Page 1 of 18
Disaster Recovery to Cyber Recovery -- What is the New Best Future State?
A transcript of a discussion on new ways of protecting data backups first and foremost so that
cyber recovery becomes an indispensable tool in any IT and business security arsenal.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys and
Dell Technologies.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and
you’re listening to BriefingsDirect.
The clear and present danger facing businesses and governments from cybersecurity
threats has only grown more clear and ever-present as we enter 2021.
As the threats from runaway ransomware attacks and state-sponsored backdoor access
to networks deepen, too many businesses have a false sense of quick recovery using
traditional business continuity and backup measures.
That’s because the criminals are increasingly compromising vulnerable backup systems
and data first -- before they attack. As a result, visions of flipping a switch to get back to
a ready state may be a dangerous illusion that keeps leaders under a false sense of
business as usual.
Stay with us now as we explore new ways of protecting the backups first and foremost
so that cyber recovery becomes an indispensable tool in any IT and business security
arsenal. We will now learn how Unisys and Dell Technologies are elevating what was
data redundancy to protect against natural disasters into something much more resilient
and powerful.
To learn more about the latest in rapid cyber recovery strategies and technologies, please
join me in welcoming our guests, Andrew Peters, Director of Global Business Development
for Security at Unisys. Welcome, Andrew.
Andrew Peters: Hi. Thank you, Dana.
Gardner: We are also here with David Finley, Director of Information Assurance and
Security in the Data Protection Division at Dell Technologies. Welcome, David.
David Finley: Thank you, Dana. I’m glad to be here.
Gardner: David, what’s happened during the last few years -- and now especially with
the FireEye and SolarWinds attacks -- that makes cyber recovery as opposed to disaster
recovery (DR) so critical?
The best defense is a good offense
Finley: I have been asked that question a few times just in the last few weeks, as you
might imagine. And there are a couple of things to note with these attacks, SolarWinds
and FireEye.
One, especially with FireEye, it was demonstrated to the entire world something that we
didn’t really have our eyes on, so to speak, and that is the fact that folks that have
really good security -- where they sit back and the chief information security officer
(CISO) and the security team say, “We have really good security, we spent a lot of money,
we have done a lot of things, we feel pretty good about what we have done.” That’s all
great, but what was demonstrated with FireEye is that even the best can be compromised.
If you have a nation state-led attack or you are targeted by a cybercrime family, then all
bets could be off. They can get in and they have demonstrated that with these latest
attacks.
The other thing is, they were able to steal tools. Nothing worse can happen than the bad
guys having new toolsets that they can actually use. We believe that with the increased
threat from the bad actors because of these things, we really, really need the notion of a
cyber vault or the third copy, if you will. Think about the 3:1 rule -- three copies, two
different locations, one off-site or offline. This is really where we need to be.
Gardner: Andrew, it sounds like we have to assume that we are going to be or are
already attacked. Just having a good defense isn’t enough. What’s the next level that we
need to attain?
Peters: A lot of times organizations think their security and their defenses are strong
enough to mitigate virtually anything that happens to the organization. But what's been
proven now is that the bad guys are clever and are finding ways in. With SolarWinds, they
found a backdoor into organizations and are coming in as a trusted entity.
Just because you have signed Security Assertion Markup Language (SAML) tokens and
signed certificates that you trust, you are still letting them in. It’s just been proven that
you can’t exactly trust them. And when they come inside an organization and they win,
what do you do next? What do you do when you lose? The concept here is to plan to
win, but at the same time prepare to lose.
Gardner: David, we have also seen an uptick in the success of ransomware payouts.
How is that also changing the landscape for how we protect ourselves?
Finley: I was recently thinking about that and I saw something written, it might have
been a Wall Street Journal article, on security recently. They said CISOs in
organizations have a decision to make after these kinds of attacks. The decision really
becomes pretty simple. Do they pay the ransom or do they not pay the ransom?
We would all like to say, “Don’t pay the ransom.” The FBI says don’t pay the ransom,
because of the obvious reasons. If you pay it, they may come back, they are going to
want more, and it sets a bad precedent, all those things. But the reality is when this
actually happens to a company, they have to sit down and make the hard decision: Do I
pay or do I not pay? It’s based upon getting the business running again.
We want to position ourselves together with Unisys to create a cyber vault that is
secured in a way that our customers will never have to pay the ransom.
If we have a protected set of data that is the most important data to the firm – the stuff
that they have to have tomorrow morning to actually run the business -- and it’s in a
protected vault secured by zero trust, through Unisys Stealth software, to be able to
secure it and get it back out and put it back into play, that’s the best answer.
So that means not paying the ransom and still having the data available to bring the
business back into play the next day. A lot of these attacks, as we know, are not only
stealing data, like they did recently with FireEye, but also encrypting, deleting, and
destroying the data.
Gardner: Another threat vector these days is that more people are working remotely, so
there are more networks involved and more vulnerable endpoints. People are having to
be their own IT directors in their own homes, in many cases. How does the COVID-19
work-from-home (WFH) trend impact this, Andrew?
Work from home opens more doors
Peters: There are far more points of entry. Whereas you might have had anywhere
from 10 percent to 15 percent of your workforce remotely accessing the network, and
that access was fairly controllable, now you have up to 100 percent of your knowledge
workers working remotely and accessing the network. There are more points of entry.
From a security perspective, more rules need to be addressed to control access into the
network and into operations.
Then one of the challenges an organization has is that once they are on the inside of
these big, flat networks the bad guys can map that network. They learn the systems that
are there and they learn the operations extremely well and manipulate them, taking
advantage of zero-day vulnerabilities in the systems and so operate within that
environment without even being discovered. Once again, going back to the SolarWinds,
they were operating for about eight months before they were eventually discovered.
Gardner: And so are we at a point going on 30 years of using wide area networks
(WANs), and we are still under a false sense of security. David, do we not understand
the threats around us?
Finley: There is the notion within our organizations and within the public sector that we
believe what we have done is good enough. And good enough can be our enemy. I can’t
tell you the number of times I have spoken with folks during incident response or after
incident response from a cyberattack where they said, “We thought we were secured.
We didn’t know that this could happen to us, but it did happen to us.”
That false sense of security is very real, evidenced by these high-level attacks on firms
that we never thought it would happen to. It's not just FireEye and it's not just
SolarWinds. We have had attacks on COVID-19 clinical trial providers, we have had attacks
on our own government entities. Some of these attacks have been successful. And a lot of
these attacks don’t even get publicized.
Here is the most dangerous thing in this false sense of security we are talking about. I
ask customers what percentage of the attacks do you actually believe you have visibility
into within your own region? And the answer, the honest answer, is usually probably less
than 20 percent.
But because I do this every day for a living, as does Andrew, and we probably have
visibility to maybe 50 percent, because a lot of times these attacks happen and they get
swept under the rug. They quietly get cleaned up, right? So we don’t know what’s
happening. That also leads us to a false sense of security.
So again, I believe that we do everything we can upfront to secure our systems, but in
the event that something does get through, we need to make sure that we have a secure
offline copy of these backups and of our data.
Be prepared, or be prepared to pay ransom
Peters: An interesting dynamic I have noticed since the pandemic is that organizations,
while they recognize it’s important to have that cyber recovery third copy to bring
themselves back from the brink of extinction, say they can’t afford to do it right now. The
pandemic has squeezed them so much.
Well, we know that they are invested in backup. We know they are invested in DR, but
they say, “Okay, we may table this one because it’s something that is a bit too expensive
right now.”
However, on the other side, there are organizations that are picking up on this at this
time, saying, “You know what? We see this is way more critical because we know the
attacks are picking up.”
But the challenge here is the organizations that are feeling squeezed, that they can’t
afford to invest in a solution like this, the question is, can they afford not to invest in this
given all the exposure of the threats to their organizations. And we keep going back to
SolarWinds, which is a big wake-up call.
But if we go back to other attacks that happened to organizations in the recent past --
such as the WastedLocker backdoor and the procedures the bad guys are using to get
into organizations to learn how they operate, to find additional backdoors and operate
within that environment, and to even learn to avoid the security technologies that were
