Grey Beards on Systems - 160: GreyBeard talks data security with Jonathan Halstuch, Co-Founder & CTO, RackTop Systems

Episode Date: January 4, 2024

Sponsored By: This is the last in this year's GreyBeards-RackTop Systems podcast series and once again we are talking with Jonathan Halstuch (@JAHGT), Co-Founder and CTO, RackTop Systems. This time we discuss why traditional security practices can't cut it alone anymore. Listen to the podcast to learn more.

Transcript
Starting point is 00:00:00 Hey everybody, Ray Lucchesi here. Welcome to another sponsored episode of the Greybeards on Storage podcast, a show where we get Greybeards bloggers together with storage system vendors to discuss upcoming products, technologies, and trends affecting the data center today. This Greybeards on Storage episode is again brought to you today by RackTop Systems. And now it's my great pleasure to once again introduce Jonathan Halstuch, co-founder and CTO of RackTop Systems. Jonathan, this is our last in our RackTop podcast series. And as always, we appreciate the support.
Starting point is 00:00:41 Jonathan, why aren't traditional security approaches sufficient anymore? I think it's all because the world's changed and because people predominantly relied on perimeters and doors to protect their critical, soft, gooey core, which is where they keep their data. And what we've seen is that a lot of the cybersecurity industry has been born out of the network and perimeter type defenses, but things like insider threats and other ways of getting inside the network and past those perimeter defenses show that you need a solution that's going to protect your data wherever it resides. And, you know, I believe you want to put those protections as close to the data as possible, because when you think about it, the bad guys are after your data. They're not trying to steal your network. They're trying to steal your data.
Starting point is 00:01:28 So in the traditional sense, you're thinking perimeter security, network security, those sorts of things that kind of eliminate people from getting into the system. But there's more than just exterior threats in this world today. Exactly. You have to kind of assume even that exterior threat eventually is going to look like an insider. They're going to gain internal credentials or something or try to become internal either by remote network means or physical means by a physical intrusion into the office space or things like that. And so I think people really have to think about the new threat landscape that exists today versus in the 90s. Yeah, yeah, yeah.
Starting point is 00:02:05 So that new threat is much more, landscape is much more serious than it used to be and much more prevalent than and predominant or I was going to say popular, but actually more frequent. Yeah, I think it's more frequent. I think people, because largely people are naive or have been previously about what people are willing to do and the sophistication level of these adversaries and hackers and criminal organizations. There's nation state actors, which are state bodies that try to go and steal secrets, excuse me, or do other things to meet their means? And sometimes that's stealing data. Sometimes that's
Starting point is 00:02:46 doing things to steal money, to fund programs, you know, like North Korea might be doing a lot of their stuff to steal secrets, but also to, you know, get money to fund weapons of mass destruction, for instance. Other organizations and states might be looking for intellectual property or secrets on citizens. And then you have criminals that do things on behalf of them to make money because they're getting paid to do that. And then you actually have criminals that are out for their own benefit, often to make money through means of either selling intellectual property, selling information about people. And so what we've seen is people kind of realize that's a problem, but instead of thinking about, okay, how is the adversary or how are today's hackers going about trying to steal this data?
Starting point is 00:03:28 They're really just kind of spending and making more investments in more of the same things that they've made in the past. And so you're seeing people invest or do things they're comfortable doing instead of looking at the problem and saying, I need to change my approach. We need new technologies, new tools to defend against a hacker in 2023 and even something different potentially in 2024, right? I'm not saying you don't want to do those other things, but you need to do more. Yeah, yeah. So that's what you mean by traditional approaches. Things that seem to have worked in the past, but in the current time where state actors and other very sophisticated organizations are going after their data, it's a different world today. Yeah, those approaches aren't sufficient alone. And let me give you an example. You're going to run endpoint antivirus on your laptop or desktop. You still want to do that, right?
Starting point is 00:04:22 You want to detect any sort of malware or something bad as soon as it gets onto your device. So that makes sense to have that type of protection. You want to have perimeter network security to keep the bad stuff out that you can. And then now you got to take it a step further, right? The first things people started to do was they implemented multi-factor authentication. Do I think you should do that? Yes, that's definitely good. However, we've seen in the past, there's ways people get around multi-factor authentication. People will SIM swap your phone to try to get access to your email. They'll take over your email and then they'll bypass the multi-factor authentication or they'll do man-in-the-middle attacks. So now they get past those different things. So now it's the next layer
Starting point is 00:05:02 and they're after the data. So just like you want to put that antivirus on your endpoint, you need to put some active protections on the data storage itself, right? We want not just passive protections of shipping logs to something else, but active security that's in real time looking at how that data is being accessed by users' applications and being able to alert on it for one thing, but also proactively stop and prevent those attacks before they become a big problem. We talked before about some of the things that RackTop Systems is capable of doing. And a lot of that seems to be almost at the storage level, understanding IO patterns and looking at what's going on from an administration perspective and trying to trap and trigger these things.
