00:06
So yesterday Charlie talked about cars and Shaq talked about cars. So today I'll talk a little bit about a car. I'm in the middle of moving and I ship my car down to where I'm gonna end up. And along the way, I got a call from the transport company saying your car has been damaged and it needs to be fixed and yes, insurance will take care of it.
00:32
The car will get fixed. I have some minor inconvenience that I have to uber around for a bit, but it was a risk that I wasn't really materially thinking was actually going to happen, but it ended up being manifesting. Right. And now luckily I'm here to this week with you all.
00:47
But when I get back home, I have a whole bunch of hassles to deal with and logistics to work out. Right. And that's something that I wasn't planning for or preparing for because yeah, I didn't think it was gonna happen to me. Right. It's just, it's just a thing that happened and really a lot of organizations are in the same kind of predicament when they're thinking about
01:07
a security threat and specifically ransomware as well. It's like, I think I'm good enough for this, probably wouldn't naturally materialize in my organization. So, you know, I'm not necessarily going to do anything more or anything less than I'm currently doing. If I'm ok now I should be ok later.
01:24
And the truth is, is that at any point in time, it's not a, it's not an, if it's more of a, when your organization gets attacked and what happens when that attack happens? And because of that, we're introducing and we've introduced auto on safe mode. It's really intended to provide a zero trust architecture around your storage to protect
01:48
you for these types of events. When something breaks down an unexpected event happens, a couple of things get bypassed in your organization and now you have to figure out what your next steps are. My name is Juan Mojica. I am director of security product management here at pure storage in particular. I'm in the flash ray business unit and I'm very
02:09
excited to be with you today and thank you for taking the time and sitting with this session. So I'll start a little bit about the advances that are being made from the competitor side, right from the ransomware perspective. And really why it's going to be even harder for current vendors in the security space to keep up. Then we'll talk about really the evolution of
02:37
these ransomware attacks. How do they, how have they historically been manifesting? And what we're seeing in the more advanced cases nowadays that I've seen and I talk to customers on a day to day basis and this is really where safe mode fits in. So I want to make sure we all have a common understanding of what it is. And so a couple of slides there and then auto
02:59
on and why we're turning it on for our customers automatically, so they're able to recover accordingly. And then lastly, how do we make this even more operationally simple? How do we tie in the benefits of pure one and the management that it has there with safe mode and some of the some of the digital transformations that were happening that are
03:20
happening internal to pure to make this even simpler as well. Big number 30 billion just for this year because of ransomware, right? And this is not only the ransoms that companies are paying out to ransomware gangs or groups, this is also the disruption of business continuity. You can imagine when you experience a
03:44
ransomware attack, you're going to have to answer a lot of questions to a lot of different people, especially if you have a cyber insurer, they're going to want to know whether or not you actually applied all the terms and conditions in that policy of that cyber insurance policy that they gave you, whether you're following all these things, they're going to want to go in your environment and actually do the forensic analysis to go in
04:06
there. So you're talking about probably 2 to 3 weeks when this happens that it's taking up of your time and the amount of data that you have throw on top of that, any of the additional penalties that would come from potentially public information disclosure, personal information, disclosure, given GDPR or hip or whatever other regulation comes into play.
