Ctera CEO: Cyber-resilient Storage Key As Security ‘Not Good Enough’

‘What we’re offering is full protection with Ctera Ransom Protect. It allows you to identify the attack, block the attack, and then if needed to recover from the attack. And the fact that we can actively identify and block the attack as quickly as possible, maybe less than 30 seconds, means the recovery time will be almost instant,’ says Ctera CEO Oded Nagel.

Last Line Of Defense

Storage vendors led by Cohesity and Rubrik have over the last couple years moved to add ransomware protection to nearly all their primary and secondary storage technology, whether hardware-based or software-based. The move is driven by concerns that ransomware, driven in part by users accidently allowing ransomware to enter their data undetected, will get past other security measures and remain hidden until it eventually attacks the data.

Oded Nagel, who this March became CEO of Ctera, a New York-based provider of edge-to-cloud global file services, told CRN that the storage industry is moving to adopt ransomware protection because traditional recovery from data snapshots no longer works when customers have millions or billions of files subject to attack.

“Even if you have a very fast storage and huge performance, it will take you hours or sometimes days to restore the data,” Nagel said. “And that’s why we believe that being much more proactive, and actually moving from protection to detection, is the right approach for customers. You want to be much more responsive and be able to identify these types of attacks before they actually happen.”

To that end, Ctera this week unveiled Ctera Ransom Protect, an AI-powered cyber protection engine the company said is natively integrated into the Ctera global file system, which Nagel called an “edge-to-cloud solution that allows enterprise customers to manage their data and collaborate on data from remote locations to their co-lo or to their cloud.”

Ctera Ransom Protect goes beyond traditional ransomware protection by being proactive in detecting ransomware activity and identifying malicious activities based on machine learning technology, Nagel said.

“We identify these activities in less than 30 seconds and either alert the admin or automatically block the user from accessing any more data on the global file system until we remove the ransomware threat,” he said. “It’s a very advanced technology based on AI protection and machine learning. There is no dependency on specific signatures. ... And since we can run it on the file system level, there is no performance overhead to the detection.”

While early availability customers are already using Ctera Ransom Protect, it will officially launch in July, he said.

Ctera expects Ctera Ransom Protect to be a 100-percent channel offering, and its introduction comes just a week after the company introduced a new partner program.

To better understand the new technology, and to learn more about Ctera, click through thr slideshow.

Define Ctera. How do you describe the company?

Ctera is a leader in the space of what we call cloud file storage. We have an edge-to-cloud solution that allows enterprise customers to manage their data and collaborate on data from remote locations to their co-lo or to their cloud.

You mentioned cloud file storage. There’s a lot of companies in this space. What’s unique about Ctera?

So we focus on three main things. First is scalability and performance, the ability for us to deploy a very scalable, global file system. We have customers today with hundreds or even thousands of remote locations, and petabytes and petabytes of data that is managed in our global file system in billions of files. Second is security. We have a lot of security capabilities in our platform, and [this week’s news] is about how we are adding more security capabilities in our global file system. And the third is our data services. We allow our customers to integrate to different types of enterprise platforms, like AI, cloud analytics, elastic search, and many others, so they can easily access and manage their data through our global file system.

Does Ctera have its own cloud? Where is the customer data stored?

We do have an offering we can offer to customers. But our main business is selling a software-defined solution so the customer can run our platform on any cloud, either fully on-prem, or hybrid cloud, or in a VPC (virtual private cloud) in their public cloud like Amazon, Azure, and so on. And they build their own global file system solution. So we work mainly with very large enterprise customers that want full control of their data, including where the data is stored, how to protect their encryption keys, and making sure they’re complying with different regulations like GDPR.

Tell us about the new Ctera Ransom Protect ransomware protection?

Ransomware is creating a lot of headaches for almost any customer we are talking to in the enterprise space on a daily or weekly basis. There are many solutions in the market that can give you different levels of protection. But you just need one weak link in your protection and then ransomware can actually take down your ‘castle.’ Ctera is now providing a built-in AI agent solution in our global file system that will allow customers to have not just full protection and recovery. We already have that. For many years, our global file system has had snapshot capabilities which allows customers to have a granular recovery point. However, if someone is attacked by ransomware, imagine having billions of files in your file system and being affected. Even though you have the ability to recover data from a backup, it can take you a while to recover large datasets.