put in there specifically to detect such breaches – they can operate with impunity within
that environment. Then they eventually learn that environment well enough to shut them
down enough so that the company has two choices. That company can either pay the
ransom or go out of business.
And if you are a bad guy, what would be your goal? Do you want to expose the company’s
information and embarrass them? No, you want to make money. And if they are in the
process of making money, how do they do it? You have to squeeze an organization as much
as possible. And that’s what ransomware and these backdoors are designed to do -- squeeze
an organization enough to where they are forced to pay the ransom.
Gardner: So we need a better, fuller digital insurance policy. Yet many organizations
have insurance in the form of DR designed for business continuity, but that might not be
enough.
So what are we talking about when we make this shift from business continuity to cyber
recovery, David? What are the fundamental challenges organizations need to overcome
to make that transition?
Cyber meltdown more likely than natural disaster
Finley: The number-one challenge I have seen over the past four or five years is that
we need to realize that DR -- and all the tenets of DR -- will not cover us in the event of a
cyber disaster. So those are two very different things, right?
Oftentimes I challenge people with the notion of how they differ. And just to paint a
picture, we have been doing DR basically the same way for many decades. The way it
normally works is we have our key systems and their data connected to another site
outside of a disaster radius, such as for earthquakes, floods, tornados, and hurricanes.
We copy that data through a wide-open pipe to the other side on a regular basis. It’s an
always-open circuit to the other side, and we have been doing it that way for 40 years.
What I often ask customers is based on that, how much do you spend every year to do
DR? What does it really cost? Do you test? What are the real costs for DR for you? And
there is usually a tangible answer.
With that in mind, the next question is, “If you look at the probability of something
happening in the future to you, what do you think is more probable -- a natural disaster
event or a cyber disaster? What’s more probable?” And the answer is unanimously, it’s
been 100 percent in recent years, it’s going to be a cyber disaster.
Of course, the next question is, “How do you deal with cyber recoveries and is it a
function of DR within your organization?” And the answer usually is, “Well, we don’t deal
with it very well.”
So the IT infrastructure and security groups have in the last year been making cyber
recovery part of DR planning -- and it’s taken a long time to get there. When you think
about that, if the probability of cyber events is much higher than disaster events -- and
we spend $1 million a year on DR -- how much do we spend for cyber recovery? The
answer historically has been that they spend very little on true cyber recovery.
That’s what has to change. We have to change how we approach this. We have to bring
the security and risk folks into those decisions on protecting data. We need to look at it
through the lens of a cyber event destroying all of the data, just as a hurricane may
destroy all of the data.
Peters: You know, Dave, in talking to a lot of organizations on what exactly they are
going to do if they have a ransomware meltdown, we ask, “How are you going to
recover?” They say, “We are going to go to our DR.”
Hmm, okay. But what if you discover in your recovery process those files are polluted?
That’s going to be a bad situation. Then they may go find some tapes and stuff. I ask,
“Okay, do you have a runbook for this?” They say, “No.” Then how will they know exactly
what to do?
And then the corollary to that is, how long is this recovery going to take? How long can
you sustain your operations? How long can you sustain your company, and what kinds
of losses are you prepared to sustain?
Wow, and you are going to figure this all out when you are going through the process of
trying to bring your organization back after a meltdown? That’s usually the tipping point
where you are going to say, like other organizations have said, “You know what? We are
just going to have to pay the ransom.”
Finley: Yes, and that also begs the question that we often see folks miss. And that is,
“Do you believe that your CEO and/or your board of directors -- the folks who don’t do IT
as an everyday job, the folks who are running the business -- do they understand the
difference between DR and cyber recovery?”
If I were to ask people on the board of any organization if they were secure in their DR
plans, most of them would say, “Yes, that’s what we pay our teams to do.”
If I were to ask them, “Well, do you believe that being able to recover from cyber
disasters is included in that and done well?” The answer would also be, “Yes.” But
oftentimes that is simply not the truth.
They don’t understand the difference between DR and cyber recovery. The data can all
be gone from a cyber event just as easily as it can be gone from a hurricane or a flood.
We have to approach it from that perspective and start thinking through these things.
We have to take that to our boards and have them understand, “You know what? We’ve spent
a lot of money for 40 years on DR, but we really need to start spending money on cyber
recovery.”
Yet we still get a lot of pushback from customers saying, “Well, yes, of course making a
third copy and storing it somewhere secure in a way that we can always get it back --
that’s a great idea -- but that costs money.”
Well, you have been spending millions of dollars on DR, so make cyber recovery part of
that effort.
Gardner: To what degree are the bad guys already targeting this discrepancy? Do they
recognize a capability to go in and compromise the backups, the DR, in such a way that
there is no insurance policy? How clever have the bad guys become at understanding
this vulnerability?
Ingenious bad guys target backups
Peters: What would you do if you were the bad guy and you wanted to extort money
from an organization? If you know they have any way of quickly recovering, then it’s
going to be pretty hard to extort from them. It’s going to be hard to squeeze them.
These guys are not broke, they are often professional organizations. There’s a lot of
focus on the GRU, the former KGB operation that’s in Russia, and Cozy Bear and a
number of these different organizations are well-funded. They have very clever people
there. They are able to obtain technologies, reverse engineer them, understand how the
security technologies operate, and understand how to build tools to avoid them. They
want to get inside of organizations and learn how the operation runs and learn
specifically what’s key and critical to an organization.
The second thing, while they want to take out the primary systems, they also want to
make sure you are not able to restore them. This is not rocket science.
So, of course they are going to target backups. Are they going to pollute the files that
you are going to actually put in your backups so if an organization tries to recover, they
can create a situation that is bad, if not worse, than it was previously? What would you
do? You have to figure that this is exactly what the bad guys are doing in organizations
-- and they are getting better at it.
Finley: Andrew, they are getting better at it. We have been watching this pretty closely
for the last year now. If you go out to any of the pundits or subscribe to folks like
Bleeping Computer, Security Today, CIO.com, or CISO, you see the same thing. They
talk about it getting worse. It’s getting worse on a regular basis.
They are targeting backups. We are finding it actually written in the code. The first part of
what they are going to do when they drop this on the network is they are going to go
seek out security tools to disable them. Then they are going to seek out shadow copies
to link to them and seek out backup catalogs and link to them.
And this is the one that a lot of people miss. I just read this recently, by the FDIC, and
they are publishing this to their member banks. They said DR has been done well for a
number of decades. You copy information from one bank to another or from one banking
location to another and you are able to recover from disasters and spin up applications
and data in a secondary location. That’s all great.
But realize that if you have malware attacking you in your primary location, it very
often will make its way to your DR location, too. The FDIC said this pointblank, they
said, “And you will get infected in both locations.”
A lot of people don’t think about that. I had a conversation last year with a CISO who
said that if an attack gets to your production environment they can manage to move
laterally and get to your DR site. And then the data is gone. And this particular CISO
said, “You know, we call that an ‘Oh, crap’ moment because there is nothing we can do.”
That’s what we now need to protect against. We have to have a third copy. I can’t stress
it nearly enough.
Gardner: We have talked about this third copy concept quite a bit. Let’s hear more
about the Dell-Unisys partnership. What’s the technology and strategy for getting in front
of this so that cyber recovery becomes your main insurance policy, not your afterthought
insurance policy?
Essential third copy keeps data dynamic
Finley: We want everyone to understand the reality. The bad guys can get in, they can
destroy DR data, we have seen it too many times. It is real. These backups can be
encrypted, deleted, or exfiltrated. And that is the fact, so why not have that insurance
policy of a third copy?
There’s only one way to truly protect this information. If the bad guys can see it, get to the
machines that hold it, and get to the data – whether the data is locked on disk or not –
they can destroy it. It’s a real simple proposition.
We identified many years ago that the only way to really, truly protect against that is to
make a copy of the data and get it offline. That is evidenced today by the guidance being
given to us by the US federal government, Homeland Security agency, and FBI. Everybody is
giving us the same guidance. They are saying take the backups, the copies of your data,
and store them somewhere away from the data that you are protecting – and ideally on the
