
All right, let's kick it off. To begin with, thank you everybody for joining this and everybody coming to BSides, because like Darren threw out there earlier and asked the question of hey, whose main role here is security? It shows everybody in this room and everybody who came to this event that security is top of mind for each and every one of you, as it should be, because it's not just keeping our organizations' data secure. It's about keeping our individual data secure, because organizations hold on to our data because we provide it to them for services, and we need to come together to make sure that that is safe and secure which so you thought this was a safe
room by me asking that question but I totally set him up to educate you that all of you are security people. >> That's true. That's true. Anybody have one of these binders full of dust? >> Yeah. Ever used? Nice. It's one of the things we all have or had is that thing where they say there's a documented approach to a DR strategy which typically means disaster recovery. And that binder itself is usually built for fires, floods, weather. Simple as that. That's what it's there for. That's what the plan is built for. But it hasn't been updated in quite some time. Being in Edmonton, we don't see a lot of natural disasters. Let's be honest, there are times where it
occurs, but how often is a playbook like that broken out? Not a lot. And that's why it's covered in dust. And of course, I'm based in Edmonton. Being like a CISO is as simple as this. It's like being a goalie in Edmonton. You can save 99 shots, but you miss the one. And where do you end up? On the newspaper. Fire him. Get rid of him. He's useless. >> Poor Stewart. >> And hey, there could be reasons to say maybe we do need better goalies in Edmonton. But it's the whole point of it's a team effort. It's not that one individual. There's many different lines of offense, defense. Of course, how do you win a game? Who has the most goals?
But it really boils down. That's what's happening with even our security officers today. Even Quantis as an example. What happened there? The big thing happened. There was a big issue that occurred. the CISO is the one who took the blame for it. Is that really the case? Was it his fault? Maybe he's directly responsible for it and that individual who should keep an eye on it. But it's an organizational problem. It takes direction from the top down. And this is where the world is changing. And it's not just about disaster recovery anymore. It's about cyber recovery. And that's where other things come into play except what we know as natural disasters. It's ransomware, extortion, exfiltration,
right? This is the thing that everybody's having to face today. And what we're going to cover here today is what cyber resiliency really means. On top of that, why DR isn't enough. And I think I already covered off some of those pieces, but I'll get specific on it. Darren's gonna go into some real stories. Of course, we're not going to say names. We're not going to do that. But we're going to talk about real incidents that happened based off of outcomes and playbooks that organizations were leveraging to keep their data resilience, strategy, people, and process. We're not just technology. It's not what we are. We're all doing something with technology in most cases to drive a
service, build up an organization, help our consumers and our clients, and then let's come together to build the standards that we need to implement going into the future. Now, I'm not going to read this off, but what is data resiliency? It's the simplest fact of how can you stop disruptions? How can you make sure your data is accessible to keep the business running and functioning? What it's not, it's not about data classification. It's not about the cleanliness of data. That's another part of the organization. But it comes together to make sure the main point is done that you can recover from failures and outages and also the malicious actors we see today. And as we unpack that, it used to be
if; it's not if but when, but really it's about how bad can it be. And if we look at the left side, we're looking at actual disaster recovery. If we look at the right side, we're actually talking about cyber recovery. Natural disaster; with cyber recovery it's a targeted attack in most cases. It doesn't mean it's targeted because you're a specific industry. It means it's targeted because they go after least resistance. So that could mean you're using a piece of software that hasn't been updated in months and they know that they can get in through that loophole. That's what they're going after. Where natural disasters, we know the outcome. It's as simple as that. If there's a fire that takes
out your entire facility, you just need the other facility. Done. If it's a flood, well, you have a data center sitting in another location. You can power everything up. And that's where it goes into the recovery points. Latest backup; or with a recovery point for cyber recovery, it's unknown. Do you know what's actually clean? Well, that means you actually have to go through the process of figuring out where it got in, how it got in, what that impact is. Recovery time as close as possible to your latest restore point. Pretty simple. But when we're actually talking about cyber recovery, it's longer due to risk of infection. And are you restoring the bad into your environment?
