(upbeat electronic music) >> Announcer: Live from New Orleans, it's theCUBE. Covering VeeamOn 2017, brought to you by Veeam. >> Welcome back to New Orleans, everybody, I'm Dave Vellante with my co-host Stu Miniman. There's been a lot of talk of course this week because of WannaCry about ransomware. Edward Haletki is here, he is the principal at TVP Strategy and he and I were having a conversation the other night about ransomware. Edward is a security expert, strategist, been around a long time, Edward, good to see you, thanks for coming on theCUBE. >> Thank you for having me again. >> Let's riff on this a little bit. You had some really, I thought, thought-provoking ideas about ransomware. I was making the point that look, if you got an air gap, you're good, right, and you said, "Well, no," I said, "Well, what if you have an offsite tape?" And you said, "Well, it's not that simple." >> Edward: It really isn't. >> What's the deal with how to protect myself against ransomware? >> Well, let's just start with a few things. This particular about of ransomware is actually in version 2.0. So the guy found the kill switch for the first version, they already fixed that bug and put it out again. So now it's hitting over 200,000 machines in 99 countries. It's spreading around the world like crazy. The only way that I found to protect yourself is to actually have the ability to do, in a lot of ways, versioned writes. In other words, you keep a version of everything. That's important, but you got to first figure out what's important. But it's more than that. It's an entire architecture around data protection, security and even your business. You need to start with, if you're talking about from the security perspective, you need to start with a way to prevent what's known. If I can prevent what's known from getting to you, like phishing attacks and other attacks, I can prevent you from spreading ransomware into your company. So that's kind of a gate, but if that comes through the gate which it could and it did, you need something able to detect ransomware. And that is a detection that data protection's prime to do. >> But like, okay, explain this. Sort of revisit the conversation we had. If I have an air gap, meaning I've got a separate data center that's disconnected somehow or periodically disconnected, as some vendors have suggested, I'll rotate the connection. And I've got data off site. Let's say I've even got it off site in tape, even though I would ideally not like to recover from tape. Why am I not protected in that scenario? >> It depends on the retention schedule. If the retention schedule's long enough, you'd probably be fine. Most people don't find out there's ransomware until they reboot a machine. >> Dave: And they've rotated through their tapes by then, you're saying. >> They could possibly do that. Some of the smaller businesses, they probably have. Some of the larger businesses that keep yearly and monthly and so forth, and they keep them for seven years probably haven't. But as we move move further and further away from tape and more to the connected universe, even multiple copies of something doesn't necessarily protect you, unless they're immutable copies. >> Well, Phil, Bill Philbin said it today, he said, in a different way, he said, "When we make boo-boos "and we replicate the boo-boos, we replicate really fast," and I tweeted out, I said, well, if there's malicious encryption, that probably replicates really fast. >> Edward: It does. >> Okay, and so. I mean, maybe we should explain the basics here as that's really what the ransomware folks are doing, right, they're encrypting your data and then saying, "Hey, you want the keys back, you got to pay us," is that-- >> Well, and actually, the new breed is, "Hey, pay us and we won't even give you the keys." >> Well, you know, I was watching CNBC the other day when WannaCry hit and one of the experts that they had on, the CNBC analysts asked them, the anchor's asked them, "Well, what do you do?" And they said, "Well, unfortunately, "you just might have to pay the ransom," which was surprising to me because there's no guarantee you're going to get the keys. >> The keys, but it's actually 60 million dollars worth of ransom right now. That's a lot of money. >> Okay, so-- >> I mean, this is, it's 300 dollars a bitcoin to get your key. >> Dave: Right, you're paying in bitcoin, obviously. >> Which is also, that's expensive to get. And a lot of companies just don't have bitcoins lying around, so they have to go out to either mine them or-- >> Dave: Or go to a marketplace. >> Go to marketplace and buy them. >> Especially the people that are still running Windows XP aren't necessarily the people that are bitcoin experts. >> Exactly. >> Okay, so now, what you had suggested to me was that the backup software vendor, we're here at VeeamOn and we're at a Veeam event, backup software vendor actually has data because they're pushing change data to the network periodically. And in theory, they could use analytics to identify anomalous behavior. >> Edward: Exactly. >> In terms of encryption activity that's higher than normal. Explain that. >> Well, there's a couple of ways you can do that. One is that you could look at the CPU utilization, say hey, it's a high CPU utilization, something's going on. Unfortunately, you can't tell if that's a normal action or a non-action, an encryption action, especially with the new chipsets, encryption's very very fast. And the overhead's very very little, could just hide in the noise. When you look at data though, as it gets encrypted, when I do data protection, normally in a virtualized environment or even in a physical environment these days we do something called change block tracking. Or the equivalent thereof in the physical world. And what that does is that, for every block that changes of the file system, I can, that gets sent over to be protected. So as those increase because I'm encrypting more and more and more, you're going to see an increase in the number of blocks that have changed. You could say normally that machine does maybe a kilobyte per backup. And suddenly you're doing a