Veeam Acquires Coveware, Adds Incident Response To Data Protection

“A lot of backup companies are buying security companies. Our view is, we want to buy something in the prevention business, not in the ‘aftereffects’ business. If you suffer from an incident, what you do after the incident of course is hugely important. But whatever you can do prior to the incident is even more beneficial,” says Dave Russell, Veeam’s acting CTO and vice president of enterprise strategy.

Data protection technology developer Veeam Tuesday said it has acquired Coveware, a developer of cybersecurity incident response technology.

In the deal, for which no dollar value was provided, the entire Coveware team, including its co-founder and CEO, Bill Siegel, has joined Veeam.

Backups and data protection traditionally have been done on the back end of cyberattacks, said Dave Russell, acting CTO and vice president of enterprise strategy at Seattle-based Veeam.

“With Coveware, we want to get on the more proactive front end,” Russell told CRN. “Veeam wants to democratize cyber incident response. If you think about what goes on in the anatomy of a cyberattack, it is leveraging multiple failures that took place in the data center. Someone clicked on a link they should not have, fell for a phishing scam which exploited a patch that was probably a known vulnerability, but the patch wasn’t updated. Intrusion detection didn’t catch what the issue was, and potentially other dominoes had to fall as well to get to the point where the cyberattack was unleashed. And then the attackers could have moved around laterally.”

At that point, a compromised business would have to recover to a known good state, which is a focus of Veeam to make sure backups are protected and are not compromised in any way, Russell said.

For Veeam, the acquisition of Coveware is a way to get ahead of the security curve, Russell said.

“A lot of backup companies are buying security companies,” he said. “Our view is, we want to buy something in the prevention business, not in the ‘aftereffects’ business. If you suffer from an incident, what you do after the incident is of course hugely important. But whatever you can do prior to the incident is even more beneficial. That’s how we want to get ahead of the curve, how we want to democratize these capabilities for hundreds of thousands of customers.”

Coveware provides several important incident response and recovery capabilities, including identifying and assessing ransomware and its threat, providing secure negotiations in case of an attack, working with customers to settle the attack, and providing decryption of the ransomed data as well as documentation, Russell said.

“All these things could be happening in parallel, and Coveware in Veeam’s opinion was absolutely brilliant in doing up-front threat hunting and detection,” he said. “They have some unique software that enables that. Then there’s this great middle area of services around negotiation and settlement discussions with the bad actors. And then there’s a decryption tool to unwind from an event. And all this is over and above what Veeam believes it can bring to the table.”

Coveware for the time being will continue to be run as a stand-alone operating company, Siegel told CRN.

The services that Coveware provides related to negotiation and settlement is a boutique business that was not grown by design, including prior to the acquisition by Veeam, he said.

“And we’re probably not going to grow it dramatically after,” he said. “The purposes of our incident response business has never been to do and handle more incidents. That’s never been the goal. From the moment we founded Coveware six years ago, the goal has been intelligence-gathering for the purpose of doing something about this problem. We don’t need to do double or triple or quadruple the number of incidents just to do more. There’s no point in that, especially with how homogenous and repetitive ransomware attacks are.”

Once Coveware gets the requisite volume of intelligence, it can identify how threat actors are behaving and then formulate that into actionable advice for customers to prevent those same tactics from being effective against them, Siegel said. The whole goal, he said, is to strengthen a business before a cyberattack rather than make money on responding to a successful attack.

“Coveware has never approached this business like a lot of the consulting firms in the incident response space, where the approach is just grow, grow, grow, more utilization is better, bigger is better, get as much reach as possible,” he said. “We’ve always viewed our business as an intelligence-gathering apparatus. And that’s really not going to change. We’re a small company. At the end of day, doubling or tripling Coveware’s incident response is not going to move the needle. It’s not going to change the volume or value of the intelligence that’s gathered.”

Siegel used the analogy of car safety, where having seatbelts and collapsible airbags are very important in case of a crash, but implementing crash avoidance is much more important to prevent the crash in the first place.

“More and more companies are finding themselves in a cyber incident,” he said. “It’s not going to go away. We need to do something different to get on the front end of this. We think together we can both try to provide best practices in shoring up known vulnerabilities and issues, and then if there should be an escape [of ransomware], if the worst should happen for whatever reason, be able to respond to that very effectively and very rapidly.”

Bringing Veeam And Coveware Together

Russell said that prior to the acquisition there were no overlaps in the two companies’ capabilities.

“Veeam has done a lot in our last release to bring in additional detection capabilities,” he said. “But that’s detection after an incident. We’ve done a number of things to make sure backups are safe and highly usable. But what we love about Coveware is that front end where they can understand what’s going on with a production environment and comment on ways to make production safer. And Coveware can comment on ways to make secondary copies, backups, disaster recovery safer. And then if something should happen, Coveware offers a decryption capability over and above Veeam’s, bringing back known good copies of data.”

For Coveware, which is profitable and has no outside private equity investors, the decision to be acquired stemmed from the need for scale, Siegel said.

“While we felt we were able to have a positive impact on the incident response industry and with our clients that have chosen to work with us proactively, we never had an installed base of hundreds of thousands of customers,” he said. “We could shout from the rooftops and from our blog and make public appearances and things like that. But our ability to actually influence large numbers of individual organizations and compel them to be safer has always been constrained by just how small of an organization we are.”

When Coveware started talking to Veeam and got an understanding of just how large its installed base was, it opened the company’s eyes, Siegel said.

“It was like, ‘Oh, my God, we can really make a difference here,’” he said. “We could really put a dent in cybercrime and the cost of disruption that these attacks inflict upon companies by combining what we know and our experience of handling thousands of incidents over the years with the installed base of Veeam. That’s a distribution path we never thought was possible. So it was really exciting.”

Coveware currently is offered on a subscription basis, an arrangement expected to continue as the company is integrated into Veeam, Russell said. Veeam is committed to serving Coveware’s existing customers as they are currently served, he said.

Russell said he expects Veeam over time will take parts of Coveware—such as its reconnaissance capability in production environments and potentially even the decryption capabilities—and infuse them where they make sense in the Veeam platform. The overall Coveware technology will be available to Veeam customers for an additional subscription fee, he said.