There was a time some years ago when some storage vendors, especially the object storage ones, started calling themselves the “last line of defence”. And even further back, when the purpose-built backup appliances (PBBAs) first appeared, a very smart friend of mine commented that they shouldn’t call it “backup appliance”, but rather they should call it “restore appliance”. That was because the data restoration part, or to be more relevant in today’s context, data recovery is the key to a crucial line of defence against cybersecurity threats to data, especially ransomware. We have a saying in the industry. “Hundreds of good backups are not as good as one good restore.” Of course, this data restoration part has become more sophisticated in the data recovery processes.
In recent years, we have also seen the amalgamation of both data protection species – the backup/restore side and the cybersecurity side – giving rise to the term and the proliferation of Cyber Resilience.
I have no qualms about, or lack of confidence in, the cyber resilience technologies. I am pretty sure they can do the job extremely well, so much so that some vendors give million-dollar guarantees in case their solution ever fails. Druva announced their Data Resiliency Guarantee of USD$10 million and Rubrik has their Ransomware Recovery Warranty.
Of course, these warranties and guarantees come with terms and conditions, and caveats, and not everyone is besotted by these big-number payouts. My friend, Andrew Martin, wrote a tongue-in-cheek piece last year about Rubrik’s warranty guarantee in his Data Storage Asia blog, which discussed whether it was Rubrik’s genuineness or spuriousness that might win or lose customers’ affections. You should read his blog to decide.
I like to think about the cyber resilience market presence and its effectiveness a bit more deeply. After all, almost every backup vendor that is worth its salt – Rubrik, Druva, Cohesity, Catalogic Software, Veeam, Commvault, many more – is making a cyber resiliency play. There is nothing wrong with that, and yet, the ransomware scourge continues to leave its trails of destruction everywhere, its tentacles of sinisterness unabated. Just last week, the Digital Ministry of Malaysia reported that data breaches surged 1,192% between 2022 and 2023. I am pretty sure a big bulk of it is ransomware related.
With the unabated digital threats to data, this begs the question. Is Cyber Resilience our last line of defence?
Don’t worry. AI is here.
AI-washing or not, cyber resilience vendors are incorporating “AI” technology into their marketing speak. And some of these cyber resilience vendors are genuinely AI-driven, bringing together strong deep learning technologies to combat ransomware and other digital threats.
The AI-presence (I am not using the more powerful “AI-powered” marketing term that every vendor is using right now) at each of the cyber resilience vendors is still in its nascent stage. Their initial offerings are mostly AI co-pilot assistants that simplify search and help configure and deploy a task or set-up through a more human-like conversation using NLP (natural language processing). Veeam AI and Cohesity GAIA come to mind. As Cohesity puts it eloquently – “have a conversation with your data”.
Then these AI-presence technologies moved to provide better insights into the protected data. Commvault Arlie, for instance, provides “active insights” into the data, probably evolved from a past technology called Commvault Activate, which I blogged about back in 2018.
Druva has several offerings in Dru, Dru Assist and Dru Investigate in the same but different frame of the others whilst Rubrik’s Ruby is building up their data security offering with future AI developments. You can catch more of what Rubrik has in store from their talks at their Data Security Summit 2023. Most of the videos are available here at this link (registration required). I am not sure if all those fantastical mentions of Rubrik’s “AI-powered” solutions and technologies are here today but I am sure that Rubrik is leading the way of where the cyber resilience industry is heading at present.
But on the flip side of the coin, AI is used by the threat actors and cyber criminals as well. With AI tools and assistance so easily available, it is no wonder that digital threats and ransomware are getting more sophisticated, more advanced and more potent as well. Generative AI, or GenAI, the magical word right now, is cultivated to develop more virulent and more damaging cyberattacks. This was reported by CRN Asia, citing the findings of the Microsoft Digital Defense Report 2024.
AI is definitely a double-edged sword when it comes to data security. And most end users, even with the most advanced cyber resilience technology, may not be ready for it.
Good AI vs Bad AI? Hmm … the thought of Mad Magazine’s comic strip Spy vs Spy comes to mind.