other side of an air gap and offline.
When we create this third copy from our Dell solution for cyber recovery we take the
data that we backup every day and move that key data to another site, across an air
gap. The idea is the connection between the two locations is dark until we run a job to
actually move the data from production to a cyber recovery vault.
With that in mind, there is no way in until we bring up that connection. Now, that
connection is secured through Unisys Stealth and through key exchanges and certificate
exchanges to where the bad guys can’t get across that connection. They can’t get in. In
other words, if you have a vault that’s going to hold all your important data, the bad guys
can’t get in. They can’t get through the door. Even though we open a connection, they
can’t use that connection to ride into our vault.
And with that in mind we can take that third copy and store it in this cyber vault and keep
it safe. Now, getting the data there and having the systems outside the vault
communicate to the machines inside the vault – to make sure that all of that is secure –
is something we partnered with Unisys on. I will let Andrew tell you about how that
works.
Secure sound data swiftly in cyber vault
Peters: Okay. First off, Dave, you are not talking about putting all of the data into the
vault, right? Specifically people are looking at only the data that’s critical to an operation,
right?
Finley: Yes. And a quick example of that, Andrew, is an unnamed company in the paint
industry. They create paint around the world and one of their key assets is their color-
matching databases. That’s the data they put into the cyber vault, because they have
determined that if that proprietary data is gone, they can lose $1 million per day.
Another example is an investment firm we work with. This investment firm puts their
trade databases inside of the cyber vault because they have discerned that if their trade
databases are infected, affected, or deleted or encrypted – and they go down – then
they lose multiple millions of dollars per hour.
So, to your point, Andrew, it’s usually about the critical business systems and essential
information, things like that. But we also have to be concerned with the critical IT
materials on your networks, right?
Peters: That’s right, other key assets like your Active Directory and your domain
servers. If you are a bad guy, what are you going to attack? If they want to cripple you so
much that even if you had that essential data, you couldn’t use it. They are going to try
and stop you in your tracks.
From a security perspective, there are a few things that are important – and one is data
efficacy. First is knowing what I am going to protect. Next, how best am I going to
securely move that critical data to a cyber vault? There is going to be automation so I am
not depending on somebody to do this. This should happen automatically.
So, to be clear, I am going to move it into the secure vault, and I want that vault to be
air gapped. I want it to be abstracted from the network and the environment so bad guys
can’t find it. Even if they could find it, they can’t see anything, and they can’t talk
to it.
The second thing I want is to make sure that the data I’m moving has high efficacy. I
want to know that it’s not been polluted because bad guys are going to want to pollute
that data. Typically, the things you put into the backup – you don’t know, is it good, is it
bad, has it been corrupted? So if it’s going to be moved into the vault, we want to know if
it’s good or if it’s bad. That way, if we are going to be going into a recovery, I can select
the files that I know are good and I can separate them from the bad.
This is really important. That’s one of the critical things when you’re going into any form
of cyber recovery. Typically you aren’t going to know what’s good data unless you have
a system designed to discern good from bad.
You don’t want to be rebuilding your domain server and have the thing find out that it’s
been polluted, that it’s locked, and that it has ransomware embedded in it. Bad guys are
clever. You have to ask, “What would I do if I were a clever bad guy?” Sometimes it’s
hard to think like that unless you put your bad guy hat on.
There’s another important element here, too. The element of time. How quickly am I
going to get to this protected data? I have all of this data, these files and these
applications, and they’re in my protected vault. Now, how am I going to move them back
into my production environment?
But my production environment actually might still be polluted. I might still have IT and
security personnel trying to clean up that environment. At the same time, I have to get
my services back up and running, but I have a compromised network. And what’s the
problem? The problem is time.
Ultimately, all of this comes down to business continuity and time. How quickly can I
continue my critical operations? How quickly am I going to be able to get them up and
running – despite the fact that I still have a lot of issues with ransomware and with
hackers inside my IT operations?
From a security and rapid recovery perspective, there are some unique things that we
can do with a cyber recovery approach. A cyber recovery solution automates the
movement of your critical data into a secure vault, then analyzes it for data efficacy to
determine if the data has been compromised. It also provides you with a runbook so you
know how you’re going to get that data back out and get those systems operating so you
can get users back online.
So even with a zero-day attack, by being able to use things like cryptography, cloaking,
and basically hiding things from the rest of the network, I can get cryptographic micro-
segmentation to restore the operations of critical services and get users back up on
those services. Even if my network is compromised, I can start doing that very, very
quickly.
When you put the whole cyber recovery solution that we have together – with
automation, the security built in, to get to the critical data on a daily basis, move it into a
vault, analyze it, and then obtain a runbook capability – you can quickly move it all back
out and get those critical services back up and running.
Manage, monitor, and restore data with Stealth
Finley: One of the things that I hope everyone understands is that we can create a
secure vault, put information in it, and do that all securely. But as Andrew was saying,
most folks also want the ability to monitor, manage, and update that secure vault from
their security operations center (SOC) or from their network operating system (NOS).
When we first began our relationship with Unisys, around the Stealth software, I was
very excited. For a couple years before that, we were working with folks to show them
how to use firewalls to protect information going in and out of our cyber vault, or how to
configure virtual private networks (VPNs) to make that happen.
But when we got together and I looked at the Unisys Stealth software a few years ago,
from a zero trust networks perspective – instead of just agents on the machines – it
becomes invisible.
When I first saw that those tunnels Unisys creates to our Dell vault are as secure as they
are, I quickly realized that not only did it allow us to have a new way to manage
everything from outside – we can also monitor everything from outside. It allows us to
take what we know is clean data inside the vault and be able to restore it quickly through
one of those secure Stealth tunnels back out to the outside.
That is hugely important. We all know there are various ways to secure communications
like this. Probably the least secure nowadays are VPNs, or remote access, if you will. The
next secure, quite frankly, is viral access, or import access, and then the most secure
is, I believe, zero trust software like we get with Unisys Stealth.
Peters: It’s not that I want to beat down on firewalls, because firewalls and ancillary
technologies are very effective in protecting organizations – but they’re not 100 percent
effective. If they were, we wouldn’t be talking about ransomware at all. The reason that
we are is because breaches occur. The bad guys go after the low-hanging fruit, and
they’re going to hit those organizations first. Then they’re going to get better at their craft
and they’re going to go after more-and-more organizations.
Even when organizations have excellent security, you can’t always prevent against the
things that people do. Or now, with SolarWinds, you can’t even trust the software that
you’re supposed to trust. There are more avenues into an organization. There are more
means to compromise. And the bad guys can monetize what they are doing through
Bitcoin in these demands for ransoms.
So, at the end of the day, the threats to organizations are changing. They’re evolving,
and even with the best defenses an organization has, you’re probably going to have to
plan on being compromised. When the compromise happens, you have to ask, “What do
we do now?”
Gardner: Are there any examples that you can point to and show how well recovery can
work? Do we have use cases or actual customer stories that we can relate to show how
zero trust cyber recovery works when it’s done properly?
Get educated on the recovery process
Finley: Sure, one happened not too long ago. It was a school system in California. And
that particular school system worked with us to procure the cyber recovery solution,
created a cyber vault, the third copy, and secured all of that. We installed it and got it all
up and running and moved data into the vault on a Thursday of a particular week. And
then they had a cyber event happen to the school system. This is one of the biggest
school systems in that part of California. They had a cyber event over the weekend in
that school system, and they had just gotten the vault up and running and had copied all
of the critical data into it.
The data in the vault was secure. They were able to recover it as soon as they
forensically could, according to the FBI, because the data was secure. It saved a bunch
of time and a lot of effort and money.
Now, I contrast that to a couple of other major attacks on other companies that happened
in the last 120 days. One where they had no cyber vault, the customer data was
attacked in production and a lot of DR was attacked. That particular set of events was
done through a whole series of social engineering, but they were taken down encrypted
and a lot of the data was destroyed.