Starting point is 00:05:46 But you also have sort of like, I'm not sure it's antivirus, but procedural specifications for what sort of things people are doing to try to get around security and things of that nature. I'm not sure what the terminology would be. It's almost like it kind of aligns itself more to user entity behavior analytics. How are people interacting with the data? So it's obviously you can scan for malware and stuff that's stored, right? But usually once you're detecting data that's bad, like malware or virus, it's too late. It's there, right? So really what you want to do is detect the bad behaviors, how users or an application is interacting with the data, how they're operating on the files. Are they opening a lot of files and reading them? That could be something like data exfiltration.
Starting point is 00:06:37 Are they opening, reading, and then encrypting the file and deleting previous copies? Well, that behavior looks like ransomware. So we want to block that type of behavior. So it's more entity and behavior analytics or user activity monitoring. And there's two parts of that. One is user activity monitoring to understand how users interact with the files and understand and get a view of what's happening in your environment so you can make decisions. And then the other part is moving towards AI and automation so that you can detect this malicious and bad behavior automatically and in that sub millisecond speed, not send this data to some other third party tool that's going
Starting point is 00:07:19 to churn through a bunch of logs. And then hopefully somebody is going to go look at that and detect it. That also is too late. It has to be much more near time today, right? Because a lot of times people don't really understand kind of the way attacks work. And ransomware is very popular today. So I'll just talk about that a little bit and kind of how kind of that attack profile looks and where you want to stop and why you want to stop that early. So let's say somebody clicks on a phishing email or something like that. With that phishing email, they basically now have beaconed out to a command and control center that says, hey, you now have control of my laptop, essentially, right? And so now the adversary says, oh, I have a laptop inside that network that I can use and control. And I have credentials that are a significant amount.
Starting point is 00:08:08 So I'm going to basically go in there and then I'm going to escalate and see if I can get into an admin level credential. Well, I look around on that laptop. It happens that that laptop has local admin accounts and things like that. So I escalate privilege. So now I have admin credentials so I can go around and look on the network. I can talk to AD and I can do other things. They start to do things like look for data they might want to steal. A criminal type organization, they might be looking for cryptocurrency wallets or private keys or those one-time password keys that people download for multi-factor authentication
Starting point is 00:08:40 that they're supposed to save in case they lose their credentials and things like that. So they want all that information and any other sensitive information. So first, they're going to look around for all that. And then when they feel they've gotten enough of that and they've exfiltrated that data, then they might say, hey, what's the ransomware campaign or extortionware campaign against this organization? That's at the moment where they start to download the payload that has the malware. That's the only time where they're bringing the malware into the environment that you're going to detect with something like an endpoint agent or something else, possibly, assuming they detect it.
Starting point is 00:09:11 And then from there, they're going to launch that ransomware attack against those file shares. And so you can see that you want to be able to detect that earlier. When you really want to detect those, of course, when they start to, you know, the phishing email gets clicked, or you want to prevent that. But let's say you don't get to that point. Now they're looking around the network with admin credentials, looking for data to steal. You want to be able to detect that. And those are the things that we can detect with what we're doing because we're analyzing how, you know, users and applications are interacting with the data stored on us. So when we see an admin credential be used that wasn't prior proved to be doing that type of work, we can set a flag and then it can be
Starting point is 00:09:49 looked at very quickly. If all of a sudden that admin credential's used to read a lot of data or delete a lot of data, we can even block that so that somebody can investigate it further before it goes more and it can alert the existing security operations center infrastructure, the NOC infrastructure. But we want to do that very quickly. And if they eventually get to the point where they do start to encrypt the data, we want to stop that encryption attack very early before they encrypt a lot of files. And not only that, we want to be able to get them to that pre-attack state very quickly by showing, hey, these were the files that got encrypted before we stopped it.
Starting point is 00:10:24 Delete this file from the live file system and restore the pristine file from the pre-attack phase using our immutable snapshots. This is the version you want. Not here's all the snapshots available. This is a specific file in the snapshot you should restore to so that you can get everything back to where it was very quickly. And go ahead. Yeah. So two things about that. Number one is that you've got quite a lot of sophistication for recovery that's built into the system to try to recover after the fact that things start. And you've detected the problem.
Starting point is 00:10:56 You've stopped it from happening. But there's a certain amount of things that have gone on at this point. And your solution, RackTop storage, provides identification of what files may be corrupted and how to go about fixing them. That's right. And so you're going to have that through our user activity monitoring, or what we call user behavior analysis.
