Welcome everybody to VeeamON 2021. You're watching theCUBE. My name is Dave Vellante. You know, in 2020, cyber adversaries, they seized the opportunity to really up their game and target workers from home and digital supply chains. It's become increasingly clear to observers that we're entering a new era of cyber threats where infiltrating companies via so-called island hopping and stealthily living off the land, meaning they're using your own tools and infrastructure to steal your data. So they're not signaling with new tools that they're in there. It's becoming the norm for sophisticated hacks. Moreover, these well-funded and really sophisticated criminals in nation states are aggressively retaliating against incident responses. In other words, when you go to fix the problem, they're not leaving the premises. They're rather, they're tightening the vice on victims by holding your data ransom and threatening to release previously exfiltrated and brand-damaging information to the public. What a climate in which we live today. And with me to talk about these concerning trends and what you can do about it is Gil Vega, the CISO of Veeam. Gil, great to see you. Thanks for coming on.

Great to see you, Dave. Thanks for having me.

Yeah, so you know, you're hearing my intro. It's probably understating the threat. You are Veeam's first CISO. So how do you see the landscape right now?

That's right, yeah. And I've been with the company for just over a year now, but my background is in financial services and spent a lot of time managing cybersecurity programs at the classified level in Washington DC. So I've gleaned a lot of scar tissue from lots of sophisticated attacks and responses. But today, I think what we're seeing is really a one-upmanship by our sophisticated, potentially nation-state sponsored adversaries. This idea of imprisoning your data and charging you to release it is quite frightening.
And as we've seen in the news recently, it can have devastating impacts, not only for the economy, but for businesses. Look at the gas lines in the Northeast right now because of the Colonial Pipeline ransomware attack. I just, the government just released an executive order this morning that hopes to address some of the nation's unpreparedness for these sophisticated attacks. And I think it's time, and I think everyone's excited about the opportunity to really apply a whole-of-government approach to helping critical infrastructure, to helping and partnering with the private sector, and imposing some risk, frankly, on some of the folks that are engaged in attacking our country.

You know, a number of years ago, I often tell this story, I had the pleasure of interviewing Robert Gates, the former Defense Secretary. And it was a while ago, we were talking about cyber, and he sits on a number of boards, and we were talking about how it's a board-level issue. And we were talking about cyber crime and the like, and nation-states. And I said, but wait, cyber warfare even. And I said, but don't we have the best cyber tech? I mean, can't we go on the offense? And he goes, yeah, we do, and we can, but we have more to lose. And to your point about critical infrastructure, it's not just like, okay, we have the most powerful weapons. It's really, we have the most valuable infrastructure and a lot to lose. So it's really a tricky game. And this notion of having to be stealthy in your incident response is relatively new, isn't it?

It is, it is. And there are, you mentioned it, and I was surprised you mentioned it, because a lot of people really don't talk about it. As you're going into your response, your adversaries are watching, they're watching your every move.
You have to assume in these days a perpetual state of compromise in your environments, which means that your adversaries have access to your environment, to the point that they're watching your incident responders communicate with one another and they're countering your moves. So it's sort of a perverse spin on the old mutually assured destruction paradigm that you mentioned. The United States has the world's largest economy and quite frankly, the world's most vulnerable critical infrastructure. And I would concur with Director Gates or Secretary Gates rather in his assessment that we've got to be awfully careful and measured in our approach to imposing risk. I think the government has worked for many years on defining red lines. And I think this latest attack on the Colonial Pipeline, affecting the economy and people's lives and potentially putting people's lives at risk, is toeing awfully close to that red line. And I'm interested to see where this goes. I'm interested to see if this triggers even a new phase of cyber warfare retaliation, proactive defense by the national security community of the United States government. It'd be interesting to see how this plays out.

Yeah, you're absolutely right, Gil. You've got this sort of asymmetric dynamic now, which is unique for the United States. It's the strongest defense in the world. And I want to get into ransomware a bit. And specifically this notion of ransomware as a service, it's really concerning where criminals can actually outsource the hack as a service. And the bad guys will set up on the dark web. They'll have help desks and phone lines. They'll do the negotiations. I mean, this is a really concerning trend. And obviously, Veeam plays a role here. I'm wondering as a SecOps pro, what should we be doing about this?