04:26
These things start mounting up. So it's not only about the ransom anymore, but it's about the down time that you take the stress in your life. And in some cases, obviously, these could be resume generating events if you know, negligence, negligence is found, right? And that's where we don't want to be. That's what we're trying to prevent so big
04:47
number, big impact. And that's just this year. Basically all the security vendors are saying, yeah, we got you, we got you and the ransomware gangs are saying, hold my beer. So let's talk about the attacks, right? And so with chat GP T now you could get a lot of condensed information out of it very quickly. So very quickly,
05:11
Attackers could ask and query, how does uh a va antivirus vendor a detect that a ransomware or that ransomware is acting in an environment and then can start circumventing those means and procedures that are already in place, find a different way just to execute the same behavior. And that's really here with polymorphic and metamorphic malware is what we're trying to do
05:36
a lot of the anti virus has historically worked on signatures. It's a very easy, quick way of validating whether or not a piece of software is valid and you just check the, the signature of the software. And so that's where these new wave of malware are coming into play. So, what polymorphic malware really does is it encrypts the majority of the
06:00
ransomware payload. And so you'll have basically a, a bootloader or a bootstrapping mechanism in in the beginning that will be able to decode the rest of the encrypted payload, which actually contains the virus. But because of the way encryption works, you provide a new encryption cree to encrypt that
06:20
that bad payload, you effectively will generate a new signature for that malware. A very simple way to try to bypass some of the A V signature checks. Now the A VS have to get smarter and now start looking at sub sections of the actual program that is being loaded onto a given uh system or running on a given system to make sure that it's now looking for just that boot loader in the beginning that is inserting a key to
06:49
decrypt the rest of the contents to actually execute the malware in it of itself. Take that a step even further is that if you've ever had to compile software, right. In my previous life, I was a software developer, you can ask the compiler in it of itself to do optimizations make this as efficient as possible to run on the system and what it'll do, it'll do some analysis of your code and extract
07:16
any extraneous instructions out of there to have the minimal set, the minimal actually code produced by it and then it'll run as efficiently as possible. Right? You could also ask it not to do any of those optimizations and any bogus instructions that you put in there that are basically nonsense that don't do anything or just move uh a value from one variable to another.
07:40
And you can continuously do that in a loop and doesn't effectively change the behavior of your software. It will ultimately generate a different binary. And that's effectively what metamorphic malware is doing, it can automatically generate nonsense code to then again, make that signature look different.
08:00
The the the in of itself, the byte code produced will be different. And as such, bypass the the A V vendors as well. And so you can imagine as we get into quantum computing, it's even more interesting as there's already concerns about breaking encryption and the ability to try many different possibilities to actually execute something.
08:23
It's just going to be harder to be perfectly honest to start detecting this stuff. So we're starting from a defensive position to be perfectly honest. So this is the type of payload that's gonna go into your organization. And what will happen is at some point a portion of your supply chain. It will be compromised. That could be your hardware supply chain.
08:48
That could be your software supply chain. That could be your service supply chain or your human supply chain. Right. One of those things, right. And one of those things is going to break down and eventually they're going to get access into your environment. And what they'll do is reconnaissance in the very beginning,
09:08
look around to see what they have access to what potentially they could reach, what potentially they could escalate their privileges on to do bigger, worse damage. So they're in your environment. And what they'll do is really for the most part on the traditional ransomware attack,
09:27
not go after the storage, they'll go after the host where your application is where you're actually serving up, uh where you're actually making the data even more useful, right? And so on the host on your VM, they'll go and start deploying their payload or running against that particular service as well. So they'll start encrypting the data on the
09:51
host which will then in and of itself eventually be reflected back on the volume that's stored on your array more than likely for most applications. Once you start encrypting large portions of it, it starts behaving weirdly. That's probably your first signal that something is wrong. Like if you start thinking, OK, why is this application potentially behaving abnormally?
10:15
It's because some of the data may be unavailable and it's trying to, it's trying to process something on encrypted payload. Now, that might be your first signal. And if you've ever been in a ransomware attack, you might think, ok, that might have been when the point of the infection might have started. So, something just to keep in mind in and of itself.
10:32
So the application will start behaving weirdly or stop working at all. And then once that happens, the ransomware attacker knows, uh, that they got you. Ok. The application is working as long as they figure out if you don't have any snapshots, you don't have any backups, you don't have a proper data protection strategy.