Starting point is 00:11:18 We're going to basically show you historically everything that happened. So we're going to show you, hey, these are the files to restore and what's happened. But you can also look further back to say, hey, what was happening with this account? Or what did this user do or this account do prior to the time we detected the ransomware attack? So I mentioned about the time when they were looking at data, reading files and things like that. You'd want to know that too, to see, hey, what data could have been stolen or compromised if we didn't alert or stop that prior to it. Yeah, yeah.
Starting point is 00:11:48 And the other thing was that malware is often the last thing that happens before literally the stuff hits the fan kind of thing. It wasn't apparent to me that a lot of security breaching has already gone on long before the malware hits the system. Exactly. The average is basically nine months that they're on your network doing things before they launch that attack or they're detected like that. So they're trying to avoid being noticed, right? And so they're not going to bring those payloads and malware that they think are likely to raise alarms in, except for very brief times when they have to. And they quickly try to cover their tracks as well, right? Once they bring that in, they're going to quickly delete it. They don't leave that stuff lying around because they know
Starting point is 00:12:33 that those are signatures and indications of compromise. So they want to minimize that exposure. And so they tend to use it and clean it up as quickly as possible. That's interesting. So they're actually cleaning up the malware after it's, after it's done its dirty job. And so you hardly even, you know, the exposure there is fairly limited to see it. And then by that time, it's too late. That's exactly.
Starting point is 00:12:56 And that's why, you know, I have a chart that I kind of show where the latency leads to bigger destruction. You want to detect that breach or compromise as early as possible to reduce the threat window. So if, for instance, you're detecting bad behavior by scanning your backups or your air-gapped copy looking for malware as an indication of compromise, it's too late. It's already happened. And you might even miss it because it's so quickly in and out. They might be shorter than your recovery point objective. Well, if you've got a chart, send it to me. I could certainly put it in the
Starting point is 00:13:36 podcast as well. Podcast posts and stuff like that. So talk to me a little bit about, so we've talked at length actually about some of the user behavior analysis and stuff that goes on, but how is that stuff maintained? I mean, obviously you're looking for, I guess, bad actors opening, right? Things like excessive file activity for reads and overwrites and deletes, as well as things looking for ransomware. We'll still detect that. The assessors just build up confidence based on the number of points or indicators to say, hey, I believe this is this. And then as that builds, then we fire off an alert and perform the reaction. I think that it's key to note that we're able to assess for all these behaviors in parallel as we're monitoring the activity. And the other key thing that we get a lot of questions about is like,
Starting point is 00:14:45 am I getting a lot of false positives, right? And nobody wants that because that's another way an adversary can get in is that they throw a lot of false alarms and then the last one's the real one and nobody pays attention to it. So what we don't want to do is overburden the staff. We want our product to be administered by an IT generalist that can be performing both a storage administration function and a security function. And so we don't have a lot of false positives for two reasons. Some of the things we're detecting don't really have any sort of gray area, right? We know if it's an admin credential that's being used. So if an admin credential is being used and it wasn't approved to be used in that manner, we know that.
Starting point is 00:15:23 And that's like a hard answer. Yes, this just happened. The other side is looking for things like ransomware or the things that might have a little bit of fuzziness to it, things like data exfiltration. But we are able to use a higher fidelity number, a higher fidelity amount of data that we're using to analyze for each assessor. Traditionally, what happens is when you're doing this type of analysis, the storage system would be doing log shipping to some third-party SIEM or tool that then either responds back to the storage and says, okay, this is all right, or it just receives it and then eventually crunches on that information and then says, hey, there might
Starting point is 00:16:05 be something bad that could have happened five minutes ago or could happen three days ago, which is usually more the case. And that's because there's so much information and metadata about what's happening that it's hard to ship that much data off box. With our architecture, all that information is being analyzed in real time on the controller node itself. And so that's why, you know, we have a lot of horsepower in each one of our storage controllers and we're using, you know, a modern x86 processor and RAM. So as you're writing and reading data to the system in RAM, we're able to analyze that using the assessors as well as perform the normal storage functions as well.