So we’re introducing another layer allowing us to be much more proactive in detecting ransomware activity and being able to identify malicious activities based on machine learning technology that we have developed. We identify these activities in less than 30 seconds and either alert the admin or automatically block the user from accessing any more data on the global file system until we remove the ransomware threat. It’s a very advanced technology based on AI protection and machine learning. There is no dependency on specific signatures. A lot of ransomware protection mechanisms are based on signatures. But this is not enough. There are many ways to bypass signature protection. And you really need a more advanced technology that actually tracks user activity on even to the second to identify different activities on the file system. And since we can run it on the file system level, there is no performance overhead to the detection. So from a user perspective, you just need to enable the feature, and the data is fully protected.

How does it work?

What we’re offering is full protection with Ctera Ransom Protect. It allows you to identify the attack, block the attack, and then if needed to recover from the attack. And the fact that we can actively identify and block the attack as quickly as possible, maybe less than 30 seconds, means the recovery time will be almost instant.

First of all, we will block an attack in advance, so if an attack is happening, the effect on the global file system would be really minimal. And then with our snapshot capabilities, we can quickly restore the data. We also have an incident management platform that allows users to see exactly which files were attacked, which user generated the attack, and many other events that allow the admin to understand what’s going on in the network. There AI sensors running in real time at the edge. So even if you have hundreds of locations globally, the technology will identify a single user in a single location in less than 30 seconds and generate this type of protection. That’s at a high level how the architecture looks. At the edge in remote offices, we have our secure Edge Filer. When the new version of Ctera Ransom Protect is released, customers can just upgrade the software to automatically have these capabilities available for them.

The edge filer is a virtual appliance. Most of our customers are running it as a virtual appliance either on VMware, Hyper-V, KVM, whatever they want, on their own hardware. It’s a software-defined solution. Our engine is based on what we call event-driven technology. The engine is running on the edge where we collect all the file events on the file system. So if you open a file, read a file, change a file, modify a file, depending on type of events that are generated, we know how to filter these events based on our machine learning agent, and then classify the event and identify if it can trigger a malware attack. Once we identify an event as a ransomware attack, the system either alerts the user and continues to allow the user to work regularly, or blocks the user from accessing the data and automatically disconnects from the data share. The IT admin will then get a notification and can investigate and decide whether to reopen access to that user after fixing the issue.

A lot of storage hardware and software vendors are offering ransomware protection. Why are the storage vendors all getting into ransomware protection?

I think that cyber-resilient storage in general is getting a lot of demand because customers understand that protecting the perimeter with firewalls or EDR (endpoint detection and response) solutions is good, but it’s not good enough. You only need one user that will click an email or something that was sent by SMS to a mobile device to create holes in protection and allow access to your data. … Most vendors today on the storage side provide what they call protection because they have capabilities for snapshots and version control. So in case you were attacked, they can easily help you go to a snapshot and restore the data from a day before. But that’s not enough. Because if you were attacked, and now you have 1 billion encrypted files, even if you have a very fast storage and huge performance, it will take you hours or sometimes days to restore the data. And that’s why we believe that being much more proactive, and actually moving from protection to detection, is the right approach for customers. You want to be much more responsive and be able to identify these types of attacks before they actually happen. That’s what we see today in the market.

Different vendors provide different layers of protection. Some of them are recommending customers do backups, like Commvault and Veeam and so on. I think Veeam just published information that 85 percent of attacks are happening on the backups themself. So hackers are actually first of all doing ransomware attacks on backups and then encrypting your production data. So when you try to recover from your backup, you realize your backup was already attacked and encrypted before you actually know it. So that’s not a very good experience. … So that’s why we believe that we need to be able to identify these type of attacks before they happen as soon as possible, and to be able to identify and block the users before most of the data is encrypted.