Grey Beards on Systems - 145: GreyBeards talk proactive NAS security with Jonathan Halstuch, CTO & Co-Founder, RackTop Systems
Episode Date: April 4, 2023. Sponsored By: RackTop Systems. We've known about RackTop Systems since episode 84, and have been watching them ever since. On this episode we, once again, talk with Jonathan Halstuch (@JAHGT), CTO and Co-Founder, RackTop Systems. RackTop was always very security oriented but lately they have taken this to the next level. As Jonathan says on the podcast, …
Transcript
Hey everybody, Ray Lucchesi here with Keith Townsend.
Welcome to another sponsored episode of the Greybeards on Storage podcast,
a show where we get Greybeards bloggers together with storage system vendors
to discuss upcoming products, technologies, and trends affecting the data center today.
This Greybeards on Storage episode is brought to you today by RackTop Systems, and now it's my great pleasure to introduce Jonathan Halstuch, CTO of RackTop Systems.
So, Jonathan, why don't you tell us a little bit about yourself and what's new at RackTop Systems?
Sure. I'm Jonathan Halstuch. I'm one of the co-founders and the CTO of RackTop,
and we're excited to be the leaders in
cyber storage, which is a new class of storage that was labeled by Gartner about two years ago,
where it talks about having proactive or embedded security within the storage itself so we offer
a NAS solution or file share solution there's lots of deployment options and we're the only
one that offers an all-in-one solution
to proactively defend your data
against any sort of cyber threat or attack,
including ransomware or insider threats.
So why don't you tell us a little bit about
what RackTop means by proactive security storage?
Yeah, so for a long time,
NAS and storage systems
have really just been effectively
storing your data.
And there's been some audit logs that are sometimes taken to show who's accessing the
data when, and that can be sent off to third party systems to be analyzed later to see
if there was any nefarious or malicious activity.
But as we've seen over the past few years with the rise in ransomware attacks, that,
you know, the bad guys are after your data.
Cybersecurity has been very network focused in the past, but now people are moving towards
a data-centric security architecture or data-centric zero trust architecture. And so
what we want to do is put the protections as close to the data as possible. And so we're offering
proactive protection where the data is stored on that NAS or the file share. And what I
mean by proactive is taking action when we see suspicious or malicious activity. And it relates
to zero trust, right? NIST defines zero trust as the move from implicit trust based on your
position within the network to dynamic trust evaluation for each transaction with an enterprise
resource. So if you think about files, right, everyone's accessing these files.
So in a traditional NAS,
you're given read-write permissions
by an admin to a folder, for instance,
and you have read-write permissions
to that folder until the admin
goes in there and takes them away.
So whatever you're doing between that,
you could be encrypting files
or stealing data or doing whatever.
With a zero-trust approach
and with what we're doing
with proactive security,
we're actually evaluating trust
for each file operation.
So after you've been given permissions
to go read files in that folder,
if all of a sudden you start
to read those files and encrypt them,
well, that looks like a ransomware attack.
So we can actually stop
and block your user account
and your client IP
from accessing any further data.
Most systems typically,
they may monitor
this sort of thing, but they're very reluctant to stop access like that. That's a pretty serious
step to take. Are you guys, is that something that can be, I don't know, configured or is that
something that's automatically done anytime you detect what you consider to be inappropriate
access? Yeah, so there's flexibility there. Out of the box, we have some default rules that are set
in a certain way. And you can even put it in the beginning in an observe only mode, where it's just
going to alert you and show you, hey, this is what's going on. And you can see, you know, do you have
good cyber hygiene? Because a lot of times we realize, you know, when people deploy our solution in the beginning that they're using a lot of admin accounts in areas maybe they shouldn't and things like that.
And so they get visibility into what's happening in their environment that they didn't have before.
Right, right, right, right. You know, the nature of not just your customers, but I think universally, these,
these types of tools that inject some capability that didn't exist before also have the
chance of injecting friction into the relationship between IT consumers and IT providers. What's like the,
what are the steps for remediation? And if either something is malware or a new application,
malware versus a new application, how does a user get access to their right capability again?
Yeah, so definitely we focus on not having a lot of false positives and it can be
configured to only alert and not block depending on what the type of event is. And there's a rules
engine, almost like a data firewall where you can configure that. So to recover or restore access,
an admin can go in and quickly enable or unblock that user from accessing data. You'll still have
a record of what happened, but it's very easy to, just as quickly as we stop it, we can restore access for the user. And that's
typically done by either a storage admin or a security admin, depending on how the organization
is set up. And we also support webhooks. So these alerts can be sent as an email to someone,
like a team or into the SIEM or to whatever tools the SOC or storage
team is using to manage and monitor the environment.