Preparation completely random for cyber recovery because you don't know what you don't know yet. Then the main objective is to get everything back up and functioning when we're talking about disaster recovery. But when it comes to cyber recovery, it's the whole compromise, the accounts. What did they live off the land and what did they already know about your organization? Do they know more than you even knew at this point? Maybe, maybe not. But you still got to figure that out. And the probability of disaster recovery, I kind of covered that already off in Edmonton. It's fairly low. Power outage may be different, but I don't consider that a massive disaster recovery at that point in time. But when you're looking at
cyber recovery, it's high. And that's not changing because there's money to be made. There's no money to be made in a natural disaster. But when somebody's chasing after funds to keep their organization running, I know they're criminals, but it's still an organization. They have quotas to meet. They need to make money to stay functioning. And that's where it boils into our data protection trends report from 2025. And this is vehic organizations paid a ransom and were attacked more than once. Do you ever answer a call from a telemarketer? >> Exactly. >> How about CRA? Yeah, >> you definitely need to answer calls from CRA. >> Oh, yeah. Especially when they ask you to pay them on credit cards, right?
>> Card. >> I actually had to pay the CRA the other day. You can't even pay on credit card anymore. Do you know that? Or debit card. It has to be debit Visa >> technology, >> right? Took me forever to get into it, too, because of all the multi-factored authentication. Great. I like how that data is protected a little bit better now and that's coming into play. But the whole point is if you answer the call from a telemarketer, you just hit a list. You're going to get another call because you answered. Especially if you were friendly, they're going to call you back. Especially if you bought something from them, they're going to call you
back. If you ever buy a new car and you buy Sirius satellite radio, they're going to keep calling. They'll keep calling you anyways. But nonetheless, now the victimology in the industries. Does ransomware target a specific industry? Not really. Again, it's about that least resistance. And that's why this is just scattered. There's ones that get hit more than others, don't get me wrong, but they're not again targeted. They're going after specific strands. They're going after specific vulnerabilities. >> The balancing act, right? >> Think about it. They'd love to go after banks, but they know banks put probably the most money into their IT security, their resiliency. So, where's that balancing act? >> Yeah. And if they can get $2 million
from one organization or another, doesn't matter, it's still $2 million. Nonetheless, they're still getting those funds. And as we look at the challenges of response and recovery, if you look at this timeline, the orange is where we are today. In some cases, as we start to look through this, and this is that whole concept that we all see, and here's your four major categories, whether that's defection... detection, sorry, not defection. I think I made up a word. Is that even a word? >> You not pick up good words. >> I'll have to come up with what that word actually means later. But detection and analyzing everything that comes in. Then you get into containment, eradication, and recovery. But where we
sit today, it's taking days and weeks to even get to the point that we found out what it is. We got to the point where we can at least look at containment. Then we're focusing on eradication, but we're still months away from recovery. The green dots is that sensible place. We need to be sensible and defensible. That's a word. >> It is a word. I was going to say where if you think about your organization you're in, how much time and effort is or and monies is put in those three top categories versus recovery. We're always trying to get the newest security technology. We're always trying to, you know, improve this or that, but really prevention isn't 100%. We know
that attacks are still occurring every day. I think that recovery stage is pretty important. >> Yeah, 100%. And it is that whole fact of it's risk versus reward. >> And I do go into organizations even sometimes getting them to buy Veeam and I look at the tool sets they have and I see where they sit and I'm like, you know what? I know I'm not supposed to say this, but maybe you don't even need to buy Veeam. Let's focus on the tool set you already have. I know that's not my job to tell you to look at my competitor that you have. My job is to displace that competitor, but I want them to be
safe, secure, to keep my data that way. So, leverage the tool set you have. If it doesn't meet what you need, now it's time to look around and see what else is out there. And that's where really the shift comes in. It's not about cyber security. It's time for us to turn the page as well. Set up that new expectation where it's cyber resilience. That's where we really want to be in the overall picture. And this is where the data resiliency maturity model comes into play. You might say, Rick, yeah, I'm sure that's marketing. You guys just came up with that, threw it in some AI bot and said, "This DRMM sounds beautiful and look how it all comes
together." I'm sure somebody did something like that at marketing, but this is actually a survey that was built with McKinsey or study I guess is the best way to say it. A study that was built with McKinsey, George Washington from MIT as well as the likes of Microsoft, Splunk, Palo Alto. We all came together and we reached out to all organizations, not Veeam customers, but all over the place. And this survey was based off of 54 questions. And it starts to lay out where they sit on a maturity model. And this maturity model itself is built off of three core pillars. You got strategy because guess what? If you're not leveraging strategy, what are you doing? Throwing darts at the wall hoping