gigabyte. That's a huge difference, that's a big red flag saying hey, something's gone wrong, that's not normal. >> What about this idea of like, honeypot files, like here's where we store all the credit cards file. >> Edward: Oh, we call them canary files. >> Canary files, great. >> And this is, canary files are another way you can detect things. If you have a file server, you should just put a canary file out there, nice juicy name, you know, CEO's whatever, something like that, a spreadsheet, it could be an expense report that you know is ancient. It doesn't make any difference. What that canary file is used for is you just periodically query the file, like, can I read you? It doesn't have to be a big file, it just means I can read you, 'cause it's going to encrypt the whole thing. Once I can't read it anymore, you know, you've been hit by ransomware usually. >> Right, because there's no reason you would've encrypted that file. >> Or even touched it, no one should be touching it. >> Dave: Right, some zombie file. >> Exactly. >> Okay. Now, for a company like Veeam to put a solution, I mean, I'm making the case that there should be specific solutions in the marketplace for ransomware. >> Edward: Oh, absolutely. >> Not just a sort of hand waving and buy our product because of ransomware, it should be a specific solution geared towards solving the problem. What does that solution look like, how would a company like Veeam, who would the partners be that they would put that together, what types of companies would they need, what type of capabilities would be required? >> Well, for Veeam, I think you need four general capabilities. They have one of them, that's the recovery stage. They have instant, the capability to do instant recoveries. That is a must, so if you have ransomware, to recover the business, you just do an instant recovery of a known good source. The other one is on the front end, you really need the prevention. In other words, I'm going to prevent people from doing fishing or I'm going to prevent attacks coming in with that type of payload. So if it's an encrypted payload, don't let it through. Those are possible. The middle of it is the detection, and then what we call legal hold. In other words, I want to say, okay, I detected the possibility of ransomware. And then I want to mark this recover point, the one that I'm currently backing up, as potential for ransomware so the one before that is the one I say, "Hey, don't delete that one "until I've inspected it," and that's the one you may do the instant recovery off of. >> Okay, so prevention, I mean, that's just good practice. But let's assume for a second-- >> That's a security company has those capabilities, some of them do a really good job at that, but even with something like WannaCry, you can't prevent someone from clicking on a link. >> Right, so assume for a second that I didn't prevent it. So I should do that as best practice, but assume I didn't prevent it, so I got to have detection. >> Edward: Absolutely. >> They've penetrated, now I'm using what, analytics to look for anomalous behavior? >> I'm either using a canary file or I'm using analytics at the data protection layer. I could even use analytics at the storage layer to say, "Hey, there's a lot of changes happening," that's going to go down the storage path and I'm going to be able to see it there as well. >> Okay, and then legal hold, in 2006 when the federal rules of civil procedure changed and they said electronic documents are now admissible. Most large companies and certainly large companies in regulated industries began to implement techniques to do legal holds, particularly around email archiving, which was just one piece of the problem. That's a complicated problem. >> It is, but it's really legal hold like. It's the concepts of legal hold, but applied specifically to data protection. In other words, you want to say the recover point that I'm currently writing to could be bad. We don't know, so mark the recover point previous to that as don't delete. Don't mark the one you're just doing, it's the one previous to that. 'Cause what could happen is you may not do the instant restore 'cause they're fine. But three days later when that one's going to roll off, it rolls off and it may go away. And if it goes away, you're sunk. >> Okay, and then fast recovery, which is the capability that you said Veeam has, obviously. >> Edward: I would say some recovery, yeah. >> Am I to infer that an air gap is not required? >> Well, when you start doing the... It is and isn't. If you have a good architecture, that architecture's going to include things like going to an immutable storage source. So I'm going to store my backups on an immutable source or target. And that immutable target, the best one today is really an object store where it has versioned rights. Every version that gets written is immutable. So as you do data protection, you write to a new version a full image, so it's a synthetic full image that gets put into that blob of storage. So I have my target for, my Veeam target, let's say, and then Veeam would replicated that or do something to put that on this object store for versioned writes. Then what happens is I can either restore from the Veeam target, but let's say that gets corrupted, now I can go back to the object store as the ultimate source saying, "Hey, I'll just go back "to the immutable versions." >> Okay, when I hear immutability, I often think of blockchain. Can blockchain, does it fit in here in the future, can it help solve problems like this? >> Yes and no, blockchain is actually very old. We've been doing blockchain encryption for ages. EBC was an electronic blockchain for encryption. I'm not sure it's actually going to solve that problem. But immutable is basically non-writable, that's what I'm talking about, you can't change it once it's written. And if you can protect that using blockchain and the metadata and all that, that's fine. But I don't think that's necessary. >> It's like containers too. Everything's been around forever. (laughs) >> It has been. I mean, when you think about, but this particular one is really taking