Yeah, you mentioned ransomware as a service or RaaS, RWaaS. It's an incredibly pernicious problem perpetrated by sophisticated folks who may or may not have nation-state support or alliances.
I think at a minimum, certain governments are looking the other way as it relates to these criminal activities. But with ransomware as a service, you're essentially having very sophisticated folks create very complex ransomware code and distribute it to people who are willing to pay for it. And oftentimes, take a part of the ransom as their payment. The issue with obviously ransomware is the age-old question, are you gonna pay a ransom or are you not gonna pay a ransom? The FBI says don't do it. It only encourages additional attacks. The Treasury Department put out some guidance earlier in the year advising companies that they could be subject to civil or criminal penalties if they pay a ransom and the ransom goes to a sanctioned entity. So there's danger on all sides.

Wow, okay, and then the other thing is this infiltrating via digital supply chains. I called it island hopping and the like, we saw that with the SolarWinds hack. And the scary part is different malware is coming in and self-forming and creating different signatures. Not only is it very difficult to detect, but remediating one combined self-formed malware, it doesn't necessarily take care of the others. And so you've got this sort of organic virus-like thing, create mutating. And that's something that's certainly relatively new to me in terms of its prevalence, your thoughts on that and how to deal with it.

Yeah, exactly right. The advent of polymorphic code that changes, the implementation of advanced artificial intelligence in some of this malware is making our job increasingly difficult, which is why I believe firmly you've got to focus on the fundamentals. And I think the best answers for protecting against sophisticated polymorphic code are found in the NIST cybersecurity framework. And I encourage everyone to really take a close look at implementing that cybersecurity framework across their environments, much like we've done here at Veeam, implementing technologies around zero trust.
Again, assuming a perpetual state of compromise and not trusting any transaction in your environment is the key to combating this kind of attack.

Well, and you know, as you mentioned, zero trust used to be a buzzword. Now it's like become a mandate. And, you know, it's funny. I mean, in a way I feel like the crypto guys, I know there's a lot of fraud in crypto, but anybody who's ever traded crypto, it's like getting into Fort Knox. I mean, you got to know your customer and you got to do a little transaction. I mean, it's really quite sophisticated in terms of how they're applying cybersecurity and you know, most, even your bank, isn't that intense. And so those kinds of practices, even though they're a bit of a pain in the neck, I mean, it's worth the extra effort. I wonder if you could talk about some of the best practices that you're seeing, how you're advising your clients and your ecosystem and the role that Veeam can play in helping here.

Yeah, absolutely. As I mentioned, there's so many recommendations. And I think the thing to remember here, so we don't overwhelm our small and medium-sized businesses that have limited resources in this area, is to remind them that it's a journey, but it's not a destination, that they can continually improve and focus on the fundamentals. As I mentioned, things like multi-factor authentication, you know, a higher level topic might be micro-segmentation, breaking up your environment into manageable components that you can monitor real-time. Real-time monitoring is one of the key components to implementing a zero trust architecture and knowing exactly what good looks like in your environment. In a situation where you've got real-time monitoring, you can detect the anomalies, the things that shouldn't be happening in your environment, and spin up your response teams to focus and better understand what that is. I've always been a proponent of identity and access management controls and a key focus.
We've heard it in this industry for 25 years is enforcing the concept of least privilege, making sure that your privileged users have access to the things they need and only the things that they need. And then of course, data immutability, making sure that your data is stored in backups that verifiably have not been changed. And I think this is where Veeam comes into the equation, where our products provide a lot of these very easily configured ransomware protections around data and your ability to instantly back up things like Office 365, emails, support for AWS and Azure. Your data can be quickly restored in the event that an attacker is able to imprison that with encryption and ransom demands.

Well, and so you've certainly seen the CISOs that I've talked to, they had to obviously shift their priorities thanks to the forced march to digital thanks to COVID, but identity access management, endpoint security, cloud security kind of overnight, zero trust. We talked about that and you can see that in some of these high-flying security stocks, Okta, Zscaler, CrowdStrike, they exploded. And so, but in these, many of these changes seem to be permanent. So you're, I guess deeper down in the stack, if you will, but you complement these, these, these toolings with obviously the data protection approach, the ransomware, the cloud, the cloud data protection, air gaps, immutability, maybe you could talk about how you fit in with the broader spate of tools. I mean, your eyes bleed when you look at all the security companies that are out there.

