Live from New Orleans, it's theCUBE. Covering VeeamON 2017, brought to you by Veeam. Welcome back to New Orleans, everybody. I'm Dave Vellante with my co-host Stu Miniman. There's been a lot of talk, of course, this week because of WannaCry, about ransomware. Edward Haletky is here. He is the principal at TVP Strategy and he and I were having a conversation the other night about ransomware. Edward is a security expert, a strategist, been around a long time. Edward, good to see you. Thanks for coming on theCUBE. Thank you for having me again. So let's riff on this a little bit. You had some really, I thought, thought-provoking ideas about ransomware. I was making the point that, look, if you got an air gap, you're good, right? And he said, well, no. I said, well, what if you had off-site tape? Off-site tape? And he said, well, it's not that simple. It really isn't. What's the deal with how to protect myself against ransomware? Well, let's just start with a few things. This particular bout of ransomware is actually in version 2.0. So I found the kill switch for the first version. They already fixed that bug and put it out again. So now it's hitting over 200,000 machines in 99 countries. It's spreading around the world like crazy. The only way that I found to protect yourself is to actually have the ability to do, in a lot of ways, versioned writes. In other words, you keep a version of everything. That's important. But you got to first figure out what's important. But it's more than that. It's an entire architecture around data protection, security, and even your business. You need to start with, if you're talking about from the security perspective, you need to start with a way to prevent what's known. If I can prevent what's known from getting to you, like phishing attacks and other attacks, I can prevent you from spreading ransomware into your company. So that's kind of a gate. 
But if that comes through the gate, in which it could, and it did, you need something able to detect ransomware. And that is a detection that data protection is prime to do. But okay, explain this. So sort of revisit the conversation we had. If I have an air gap, meaning I've got a separate data center that's disconnected somehow, or periodically disconnected, as some vendors have suggested, I'll rotate the connection. And I've got data off-site. Let's say I've even got it off-site and tape, even though I ideally not like to recover from tape, why am I not protected in that scenario? It depends on the retention schedule. If the retention schedule's long enough, you'll probably be fine. Most people don't find out this ransomware until they reboot a machine. And they've rotated through their tapes by then, you're saying? They could possibly do that. Some of the smaller businesses they probably have. Some of the larger businesses that keep yearly and monthly and so forth, and they keep them for seven years, probably haven't. But as we move further and further away from tape and more to the connected universe, even multiple copies of something doesn't necessarily protect you unless they're immutable copies. Well, Bill Philbin said it today. He said, in a different way. He said, when we make boo-boos, and we replicate the boo-boos that it's replicate, we replicate really fast. And I tweeted out, I said, well, and if there's malicious encryption, that probably replicates really fast. It does. Okay, and so, I mean, that's maybe we should explain the basics here, is that's really what the ransomware folks are doing, right? They're encrypting your data, and then saying, hey, you want the keys back, you got to pay us. Well, and actually the new breed is, hey, pay us and we won't even give you the keys. 
Well, you know, I was watching CNBC the other day when WannaCry hit, and one of the experts that they had on, the CNBC analysts asked them, the anchors asked them, well, you know, what do you do? And they said, well, unfortunately, you just might have to pay the ransom, which was surprising to me because there's no guarantee you're going to get the keys. But it's actually $60 million worth of ransom right now. That's a lot of money. Okay, so. I mean, it's $300 of Bitcoin to get your key. Yeah, right, you're paying in Bitcoin, obviously. That's expensive to get. And a lot of companies just don't have bitcoins laying around, so they have to go out to either mine them or. Or go to a marketplace. And go to a marketplace and buy. Especially the people that are still running Windows XP aren't necessarily the people that are Bitcoin experts. Exactly. Okay, so now what you had suggested to me was that the backup software vendor, we're here at VeeamON and we're at a little Veeam event, backup software vendor actually has data because they're pushing change data through the network periodically. And in theory, they could use analytics to identify anomalous behavior. Exactly. In terms of encryption activity that's higher than normal. Explain that. Well, there's a couple of ways you can do that. One is that you could look at the CPU utilization and say, hey, it's a high CPU utilization. Something's going on. Unfortunately, you can't tell if that's a normal action or a non-action. An encryption action. Especially with the new chip sets, encryption's very, very fast. And the overhead's very, very little. It could just hide in the noise. When you look at data, though, as it gets encrypted, when I do data protection normally in a virtualized environment, or even in a physical environment these days, we do something called change block tracking or the equivalent thereof in the physical world. 