So, are AI-powered cyber resilience solutions the last line of defence?
There has to be more than cyber resilience
As readers may already know, I am a big advocate of Data Governance. I have written a few blogs about it.
- [ August 2024 ] Nurturing Data Governance for Cyber Security and AI
- [ April 2024 ] NIST 2.0 brings Data Governance into the light
- [ July 2023 ] A Data Management culture to combat Ransomware
- [ June 2022 ] Is there no end to the threat of Ransomware?
As defined by the Digital Government Agency of Thailand (because I am in Thailand now while completing this blog),
The term “Data Governance”, in official language, means defining rights, duties, and responsibilities in data management, starting from the preparation, storage, classification, processing or use of data, data disclosure, inspection, and destruction, along with defining measures to control and develop the quality of data to be accurate, ready for use, and keeping data current, including rules for granting access to and utilizing data that are clear, have security measures, and prevent personal data from being violated.
Therefore, having the policies and the frameworks to define the structures of the data in an organization within its lifecycle and usage, to facilitate data management processes and procedures, should be the foundational piece of data security and protection. Data Governance should be the primary task in safeguarding the data of every organization, even before the shiny techs of cyber resilience are brought into the data defense and security postures.
In addition, having a data governance framework in place, along with the constant application of the processes, procedures and tenets of data governance in data management, also creates experience-based learning and awareness, educating the end users as an important piece of data security, privacy and protection. Some might even call this the “human firewall”, contributing to a data-security-first mentality. It tag-teams with cyber resilience measures to make the organization safe, tough and adaptable to data security incidents.
It makes me mad when organizations and end users do not take an active and proactive approach in protecting data. It is easy to be impressed by shiny techs thrown at the ransomware and digital threats challenges. Tons of dollars, resources and time have been spent on all the techs available in the past and present to combat all these digital threats, especially ransomware. And yet, with each passing year, the damages of ransomware are getting bigger, more devastating and more expensive than ever. So, what gives?
Thus, it is the opinion of this blogger, that the last line of defence should be knowing your data first. Data Governance is the guiding principle of knowing your data first. Then only after that, allied with the cyber resilience technologies and its respective solutions, the war against the infections of ransomware and other digital data cancers can be more effective. It may turn the tide we have been wanting for so long.
With a little help from the law
Many organizations look at regulations as an inconvenience. I remember when EU GDPR (General Data Protection Regulation) was in effect and how many Malaysian companies doing business with European companies found it a nuisance to comply with this and that. As of last week, on October 17th, 2024, a new EU directive called NIS2 (Network and Information Systems 2) was activated. It focuses on various activities requiring IT Governance and Risk Management. This requirement also extends to suppliers and resellers of the organizations that are required to comply with NIS2.
From the beginning of next year, EU DORA (Digital Operational Resilience Act) will require many financial organizations in Europe to prepare and enact the ability to respond to and recover business operations from cyber attacks and situational emergencies that may affect the critical operations of these financial institutions.
Back home here in Malaysia, a few things also kicked into gear, even though the Malaysian cyber security laws and activities are less mature than the European ones. There are 3 critical ones as far as I am concerned.
- Malaysia Cyber Security Act 2024 (Act 854) came into effect as the law on August 26, 2024
- As part of Act 854, the recognition and requirements of industry sectors as part of CNII (Critical National Information Infrastructure)
- Amendments to the Malaysia PDPA (Personal Data Protection Act) 2010, which was also updated in August 2024.
Even though I opine that Malaysia missed the chance to enforce Data Governance into these bills, the intentions and the objectives to develop cyber security and cyber resiliency to protect the data of subjects and to recover from these incidents are clear. We should be developing our preparedness and not be a John McClane in a Die Hard 4 Fire Sale. (It’s a joke I speak of once in a while, when talking about the cyber resilience topic).
It’s never over
The job to combat the scourge of ransomware and digital threats will always be there, as long as digital data is valuable to the criminals. As they always say, “It is not a matter of if, but when”. And thus it won’t be just “Prevention is better than cure”. It will be both prevention and resilience, over and over again.
And it starts with thinking about data. Your data.