It took them days, if not weeks, to begin the recovery process because of a lot of things
that we all need to be aware of that happen. If you don’t have data that you know is
secured somewhere else and that is clean, you’re going to have to verify that it’s clean
before you can recover it. You’re going to have to do test recoveries to systems and
make sure you’re not restoring malware. That’s going to take a long period of time.
You’re not even going to be able to do that until law enforcement tells you that you can.
Also, when you’re in the middle of an incident response, regardless of who you are, the last
thing you’re going to do is connect to the Internet. So if your data is stuck somewhere in a public cloud or
clouds, you’re not going to be able to get it while you’re in the middle of an incident
response.
The FBI characterizes your systems as a crime scene, right? They put up yellow tape
around the crime scene, which is your network. They are not going to allow anybody in
or out until they’re satisfied they’ve gathered all the data to be able to figure out what
happened. A lot of folks don’t know that, but it is simply true.
So having your critical data accessible offline, on the other side of the crime area, having
it scrubbed every day to make sure it is absolutely clean, is very important.
In a case of a second company, it took days if not weeks before they could recover
information.
There is a third example. The IT people there told me the cyber vault saved their
company, and “saved our butts,” they said. In this particular case, the data was
encrypted in all of their systems. They were using backup software to write to a virtual
client and they were copying that data from virtual clients into our cyber vault.
They also had our physical clients, called Data Domain from Dell, in production and
writing into the cyber vault. They did not have our analytics software to scrub and make
sure it was clean because it was an older implementation. But at the end of the day,
everything in production was gone. But they went to the vault data and realized that the
data there was all still good.
The bad guys couldn’t get there. They couldn’t see the cyber vault, didn’t know how to
get there, and so there was no way they could get to that information. In this case, they
were able to spin up and restore it rather quickly.
In another incident example, in the cyber vault, they had our CyberSense software, which
does cyber analytics on the data being stored. We can verify the data is clean at a 99.7
percent effective level to tell the customer the data is restorable and clean. In this case
the FBI got involved.
The FBI actually used the information from our CyberSense software to help them to
ascertain the who, what, when, and where of what happened. Once they knew who,
what, when, and where, they knew the stored data was clean and we were able to do a
more rapid rescue.
Plan ahead with precise procedures, processes
Peters: What’s important too is knowing what to do. For example, what applications are
you going to recover first? What do you need to do to get your operations running?
Where are you going to find the needed files? Who’s going to actually do the work?
What systems are you going to recover them onto?
Have a plan of action versus, “Okay, we’re going to figure this out right now.” Have a
pre-prescribed runbook that’s going to take you through the processes, procedures, and
decisions that need to be made. Where is the data going to be recovered from? What’s
going to be determined? How is it recovered? Who’s going to get access to it?
All of these things. There’s a whole plan that goes into this. This is different than DR. This
is different than backup, it’s way different, it’s its own animal. And this is another place
where Dell expertise comes in, being able to do the consulting work with an organization to
define the plan or the runbook so that they can recover.
Finley: I wanted to also point out a consideration about ransomware payments. It’s not
always a clean option to actually make the payment because of the U.S. Treasury Office
of Foreign Assets Control. If an organization pays the ransom, and the recipients of that
payoff are considered a threat to the United States, it may be breaking another law by
paying them the ransom.
So that needs to be taken into consideration if an organization is breached for ransom. If
they pay the ransom off, they may be breaking a federal law.
Gardner: Do the Dell cyber recovery vault and Unisys Stealth technologies enable a
crawl, walk, and run approach to cyber recovery? Can you identify those corporate
jewels and intellectual property assets, and then broaden it from there? Is there a way to
create a beachhead and then expand?
Build the beachhead first
Finley: Yes, we like to protect what we call critical rebuild materials first. Build the
beachhead around those critical materials first, then get those materials, Active Directory
and DNS zone tables, into the vault.
Next put the settings for networks, security logs, and event logs into the vault -- the stuff
in your production environment that you could get out of the vault and make everything
work again.
If you have studied the Maersk attack in 2017, they didn’t have any of that, and that was
a very bad day. They finally found those copies in Africa, but if they hadn’t found them it
would’ve been a very bad month or year. So with that kind of a thing in mind, it has
happened to many folks besides just them where this had to be most publicized.
So with that in mind, get those materials into the vault as a beachhead, if you will. Let’s
build together the notion of this third location, let’s secure it with Unisys Stealth, and let’s
secure it with an air gap that’s engulfed in Stealth, and with all of the connections in and
out of the vaults protected by Stealth using zero trust. Let’s take those critical materials
and build that beachhead there. Ideally, I’ve seen great success when I was doing that,
and then gathering maybe a total of three to five of the most critical business applications
that a firm may have and concentrating on them first.
Here’s what we don’t want to do. I see no success in sitting down and saying, “Okay,
we’re going to go through 150 different applications, with all of their dependencies, and
we’re going to decide which of those pieces go into the cyber vault.”
It can be done, it has been done, and we have consulting that can help do that between
Dell and Unisys, but let’s not start that way. Let’s instead start like we did recently with a
big, big company in the U.S. We started with critical materials, we chose five major
applications first, and for the first six months that’s what we did.
We protected that environment and those five major applications. And as time goes on, we
will move other key applications into that cyber vault. But we decided not to boil the ocean,
not look at 2,000 different applications and put all that data into the vault.
I recently talked to a firm that does pharmaceuticals. Intellectual property is huge for
them. Putting their intellectual property into the cyber vault is really key. It doesn’t mean
all of their systems. It means they want intellectual property in the vault, those critical
materials. So build the beachhead and then you can move any number of things into it
over time.
Peters: We have a demonstration to show what this whole thing looks like. We can
show what it looks like to make things disappear on your network through cloaking,
moving data from a production environment into a vault, and in-retention locking that,
analyzing the data, and finding out if something is bad on it, and being able to select the
last known good copy of data and start to rebuild systems in your production
environment.
If somehow you had an environment you’re recovering and malware manages to slip
inside of that, we can detect that and we can shut it down in about 10 to 15 seconds. For
organizations interested in seeing this working in real-time, we have a real live demo.
Finley: That’s a powerful, powerful demo for all of the folks who are listening. You can
see this thing work from beginning to end to see how the buttons are put in and how the
data essentially moves out of scrubbing of the data to make sure it’s clean. It was
fascinating for me the first time I saw this. It was great.
Gardner: I’m afraid we will have to leave it there. You’ve been listening to a sponsored
BriefingsDirect discussion on new ways of protecting data backups first and foremost so
that cyber recovery becomes an indispensable tool in any IT and business security
arsenal.
And we’ve learned how a joint solution between Unisys and Dell elevates what was once
data redundancy and backup into a much more resilient and powerful cyber recovery
regime.
So please join me in thanking our guests, Andrew Peters, Director of Global Business
Development for Security at Unisys. Thank you so much, Andrew.
Peters: Thank you.
Gardner: We’ve also been here with David Finley, Director of Information Assurance
and Security in the Data Protection Division at Dell Technologies. Thank you, David.
Finley: Thank you, Dana. Thank you, Andrew.
Peters: Hey, thank you, too, Dave. Cheers.
Gardner: And a big thank you as well to our audience for joining this BriefingsDirect
cybersecurity innovation discussion.
I’m Dana Gardner, Principal Analyst of Interarbor Solutions, your host throughout this
series of Unisys- and Dell-sponsored BriefingsDirect discussions.
Thanks again for listening. Please pass this along to your IT community, and do come
back next time.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys and
Dell Technologies.
Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.
You may also be interested in:
• The future of work is happening now thanks to Digital Workplace Services
• How Unisys ClearPath mainframe apps now seamlessly transition to Azure Cloud without
code changes
• How security designed with cloud migrations in mind improves an enterprise’s risk
posture top to bottom
• How Unisys and Microsoft team up to ease complex cloud adoption for governments and
enterprises
• How Unisys and Dell EMC head off backup storage cyber security vulnerabilities
• How Agile Enterprise Architecture Builds Agile Business Advantage
• How an agile focus for Enterprise Architects builds competitive advantage for digital
transformation
• The Open Group digital practitioner effort eases the people path to digital business
transformation