advantage of what object stores have to offer today. And there's several companies that have that capability and it adds a nice layer, we think it's archive, but it's not, to me it would be the intermediary. It's the pre-archive, it's kind of like, okay, put it there, and then I may archive that off on a retention schedule. >> Excellent, Edward, great analysis, thank you very much, appreciate that, so Stu, let me bring you into the conversation, put a bow on VeeamOn 2017, what are you takeaways? >> So Dave, we go to a lot of shows and love when you have a community that's excited. That term love is not one that you hear at many shows, I mean, I'm sure Edward probably-- >> Edward: I would agree. >> I love VMware bumper stickers that people have. Technology is, you know, we're down in the weeds here. I mean, here's people that are passionate about availability and backup. The thing that I was looking for coming on to this show, Dave, is what they addressed, you know, day one and the main keynote. Which is the big wave of virtualization has kind of gone past, you know, the peak of where it is. And how can they look at that next generation, can they hop on the waves? The things that I really liked, we got to talk to a lot of customers, Dave, customers, passionate, not only the enterprise where they've been getting into, but talked to a number of service providers including some interviews that we did where they like what they're doing, they keep building. Public cloud and where Veeam fits, I think it's early days. Want to see how that develops, want to see how customers use it, we did talk to one customer that was really excited about where that'll fit in. I like that Veeam has, you know, clear eyes as to where their future is and they're embracing that change. I always hear, sometimes you hear that term embrace and you're like, yeah yeah yeah, sure, you're kind of giving it lip service, but are you going to be able to move forward on that new trend, because as we talked, Dave, in a couple of segments here during our two days of interviews, usually when there's a shift in the landscape, the players change, the previous incumbent will not be the leader going forward. And Veeam has a strong team, they've put a lot of new people in place, and they know where the battles will be fought. Early days in some of this next wave, but it was exciting to be here and happy to share it with you. >> Yeah, I mean, I learned a lot about Veeam. Most of my interaction with the company have been either informal or kick in the tires, v tugs and v mugs where you've seen them for years. I came in knowing that the press releases talked about 600 million dollars in bookings, ambitions to become a billion dollar company. Very rapid growth rate, 45,000 partners. So that was quite interesting, to see that in action. This company's got real big ambitions, this idea of being sort of the availability expert for whatever use case you want, whether it's in the cloud or going to the cloud or coming from the cloud or between clouds, is very ambitious. I think that's a wide open space. I suspect it's a big market, although it's really emerging, and I suspect all the individual cloud vendors are going to be going, trying to protect their little parts of the world, companies like VMware are going to want to try to own that inter-clouding space and other startups are trying to get in there. It's a sort of jump ball in my view there, but I like the ambition. It was interesting to hear Peter McKay talk about Veeam in the context of software companies that are growing and growing fast, getting to 800 million which they're not there yet, the likes of Workday and Salesforce and ServiceNow. Of course, those are all public companies and Veeam is a private company, so it can write its own narrative. >> They've got enough revenue, Dave, that they could be public. There've been plenty of companies that have IPOed with much less revenue. I'm shocked you haven't mentioned it, Dave, profitability. I mean, in today's day and age, a company of the size that they are, and they're still growing at a rapid pace and they are profitable. So you know, kudos there. >> Yeah, and then the other thing that struck me was the pace of product announcements, I always look for that. At a lot of the shows that we go to, you hear a lot of hand waving about digital transformation, but you don't see a lot of products coming out. So there was some excitement around the products, so that's a good sign that they can turn strategy into R&D into products that sell that the partners are taking and uptaking. So it was a good sort of first experience certainly for me at VeeamOn and theCUBE, and Stu, always a pleasure working with you, we got, excuse me, get to take a break. The boys get to go home after 20 days on the road, and then, you know, we're cranking up again. We got shows every single week in June, multiple shows, US, international, so to to siliconangle.tv, check that out, check out our schedule. Go to siliconangle.com for all the news, wikibon.com is cranking some stuff out as well. Edward, thanks for sitting in. >> Oh, my pleasure. I do have one thing to interject, I've actually looked at Veeam from a totally different perspective. I've been watching them and monitoring them for about 10 years. From their technology perspective. Actually over 10 years, I started with them. So I went through the virtualization, backup wars with them and all the other companies. Their rate of innovation, their rate of change has actually been far greater than many other data protection companies. It's not just their new releases, it's their whole, they've gone through several shifts in messaging. And several shifts in what their products do. And it's been fascinating to watch. >> Well, and that's a really good point, because a lot of the traditional backup software companies are living on maintenance. And it seems like Veeam is trying to, as Pat Gelsinger says, catch the wave and not be left in the dust as driftwood. All right, we're going to leave it there, thanks for watching, everybody. We will see you next time, and take care. (upbeat electronic music)