The PivotNine Blog

Cohesity Unveils Three-Pronged Threat Defense Architecture

20 October 2021
Justin Warren

Cohesity has announced three more elements of what it’s calling its Threat Defense Architecture:

  1. Cohesity Data Govern: Automated sensitive data tagging and access anomaly detection
  2. Disaster Recovery as-a-Service: An AWS-based cloud recovery location for DR failover and failback.
  3. Project Fort Knox: An isolated cloud vault for immutable backup copies and ransomware recoverability testing.


It reflects the wider trend we’re seeing from all data protection vendors to position their offerings as relevant to customers looking for ransomware solutions.

Cybersecurity now has board level attention, driven by the major success of ransomware campaigns that have drawn mainstream media attention and high-level government responses. Since it’s top of mind for customers, vendors would be foolish to ignore the increase in interest.

Cohesity’s announcements need to be viewed against this backdrop, but it’s not merely a cynical marketing response to a shift in media coverage. Cohesity offers real value, but the devil is in the details and customers should carefully look at the problem they actually need to solve and then measure vendor offerings against those needs.

Cohesity Data Govern

Cohesity Data Govern is a way to automate detection of sensitive data and anomalous access patterns that could indicate an active cyber-attack. It claims to use AI/ML to do so, but like most claims of the sort, we’ll assume this is three linear regressions in a trench coat until proven otherwise.

The system automates discovery and flagging of sensitive data, which saves having people manually tagging data. This is good because we know that people mostly never bother with data classification, and that’s not going to change, because it’s repetitive and boring and humans are mostly terrible at anything that is repetitive and boring.

This is combined with policy definitions (and what Cohesity calls shields) to warn when reality differs from policy.

“As an example, what we call a wide access shield, would detect anomalous behaviour that’s triggered off of people inadvertently having access to data that they shouldn’t,” said Matt Waxman, Cohesity head of product.

This is better than “whoops, you’re probably pwned” anomaly detection because it does actually help customers prevent attacks from succeeding in the first place, rather than just noticing quickly.
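To make the idea concrete, here is an added example (ours, not Cohesity's code or data model) of the two pieces described above: automated sensitive-data tagging by content pattern, and a "wide access" style policy check that flags tagged objects readable by principals the policy does not allow. The inventory, group names, tag names and policy are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Principals that grant read access to effectively everybody (assumed names for this example).
WIDE_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below
# so that arbitrary long numbers (order ids, timestamps) are not tagged as card data.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Automated tagging: return the set of sensitivity tags found in a content sample."""
    tags = set()
    if EMAIL_RE.search(text):
        tags.add("PII")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.add("PCI")
            break
    return tags


@dataclass
class DataObject:
    path: str
    sample: str            # content sample the classifier sees
    readers: set[str]      # principals with read access (from the ACL)
    tags: set[str] = field(default_factory=set)


def wide_access_shield(objects, policy):
    """Compare reality (ACLs) with policy (allowed readers per tag).

    Returns one finding per (object, tag, offending principal). A wide principal
    such as Everyone is rated high because it exposes the data to the whole estate.
    """
    findings = []
    for obj in objects:
        obj.tags = classify(obj.sample)
        for tag in sorted(obj.tags):
            allowed = policy.get(tag, set())
            for principal in sorted(obj.readers - allowed):
                findings.append({
                    "path": obj.path,
                    "tag": tag,
                    "principal": principal,
                    "severity": "high" if principal in WIDE_PRINCIPALS else "medium",
                })
    return findings


# Constructed inventory and policy. 4111 1111 1111 1111 is the well-known Luhn-valid
# test number; the "order" number in readme.txt fails Luhn and must not be tagged.
OBJECTS = [
    DataObject("/hr/payroll.csv", "jane.doe@example.com, 4111 1111 1111 1111", {"Everyone"}),
    DataObject("/eng/readme.txt", "Build notes, order 1234 5678 9012 3456", {"Everyone"}),
    DataObject("/fin/cards.txt", "4111111111111111", {"finance-team"}),
    DataObject("/hr/contacts.txt", "bob@example.com", {"Domain Users"}),
]
POLICY = {"PCI": {"finance-team"}, "PII": {"hr-team", "finance-team"}}


def run_shield():
    return wide_access_shield(OBJECTS, POLICY)


if __name__ == "__main__":
    for f in run_shield():
        print(f"{f['severity']:6} {f['path']} [{f['tag']}] readable by {f['principal']}")
```

The point of the ordering matters: classification runs first, so the policy check only fires on data that is actually sensitive, and the shield reports a misconfiguration before anyone reads the file rather than after an anomaly has already happened.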

Cohesity intends to partner with the wider infosec ecosystem for remediation, rather than attempt to do it all itself, which we think is prudent given Cohesity is mostly a data protection vendor, not a security vendor, and working well with what customers already have is smart business, particularly for enterprise.

Disaster Recovery as-a-Service

Cohesity’s new Disaster Recovery as-a-Service (DRaaS) offering extends its existing SiteContinuity feature to support AWS as a recovery location for failover and failback.

It provides a cloud recovery point in the event of a problem at the primary site, without having to maintain a full set of infrastructure at the remote site. AWS cloud infrastructure means only paying when you actually need to spin up the recovery site, which provides DR with costs aligned with the value delivered. Automation from Cohesity makes it easier and more reliable than more manual methods or having to install third-party tools.

This is a feature that’s been available from competitors for a while, so it’s good to see Cohesity add this to its lineup. We look forward to learning more about how the automated failover works in practice, and the kinds of infrastructure stacks it supports.

This will only become more important as organisations move to using more cloud-native/Kubernetes applications as part of what they do, and have a foot in both camps for a while. These setups can lead to very complex application recovery scenarios when the business workload is served by multiple internal applications that join together as an internal supply-chain.

Project Fort Knox

Cohesity is signalling a new product that is not yet released but uses the internal codename Project Fort Knox. It will be “a service that will allow customers to maintain an isolated copy of their data in a Cohesity-managed vault to improve data resiliency in the face of ransomware attacks”.

This cloud-based service will differ from the DRaaS offer by being a Cohesity managed, ‘immutable’ copy of data, akin to an offsite tape service from days of yore. It’s pitched as an extra layer of protection from ransomware, but also against more prosaic data loss scenarios like disgruntled admins deleting the backup master server and corrupting the production database that gets instantly replicated to your DR site, breaking both of them in real time.

The most interesting part of this service to us is the “recovery sandbox”, an isolated cloud location in which to test your recovery scenarios safely, without the risk of accidentally breaking real systems you’ve inadvertently left connected to the DR test.

“For years, people have tested their DR infrastructure by periodically failing over and running their production from another site. But for ransomware, there is no equivalent,” said Waxman. “No one’s going to go inject malware into their production environment to validate that they can recover.”

“By having a separate, isolated environment that’s in a completely different space, that’s actually in a Cohesity account in the cloud, gives you the assurance that now you can periodically go and actually test things,” he said.

Setting this kind of thing up yourself is hard work, so being able to just buy the service, and hopefully combine it with the automation from Cohesity’s investments in SiteContinuity, would be a tremendous boon. It should make it much easier for customers to be able to prove they can recover, not just to themselves, but also to any auditors or regulators who might actually ask for proof, rather than just a document asserting that everything is okay.
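As an added illustration of what “immutable copy” and “prove you can recover” mean in practice (our example, not Cohesity’s implementation; the vault class, retention counter and sample files are all constructed), the following models a write-once store with a retention lock, restores it into an isolated sandbox, and verifies the restore against the manifest recorded at backup time. The same verifier run against the damaged production copy shows why the evidence has to come from the isolated restore, not from the live system.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class VaultEntry:
    data: bytes
    digest: str
    retain_until: int   # simple counter standing in for a retention timestamp


class ImmutableVault:
    """Write-once store: objects cannot be overwritten, and cannot be deleted
    before their retention period has expired. Models a WORM-style vault."""

    def __init__(self):
        self._objects: dict[str, VaultEntry] = {}

    def put(self, key: str, data: bytes, retain_until: int) -> None:
        if key in self._objects:
            raise PermissionError(f"{key}: already exists; vault is write-once")
        self._objects[key] = VaultEntry(data, sha256(data), retain_until)

    def delete(self, key: str, now: int) -> None:
        entry = self._objects[key]
        if now < entry.retain_until:
            raise PermissionError(f"{key}: retention lock active until {entry.retain_until}")
        del self._objects[key]

    def manifest(self) -> dict[str, str]:
        """Digest of every stored object, recorded at backup time as the audit reference."""
        return {k: v.digest for k, v in self._objects.items()}

    def restore_to_sandbox(self) -> dict[str, bytes]:
        """Copy every object into a fresh, isolated dict (the 'recovery sandbox')."""
        return {k: bytes(v.data) for k, v in self._objects.items()}


def verify_recovery(restored: dict[str, bytes], manifest: dict[str, str]) -> dict:
    """Compare a restored set against the manifest and return an evidence report."""
    report = {"verified": [], "mismatched": [], "missing": []}
    for key, expected in sorted(manifest.items()):
        if key not in restored:
            report["missing"].append(key)
        elif sha256(restored[key]) != expected:
            report["mismatched"].append(key)
        else:
            report["verified"].append(key)
    report["ok"] = not report["mismatched"] and not report["missing"]
    return report


def recovery_drill():
    """Back up, simulate damage to production plus an attempted vault purge,
    then restore into the sandbox and verify. Returns what an auditor would see."""
    vault = ImmutableVault()
    production = {                     # constructed sample data
        "db/customers.sql": b"CREATE TABLE customers (...);",
        "db/orders.sql": b"CREATE TABLE orders (...);",
    }
    for key, data in production.items():
        vault.put(key, data, retain_until=30)
    manifest = vault.manifest()

    # Simulated incident: production data is encrypted and an attempt is made to
    # purge and then overwrite the backup copy while the retention lock is active.
    production["db/customers.sql"] = b"<encrypted>"
    try:
        vault.delete("db/customers.sql", now=5)
        purge = "succeeded"
    except PermissionError:
        purge = "blocked"
    try:
        vault.put("db/customers.sql", b"<encrypted>", retain_until=30)
        overwrite = "succeeded"
    except PermissionError:
        overwrite = "blocked"

    sandbox = vault.restore_to_sandbox()
    return {
        "purge": purge,
        "overwrite": overwrite,
        "sandbox_report": verify_recovery(sandbox, manifest),
        "production_report": verify_recovery(production, manifest),
    }


if __name__ == "__main__":
    result = recovery_drill()
    print("purge attempt:", result["purge"], "| overwrite attempt:", result["overwrite"])
    print("sandbox restore ok:", result["sandbox_report"]["ok"])
    print("production mismatches:", result["production_report"]["mismatched"])
```

The manifest is captured when the backup is written and kept apart from the data it describes; the drill’s output (lock held, restore verified against that manifest) is the kind of artefact that answers an auditor’s question with a result rather than an assertion.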

Well, we can hope, right?

Firstly, we recommend assembling your team to run a tabletop exercise of “what if?”. Sometimes called a pre-mortem, the goal is to pretend that the worst has happened and role-play your recovery. Be brutally honest with yourself about what could go wrong, and play out your worst nightmares in the cold, harsh lights of the conference room (or ring lights for those of us still 100% remote).

Find the critical weaknesses, and only then look for solutions.

Secondly, every vendor is very aware of how much money is available at the moment to attempt to tackle the problem of ransomware, so they are all trying to get your attention. They often have good solutions for the problems they’re trying to solve, but those problems may not be your problems.

The challenge is inherently complex because of how many ways things can go wrong. Solving all of them may not be necessary for you, and different vendors have focused on different things.

The information environment is very messy at the moment, so don’t be afraid to seek help in understanding what the various vendors really do, and what they don’t. PivotNine would be only too happy to assist you, so contact us today.