More Related Content

Recently uploaded

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Recently uploaded (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

Featured

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellSaba Software
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming LanguageSimplilearn
 

Featured (20)

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 

Disaster Recovery to Cyber Recovery--What is the New Best Future State?

  • 1. Page 1 of 18 Disaster Recovery to Cyber Recovery--What is the New Best Future State? A transcript of a discussion on new ways of protecting data backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal. Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Unisys and Dell Technologies. Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you’re listening to BriefingsDirect. The clear and present danger facing businesses and governments from cybersecurity threats has only grown more clear and ever-present as we enter 2021. As the threats from runaway ransomware attacks and state-sponsored backdoor access to networks deepen, too many businesses have a false sense of quick recovery using traditional business continuity and backup measures. That’s because the criminals are increasingly compromising vulnerable backup systems and data first -- before they attack. As a result, visions of flipping a switch to get back to a ready state may be a dangerous illusion that keeps leaders under a false sense of business as usual. Stay with us now as we explore new ways of protecting the backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal. We will now learn how Unisys and Dell Technologies are elevating what was data redundancy to protect against natural disasters into something much more resilient and powerful. To learn more about the latest in rapid cyber recovery strategies and technologies, please join me in welcoming our guests, Andrew Peters, Director of Global Business Development for Security at Unisys. Welcome, Andrew. Andrew Peters: Hi. Thank you, Dana. Gardner: We are also here with David Finley, Director of Information Assurance and Security in the Data Protection Division at Dell Technologies. Welcome, David. Peters
David Finley: Thank you, Dana. I’m glad to be here.

Gardner: David, what’s happened during the last few years -- and now especially with the FireEye and SolarWinds attacks -- that makes cyber recovery as opposed to disaster recovery (DR) so critical?

The best defense is a good offense

Finley: I have been asked that question a few times just in the last few weeks, as you might imagine. And there are a couple of things to note with these attacks, SolarWinds and FireEye. One, especially with FireEye, it was demonstrated to the entire world something that we didn’t really have our eyes on, so to speak, and that is the fact that folks that have really good security -- where they sit back and the chief information security officer (CISO) and the security team say, “We have really good security, we spent a lot of money, we have done a lot of things, we feel pretty good about what we have done.” That’s all great, but what was demonstrated with FireEye is that even the best can be compromised. If you have a nation state-led attack or you are targeted by a cybercrime family, then all bets could be off. They can get in, and they have demonstrated that with these latest attacks.

The other thing is, they were able to steal tools. Nothing worse can happen than the bad guys having new toolsets that they can actually use. We believe that with the increased threat from the bad actors because of these things, we really, really need the notion of a cyber vault or the third copy, if you will. Think about the 3:1 rule -- three copies, two different locations, one off-site or offline. This is really where we need to be.

Gardner: Andrew, it sounds like we have to assume that we are going to be or are already attacked. Just having a good defense isn’t enough. What’s the next level that we need to attain?

Peters: A lot of times organizations think their security and their defenses are strong enough to mitigate virtually anything that happens to the organization. But what’s been proven now is that the bad guys are clever and are finding ways in. With SolarWinds, they found a backdoor into organizations and are coming in as a trusted entity.
Just because you have signed Security Assertion Markup Language (SAML) tokens and signed certificates that you trust, you are still letting them in. It’s just been proven that you can’t exactly trust them. And when they come inside an organization and they win, what do you do next? What do you do when you lose? The concept here is to plan to win, but at the same time prepare to lose.

Gardner: David, we have also seen an uptick in the success of ransomware payouts. How is that also changing the landscape for how we protect ourselves?

Finley: I was recently thinking about that and I saw something written, it might have been a Wall Street Journal article, on security recently. They said CISOs in organizations have a decision to make after these kinds of attacks. The decision really becomes pretty simple. Do they pay the ransom or do they not pay the ransom? We would all like to say, “Don’t pay the ransom.” The FBI says don’t pay the ransom, because of the obvious reasons. If you pay it, they may come back, they are going to want more, and it sets a bad precedent, all those things. But the reality is when this actually happens to a company, they have to sit down and make the hard decision: Do I pay or do I not pay? It’s based upon getting the business running again.

We want to position ourselves together with Unisys to create a cyber vault that is secured in a way that our customers will never have to pay the ransom. If we have a protected set of data that is the most important data to the firm -- the stuff that they have to have tomorrow morning to actually run the business -- and it’s in a protected vault secured by zero trust, through Unisys Stealth software, to be able to secure it and get it back out and put it back into play, that’s the best answer. So that means not paying the ransom and still having the data available to bring the business back into play the next day. A lot of these attacks, as we know, are not only stealing data, like they did recently with FireEye, but also encrypting, deleting, and destroying the data.

Gardner: Another threat vector these days is that more people are working remotely, so there are more networks involved and more vulnerable endpoints. People are having to be their own IT directors in their own homes, in many cases. How does the COVID-19 work-from-home (WFH) trend impact this, Andrew?

Work from home opens more doors

Peters: There are far more points of entry. Whereas you might have had anywhere from 10 percent to 15 percent of your workforce remotely accessing the network, and that access was fairly controllable, now you have up to 100 percent of your knowledge workers working remotely and accessing the network. There are more points of entry. From a security perspective, more rules need to be addressed to control access into the network and into operations.

Then one of the challenges an organization has is that once they are on the inside of these big, flat networks the bad guys can map that network. They learn the systems that are there and they learn the operations extremely well and manipulate them, taking advantage of zero-day vulnerabilities in the systems, and so operate within that environment without even being discovered. Once again, going back to SolarWinds, they were operating for about eight months before they were eventually discovered.

Gardner: And so are we at a point going on 30 years of using wide area networks (WANs), and we are still under a false sense of security. David, do we not understand the threats around us?

Finley: There is the notion within our organizations and within the public sector that we believe what we have done is good enough. And good enough can be our enemy. I can’t tell you the number of times I have spoken with folks during incident response or after incident response from a cyberattack where they said, “We thought we were secured. We didn’t know that this could happen to us, but it did happen to us.”

That false sense of security is very real, evidenced by these high-level attacks on firms that we never thought it would happen to. It’s not just FireEye and it’s not just SolarWinds. We have had attacks on COVID-19 clinical trial providers, we have had attacks on our own government entities. Some of these attacks have been successful. And a lot of these attacks don’t even get publicized. Here is the most dangerous thing in this false sense of security we are talking about.
I ask customers what percentage of the attacks do you actually believe you have visibility into within your own region? And the answer, the honest answer, is usually probably less than 20 percent. But because I do this every day for a living, as does Andrew, we probably have visibility to maybe 50 percent, because a lot of times these attacks happen and they get swept under the rug. They quietly get cleaned up, right? So we don’t know what’s happening. That also leads us to a false sense of security. So again, I believe that we do everything we can upfront to secure our systems, but in the event that something does get through, we need to make sure that we have a secure offline copy of these backups and of our data.