something sticks. Eyes closed. Just throw. Oh, I hit there. My bad. But it's that whole concept. You need to have a strategy defined. Then we look at people and process. Because you can have all the strategy in the world defined, but if you don't have the skill sets to do that and the organizational buy-in and the playbooks, why do pilots typically not crash? Anybody know? Because they use a checklist. They use it all the time. I use a checklist even when I'm trying to figure out, okay, I'm going to the grocery store. My wife get me all this stuff. I need to pick it up. I don't want to be calling her every five minutes. So, I'll grab my notes and put
it down and I look like a superstar cuz I actually came back with what she asked for cuz I wasn't going to remember it. But that's that whole point. People and process. Last, technology. And again, it goes down to the tool set you have and the tool set you will need into the future to meet the strategy align with the people and process. And then that's defined in what we call subdimensions of technology. Whether that's backup, recovery, reporting, dare I say it, AI, automation, orchestration, even that freedom and portability of data. This is just to interrupt because I know you're going into them now. This was to me really exciting for biggest thing I get asked by clients all the time is,
you know, what's best practice? How do I do this? What's the industry doing? Well, it's hard to say what the industry is doing. Everybody has a different, you know, everybody has business objectives that are different. The business defines that, but if you could get a collection and understand across the board what everybody's doing, >> it makes it a lot easier to define where you're at and how you strive to be better. And to me, this is the beauty of this uh maturity matrix. >> Well, and the maturity matrix is broken into four horizons. So after you go through the survey kind of baseline across your industry verticals, then it tells you where you sit on this actual
horizon. And this is where we're going to get into some stories about this, but the first horizon and the basics of it, and I'd say maybe this was great 10 years ago, but it's having manual backups as an example. Nothing's really scheduled. Nothing's really defined. Then you start to look at that unclear resiliency strategy. I've been a Veeam customer for about 17, 18 years. It's a 19-year-old company. The reason I purchased Veeam 17 or 18 years ago was to cover my own behind. I was the IT folk. I had to make sure that I could restore my data should the bad things happen. But that's changed. Now we need organizational support and driving it down from the
highest of the C-suite. Recovery plans equal theory. It's no plans. It's just oh I need to restore cuz you know Darren deleted his Excel document and needs it back again. >> That's no longer that same type of thing. Even reactive security and unclear accountability. Now Darren, I know you have some stories with this. >> Yeah. So these are Canadian-wide stories but we had one we call it uh it's an education and all these are learning opportunities right so uh we had one uh education institute where the actual college's student portal was ransomwared and if you think about what that means that means students can't submit professors don't know if they submitted their assignments and they certainly
can't grade their assignments everything went down to a standstill they tried to do some backup uh recovery they looked at the backups and they were very much one day they worked, one day they didn't work. Corruption in the data, nobody was managing them. Nobody was understanding really what was going on. And having backups isn't a strategy, right? >> I mean, we talk about it all the time in data protection is that everybody every company you talk to can do a backup. Come down with it when you need to recover or comes down that it's important. The other big one was and Rick almost I got to chuckle out when he asked at the beginning. um was a story
about a manufacturing plant that had that DR plan, right? They had the DR plan. Hey, I got the plan. We're good. And then one day they had to actually they got hit with ransomware. Um nobody could place orders. Nothing could manufacturing. Didn't know what to do. They didn't know what to produce. They nothing complete standstill. And they're like we got out the plan and nobody knew what to do with the plan. Nobody had ever practiced the plan. Nobody ever implemented the plan. the technology people I don't think had ever seen the plan. Uh so it was a complete disconnect and it was a complete nightmare and they quickly realized that if you don't plan your if you don't actually practice or
uh practice your plan your idea of resiliency or recovery is based in fantasy right you need to bring it down to reality. We need to know what works and what doesn't. >> Yeah. So basically what you called out there to even summarize it to everything they had technology >> they definitely had technology uh and they had a DR but there was a complete disconnect between the two >> been so no people process >> no people process >> no strategy at the highest level just it was it was a purchase plan that nobody knew what >> good for the the whoever the individual owned that plan when some he was challenged by senior management or you
