Strengthening Cyber Defence: A Deep Dive into Commvault’s Ransomware Protection and Remediation Strategy

Learn more about how you can investigate AI-driven early threat detection, malware removal from backups, and exact infected data recovery solutions.

Our approach is centred around three essential objectives:

  • Identifying suspicious activity that could be an early indicator of a ransomware breach, enabling swift action before ransomware detonates.
  • Detecting malware, not only on live systems but also within backups, to ensure that recovered data does not reintroduce infections.
  • Distinguishing between infected data and good data within backups, facilitating the automatic recovery of clean data at scale.

With the escalating risk of ransomware attacks, there’s an urgent need for a solution that provides comprehensive insights into these three areas, equipping you with the tools needed to be cyber resilient and respond effectively to cyber threats.

Commvault Threat Scan is purpose-built to tackle these challenges and assist users in handling ransomware incidents. It’s built on a smart foundation that harnesses the power of artificial intelligence (AI) and machine learning (ML) to spot malware and infected data. Let’s delve into how this solution utilises intelligent techniques to address the aforementioned challenges and support data recovery efforts.

1. Early Detection of Suspicious Activity: Leveraging AI for Proactive Defence

Effective cybersecurity hinges on promptly identifying potential ransomware breaches. The quicker you can detect initial signs, the better prepared you are to respond effectively. Ransomware attackers often target data protection platforms to hinder future recovery efforts, attempting to compromise access keys or deleting critical backup copies.

Commvault tackles this challenge by employing advanced AI and ML techniques. Our system meticulously monitors events within your backup environment and utilises AI algorithms to analyse event timelines. It excels at spotting anomalies like unusual login activity, failed login attempts, and atypical data deletion requests.

Intelligent time series analysis plays a central role. ML is applied to event data monitored over a period of time to identify trends and seasonality, so that data points deviating from the established patterns are flagged as potential ransomware activity. The result is a vigilant ML-driven system that can distinguish regular activity from the irregular, providing an early-warning system for proactive defence against ransomware.
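The idea of a seasonal baseline, as an added example that is not Commvault's code: each hourly count of deletion requests is compared with earlier counts from the same hour of day, using a median/MAD score. The function names, the threshold and the sample data are assumptions constructed for illustration.

```python
from statistics import median

def seasonal_anomalies(counts, period=24, threshold=6.0):
    """Flag points that deviate from earlier values at the same phase of
    the seasonal cycle (here: the same hour of day)."""
    anomalies = []
    for i, value in enumerate(counts):
        # Earlier observations at the same position in the cycle.
        history = counts[i % period:i:period]
        if len(history) < 3:
            continue  # not enough history to form a baseline
        base = median(history)
        mad = median(abs(h - base) for h in history)
        scale = 1.4826 * mad or 1.0  # avoid dividing by zero on flat history
        score = (value - base) / scale
        if score > threshold:
            anomalies.append((i, value, base, round(score, 1)))
    return anomalies

def build_sample(days=7):
    """Constructed data: deletion requests per hour. A scheduled pruning
    job deletes about 40 items at 02:00 every night; other hours see 2-4."""
    counts = []
    for day in range(days):
        for hour in range(24):
            base = 40 if hour == 2 else 2
            counts.append(base + (day * 7 + hour) % 3)  # deterministic jitter
    counts[6 * 24 + 14] = 55  # constructed burst on day 6 at 14:00
    return counts

if __name__ == "__main__":
    for index, value, base, score in seasonal_anomalies(build_sample()):
        print(f"day {index // 24} hour {index % 24}: {value} deletions "
              f"(baseline {base}, score {score})")
```

A fixed threshold of 30 deletions per hour would alert on the nightly job every day; the seasonal baseline flags only the 14:00 burst.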

2. Unmasking the Malicious: AI-Powered Malware Detection in Backups

When ransomware infiltrates your system’s defences, it’s highly likely that malware has also seeped into your backups. The task at hand is to identify and remove this malware from your backups before initiating data recovery; otherwise you risk reinfection after recovery. Conventional malware detection tools operate on production workloads and cannot reach backup copies. Data protection software must therefore embed malware detection capabilities, so that recoveries bring back safe and sanitised data.

Commvault addresses this challenge by leveraging advanced threat detection engines that inspect data more deeply to detect malware. Backups are scanned periodically, with spot checks looking for traces of malware. These scans inspect both file data and metadata, analysing several hundred features and feeding them into an intelligent engine that searches for telltale signs of malware. This AI-enabled malware detection engine is also continuously updated with the latest threat intelligence, ensuring that the latest malware definitions are used for detection.

Importantly, this analysis takes place in a secure and isolated environment without affecting production workloads and without hydrating data to the production environment. The result is a proactive and secure approach that scans for malware without introducing additional risks. Also, this process remains within the secure boundaries of your enterprise data centre, ensuring compliance with data residency requirements. Commvault’s open architecture also allows seamless integration with supplementary tools for advanced or customised scanning methodologies to suit your organisation’s unique needs.

3. The Art of Data Recovery: AI-Enhanced Detection of Infected Data

Once malware has been meticulously removed from your backup copies, the focus shifts to the intricate process of data recovery. Central to this process is the identification of data affected by ransomware. This is a technically nuanced task that requires precision to safeguard data integrity during restoration.

Commvault’s methodology incorporates a mixture of advanced techniques leveraging AI and ML to accomplish this. We initiate the process with file anomaly detection as the primary filter, seeking to identify when file data has undergone significant and potentially malicious alterations. Through machine learning, we track macro-level metrics such as the number of file changes, file deletions, and alterations in file data sizes. This approach enables our system to differentiate regular data behaviour from suspicious activity and approximate when such activity occurred and for how long.

Moving to micro-level analysis of file data for deeper inspection, we examine more granular attributes such as file MIME type irregularities, file signature similarities through SimHash comparisons, and even content within the file to determine if a file has been modified by ransomware. Most files, whether human or machine-generated, typically exhibit predictable changes, but when subjected to ransomware encryption, their content transforms unpredictably, resulting in increased entropy (dissimilarity). Commvault’s AI-driven algorithms make precise comparisons of file versions, measuring their similarity—or conversely, their entropy. This precision allows us to confidently pinpoint infected files with unparalleled accuracy. Even in scenarios where files are moved or renamed by ransomware, the algorithm intelligently tracks data lineage and establishes associations between a good version of the original file and an infected file that has been moved or renamed. The result is the selection of a version for each file with the least entropy compared to previous iterations, ensuring a comprehensive recovery process that maximises the chances of restoring pristine, untarnished data.
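A version comparison of the kind described above, as an added example that is not Commvault's algorithm: it computes a 64-bit SimHash and the byte entropy of each backup version and returns the newest version that still resembles its predecessor. The thresholds, function names and sample versions are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def simhash(data: bytes, shingle: int = 4) -> int:
    """64-bit SimHash over overlapping byte shingles."""
    weights = [0] * 64
    for i in range(max(1, len(data) - shingle + 1)):
        digest = hashlib.blake2b(data[i:i + shingle], digest_size=8).digest()
        h = int.from_bytes(digest, "big")
        for bit in range(64):
            weights[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(64) if weights[bit] > 0)

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two SimHash values."""
    return bin(a ^ b).count("1")

def last_clean_version(versions, max_distance=20, max_entropy=7.0):
    """Index of the newest version that resembles its predecessor and does
    not look like ciphertext (both thresholds are assumed values)."""
    hashes = [simhash(v) for v in versions]
    clean = 0
    for i in range(1, len(versions)):
        too_different = hamming(hashes[i - 1], hashes[i]) > max_distance
        if too_different or shannon_entropy(versions[i]) > max_entropy:
            break  # this version and everything after it is suspect
        clean = i
    return clean

def build_versions():
    """Constructed sample: two plaintext versions and a ciphertext stand-in."""
    rows = [f"{i:04d},customer-{i},amount={i * 17 % 1000}\n" for i in range(200)]
    v0 = "".join(rows).encode()
    v1 = v0 + b"0200,customer-200,amount=400\n"  # ordinary edit: one new row
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    return [v0, v1, stream[:len(v1)]]  # v2 mimics an encrypted overwrite

if __name__ == "__main__":
    print("restore version index:", last_clean_version(build_versions()))
```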

Cyber resilience is crucial

In summary, Commvault is committed to your cyber resiliency by continuously innovating the data protection platform with the adoption of AI and ML methodologies where applicable. In an era dominated by relentless and increasingly sophisticated cyber threats, your organisation deserves a robust and intelligent solution. Commvault’s data protection platform stands as the epitome of ransomware defence and remediation, providing you with the cyber resiliency required to protect and recover your critical data and digital assets.