Be prepared, or be prepared to pay ransom

Peters: An interesting dynamic I have noticed since the pandemic is that organizations, while they recognize it’s important to have that cyber recovery third copy to bring themselves back from the brink of extinction, say they can’t afford to do it right now. The pandemic has squeezed them so much. Well, we know that they are invested in backup. We know they are invested in DR, but they say, “Okay, we may table this one because it’s something that is a bit too expensive right now.”

However, on the other side, there are organizations that are picking up on this at this time, saying, “You know what? We see this is way more critical because we know the attacks are picking up.” But the challenge here is the organizations that are feeling squeezed, that they can’t afford to invest in a solution like this, the question is, can they afford not to invest in this given all the exposure of the threats to their organizations.

And we keep going back to SolarWinds, which is a big wake-up call. But if we go back to other attacks that happened to organizations in the recent past -- such as the WastedLocker backdoor and the procedures the bad guys are using to get into organizations to learn how they operate, to find additional backdoors and operate within that environment, and to even learn to avoid the security technologies that were put in there specifically to detect such breaches -- they can operate with impunity within that environment. Then they eventually learn that environment well enough to shut them down enough so that the company has two choices. That company can either pay the ransom or go out of business.

And if you are a bad guy, what would be your goal? Do you want to expose the company’s information and embarrass them? No, you want to make money. And if they are in the process of making money, how do they do it? You have to squeeze an organization as much as possible. And that’s what ransomware and these backdoors are designed to do -- squeeze an organization enough to where they are forced to pay the ransom.

Gardner: So we need a better, fuller digital insurance policy. Yet many organizations have insurance in the form of DR designed for business continuity, but that might not be enough. So what are we talking about when we make this shift from business continuity to cyber recovery, David? What are the fundamental challenges organizations need to overcome to make that transition?
Cyber meltdown more likely than natural disaster

Finley: The number-one challenge I have seen over the past four or five years is that we need to realize that DR -- and all the tenets of DR -- will not cover us in the event of a cyber disaster. So those are two very different things, right? Oftentimes I challenge people with the notion of how they differ. And just to paint a picture, we have been doing DR basically the same way for many decades. The way it normally works is we have our key systems and their data connected to another site outside of a disaster radius, such as for earthquakes, floods, tornados, and hurricanes. We copy that data through a wide-open pipe to the other side on a regular basis. It’s an always-open circuit to the other side, and we have been doing it that way for 40 years.

What I often ask customers is based on that, how much do you spend every year to do DR? What does it really cost? Do you test? What are the real costs for DR for you? And there is usually a tangible answer. With that in mind, the next question is, “If you look at the probability of something happening in the future to you, what do you think is more probable -- a natural disaster event or a cyber disaster? What’s more probable?” And the answer is unanimously, it’s been 100 percent in recent years, it’s going to be a cyber disaster.

Of course, the next question is, “How do you deal with cyber recoveries and is it a function of DR within your organization?” And the answer usually is, “Well, we don’t deal with it very well.” So the IT infrastructure and security groups have in the last year been making cyber recovery part of DR planning -- and it’s taken a long time to get there. When you think about that, if the probability of cyber events is much higher than disaster events -- and we spend $1 million a year on DR -- how much do we spend for cyber recovery? The answer historically has been that they spend very little on true cyber recovery.

That’s what has to change. We have to change how we approach this. We have to bring the security and risk folks into those decisions on protecting data. We need to look at it through the lens of a cyber event destroying all of the data, just as a hurricane may destroy all of the data.

Peters: You know, Dave, in talking to a lot of organizations on what exactly they are going to do if they have a ransomware meltdown, we ask, “How are you going to recover?” They say, “We are going to go to our DR.” Hmm, okay. But what if you discover in your recovery process those files are polluted? That’s going to be a bad situation. Then they may go find some tapes and stuff. I ask, “Okay, do you have a runbook for this?” They say, “No.” Then how will they know exactly what to do?

And then the corollary to that is, how long is this recovery going to take? How long can you sustain your operations? How long can you sustain your company, and what kinds of losses are you prepared to sustain? Wow, and you are going to figure this all out when you are going through the process of trying to bring your organization back after a meltdown? That’s usually the tipping point where you are going to say, like other organizations have said, “You know what? We are just going to have to pay the ransom.”

Finley: Yes, and that also begs the question that we often see folks miss. And that is, “Do you believe that your CEO and/or your board of directors -- the folks who don’t do IT as an everyday job, the folks who are running the business -- do they understand the difference between DR and cyber recovery?” If I were to ask people on the board of any organization if they were secure in their DR plans, most of them would say, “Yes, that’s what we pay our teams to do.” If I were to ask them, “Well, do you believe that being able to recover from cyber disasters is included in that and done well?” The answer would also be, “Yes.” But oftentimes that is simply not the truth. They don’t understand the difference between DR and cyber recovery.

The data can all be gone from a cyber event just as easily as it can be gone from a hurricane or a flood. We have to approach it from that perspective and start thinking through these things. We have to take that to our boards and have them understand, “You know what? We’ve spent a lot of money for 40 years on DR, but we really need to start spending money on cyber recovery.” Yet we still get a lot of pushback from customers saying, “Well, yes, of course making a third copy and storing it somewhere secure in a way that we can always get it back -- that’s a great idea -- but that costs money.” Well, you have been spending millions of dollars on DR, so make cyber recovery part of that effort.

Gardner: To what degree are the bad guys already targeting this discrepancy? Do they recognize a capability to go in and compromise the backups, the DR, in such a way that there is no insurance policy? How clever have the bad guys become at understanding this vulnerability?
Ingenious bad guys target backups

Peters: What would you do if you were the bad guy and you wanted to extort money from an organization? If you know they have any way of quickly recovering, then it’s going to be pretty hard to extort from them. It’s going to be hard to squeeze them. These guys are not broke, they are often professional organizations. There’s a lot of focus on the GRU, the former KGB operation that’s in Russia, and Cozy Bear and a number of these different organizations are well-funded. They have very clever people there. They are able to obtain technologies, reverse engineer them, understand how the security technologies operate, and understand how to build tools to avoid them. They want to get inside of organizations and learn how the operation runs and learn specifically what’s key and critical to an organization.

The second thing, while they want to take out the primary systems, they also want to make sure you are not able to restore them. This is not rocket science. So, of course they are going to target backups. Are they going to pollute the files that you are going to actually put in your backups so if an organization tries to recover, they can create a situation that is as bad, if not worse, than it was previously? What would you do? You have to figure that this is exactly what the bad guys are doing in organizations -- and they are getting better at it.

Finley: Andrew, they are getting better at it. We have been watching this pretty closely for the last year now. If you go out to any of the pundits or subscribe to folks like Bleeping Computer, Security Today, CIO.com, or CISO, you see the same thing. They talk about it getting worse. It’s getting worse on a regular basis. They are targeting backups. We are finding it actually written in the code. The first part of what they are going to do when they drop this on the network is they are going to go seek out security tools to disable them. Then they are going to seek out shadow copies to link to them and seek out backup catalogs and link to them.

And this is the one that a lot of people miss. I just read this recently, by the FDIC, and they are publishing this to their member banks. They said DR has been done well for a number of decades. You copy information from one bank to another or from one banking location to another and you are able to recover from disasters and spin up applications and data in a secondary location. That’s all great. But realize that if you have malware attacking you in your primary location, it very often will make its way to your DR location, too. The FDIC said this point-blank, they said, “And you will get infected in both locations.”

A lot of people don’t think about that. I had a conversation last year with a CISO who said that if an attack gets to your production environment they can manage to move laterally and get to your DR site. And then the data is gone. And this particular CISO said, “You know, we call that an ‘Oh, crap’ moment because there is nothing we can do.” That’s what we now need to protect against. We have to have a third copy. I can’t stress it nearly enough.

Gardner: We have talked about this third copy concept quite a bit. Let’s hear more about the Dell-Unisys partnership. What’s the technology and strategy for getting in front of this so that cyber recovery becomes your main insurance policy, not your afterthought insurance policy?