Now, there's plenty of different styles of attacks these days, and they're getting more
and more sophisticated.
I mean, it goes all the way from, you know, data theft to data encryption to, you know,
data deletion, those sorts of things.
I mean, there's lots of different ways that bad actors can act in these sorts of environments. Are you able to try to detect a lot of these
different approaches? Yes, we are. So we have what we call assessors that are looking for
different malicious activities. So things like the use or abuse of an admin credential is one
type of assessor. So we can clearly indicate, right, you're going to know, hey, this was an admin account and it was used to write or it was used
to read files or it was used to delete files. And we take different actions based on the assessor
and the type of path. So automatically, if an admin account is used to delete a bunch of files,
we use our rolling snapshot capability to also put a hold on those immutable snapshots
around the time
of the incident. And in the incident management window, we can identify these were the files that
were deleted by this admin account. And do you want to restore them? And we can quickly restore
those files. Or if it was approved, you can acknowledge that and close out the incident.
But it's important to note, you also have the ability to have, you know, white lists and rules and allow temporarily certain things to happen, right?
Because you might be doing a data move and you're going to use the admin credential to do that.
So you can put in a rule to say, I want to allow this admin credential to use this data set and move data for this period of time.
Then this ignore is going to be only allowed for the next 24 hours or whatever period of time the move is going to take.
So that's one type of assessor we have. We also have assessors for ransomware to detect things. And because we're
using user behavior and entity analytics, we can detect, you know, even a zero-day type ransomware
attack. We don't only detect, you know, known ransomware variants. We know the behavior patterns
of things like ransomware and can protect against that. And then we can also protect against things like data theft and other threat vectors.
So do these assessors integrate
with third-party DLP definitions or
applications? Can I expand beyond
or expand the capability of the onboard assessors?
So we update the onboard assessors today based on,
and we can update those at any time.
We don't currently integrate with other DLP products.
However, we can tip or alert those products out.
But our vision as part of our hub architecture
is to extend the ecosystem of what we're doing on box to off box
and then have integrations with
those type of DLP technologies and source as well. And do you offer like visibility into,
I don't know, you know, account permissions and account access and things like that? I mean,
reporting types of things as well as, you know, proactively detecting what's going on?
We do. And we call that kind of the cyber hygiene
part of it, right? Being able to have integrated compliance reports to show you by user what data
sets and permissions they have access to, or by data set, what, you know, users and groups have
access to that data set. And that can become valuable. You know, you want to, before a cyber
attack, reduce, you know, the blast radius or your risk, right? You want to improve your cyber hygiene.
And so with the integrated compliance reports, you can put this information that previously was kind
of locked in the bowels of things like AD and the sysadmins and the help desk and give these reports
to the data owners and to managers and say, hey, is this person still on the project? Do they still
need access to this data? And they can say, oh, actually that person left, you know, because if you've worked at a company for a long period of time, especially if you talk about large agencies or large corporations, you know, you tend to go project to project.
And then by the time you've been there 20 years, it's like you have access to data all across the organization.
And if your account gets compromised, it could be a bad day for the organization.
That is interesting because I'm thinking of like challenges that I've had with firewall rules.
I love the comparison to firewalls. And one of the features that I used to ask for all the time
is time-based access. Like the ability to say there's a project and this person or team should
have access to this system and data for this time period, so I
don't have to manually go back and remember to revoke the access, right? Yeah, because
it rarely happens, right? We forget, we get busy and then get distracted. Yeah, it never happened to me
in the past. So you have that sort of capability in the system to provide time-based read-write controls and things of that nature?
So the time-based read-write permissions is coming, and that's part of what we'll be doing with our hub technology.
But we do have the rule.
We do have now the ability to have time-based rules to allow certain behaviors that would normally trigger to be allowed.
So kind of a time-based ignore or whitelist rule.
So if I have a process that, if I have a process that encrypts data at night, because I want to,
I don't want the system overhead of encryption, that's a good type of encryption. So I can allow
that and the system will automatically shut down as a result. It won't, yeah. It'll allow that to happen because you've said,
hey, we expect this process or this to happen
at this particular time by these accounts.
