure. You know, I'm just going to take it right back to the NIST cybersecurity framework and the five domains that you really need to focus on. Identify, protect, detect, respond, and recover, you know and until recently security practitioners and companies have really focused on on the protect, identify and protect, right and defend rather where they're focused on building, you know, moats and castles and making sure that they've got this, you know hard exterior to defend against attacks. I think there's been a shift over the past couple of years where companies have recognized that the focus needs to be on and respond and recover activities, right? Assuming that people are going to breach or near breach, your entities is a safe way to think about this and building up capabilities to detect those breaches and respond effectively to those breaches are what's key in implementing a successful cybersecurity program where Veeam fits into this since with our suite of products that that can help you through the recovery process, right? That last domain of the NIST cybersecurity framework it'll allow you to instantaneously. As I mentioned before, restore data in the event of a catastrophic breach. And I think it provides companies with the assurances that while they're protecting and building those Zero Trust components into their environments to protect against these pernicious and well-resourced adversaries there's the opportunity for them to recover very quickly using the VM suite of tools? >> Well, I see, I think there's an interesting dynamic here. You're pointing out Gil. There's not no longer is it that, you know, build a moat the Queen's leaving her castle. I always say, you know there is no hardened perimeter anymore. And so you've seen, you know, the shift obviously from hardware based firewalls and you I mentioned those other companies that are doing great but to me, it's all about these layers and response is a big in recovery is a huge part of that. So I'm seeing increasingly companies like Veeam is a critical part of that, that security cyber data protection, you know, ecosystem. I mean, to me it's just as important as the frontline pieces of even identity. And so you see those markets exploding. I think it's, there's a latent value that's building in companies like Veeam that are a key part of those that data protection layer you think about you know, defense strategies. It's not just you, the frontline it's maybe it's airstrikes, maybe it's, you know, C etcetera. And I see that this market is actually a huge opportunity for for organizations like yours. >> I think you're right. And I think the proof is in, you know in the pudding, in terms of how this company has grown and what we've delivered in version 11 of our suite, including, you know features like continuous data protection, we talked about that reliable ransomware protection support for AWS S3 Glacier and Azure archive the expanded incident recovery, and then support for disaster recovery and backup as a service. You know, what I found most interesting in my year here at Veeam is just how much our administrators the administrators in our company and our customers companies that are managing backups absolutely love our products that ease of use the instant backup capabilities and the support they receive from Veeam. It's almost cultish in terms of how our customers are using these products to defend themselves in today's pretty intense cyber threat environment. >> Well, and you talked about the NIST framework, and again big part of that is recovery, because we talked about earlier about, do you pay the ransom or not? Well, to the extent that I can actually recover from having all my data encrypted then I've got obviously a lot more leverage and in many ways, I mean, let's face it. We all know that it's not a matter of if it's, when you get infiltrated. And so to the extent that I can actually have systems that allow me to recover, I'm now in a much much stronger position in many respects, you know and CISOs again, will tell you this that's where we're shifting our investments >> Right. And you've got to do all of them. It's not just there's no silver bullet, but but that seems to me to be just a a misunderstood and undervalued part of the equation. And I think there's tremendous upside there for companies like yours. >> I think you're right. I think what I'll just add to that is the power of immutability, right? Just verifiably ensuring that your data has not changed because oftentimes you'll have attackers in these low and slow live off the land types of attacks change your data and affect its integrity with the Veeam suite of tools. You're able to provide for immutable or unchanged verifiable data and your backup strategy which is really the first step to recovery after a significant event. >> And that's key because a lot of times the hackers would go right after the backup Corpus you know, they'll sometimes start there is that all the data, you know, but if you can make that immutable and again, it, you know there's best practices there too, because, you know if you're not paying the cloud service for that immutability, if you stop paying then you lose that. So you have to be very careful about, you know how you know, who has access to that and you know what the policies are there, but again, you know you can put in, you know so a lot of this, as you know, is people in process. It's not just tech, so I'll give you the last word. I know you got to jump, but really appreciate.. >> Yeah, sure. >> You know, the only, the only thing that we didn't mention is user awareness and education. I think that is sort of the umbrella key focus principle for any successful cybersecurity program making sure your people understand, you know how to deal with phishing emails. You know, ransomware is a huge threat of our time at 90% of ransomware malware is delivered by phishing. So prepare your workforce to deal with phishing emails. And I think you'll save yourself quite a few headaches. >> It's great advice. I'm glad you mentioned that because because bad user behavior or maybe uninformed user behaviors is the more fair way to say it. It will trump good security every time. Gil, thanks so much for coming to the CUBE and and keep fighting the fight. Best of luck going forward. >> Great. Thank you, Dave. >> All right. And thank you for watching everybody. This is Dave Villante for the CUBEs continuous coverage VeeamON 2021, the virtual edition. We will be right back. (upbeat music)