know CEOs and etc. He's like, "I got the plan. Don't worry. We're good." But I often talk about is that it's great to say that, but how do you actually prove it? How can you actually prove that? Somebody comes to you today and says, "Can you prove that our backups are running all the time?" And when we need to do a restore, it's going to work. How do you prove that? You're not going in and pulling off a little log and giving them a little logs, right? A screenshot. You need actual some kind of >> Cheers. He would love that. What are you talking about? >> I know it's great. But you need it more
based in reality and you need to know when the chips are down that what you have for backups is going to work. What you have for a plan is based in reality and it's going to work. >> Okay, so that was 44% sitting in horizon one. Now we shift into horizon 2. That's 30% of organizations. And when you start to look at that, that means they at least have some RTO and RPO targets. At least something's written somewhere. Okay, we're moving up. We're looking a bit good. Immutability scattered for some of it. There's a check mark once in a while to say, "Hey, I have immutable backups." On top of that, there's a little bit of retention
policies. They're looking good, man. Horizon 2 is looking pretty solid. There's some security monitoring capabilities. >> That's good. >> So, popup comes up once in a while and says, "Hey, it's there. You got a problem. What do you do with it?" Broader coverage. So they're starting to make sure they're capturing everything in their scope a little further instead of just the IT folk trying to make sure they got their coverage should they get the help desk ticket that something's been lost. And there's some ransomware simulations. Now I know you've been dealing with some of these customers in that 30% range. What's that look like? >> It's funny. This is coming out of that transition, right? You're out of that
basement, if you will. now moving up and you start to see a mod or a mod podge. I don't know what the right term is there. >> Are you making up words like terms apparently? Uh but one of them we saw was an actual in a healthcare institute uh got hit with ransomware. Um they had immutable backups. They had actually done tabletops etc. They had done a lot of this and when they actually got hit they were able to recover. took a little time but they were able to recover. What they missed which Rick is alluding to is the fact that in that hour as they were down they got back and running then they
found out that their data had been exfiltrated. So now they have thousands of records patient records on the internet and they're being blackmailed for that. So while their plan really did work in some regard as far as they were able to maybe it wasn't obviously in the next tier where you get orchestrated they were able to do manual process they were able to get back up and running. they had immutable backup but they missed the alerting for that whole exfiltration completely. Uh, another one was actually on the retail side. We uh found this interest and there's been a few of these retail ones. You can if you think back the last two or three years um and it
was a Black Friday sale. They got hit with ransomware. I mean the bad guys are always good, right? They hit you when it counts. It's on a ransomware. How many times I know of uh businesses being attacked on Christmas Eve? It's considerable. So they got hit. They had put a lot of time and money into testing and making sure that they were ready and they were able to recover within about an hour or two and their stores back running. You know what they missed? >> The online part. >> It was a complete disconnect. The stores were all up and running, but their online purchases sat at zero. Nobody could get anything to do the scores. It
was a complete misalignment within the organization where they were taken care of and they focused on the on-prem. They did a good job. They missed the whole other aspect of what's in the cloud and their online portion. And ultimately what makes them more money, it's the online side. So they had a really bad day. >> Yeah. Somebody had to pay the piper on that one. >> Yeah. And we've seen this especially in retail like I it broke my heart about three years ago. I used to talk about all the time what happened to Chapters, right? Chapters was pretty much exact scenario. They were back up and running but they were running on-prem only
nothing in the cloud worked. Then it was a subset because they couldn't get their data and then took them almost I think 84 days to get back. >> I don't want to look at this as all doom and gloom either. I mean that's a great time to go to your C-level and ask for some money for that new tooling. Right. >> It's unfortunate that that's the time when they open up the coffers if you will but yeah those are good times. And again, a lot of times when something like this happens, you're going to see everybody say, "We need, you know what, we need the better tool. We need the better security tool. We need the better
EDR, the better firewall." What it really comes down to is, hey, those are important. And if those need to be, those gaps need to be filled. Totally get it. But let's make sure we turn that dial. We're talking about cyber resiliency now. So, let's make sure that we really assess what really happened, how it got in, and what we get the best bang for a buck when we spend money. Maybe it is on improving our EDR or firewall, but maybe it's making sure that we have a resilient plan of the data recovery across on-prem, across the cloud etc. >> Nice. All right, time to shift gears. So, where is that sitting us at? 74% of
organizations are sitting in that horizon one and two. Is that good enough? You all think that's good enough? >> No. Okay. Okay. Yeah, just making sure. I'm just making sure. So, let's shift into horizon 3. That's mature and adaptive. We're getting there, right? It's not like when we were 12 out running around. We're starting to mature. We got some experience. We're building it out. We're learning from our life experiences. So, inside of here, when you start to look at what mature and adaptive really means, now you have organization-wide resilient strategy at least defined. You got buy-in from the organization. We're sitting good. We got complete unified workload coverage because I'm sure if I'd ask anybody in this room, if you