Yeah, yeah, for sure. I'm just going to take it right back to the NIST cybersecurity framework and the five domains that you really need to focus on: identify, protect, detect, respond and recover.
And until recently, security practitioners and companies have really focused on, on the protect, identify and protect and defend rather, where they're, where they're focused on building, moats and castles and making sure that they've got this, you know, hard exterior to defend against attacks. I think there's been a shift over the past couple of years where companies have recognized that focus needs to be on the respond and recover activities, right? Assuming that people are going to breach or near breach your entities is a safe, is a safe way to think about this, and building up capabilities to detect those breaches and respond effectively to those breaches are what's key in implementing a successful cybersecurity program. Where Veeam fits into this is with our suite of products that can help you through the recovery process, right? That last domain of the NIST cybersecurity framework, it'll allow you to instantaneously, as I mentioned before, restore data in the event of a catastrophic breach. And I think it provides companies with the assurances that while they're protecting and building those zero trust components into their environment to protect against these, you know, pernicious and well-resourced adversaries, there's the opportunity for them to recover very quickly using the Veeam suite of tools.

Well, I think there's an interesting dynamic here you're pointing out, Gil, there's no longer is it that, you know, build a moat, the Queen's leaving her castle, I always say, you know, there is no hardened perimeter anymore. And so you've seen, you know, the, so it's moved, there's shift obviously from hardware-based firewalls and I mentioned those other companies that are doing great. But to me, it's all about these layers and response is a big, and recovery is a huge part of that. So I'm seeing increasingly companies like Veeam as a critical part of that security, cyber, data protection, you know, ecosystem.
I mean, to me, it's just as important as the frontline pieces of even identity. And so you're seeing those markets exploding. I think it's a, there's a latent value that's building in companies like Veeam that are a key part of those, that data protection layer. You think about, you know, defense strategies. It's not just, you know, the frontline. It's maybe it's airstrikes, maybe it's, you know, sea, et cetera. And I see that this market is actually a huge opportunity for organizations like yours.

I think you're right. And I think the proof is in, you know, in the pudding in terms of how this company has grown and what we've delivered in version 11 of our suite, including, you know, features like continuous data protection. We talked about that reliable ransomware protection, support for AWS S3 Glacier and Azure Archive, the expanded instant recovery and then support for disaster recovery and backup as a service. You know, what I found most interesting in my year here at Veeam is just how much our administrators, the administrators and our customers' companies that are managing backups absolutely love our products, the ease of use, the instant backup capabilities and the support they receive from Veeam. It's almost cultish in terms of how our customers are using these products to defend themselves in today's pretty intense cyber threat environment.

Well, and you talk about the NIST framework and again, big part of that is recovery, because we talked about earlier about do you pay the ransom or not? Well, to the extent that I can actually recover, you know, from having all my data encrypted, then I've got obviously a lot more leverage. And in many ways, I mean, let's face it, we all know that it's not a matter of if, it's when you get infiltrated. And so to the extent that I can actually have systems that allow me to recover, I'm now in a much, much stronger position.
In many respects, and CISOs again will tell you this, that's where we're shifting our investments and you've got to do all of them. It's not just there's no silver bullet, but that seems to me to be just a misunderstood and undervalued part of the equation. And I think there's tremendous upside there for companies like yours.

I think you're right. I think what I'll just add to that is the power of immutability, right? Just verifiably ensuring that your data has not changed because oftentimes you'll have, you'll have attackers in these low and slow, live off the land types of attacks, change your data and affect its integrity. With the Veeam suite of tools, you're able to provide for immutable or unchanged, verifiable data in your backup strategy, which is really the first step to recovery after a significant event.

And that's key because a lot of times hackers will go right after the backup corpus, they'll sometimes start there, because that's all the data. But if you can make that immutable, and again, there's best practices there too, because if you're not paying the cloud service for that immutability, if you stop paying, then you lose that. So you have to be very careful about who has access to that and what the policies are there. But again, you can put in a lot of this, as you know, as people and process, it's not just tech. So I'll give you the last word. I know you got to jump, but really appreciate it.

Yeah, sure. The only thing that we didn't mention is user awareness and education. I think that is sort of the umbrella, key focus principle for any successful cybersecurity program, making sure your people understand how to deal with phishing and else. Ransomware is the huge threat of our time. And 90% of ransomware malware is delivered by phishing. So prepare your workforce to deal with phishing emails. And I think you'll save yourself quite a few headaches.

That's great advice.
I'm glad you mentioned that because bad user behavior, or maybe uninformed user behavior is the more fair way to say it, will trump good security every time. Gil, thanks so much for coming to theCUBE and keep fighting the fight. Best of luck going forward.

Great, thank you, Dave.

All right, and thank you for watching everybody. This is Dave Vellante for theCUBE's continuous coverage of VeeamON 2021, the virtual edition. We'll be right back.