Starting point is 00:16:53 Yeah, so effectively you're providing sort of a multi-factor, a multi-functionality here from both a security perspective as well as a storage perspective doing all this in real time on the system. Yeah. And the amount of data that you have to look at is significantly more than what might be available from a log shipping kind of function. Exactly right. And that's really the heart of why we're the only solution in the cyber storage category that does all of this analysis on the controller itself. The other solutions require you to, like you said, log, ship, or use multiple systems and servers to do that, which adds complexity, which can add
Starting point is 00:17:31 latency if you're doing it in real time, or false positives. By doing it all in the single product, which we also call cyber convergence, which is basically that convergence of the storage, security, and compliance features, we can be more efficient, eliminate attack vectors, and simplify the whole design and deployment. When you say compliance, you're talking about a lot of different definitions of compliance, but you're talking about making sure that users only access the data that they're supposed to and that sort of thing. Is that how I read that? So the way, yes, that's true. And the way I think about compliance too is really, you have the security controls in place. So those would be access controls,
Starting point is 00:18:10 those would be rules around the data and controls around that. Compliance is like the demonstration that those controls are continuously in place. So when you go through an audit, you can demonstrate, hey, these were the only people that accessed this data. Or if you did have some sort of perceived breach or insider threat, you'd have the reports and information to demonstrate, you know, the controls were there, here's what was accessed, and this is what happened. And these were the actions that were taken by the admin to change the settings or do anything to manipulate the system. So you have that demonstration or proof that the controls were properly in place. Oh, so you would provide like almost an audit report. I hesitate to say users are accessing the data that they're supposed to be accessing.
Starting point is 00:18:57 And when there's a breach, obviously you can detect what went outside that. Exactly. Yeah, and I think that's important too. Like sometimes people just make it, you know, there's times where there's the malicious intent and then there's the, it was good intent,
Starting point is 00:19:12 but, you know, mistakes are made, right? And so sometimes maybe somebody provides wide open access to a particular share, right? You can then go and look and see, okay, well, that was a mistake. We gave all domain users access to this file share
Starting point is 00:19:24 that had sensitive information. Then you can go look at the user activity report and see, did anyone that was not supposed to access it? And so that's a nice feature that a lot of customers like as well. Right, right, right, right, right. And we've mentioned in the past that RackTop Systems is available in a number of different deployment models.
Starting point is 00:19:45 Obviously, as an appliance, it can be a storage system as well as a cybersecurity file services solution, but it's also available to front-end other devices. It can be deployed, the same software, as a virtual machine in a hyperscaler or on-prem in your favorite hypervisor. It can be deployed as a turnkey appliance with direct attached storage, like a traditional NAS would be deployed. Or it can be deployed in what we call our SAN gateway approach, where you provide LUNs via iSCSI or Fibre Channel from block storage you like.
Starting point is 00:20:20 It can be heterogeneous, different brands, whatever, to us. And we put our software on an x86 server or servers for high availability. And then we present out SMB and NFS cyber storage. It's very much deployed like a traditional NAS or as a file server. So it can replace Windows and Linux file servers and give you that added security with cross-protocol support, or it can replace your existing NAS solution too. The nice thing about having that be there is that you could potentially scale it up to a fairly sizable solution and have all your files coming through that system
Starting point is 00:20:59 and being scanned and the users being scanned and behavioral analysis being done across your whole data environment. Yep, exactly. And it is interesting because a lot of customers today don't have a good feel or picture for, you know, what data is hot, how much data is even being accessed, what data that's on flash maybe could be archived or moved to a cheaper tier of storage, which we also have a solution for. And then, you know, on top of that, it kind of paints that picture of what's happening in your environment at any time. Yeah, yeah, yeah.
Starting point is 00:21:29 So you have that sort of view on that perspective. And you plug into, I'm not sure, is security. It's not a NOC, but it's almost a security version of a NOC, right? I mean. Yeah, the Security Operations Center, for sure. Yep. Yeah. So through webhooks, we can basically tie into the existing tools that are already in place with the SOC.
Starting point is 00:21:50 So it doesn't force any rework of workflows for either the SOC or the NOC, and it really is that drop-in replacement with open interfaces. Okay. Yeah, yeah, yeah. Well, this has been great, and it's been a great series with RackTop. Once again, thanks for having us. Is there anything you'd like to say to our listening audience before we close? Jonathan? Well, thanks for having us. It's been a pleasure.
Starting point is 00:22:12 I think one thing, if you want to go to our website, and you can even check out our Jumpstart program and download the virtual edition of our software for free, so you can try it out in your environment and see how active defense can work to protect your data against any threat. So you've got a free version of it that customers could run and try it out and stuff like that. That's new. Yep. It's been around for a little while. Okay. Okay. All right.
Starting point is 00:22:36 Well, this has been great, Jonathan. Thanks for being on our show today. And thanks again to RackTop Systems for sponsoring our podcast series. Thanks for having us. Appreciate it, Ray. That's it for now. Bye, Jonathan. Bye.
Starting point is 00:22:49 Until next time. Next time, we will talk to the most system storage technology person. Any questions you want us to ask, please let us know. And if you enjoy our podcast, tell your friends about it. Please review us on Apple Podcasts, Google Play, and Spotify, as this will help get the word out.