have a full document that categorizes every single tier of your application stack, you may. But has that been bought in by the organization? And is it forgetting about that one server, that one application that means employees get paid or it means the most important thing for an organization, but it was never captured because you never really knew that entire workflow that occurs. It could even be a print spooler, right? That could be an important concept of that unified broad coverage. Keeping multiple copies of your data extremely good. making sure one's offsite, making sure it's spread across different mediums, making sure that it's immutable, and hopefully that it can be recovered, meaning you've tested it for zero
errors. Because if you're storing all those recoveries now, those backups, and you try to recover them and it fails, that's also not a great day. And looking across cross system, I'm sure we've all dealt with it. Everybody's looked across multiple different platforms today, whether it was due to cost factor and having to move from one hypervisor to another or one hyperscaler to the next. Can you go across that entire platform? And when we start to look at organizations inside of this, they do have that flexibility built in. Integrated security, meaning it hits a SOC. It's not just a security alert that's sitting within an isolated portal. It's going into your entire security operations center with real-time
detection, leveraging tested incident response playbooks. Key word: tested. People learn to do things that they do a lot. Like they say, to become an expert in something, you spend 10,000 hours and then you can at least quantify yourself as that. But that's a lot of time, repetition, so on and so forth. Don't know if anybody's seen the mental health session yesterday, but I was there and my son was there and he's an esports player. He's put 14,000 hours into that game. 14,000 hours. And he's 24. Just do the math on that. That is an expert in that field because he spent so much time. But not just playing the game, becoming good at the game,
learning it, finding the ways to be a little bit better. And that's exactly what this is. But Darren, >> what do you got here? Before we talk about the use cases, I love one thing in here and it really it's important to me that advanced orchestration automated recovery. So typically this is across maturity across number of different manufacturers we brought in etc. So I look at the orchestration from two different perspective. I look at it from the security side and from the data protection side which is again that whole data uh resiliency right. So I often get asked and about 3 years ago at BSides I actually did a presentation on the best product you could buy for
security state is not buying a product just having all your products talk to each other >> build orchestrator right you want to get the most bang for your buck and have more efficiency have the firewall say something to your EDR when it says something in like the 4 seconds versus waiting for a manual person to come in and see something and go add a manual rule orchestration is really important one of the examples we saw that really fit into this mature and adaptive um quadrant was uh was a bank. There was a bank that got hit. Uh they uh took them about two to three hours to get recover to completely recover. They had immutable backups. I went over the line.
I'm sorry. Went over the line. Sorry, camera. Immutable backups. They had orchestration. So, it was pushing a button. Everything was starting to be grabbed from that immutable backups. Immutable backups mean the bad guys could not corrupt or delete any of it and they started to recover. Technology win, right? They're back up and running in two or three hours. What they missed part of this whole plan was the fact that for that two to three hours nobody was contacting or giving updates to the public or to clients. So technology win trust lost because that two to three hours nobody knew what was going on. they hit the news, it was a big thing. Instead of them getting out
in front of it from a communication perspective, >> it turned into a complete PR nightmare for them when it should have been more of a win. So again, it's such a simple thing. The communication plan was missing in that part of it, but it was an important one. Another one was um public organization um similar to one we talked about earlier uh that did a really good job on protecting their on-prem but they missed the total cloud side. They missed the cloud side. They had been doing uh they were quite mature. They were doing testing all this but they we realized after the fact they were doing siloed. >> They were doing siloed. They had a group
that was doing all this and a group that doing this but then you know what that cloud group really wasn't doing anything. they were completely missed. So while the organization for the most part had orchestration had all this stuff down, it wasn't across the whole organization. They were very siloed and it was felt when the cloud services did come up. This was a public sector organization where people depended on getting access to data that they needed every day for their uh for their lives. So it was a big deal and it took two to three weeks to get the cloud part back up and running. So total win on the on-prem side; the siloed nature of