And what that does is that for every block that changes of the file system, I can, that gets sent over to be protected. So as those increase because I'm encrypting more and more and more, you're going to see an increase in the number of blocks that have changed. You could say normally that machine does, like, you know, maybe a kilobyte per backup. And suddenly you're doing a gigabyte. You know, that's a huge difference. That's a big red flag saying, hey, something's gone wrong. That's not normal. What about this idea of like, honeypot files, like, here's where we store all the credit cards file. We call them canary files. Canary files, great. And canary files are another way you can detect things. If you have a file server, you should just put a canary file out there, nice juicy name, you know, CEOs, whatever. Something like that, a spreadsheet. It could be an expense report that you know is ancient. It doesn't make any difference. What that canary file is used for is you just periodically query the file site. Can I read you? It doesn't have to be a big file. It just means I can read you because it's going to encrypt the whole thing. Once I can't read it anymore, you know, you've been hit by ransomware usually. Right, because there's no reason you would have encrypted that file. Or even touched it. No one should be touching it. All right, some zombie file. Exactly. Okay, and now for a company like Veeam to put a solution, I mean, I'm making the case that there should be specific solutions in the marketplace for ransomware. Oh, absolutely. Not just to sort of hand waving and buy our product because of ransomware. That should be a specific solution geared toward solving the problem. What does that solution look like? How would a company like Veeam, who would the partners be that they would put that together or what types of companies would they need? What type of capabilities would be required? For Veeam, I think you need four general capabilities. 
They have one of them. That's the recovery stage. They have the capability to do instant recoveries. That is a must. So if you have ransomware to recover the business, you just do an instant recovery of a known good source. The other one is that on the front end, you really need the prevention. In other words, I'm going to prevent people from doing phishing or I'm going to prevent people attacks coming in with that type of payload. So if it's an encrypted payload, don't let it through. Those are possible. The middle of it is the detection and then what we call legal hold. In other words, I want to say, okay, I detected the possibility of ransomware and then I want to mark this recover point, the one that I'm currently backing up as potential for ransomware. So the one before that is the one I say, hey, don't delete that one until I've inspected it. And that's the one you may do the instant recovery off of. Okay, so prevention, I mean, that's just good practice. Let's assume for a second. That's a security company has those capabilities. Some of them do a really good job at that but even with something like WannaCry, you can't prevent someone from clicking on a link. Right, so assume for a second that I didn't prevent it. So I should do that as best practice but assume I didn't prevent it. So I got to have detection. Absolutely. So that's, they've penetrated. Now I'm using what, analytics to look for anomalous? I'm either using a Canary file or I'm using analytics at the data protection layer. I could even use analytics at the storage layer to say, hey, there's a lot of changes happening. That's going to go down the storage path and I'm going to be able to see it there as well. Okay, and then legal hold in 2006 when the federal rules of civil procedure changed and they said electronic documents are now admissible. Yes. 
Most large companies and certainly large companies in regulated industries began to implement techniques to do legal holds particularly around email archiving which was just one piece of the problem. So that's a complicated problem. It is, but it's really legal hold like. It's the concepts of legal hold but applied specifically to data protection. In other words, you want to say the recover point that I'm currently writing to could be bad. We don't know. So mark the recover point previous to that as don't delete. Don't mark the one you're just doing. It's the one previous to that. Because what could happen is you may not do the instant restore because they're fine but three days later when that one's going to roll off it rolls off and it may go away. And if it goes away you're sunk. Okay, and then fast recovery which is the capability that you said, Veeam has obviously. Instant recovery, yeah. So instant recovery, so am I to infer that an air gap is not required? Well, when you start doing the, it is an isn't. If you have a good architecture that architecture is going to include things like going to an immutable storage source. So I'm going to store my backups on an immutable source or target. And that immutable target, the best one today is really an object store where it has versioned writes. Every version that gets written is immutable. So as you do data protection you write to a new version a full image. So it's a synthetic full image that gets put into that blob of storage. So I have my target for, my Veeam target let's say and then Veeam would replicate that or do something to put that on this object store for versioned writes. Then what happens is I can either restore from the Veeam target, but let's say that gets corrupted. Now I can go back to the object store as the ultimate source saying, hey, I used to go back to the immutable versions. Okay, when I hear immutability I often think of blockchain. Can blockchain, does it fit in here in the future? 
