Extend Threat Hunting to Your Backups with Rubrik Security Cloud

Historically, threat hunting has been an exercise conducted at great expense by only the most sophisticated security organizations. Security analysts use this approach to find specific indicators of compromise (IoC) across large sets of workloads. If an IoC is a particular binary package on one workload out of 100 workloads, the organization is hunting for a needle in a haystack. The trick is to find that indicator quickly.

Because threat hunting can be expensive and requires mature capabilities, most organizations don’t do it. There’s a vast gap between organizations that have done this for decades — mainly massive enterprises such as Microsoft and Google — and everyone else. Often, even large organizations find it challenging to maintain their threat-hunting capabilities. Professionals trained and proficient in this skill are in such high demand that retaining them is difficult. 

Small to midsize organizations, on the other hand, are often surviving on bare-bones IT staffing. If the IT department has only a handful of people, they’re likely already overworked, with little to no capacity to conduct any proper threat-hunting analysis. At best, they’re playing catch-up. For these organizations, Rubrik Security Cloud’s threat-hunting features — which were recently added to the platform — can be a game changer.

Threat hunting provides insight into a point when things began to go wrong. If I ask a threat-hunting tool, “Is this IoC here?” the answer will be yes or no. But most threat-hunting tools are unable to answer the next logical question — “When did it get here?” — because they don’t have the visibility that Rubrik offers. 

Rubrik Security Cloud analyzes data from a backup archive, not from production workloads. This provides two key benefits:

• First, when our platform analyzes backup archives, it doesn’t touch live production workloads. This avoids the impact threat hunting can have on workloads. 
• Second, if cybercriminals are on a production workload, they could see the threat-hunting activity and realize they’ve been spotted. They might detonate their malware and get out. Organizations can inadvertently expedite an attack by tipping their cards. Rubrik Security Cloud is stealthy, and it can search for IoCs without alerting attackers.

Using this feature doesn’t require a steep learning curve. There’s no new infrastructure to deploy. The platform provides the threat-hunting capability within a simple, centralized dashboard.

Rubrik is refining its Security Cloud platform to deliver more proactivity and automation. Organizations want to know what to search for, which is driving our ongoing iteration of the platform.

The platform’s first iteration can identify where an IoC is and how long it’s been there. The platform can’t remove it from the archive because one of the core tenets of our data security platform is immutable file systems. They can’t be tampered with. However, the platform’s next iteration will include a quarantine feature. Users will be able to mark entire images or individual files as quarantined, so they won’t be eligible to be restored. If someone tries to restore an image from a known bad workload, those files will not come back with it. 

The next near-term iteration will support more proactive searches by integrating threat intelligence data from extended detection and response endpoints and third-party platforms. For instance, if an extended detection and response platform detects attempted attacks, organizations can use that information to search for known issues trending in their environments.

Story by Rich Eicher, a cyber resilience architect for Rubrik.