their planning and testing and what they had implemented meant that it wasn't a win for the organization. >> So I like that. I mean moving into Horizon 3, there's more wins than losses and they don't have much more to get themselves up to that. >> Oh, I think I'll figure something out. >> Okay. Okay. >> You challenging me. I like it. >> Yeah, I like it. So then 8% are sitting in self-optimizing. This is when all the pieces come together. You're leveraging strategy. You got the people and process. You have all the technology that's required even from fully automated continuously tested backups. Key word fully automated like Darren was talking about. I'm not going
to read through all these different things, but even leveraging zero trust principles by default, isolation, least privilege, list goes on and on. Darren, what do you got around there? Well, >> this should look better, right? >> This should look a lot better. There was a global shipping company that got hit by ransomware. They had total automation. They had uh immutable storage. They had everything. And you know what appeared on the news? Absolutely nothing. You didn't hear about it. We hear about some stuff because we get the inside stories from different companies. But they had they were fully at that self-optimizing. They had a full plan. They were checking their plan and practicing in an
automated way that every day they got those reports. Every day in the morning they got a report at 7:00 saying we tested these 100 systems every at night when their hypervisors were a little quieter. They had all those reports. When something happened, they clicked the button, the orchestration kicked in and they were back up and running. Nobody knew that it happened. >> And you know what, those are far and few between, but they are happening. And people are moving up this matrix. And that's why I like the matrix. It's like a, as Rick said, it's a checklist. You can see where you are. It doesn't matter if you're at the bottom. The point is that if you're on the
very bottom and maybe there's seven things there, maybe you're doing four or five of them and you need to do the two more and you get to the next. The point is that we always want to be progressing and improving. Another one that caught flagged in this uh in this that really hit home on the self-optimizing was there was a major energy company in Canada got hit about three or four years ago and they were raked over the coals by uh the regulators. They took that feedback fines etc. They thought about, they came up with a detailed plan and they redid everything from the ground up on their DR disaster recovery and they got hit again and
nobody knew they got hit the second time and regular they did have to report that to regulators of course but the regulators came back and said you know what what a difference between two different things. You had to disclose it but nothing was lost. There was no stealing of data. There's no corruption, no loss of data. Yeah, >> this was a complete It shows what happens is that it's unfortunate that we get hit like that, but at least they learned from it and they went and they put the necessary funding into improve that process and what they had for technology. >> That's the big thing you called out there. It's going to happen. >> It's a given. We used to know servers
will fail whether it was a RAID card, whether it was corruption on a data store, whatever your array is, it's going to happen. >> But how do we come back from the same thing as we all know now? You're gonna get hit by something. >> It's gonna happen. But how do we rebound from that? And this is where we start to break out these horizons. And when we start to look at horizon one and two, it's not good enough. 74% of organizations, so three out of four organizations are still sitting there based off of our survey of 500 organizations. Of course, I'm not saying in this room it's three out of four, but maybe it is. Not asking anybody to put
up their hands. Not I'm just saying what my client base is and my cover Edmonton and and Manitoba. I would say that this is primary 75% typical clients are in those bottom two and then there's somebody the 25% is really most of them are in that mature adaptive and maybe they got a couple points into the top. They're striving, they're pushing to get up to that uh self-optimizing. >> Nice. And that's what this framework's all about. It's not the whole fact of, oh, it's terrible. It's not terrible. It's what we do as humans. We adapt. We evolve. We learn from our experiences. We all fail. I might have failed 12 times today already, but I learn from
it. So, I'm not totally stupid. I'm just dumb. I'm actually >> I did, which was good. I didn't know I was going to be on camera because that could have been awkward. >> And I've stayed in the box the entire time. But that's that whole thing and here's the framework and this is about the enterprise data resiliency eye chart. I'm sure you can read this later but it isn't about the pointing the fingers. It's not what this is about. It's about the opportunity moving up the curve means we go from weeks of outages to predictable recovery in hours in some cases. Of course, if you really get hit by something, am I going to sit here and
be like, "Oh, if you purchase Veeam today, we can recover anything in minutes." There's a bigger process that happens. You don't know if your data center's become a crime scene. Do you have the data center? Hopefully, that strategy's been defined. Do you have the ability to restore to the secondary data center? Again, the strategy, but also the skill set, the people, the process. And if you do everything right, you can move that down from weeks to hopefully hours because guess what? It didn't get into your entire infrastructure. Don't assume it's a wipeout issue. It's an isolated segment that you've stopped, contained, eradicated, and now you can recover. Only a part of the organization was taken down, not the entire organization.
