Data protection vendor Commvault has released Metallic ThreatWise, a SaaS add-on for Metallic that detects intruders when they first enter the environment.
ThreatWise is based on Commvault’s TrapX acquisition in February 2022. It is a combined canary/honeypot system that sets up fake systems to lure in attackers and keep them busy while operators are alerted to their presence. Think of it as a way to boobytrap your environment like in the movie Home Alone.
“When you’ve discovered the bad guys in your network, everybody’s on deck trying to get things sorted out,” said Sanjay Mirchandani, President and CEO, Commvault. “At that point, it’s possibly too late. The whole time they’re in your network, you could be infected. You could be backing up assets that are infected.”
With ThreatWise, Commvault wants to help operators detect an intrusion quickly so they can protect the backups that will be needed for a recovery.
“I want to make sure that we’re as early in the process as possible so that you’re not backing up bad data,” said Mirchandani.
ThreatWise is available as a Metallic marketplace add-on, and quickly spins up a console for operators to use. The ThreatWise appliance installs as an OVF virtual appliance in the customer’s environment with minimal operator action required.
Fake it ’til you trap them
Commvault has put a lot of work into creating lures, decoys and traps that appear to be Commvault backup infrastructure and that operators can quickly deploy, either singly or en masse with the Mass Deploy option. These are available as inbuilt options alongside the existing array of switches, servers, and other standard traps and decoys already present in the ThreatWise product. Customers can also add their own traps that mimic their proprietary apps and infrastructure, if they want to dive into the detailed configuration options.
These traps provide a high-confidence signal that something nefarious is going on, because there’s no legitimate reason for anyone to be trying to connect to a fake backup server. Attackers can’t easily tell the difference, though, so unless they’re incredibly careful, even taking a look around is likely to trigger an alarm. The sooner admins know there might be a problem, the sooner they can take action.
A dashboard view providing summary information on detected threats is available in the ThreatWise console, and large amounts of detail can be explored with just a few clicks. ThreatWise can provide data feeds into standard information security systems such as Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools.
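To make the two points above concrete (a decoy touch is a high-confidence signal because nothing legitimate should connect to it, and the resulting alerts are shipped to a SIEM/SOAR), here is a minimal canary-style listener. It is an added example, not ThreatWise or Commvault code; the decoy name, alert fields and the self-check function are assumptions for illustration.

```python
import json, socket, threading, time
from datetime import datetime, timezone

class DecoyListener:
    """Canary-style decoy: a TCP listener that serves nothing, so any connection is a
    high-confidence alert. The decoy name you pass in is a constructed label."""
    def __init__(self, decoy_name, host="127.0.0.1", port=0):
        self.decoy_name, self.alerts, self._lock = decoy_name, [], threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]   # port 0 above lets the OS pick one
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except OSError:                  # listening socket closed by stop()
                return
            with conn:                       # capture the first bytes, never reply
                conn.settimeout(0.5)
                try:
                    probe = conn.recv(64)
                except OSError:
                    probe = b""
            alert = {"ts": datetime.now(timezone.utc).isoformat(),
                     "severity": "high",     # a touched decoy has no benign explanation
                     "decoy": self.decoy_name, "decoy_port": self.port,
                     "src_ip": src_ip, "src_port": src_port, "probe_hex": probe.hex()}
            with self._lock:
                self.alerts.append(alert)

    def siem_lines(self, expected=0, timeout=3.0):
        """NDJSON alerts for a SIEM/SOAR collector; waits up to `timeout` s for `expected` alerts."""
        deadline = time.monotonic() + timeout
        while True:
            with self._lock:
                if len(self.alerts) >= expected or time.monotonic() >= deadline:
                    return [json.dumps(a, sort_keys=True) for a in self.alerts]
            time.sleep(0.05)

    def stop(self):
        self._sock.close()

def verify_decoy(listener, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Deployment check: touch our own decoy once and return the parsed alerts."""
    with socket.create_connection(("127.0.0.1", listener.port)) as s:
        s.sendall(payload)
    return [json.loads(line) for line in listener.siem_lines(expected=1)]
```

Run `verify_decoy(DecoyListener("decoy-backup-mediaagent-01"))` after deploying a decoy to confirm it alerts before relying on it; in production the NDJSON lines would be forwarded to the SIEM instead of kept in memory.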
ThreatWise has been released fairly early, and integrations with Metallic are limited at this stage. The main benefit is to have the traps and decoys in your environment so that operators can get early warnings of suspicious activity. The alerts can plug into existing automated responses, but Commvault plans to add deeper integrations with Metallic so that known-good responses are automatically triggered by the base product. Examples include quarantining backups ready for rapid restore and scanning backups for detected malware so you don’t restore bad data.
Despite the early release, I think this is a really smart approach by Commvault. I love the whole concept of booby-trapping your environment so that attackers have a really hard time going unnoticed. Why should red teams have all the fun? Defenders can create all kinds of fun mazes and dungeons for attackers to flounder around in.
ThreatWise has a graduated range of options from simple alerts all the way to full environments that can soak up an attacker’s time as they merrily encrypt a fake server with ransomware. But unlike home-built honeypot systems, the ThreatWise technology makes them safe to deploy, with a low risk of accidentally giving attackers a helping hand.
Given Commvault only acquired TrapX seven months ago, it’s unsurprising that the integrations are limited at this stage. I do want to see more backup-operator-oriented features quickly, though, or Metallic risks splitting itself into a backup and recovery part and an infosec part, rather than an integrated data protection company. The integrated company is Mirchandani’s goal, though, so we should see this soon.
“I’m not trying to security-wash my company. I’m protecting the data at whatever point in the lifecycle I can to make it safer for my customers,” said Mirchandani.
And I, for one, believe him.