Can it help solve problems like this? Yes and no, blockchain's actually very old. We've been doing blockchain encryption for ages. EBC was an electronic blockchain for encryption. So I'm not sure it's actually going to solve that problem, but immutable is basically non-writeable. That's what I'm talking about. You can't change it once it's written. And if you can protect that using blockchain and the metadata and all that, that's fine. But I don't think that's necessary. It's like containers too. Everything's been around forever. It has been. I mean, when you think about, but this particular one is really taking advantage of what store, object stores have to offer today. And there's several companies that have that capability and it adds a nice layer. We think it's archived, but it's not to me, it would be the intermediary. It's the pre-archive. It's kind of like, okay, I put it there and then I may archive that off on a retention schedule. Excellent, they were great analysis. Thank you very much. I appreciate that. So Stu, let me bring you into the conversation. Put a bow on VeeamON 2017. What are your takeaways? So Dave, we go to a lot of shows and love when you have a community that's excited, that term love is not one that you hear at many shows. I mean, I'm sure Edward probably remembers to use the meeting. I love VMware bumper stickers that people have. Technology is, we're down on the weeds here. I mean, here's people that are passionate about availability and backup. The thing that I was looking for coming on to the show, Dave, is what they addressed day one in the main keynote, which is the big wave of virtualization has kind of gone past the peak of where it is and how can they look at that next generation? Can they hop on the waves? 
The things that I really liked, we got to talk to a lot of customers, Dave, customers passionate, not only the enterprise where they've been getting into, but talk to a number of service providers, including some interviews that we did, where they like what they're doing, they keep building public cloud and where Veeam fits. I think it's early days, want to see how that develops, want to see how customers use it. We talked to one customer that was really excited about where that'll fit in. So I like that Veeam has clear eyes as to where their future is and they're embracing that change. I always hear sometimes you hear that term embrace and you're like, yeah, yeah, yeah. Sure, you're kind of giving it lip service, but are you going to be able to move forward on that new trend? Because as we talked, Dave, in a couple of segments here, during our two days of interviews, usually when there's a shift in the landscape, the players change. The previous incumbent will not be the leader going forward and Veeam has a strong team. They've put a lot of new people in place and they know where the battles will be fought. So early days in some of this next wave, but it was exciting to be here and happy to share it with you. Yeah, I mean, I learned a lot about the, most of my interactions with the company have been either informal or kicking the tires at VTUGs and VMUGs where you've seen them for years, but I came in knowing that the press releases talked about $600 million in bookings, ambitions to become a billion dollar company, very rapid growth rate, 45,000 partners. So that was quite interesting to see that in action. Company's got real big ambitions, this idea of being sort of the availability expert for whatever use case you want, whether it's in the cloud or going to the cloud or coming from the cloud or between clouds is very ambitious. I think that's a wide open space. 
I suspect it's a big market, although it's really emerging and I suspect all the individual cloud vendors are going to be trying to protect their little parts of the world. Companies like VMware are going to want to try to own that inter-clouding space and other startups are trying to get in there. So it's a sort of jump ball in my view there, but I like the ambition. It was interesting to hear Peter McKay talk about Veeam in the context of software companies that are growing and growing fast, getting to 800 million, which they're not there yet, the likes of Workday and Salesforce and ServiceNow. Of course, those are all public companies and Veeam is a private company so it can write its own narrative. They've got enough revenue, Dave, that they could be public. So, you know, there's plenty of companies that have IPO'd with much less revenue and I'm shocked you haven't mentioned it. They have profitability. I mean, in today's day and age, a company of the size that they are and they're still growing at a rapid pace and they are profitable. So, you know, kudos there. Yeah, and then the other thing that struck me was the pace of product announcements. You know, I always look for that. A lot of the shows that we go to, you hear a lot of hand-waving about digital transformation, but you don't see a lot of products coming out. So there was some excitement around the products. So that's a good sign that they can turn strategy into R&D into products that sell, that the partners are taking and uptaking. So it was a good sort of first experience, certainly for me at VeeamON and theCUBE and Stu, always a pleasure working with you. We got, excuse me, get to take a break. The boys get to go home after 20 days on the road and then, you know, we're cranking up again. We got shows every single week in June. Multiple shows, U.S., international. So go to siliconangle.tv. Check that out, check out our schedule. Go to siliconangle.com for all the news. 
Wikibon.com is cranking some stuff out as well. Edward, thanks for sitting in. Oh, my pleasure. Really a pleasure having you. I do have one thing to interject. I've actually looked at VeeamON from a totally different perspective. I've been watching them and monitoring them for about 10 years, as from their technology perspective. Actually over 10 years, I started with them. So I went through the virtualization, backup wars with them and all the other companies. Their rate of innovation, their rate of change has actually been far greater than many other data protection companies. It's not just their new releases. It's their whole, they've gone through several shifts in messaging and several shifts in what their products do. And it's been fascinating to watch. Well, and that's a really good point because a lot of the traditional backup software companies are living on maintenance. And it seems like Veeam is trying to, as Pat Gelsinger says, catch the wave and not being left in the dust as driftwood. All right, we're going to leave it there. Thanks for watching everybody. We'll see you next time and take care.