10:56
Your only recourse at that point in time is to exchange Bitcoin for the key that they gave you uh for the key that they, they have to decrypt your data. One of the interesting things is that these decrypt aren't necessarily going to be fast just going to take a while to decrypt your data. So that's kind of the, the, the first principle, the other kind of interesting thing that's not
11:22
really talked about. So when you talk about security, you typically the the the historical mantra of security is confidentiality, integrity and availability. The one dirty little thing that nobody is talking about is the integrity of the data. So in these events, when people are using the decrypt to actually decrypt the data,
11:42
how can you guarantee the integrity of that data? Like how do you know that they haven't already tweaked it or tweaking it on the way back out to a value, maybe close enough that your, your application still works. But potentially, now your business logic is doing something entirely different. And so it's a really scary situation if you ever find yourself in without snapshot,
12:04
without a backup in and of itself because you can't really guarantee anything, uh from my perspective. So that's kind of the traditional. Now, then it's the plus plus version of this, right? OK. We, we have some smart customers, we have smart people in this room. You're using snapshots,
12:24
you're using some sort of data protection. So what does the attacker know that they have to do is escalate their privileges or compromise an array administrator? And in that case, once you have those level of permissions, then, well, you can go to town deleting everything around it except the date on the host
12:47
because they're still gonna want to be paid. They need something to hold captive. So once your estate is wiped clean of any remnants of any sort of ability to recover attack is probably already underway if, if not, it's going to start right then and there. And so what, what can you do?
13:13
And this is where really safe mode brings its own value. So there's snapshots and there's snapshots in and of itself. I think most vendors have some flavor of snapshots and it's not that these are safe mode, snapshots. It's, these are snapshots protected. By the capability of safe mode and so safe mode. Like I said in the beginning is
13:34
really a zero trust data center architecture because it assumes that your ransomware detection is going to be bypassed. It assumes polymorphic uh malware, metamorphic malware. It assumes that your administrator on your device has been compromised. And not only that, it assumes that your entire identity and access management solution has
14:00
been compromised. And that by itself is probably the the the biggest differentiator that we have with safe moan. And really, what is it? It's just configuration configuration that removes privileges from administrators. So you can't just blow away all the data all at once.
14:23
And basically blitz Creig your way into getting a ransom. It's these protected snapshots that we keep on the system that allow you to recover. And what do we do? We, we still allow some operational capabilities that we have within the product. So we have a natural two step deletion as part of any of the objects within purity and so effectively, what will happen is most of
14:53
most of us would want to OK? I do want to delete this. I have a right to delete this. And what safe mode says is like, OK, we will allow you to delete this only and you know, it'll clean up only after the retention, the specified retention period, which is 0 to 30 days passes. So after that,
15:15
you know, we'll clean it up, we'll take care of it for you, but until then it's locked in there and you can't accelerate the deletion of it, you can restore it back, but we'll make sure that it's there. So there are certain applications, there are certain integrations that do depend and do execute, destroys.
15:31
And so we didn't want to break any of that functionality. And so we would allow the destroy, but we would retain the data in this eradication bin accordingly in case it needed to be restored. What we made sure also is from a configuration perspective, once you opted in to a certain level of protection that you would maintain at least that level of protection,
15:55
but we would not hinder you from increasing or making it better. So you can without any sort of intervention, go ahead and make those changes yourself. Now, in order to really make this operationally efficient and different from some of the other products in the market, we basically have a separate identity that we manage for you as part of safe mode and effectively what this allows is if your identity access management
16:25
platform gets compromised, we're still doing a secondary check with our own to make sure that you are who you say you are and we are validated against our system. This is on top of the existing multi party approval process. So you need multiple people to approve the action to take place. But there are going to be cases where Absolutely. Absolutely.
16:50
You have the right to control your data, you have the right to make modifications to your system. We just want to make sure we dot our I's and cross our TS and we have an efficient process to make sure we're validating you validating, that's intentional and allowing you to make those changes accordingly on the array. And it's really, there's no other, there's, there's this looming thing.