That's an approved known thing.
If something happened that wasn't approved
and was an unknown, that would create an alert.
Something you said earlier, Jonathan,
about entity analytics kind of thing. It seems like you're looking at,
I don't know, file access or file read-write patterns and things of that nature and trying
to determine whether the new accesses are similar to the old. Is that what you're doing?
So we know kind of the behavior pattern of normal behavior, right, for normal users. And then we also know the behavior patterns of what we would call abnormal or malicious type behavior. So ransomware is an
easy one to explain, right, where you're all of a sudden, you're reading files, overwriting them
with an encrypted version. And so that type of pattern can be exploited as well for other types
of suspicious behavior. And we don't openly broadcast all of what we're doing for OPSEC reasons to protect our
customers.
But essentially, yeah, we have different methods that we know based on here's how a normal
application opens files, writes files, reads files, versus how a malicious actor might
go about doing that.
And that will start to not look like a normal behavior.
And once we see that, we build up confidence, hey, this is bad behavior and we can take the appropriate action,
whether that is, you know, just alerting on it or actually blocking it as well, depending on
how the rules are configured and the type of behavior. So one thing we haven't talked about
is use cases for, you know, application use cases. Is this mainly for, you know, kind of profile,
home directory, file, traditional file sharing? What are some of the typical applications that are
using this as a backend? Yeah, so it's very flexible for how it can be used. And I'll talk
a little bit about the deployment and then how that fits into the use cases, right? So we are used for things like the file shares, medical imaging,
but we can be deployed as a traditional turnkey appliance with direct attached disk, and we can
support hybrid or all flash pools. We can also deploy as a virtual machine in the cloud and your
favorite hyperscaler on your favorite hypervisor on-prem, or in HCI-type
deployments as well.
And so it's the same software deployed in all those methods.
So it's completely interoperable, which means you can have an Edge VM deployed on Nutanix,
for instance, and replicating that data back to a physical instance in your core data center.
And so we have customers in a wide variety
of verticals. You know, obviously the ones that tend to be the fastest growing are the ones that
have been targets of a lot of these cyber attacks. So things like the government that want to protect
data and data theft. You have also areas like healthcare where you have medical images and
a critical need to be able to deliver care even while under attack, right? We've heard of lots of attacks against healthcare organizations and hospitals.
They have a lot of sensitive data.
We want to protect that not only against theft, right,
but also create cyber resilience so that while under attack,
they can continue to perform and deliver care.
But yeah, people are using us for general network file shares as well.
And then also, you know, we have,
we're used for large backup and
archive type situations where you want to protect that data, keep it for a long time. As more and
more organizations realize that their data has value even in the long term, or they have to
keep it for regulatory requirements, they want to have that kind of access to it and still have the
visibility into who's accessing it and when, right? A lot of times we're very focused on protecting that, you know, recent or near-term data that's currently being used. But sometimes
we take our eye off the archive. However, the archive has lots of sensitive data. So we want
to make sure we're looking at that too. Yeah, yeah, yeah. There's not, yeah,
historically these sorts of capabilities have been provided by independent appliances or independent software and those sorts of things.
And I always thought the rationale behind that was that some of these things take up processing power and storage power, IO power, and that sort of thing to scan files and things like that.
I mean, historically, you know, NAS systems may scan for viruses, but that's about it. They
were doing so much trying to get the file access to be supported and that sort of thing. Have you
guys, I guess the question is, how are you guys being able to do this sort of thing and still
maintain, you know, decent levels of performance? Is it all because it's Flash and computers gotten
so, so performant these days that you don't, don't have those sorts of problems anymore, Jonathan?
Yeah. So I think we're definitely taking advantage of the fact that the x86 architecture has come a
long way and, and we're running on, on those platforms, right? And so we're able to take
advantage of those improvements in, in that architecture and their ability to use a lot of RAM.
So we're able to right size our systems to do security as part of its normal workload, right?
We thought of security as a forethought as we built and designed the system.
And actually, it's more efficient because we're doing the security operations in real time as you're writing and reading data to the system. So
it's only a few more steps to do it there versus the other way of doing it is where you're basically
doing all this file, you know, servicing, right? Servicing the IO and request. But then after the
fact, you have some other tool that comes in and then scans the system. And we all know just to
your comment about the virus scanning, that's problematic. You're now doubling your IO and you're doubling performance. The other one was around protocol support. What,
you know, what, what types of file-based access protocols are we talking about?