Essential third copy keeps data dynamic

Finley: We want everyone to understand the reality. The bad guys can get in, they can destroy DR data, we have seen it too many times. It is real. These backups can be encrypted, deleted, or exfiltrated. And that is the fact, so why not have that insurance policy of a third copy? There’s only one way to truly protect this information. If the bad guys can see it, get to the machines that hold it, and get to the data -- whether the data is locked on disk or not -- they can destroy it. It’s a real simple proposition.

We identified many years ago that the only way to really, truly protect against that is to make a copy of the data and get it offline. That is evidenced today by the guidance being given to us by the US federal government, Homeland Security agency, and FBI. Everybody is giving us the same guidance. They are saying take the backups, the copies of your data, and store them somewhere away from the data that you are protecting -- and ideally on the other side of an air gap and offline.

When we create this third copy from our Dell solution for cyber recovery we take the data that we back up every day and move that key data to another site, across an air gap. The idea is the connection between the two locations is dark until we run a job to actually move the data from production to a cyber recovery vault. With that in mind, there is no way in until we bring up that connection. Now, that connection is secured through Unisys Stealth and through key exchanges and certificate exchanges to where the bad guys can’t get across that connection. They can’t get in. In other words, if you have a vault that’s going to hold all your important data, the bad guys can’t get in. They can’t get through the door. Even though we open a connection, they can’t use that connection to ride into our vault.
And with that in mind we can take that third copy and store it in this cyber vault and keep it safe. Now, getting the data there and having the systems outside the vault communicate to the machines inside the vault -- to make sure that all of that is secure -- is something we partnered with Unisys on. I will let Andrew tell you about how that works.

Secure sound data swiftly in cyber vault

Peters: Okay. First off, Dave, you are not talking about putting all of the data into the vault, right? Specifically people are looking at only the data that’s critical to an operation, right?

Finley: Yes. And a quick example of that, Andrew, is an unnamed company in the paint industry. They create paint around the world and one of their key assets is their color-matching databases. That’s the data they put into the cyber vault, because they have determined that if that proprietary data is gone, they can lose $1 million per day. Another example is an investment firm we work with. This investment firm puts their trade databases inside of the cyber vault because they have discerned that if their trade databases are infected, affected, or deleted or encrypted -- and they go down -- then they lose multiple millions of dollars per hour. So, to your point, Andrew, it’s usually about the critical business systems and essential information, things like that. But we also have to be concerned with the critical IT materials on your networks, right?

Peters: That’s right, other key assets like your Active Directory and your domain servers. If you are a bad guy, what are you going to attack? If they want to cripple you so much that even if you had that essential data, you couldn’t use it. They are going to try and stop you in your tracks.

From a security perspective, there are a few things that are important -- and one is data efficacy. First is knowing what I am going to protect. Next, how best am I going to securely move that critical data to a cyber vault? There is going to be automation so I am not depending on somebody to do this. This should happen automatically. So, to be clear, I am going to move it into the secure vault, and I want that vault to be air gapped. I want it to be abstracted from the network and the environment so bad guys can’t find it. Even if they could find it, they can’t see anything, and they can’t talk to it.

The second thing I want is to make sure that the data I’m moving has high efficacy. I want to know that it’s not been polluted because bad guys are going to want to pollute that data. Typically, the things you put into the backup -- you don’t know, is it good, is it bad, has it been corrupted? So if it’s going to be moved into the vault, we want to know if it’s good or if it’s bad. That way, if we are going to be going into a recovery, I can select the files that I know are good and I can separate them from the bad. This is really important. That’s one of the critical things when you’re going into any form of cyber recovery. Typically you aren’t going to know what’s good data unless you have a system designed to discern good from bad. You don’t want to be rebuilding your domain server and have the thing find out that it’s been polluted, that it’s locked, and that it has ransomware embedded in it. Bad guys are clever. You have to ask, “What would I do if I were a clever bad guy?” Sometimes it’s hard to think like that unless you put your bad guy hat on.

There’s another important element here, too. The element of time. How quickly am I going to get to this protected data? I have all of this data, these files and these applications, and they’re in my protected vault. Now, how am I going to move them back into my production environment? But my production environment actually might still be polluted. I might still have IT and security personnel trying to clean up that environment. At the same time, I have to get my services back up and running, but I have a compromised network. And what’s the problem? The problem is time. Ultimately, all of this comes down to business continuity and time. How quickly can I continue my critical operations? How quickly am I going to be able to get them up and running -- despite the fact that I still have a lot of issues with ransomware and with hackers inside my IT operations?

From a security and rapid recovery perspective, there are some unique things that we can do with a cyber recovery approach. A cyber recovery solution automates the movement of your critical data into a secure vault, then analyzes it for data efficacy to determine if the data has been compromised. It also provides you with a runbook so you know how you’re going to get that data back out and get those systems operating so you can get users back online. So even with a zero-day attack, by being able to use things like cryptography, cloaking, and basically hiding things from the rest of the network, I can get cryptographic micro-segmentation to restore the operations of critical services and get users back up on those services. Even if my network is compromised, I can start doing that very, very quickly.
When you put the whole cyber recovery solution that we have together -- with automation, the security built in, to get to the critical data on a daily basis, move it into a vault, analyze it, and then obtain a runbook capability -- you can quickly move it all back out and get those critical services back up and running.

Manage, monitor, and restore data with Stealth

Finley: One of the things that I hope everyone understands is that we can create a secure vault, put information in it, and do that all securely. But as Andrew was saying, most folks also want the ability to monitor, manage, and update that secure vault from their security operations center (SOC) or from their network operating system (NOS).

When we first began our relationship with Unisys, around the Stealth software, I was very excited. For a couple years before that, we were working with folks to show them how to use firewalls to protect information going in and out of our cyber vault, or how to configure virtual private networks (VPNs) to make that happen. But when we got together and I looked at the Unisys Stealth software a few years ago, from a zero trust networks perspective -- instead of just agents on the machines -- it becomes invisible. When I first saw that those tunnels Unisys creates to our Dell vault are as secure as they are, I quickly realized that not only did it allow us to have a new way to manage everything from outside -- we can also monitor everything from outside. It allows us to take what we know is clean data inside the vault and be able to restore it quickly through one of those secure Stealth tunnels back out to the outside. That is hugely important.

We all know there are various ways to secure communications like this. Probably the least secure nowadays are VPNs, or remote access, if you will. The next secure, quite frankly, is viral access, or import access, and then the most secure is, I believe, zero trust software like we get with Unisys Stealth.

Peters: It’s not that I want to beat down on firewalls, because firewalls and ancillary technologies are very effective in protecting organizations -- but they’re not 100 percent effective. If they were, we wouldn’t be talking about ransomware at all. The reason that we are is because breaches occur. The bad guys go after the low-hanging fruit, and they’re going to hit those organizations first. Then they’re going to get better at their craft and they’re going to go after more and more organizations. Even when organizations have excellent security, you can’t always prevent against the things that people do. Or now, with SolarWinds, you can’t even trust the software that you’re supposed to trust. There are more avenues into an organization. There are more means to compromise. And the bad guys can monetize what they are doing through Bitcoin in these demands for ransoms.

So, at the end of the day, the threats to organizations are changing. They’re evolving, and even with the best defenses an organization has, you’re probably going to have to plan on being compromised. When the compromise happens, you have to ask, “What do we do now?”

Gardner: Are there any examples that you can point to and show how well recovery can work? Do we have use cases or actual customer stories that we can relate to show how zero trust cyber recovery works when it’s done properly?