17:13
And if you can, if you talk to anybody in security, if, if your domain control or your identity access management platform gets compromised, what do you do? What happens, what will happen? Uh Do you have any sense of trust in your system? And like 99% of the time is like, well, you burn the thing to the ground and you stand it
17:31
up new somewhere else, right? Like it's gone if it's already been compromised. And so at least what we're saying here is that you should have access to your data accordingly even in those very extreme cases, which brings us on to auto on safe mode. So we've had a traditional way of doing safe mode, auto on leverages.
17:56
Some of the newest technology that we've integrated in purity 63 is specifically the per P group safe mode. But it's, it's the same, it's the same principles at the top of around zero trust. But this is a secure by default configuration. And what does secure by default really mean? It's, it's not that we're going to force you to live with this for the rest of your life is
18:21
that we're going to give you a configuration that we believe is secure right off the bat. So you don't actually have to figure anything on the system to start with a secure stance, but we will allow you to remove that configuration if you so wish to accept the risk that comes with removing that configuration with some stipulations depending on where you are in the process. And we'll talk about those uh in,
18:45
in a second. The idea is, is that if you don't do anything, you'll be protected, you'll create a new volume, the new volume in it of itself will have safe mode protections for the snapshots generated by the P group. And this is where some of the differences come from traditional safe mode.
19:03
And really these new volumes will be, you'll have a point of recovery for these new volumes. And that's, that's really the premise, the belief behind auto one safe mode, it so it does not affect, it will not affect existing volumes on the system. So that's one of the crucial things. It's going to be forward forward looking for, for new volumes created on those systems.
19:33
Um If you are familiar with 63 in the P groups and the protection groups, there's a setting and there's a safe mode setting. Now you could look it in the gooey and it's called retention locked. So it's either retention lock, unlocked or ratcheted. Ratcheted is a very English word. Uh It doesn't quite translate in some other
19:55
cases to be honest. And we've gotten some feedback around that. But the idea is again, it's that basic principle that you can make it better without any of the additional overhead that requires two party approval. And what will happen is is that you'll get a ratcheted protection group that is taking four snaps shots a day and for the first three days and then one snapshot for the next five days,
20:21
this protection group is going to be applied effectively to the pods within the system as their default protection. Default protection is also another feature we introduced in the 63 timeline. The idea is is that any volume that is created gets associated with whatever protection group is listed as part of default protection set and there's a setting as well and there's a gooey
20:44
component to this that will just show you which which volumes are or which protection groups are part of the default protection set. Now, here's a nuance and this is a big nuance from where we learned from our traditional safe mode. We learned from some of the integrations that we had some of the integrations that we have with backup vendors.
21:07
For example, these backup vendors will take a snapshot, create a volume or take a snapshot directly on the volume spin up that that snapshot into a volume in and of itself and try to wipe everything clean accordingly. So any volume can still be manually destroyed and eradicated. We're assuming that the ransomware attacker and this is kind of the basic gist of it
21:38
will want to get paid for their ransom. So they need to keep the main thing that's going to get them paid around, which is the primary volume. Now, our applications in it of itself as well will take snapshots of that volume directly. And so our integrations do that take care of snapshots directly of that volume.
21:59
And so those snapshots taken directly on the volume do not have the safe mode protection. So it's only the snapshots taken by the protection group on that schedule that are going to be protected, you can delete a volume that has a snapshot taken. So the snapshot in and of itself will live in the protection group. Uh but the volume in it itself can go away
22:24
accordingly. So you will have a recovery point for that volume as part of that protection group. So to reiterate this again, it's the auto on safe mode protection group is assigned as default protection and then automatically when a new volume is created, it gets associated with that protection group and then automatically new snapshots will be
22:52
taken of that new volume. There is an ability to on a per volume by per volume basis to opt out of the additional protection. There's additional flags that you can take or in the gooey, there's an option to opt out of default protection. So you can create volumes, new volumes as well without uh the auto on protection
23:16
if you so well. Uh So wish. But our belief is, is again that this is basic value, just basic checks and balances for that, you know, 11 in a million event or whatever it more likely is nowadays. So there's the opting out individually on volumes. There is the ability to after you get the system and there is no
23:44
volumes with auto on safe mode protection. Before any new volume is created, you have the ability as long as there's no volumes associated within that P group. And there's no snapshots within that P group, you can back out all that configuration. That is your another ability for you to opt out of auto on safe mode. So you can remove the configuration as long as you've not created a new volume.