I think people also and and this was something I learned about three or four months ago. I didn't realize is that if you do get hit by ransomware and you're not able to get all the data back, but you're moving on the regulator or whoever you're you're using for insurance or anything like that, they're going to require that you keep that encrypted data somewhere. So if you had a 100 terabytes that's encrypted and you've moved on, you still they're going to require you to put that 100 terabytes somewhere so that eventually in a year from now or two years from now if that key is found is known that you're going to be able to
get your data back. So a lot of organizations get caught off guard where they don't realize you mean I got to build a new environment. >> I'm quarantined off my but I also need that new environment. I need another environment to keep a copy of that encrypted. >> You're out of the box. >> Get back in. Sorry. Sorry. >> And globally, the amount it's costing us for each data breach is steadily climbing. It's $6.5 million Canadian today, right? And that all comes down into it's not even about the cost. It's the amount of time we're still having to take to detect, analyze it, contain it. sometimes to still sitting in your environment for almost a year before you
even find it. That's a challenge because if I was to sit in any of your environments for a year, I'm gonna get a lot of information. Even if I'm not using tools, I can gather a lot of details in a small amount of time. If they're sitting there that long, they might know your environment better than you do. That's a challenge, right? That's what I use GPS for today because I'll get lost going around in circles in the parkade. It doesn't help with parkades, actually. I wish it did. So, I didn't realize I was just going around in C. I didn't do it yesterday. >> Trying to get out of the big parkade here. I can just look it on my GPS and
just see driving around and around and around. >> We haven't talked about Veeam much. So, I guess I should do a little bit of a vendor spiel. And that's what I'll leave that screen there for. It is that whole thing what it actually looks like. And again, this isn't even much of a Veeam pitch, but these are those core five things you need to think about from your technology provider. Can they provide data backup? If they can't, you shouldn't even talk to them because that's table stakes, but do they have data recovery? And what does that mean? Yeah, you can restore to, you know, that one spot, but do you have data portability? Can you do restore to a
different location, a different hypervisor, a different hyperscaler, dissimilar hardware? The list goes on and on. But what can you do with that data? It's not as simple and I've heard people ask like what's recovery look like with Veeam like that's a detailed question because where are we recovering it to? What do you need it for? Do you need a file? Do you need a disk? Do you need that entire workload back up and functioning in the organization? Then data security key core compeller for us is that whole fact integrating into your SOC, immutability, encryption based off of STIGs and our software appliances that are hardened to the point that if you lose access to it, you're not going
to get access back. Right? I know that sounds bad, but it is a fact because you need to keep the documents in place and then applying data intelligence into it. And Darren, over to you for this. >> Yeah, you know, Rick made a point earlier that this isn't really not is about marketing, right? It's not about marketing. Everything that is part of the maturity matrix that we've shown here maps back to NIST. And as you know, NIST is one of those fundamental compliance frameworks that a lot of other frameworks at least map to, right? So everything in there maps back to NIST and then we'll map to your other framework. That's how this was all
developed. Now, I'm not going to make you go through this entire eye chart. This is probably something you can send out if you want to, but there's a lot of stuff there and how it directly aligns to the NIST CSF with specific features, functions that we offer within the solution, but I don't think we really have time to go through that today. >> No, >> unless you just want to read off everything and >> monotone. I think you said it well enough. And there's also um there's lots of different ways to map a lot of these on the NIST to different frameworks. I know I saw safe here a little couple minutes ago who works for a secured
approach. He's actually come up with a way to map everything together as well on a program. So there's lots of different ways locally externally that you can look at mapping uh feature functionality and other compliance to uh NIST and other frameworks. >> Awesome. Thank you. So really we want to take a shift. We don't want the binder to be dusty. It doesn't even have to be a binder, but it is that whole fact that it's got to be used every single day. It has to be updated. It has to be reflected. The majority of that can also be automated. Let's be honest, it doesn't have to be a static document that you physically fill out yourself.
You have the tools, dare I say even an AI co-pilot, whatever it is, to help do some of those things and look for a provider that can help tie all those different pieces together because if your plan only lives on paper, what makes you think your recovery will live in reality, right? It's a story. It's not true. Make sure you live and breathe it every single day. It's a living document. >> And on that point, anything you take from this session or any questions? We got a couple of minutes, I do believe. [Applause]