Get educated on the recovery process

Finley: Sure, one happened not too long ago. It was a school system in California. And that particular school system worked with us to procure the cyber recovery solution, created a cyber vault, the third copy, and secured all of that. We installed it and got it all up and running and moved data into the vault on a Thursday of a particular week. And then they had a cyber event happen to the school system. This is one of the biggest school systems in that part of California. They had a cyber event over the weekend in that school system, and they had just gotten the vault up and running and had copied all of the critical data into it. The data in the vault was secure. They were able to recover it as soon as they forensically could, according to the FBI, because the data was secure. It saved a bunch of time and a lot of effort and money.

Now, I contrast that to a couple other major attacks on other companies that happened in the last 120 days. One where they had no cyber vault, the customer data was attacked in production and a lot of DR was attacked. That particular set of events was done through a whole series of social engineering, but they were taken down encrypted and a lot of the data was destroyed.
It took them days, if not weeks, to begin the recovery process because of a lot of things that we all need to be aware of that happen. If you don’t have data that you know is secured somewhere else and that is clean, you’re going to have to verify that it’s clean before you can recover it. You’re going to have to do test recoveries to systems and make sure you’re not restoring malware. That’s going to take a long period of time. You’re not even going to be able to do that until law enforcement tells you that you can. Also, when you’re in the middle of an incident response, regardless of who you are, the last thing you’re going to do is connect to the Internet. So if your data is stuck somewhere in a public cloud or If your data is stuck somewhere in a public cloud or clouds, you’re not going to be able to get it while you’re in the middle of an incident response.
  • 14. Page 14 of 18 clouds, you’re not going to be able to get it while you’re in the middle of an incident response. The FBI characterizes your systems as a crime scene, right? They put up yellow tape around the crime scene, which is your network. They are not going to allow anybody in or out until they’re satisfied they’ve gathered all the date to be able figure out what happened. A lot of folks don’t know that, but it is simply true. So having your critical data accessible offline, on the other side of the crime area, having it scrubbed every day do make sure it is absolutely clean, is very important. In a case of a second company, it took days if not weeks before they could recover information. There is a third example. The IT people there told me the cyber vault saved their company, and “saved our butts,” they said. In this particular case, the data was encrypted in all of their systems. They were using backup software to write to a virtual client and they were copying that day from virtual clients into our cyber vault. They also had our physical clients, called Data Domain from Dell, in production and writing into the cyber vault. They did not have our analytics software to scrub and make sure it was clean because it was an older implementation. But at the end of the day, everything in production was gone. But they went to the vault data and realized that the data there was all still good. The bad guys couldn’t get there. They couldn’t see the cyber vault, didn’t know how to get there, and so there was no way they could get to that information. In this case, they were able to spin up and restore it rather quickly. In another incident example, in the cyber vault, they had our CyberSense software, which does cyber analytics on the data being stored. We can verify the data is clean at a 99.7 percent effective level to tell the customer the data is restorable and clean. In this case the FBI got involved. 
The FBI actually used the information from our CyberSense software to help them ascertain the who, what, when, and where of what happened. Once they knew who, what, when, and where, they knew the stored data was clean and we were able to do a more rapid rescue.

Plan ahead with precise procedures, processes

Peters: What's important too is knowing what to do. For example, what applications are you going to recover first? What do you need to do to get your operations running?
Where are you going to find the needed files? Who's going to actually do the work? What systems are you going to recover them onto? Have a plan of action versus, "Okay, we're going to figure this out right now." Have a pre-prescribed runbook that's going to take you through the processes, procedures, and decisions that need to be made. Where is the data going to be recovered from? What's going to be determined? How is it recovered? Who's going to get access to it? All of these things. There's a whole plan that goes into this. This is different than DR. This is different than backup, it's way different, it's its own animal. And this is another place where Dell expertise comes in, being able to do the consulting work with an organization to define the plan or the runbook so that they can recover.

Finley: I wanted to also point out a consideration about ransomware payments. It's not always a clean option to actually make the payment because of the U.S. Treasury's Office of Foreign Assets Control (OFAC). If an organization pays the ransom, and the recipients of that payoff are considered a threat to the United States, it may be breaking another law by paying them the ransom. So that needs to be taken into consideration if an organization is breached for ransom. If they pay the ransom off, they may be breaking a federal law.

Gardner: Do the Dell cyber recovery vault and Unisys Stealth technologies enable a crawl, walk, and run approach to cyber recovery? Can you identify those corporate jewels and intellectual property assets, and then broaden it from there? Is there a way to create a beachhead and then expand?

Build the beachhead first

Finley: Yes, we like to protect what we call critical rebuild materials first. Build the beachhead around those critical materials first, then get those materials, Active Directory and DNS zone tables, into the vault.
Next put the settings for networks, security logs, and event logs into the vault -- the stuff in your production environment that you could get out of the vault and make everything work again. If you have studied the Maersk attack in 2017, they didn't have any of that, and that was a very bad day. They finally found those copies in Africa, but if they hadn't found them it would've been a very bad month or year. So with that kind of thing in mind, it has happened to many folks besides just them; theirs just happened to be the most publicized.
So with that in mind, get those materials into the vault as a beachhead, if you will. Let's build together the notion of this third location, let's secure it with Unisys Stealth, and let's secure it with an air gap that's engulfed in Stealth, and with all of the connections in and out of the vaults protected by Stealth using zero trust. Let's take those critical materials and build that beachhead there. Ideally, I've seen great success when I was doing that, and then gathering maybe a total of three to five of the most critical business applications that a firm may have and concentrating on them first.

Here's what we don't want to do. I see no success in sitting down and saying, "Okay, we're going to go through 150 different applications, with all of their dependencies, and we're going to decide which of those pieces go into the cyber vault." It can be done, it has been done, and we have consulting that can help do that between Dell and Unisys, but let's not start that way. Let's instead start like we did recently with a big, big company in the U.S. We started with critical materials, we chose five major applications first, and for the first six months that's what we did. We protected that environment and those five major applications. And as time goes on, we will move other key applications into that cyber vault. But we decided not to boil the ocean, not look at 2,000 different applications and put all that data into the vault.

I recently talked to a firm that does pharmaceuticals. Intellectual property is huge for them. Putting their intellectual property into the cyber vault is really key. It doesn't mean all of their systems. It means they want intellectual property in the vault, those critical materials. So build the beachhead and then you can move any number of things into it over time.

Peters: We have a demonstration to show what this whole thing looks like.
We can show what it looks like to make things disappear on your network through cloaking, moving data from a production environment into a vault, retention-locking that, analyzing the data, and finding out if something is bad on it, and being able to select the last known good copy of data and start to rebuild systems in your production environment. If somehow you had an environment you're recovering and malware manages to slip inside of that, we can detect that and we can shut it down in about 10 to 15 seconds. For organizations interested in seeing this working in real time, we have a real live demo.

Finley: That's a powerful, powerful demo for all of the folks who are listening. You can see this thing work from beginning to end, to see how the buttons are put in, how the data essentially moves out, and the scrubbing of the data to make sure it's clean. It was fascinating for me the first time I saw this. It was great.
Gardner: I'm afraid we will have to leave it there. You've been listening to a sponsored BriefingsDirect discussion on new ways of protecting data backups first and foremost so that cyber recovery becomes an indispensable tool in any IT and business security arsenal. And we've learned how a joint solution between Unisys and Dell elevates what was once data redundancy and backup into a much more resilient and powerful cyber recovery regime.

So please join me in thanking our guests, Andrew Peters, Director of Global Business Development for Security at Unisys. Thank you so much, Andrew.

Peters: Thank you.

Gardner: We've also been here with David Finley, Director of Information Assurance and Security in the Data Protection Division at Dell Technologies. Thank you, David.

Finley: Thank you, Dana. Thank you, Andrew.

Peters: Hey, thank you, too, Dave. Cheers.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect cybersecurity innovation discussion. I'm Dana Gardner, Principal Analyst of Interarbor Solutions, your host throughout this series of Unisys- and Dell-sponsored BriefingsDirect discussions. Thanks again for listening. Please pass this along to your IT community, and do come back next time.

Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.