24:09
Because as soon as you create a new volume, we start locking things down, we start taking snapshots, we start protecting. But before that happens, you still have the ability to opt out which we're not recommending. But I want to make sure that again, the belief is secure by default, but you have control of your system.
24:27
Now, let's say you, you, you want to make changes. This was is being announced or was announced in a session yesterday as Well, uh and I just want to walk you through kind of a more uh kind of technical perspective. They had a nice little demo. I will tell you the basic principles of these and kind of more of a Power point slide.
24:48
But the idea is not all of our customers are currently taking advantage of safe mode and we want them to, we want them to enroll, we want them to participate and we want them to make these changes so that we've had more or less a more manual process up until now. And trans digitally transform that process to make it an online process and capture everything in pure one.
25:15
So we start with an enrollment process, some bootstrapping to get the first set of approvers that allow that can make changes or authorize changes for your organization within safe mode. And this is basic enrollment for the first two users of your organization. You don't have safe mode yet, but you want to start using it in pier one,
25:38
you'll go in each one as long as they're a pier one admin, they can assign these privileges to users. They must enroll in the step up authentication mechanism. This is we will provide the kind of the separate identity that we have and manage and the validation that we will do for the users to make sure they are who they say they are.
25:56
And then once that happens, once those two pure one admins have assigned themselves their approval roles, they enrolled in authentication. We'll make sure that the members of the organization are accordingly notified as well. So now you have two safe mode of prover. You can go in now and make safe mode related changes.
26:21
And this is again, multiparty authorization is still a key component of this. We want two people to approve. So not one single person in your organization can take down all your storage. So a request is made to make a change to enable or disable uh safe mode. Make a modification on a protection group, make a modification on the eradication delay,
26:45
you know, make it shorter. Maybe you were overly aggressive. You started at 30 days and you realized maybe 14 is good enough for your organization. You'll schedule a time and then notifications go out to the other members that can approve these changes. This also gives us very good traceability, auditability as to who in your organization approve these changes,
27:08
making these enhancements is not better only for us but for you as well. So if somebody goes back and says, hey, who authorized to do this, we will have all this captured and directly available for you as well. So you'll the, the two approvers log back into pier one, they'll review the changes. And here's another additional benefit of
27:30
digital transformation is that up until now, you could get on the call with the TSC and basically say, hey, on the call. I want you to do this, this and this, it wasn't necessarily preplanned with the TSC. And you could ask the TSE to basically, you know, Bob's your uncle at a certain point and he would try to make sure that you're ok.
27:47
These will be more very, very granular and specific as to what you're authorizing the TSC to do. So the TSC will know exactly what you're requesting for and will perform only those actions accordingly. This ratcheted down the security even more because now your approvers are approving distinct changes that the TSC will only be making on the array itself,
28:09
right? So it's more granular, more precise, there's more auditability, more traceability accordingly. And so review the changes again, go through the step up process of authentication to validate who they are, prove, you know. Yes, I'm I'm this person, you know, and in my I am whether or not it's compromised pure is doing the secondary check
28:32
and only after that will the changes in and of itself then be able to take place. And after the first two users added, we understand the organizations have multiple other people that they want to enroll as well. So you can add additional safe mode approvers as well. And these will have to go through this multi party approval process as well.
28:55
So after you bootstrap the first two, you're basically in this compliant safe mode state because you have enough people to say whether or not, you want to bring on a third one. And the idea is, is that these people then additionally approve any additional uh folks in your organization.