Yeah. So we support SMB and NFS, and we support SMB actually, you know, CIFS 1 all the way up
to SMB 3.1.1 with signing and encryption. And we can show you, you know, in the audit log, what versions
of protocols we're using. If you do use SMB1, sometimes there are manufacturers that need to
still continue to use that because they have embedded systems that require that,
but you can mostly monitor and assess that. And then we also support NFS 3 up to NFS 4.2.
Oh, that's good. I noticed you used the word CIFS properly, which is kind of unusual for our listening audience, but that's good as well.
So the security game, you guys have been playing in the security game for quite a while.
RackTop Systems seem to have started in the more, I call it, security-intensive environments.
Is that true?
That is true. We, coming from our background,
realized that the commercial industry vendors weren't really providing solutions that really
met the standards of the federal government and other organizations that had high sensitivity
to security and compliance. And so we wanted to be able to build a product that thought about that
from the beginning and didn't bolt it on.
You'll even see today vendors, as the rise in ransomware attacks went way up, they started to add marketing language to their sheets saying, oh, we provide ransomware protection or we do this.
But these were add-on solutions.
Sometimes they're not even a product they own.
It's a third-party product they're adding to their solution set to create this kind of bolt-on monster. By doing security as a forethought, it's a much more elegant deployment and it's meeting
the requirements.
And because we're focused on security, we continue to evolve.
And unlike other vendors, in typical commercial industry, if you're building a product, you
want to be ahead of your competitor.
That's your biggest concern.
But in the security space, really, you have to be ahead of the adversary.
So we need to continue to evolve the product and stay ahead of the different threat actors
and make sure that our product is enabling every organization to protect their data as
if it were a national secret.
So as we, you know, kind of that national secret piece, you folks are based out of Maryland
and I can't help but ask the question around what type of agencies, what range of agencies use your solutions, and how is this helping them meet
their compliance goals, and actually OMB efforts as they change from administration to administration.
Right, yeah, and so you saw like the cybersecurity executive order that came out in May of last year. And so, and it specifically calls out implementing a data centric zero trust architecture. So our solution applies to all of the agencies, both, you know, you look at the DOD and the civilian agencies. Of course, we do have a lot of customers across the DOD and those types of areas. And we continue to expand. But what we're seeing
is that everybody realizes that they are a potential victim of these attacks. And I think
it's been a fallacy. A lot of people think, oh, nobody's interested in the data I have or who
would really care to go after this. But what people are starting to see is that they've been
going after and stealing that data for a very long time. It was when ransomware attacks came that it became a visible attack, right? Traditionally, advanced persistent
threats wanted to get into your network and steal data and go undetected. With ransomware, they said,
hey, I want to prove to you I have your data. And we're even seeing now ransomware attacks turn more
into extortionware attacks where they're stealing the data first and getting it. But yeah, we have
customers across the federal government
and can meet the most stringent security requirements.
That's impressive.
That's impressive.
It's kind of like in the old days,
the HPC kind of workloads were very specialized,
but nowadays with AI and stuff like that,
those workloads are becoming more mainline,
more enterprise-based workloads.
The same thing is happening to some extent with security.
Security was always a pretty intensive occupation for three-letter agencies
and that sort of stuff, and they had specialized software and solutions to do it.
But ransomware emergence has sort of changed that whole dynamic.
Now everybody has the problem.
Everybody has the need for more secure storage.
Ray, I think you've just created a new tag.
Every company is a three-letter agency.
Okay, well, I'll see if I can't work that in.
So, Keith, any last questions for Jonathan before we close?
No, it's been a great conversation, Jonathan.
Thanks a lot.
And, Jonathan, anything you'd like to say to our listening audience before we close? Thanks for having me. I enjoyed the
discussion and we'll be at HIMSS in April as well as HPE Discover. So if you're there, come check us
out. Oh, that's great. That's great. All right. Well, this has been great, Jonathan. Thanks again
for being on our show today. And thanks again to RackTop Systems for sponsoring our podcast.
That's it for now.
Bye, Jonathan.
Bye, Keith.
Bye, Ray.
Thanks.
All right.
Thanks, guys.
Until next time.
Next time, we will talk to the most system storage technology person.
Any questions you want us to ask, please let us know.
And if you enjoy our podcast, tell your friends about it. Please review us on Apple Podcasts, Google Play and Spotify, as this
will help get the word out. Thank you.