Platform
- Data Security Cloud
  Data Security Cloud
  Fully managed data security across enterprise, cloud, SaaS, and end user.
- Data Protection
  Data Protection
  Modernize data protection to reduce costs and complexity
- Cyber Response & Recovery
  Cyber Response & Recovery
  Bounce back from cyber attacks with data that is always safe and ready.
- eDiscovery & Compliance
  eDiscovery & Compliance
  Secure, protect, and streamline data governance.
- Meet Dru - Your Copilot for Data Security
Solutions
- Use Cases
  Use Cases
  Learn how Druva helps you accelerate key business initiatives
- Key Technologies
  - Public Cloud
    Public Cloud
    Protect native AWS and Azure deployments with secure backups without the cost and complexity
    
    AWS
    
    Azure
  - Hybrid Workloads
    Hybrid Workloads
    Transform data center backup and disaster recovery for virtual environments
    
    VMware
    
    Hyper-V
    
    Nutanix
    
    Oracle
    
    MS SQL
    
    SAP HANA
    
    NAS/files
  - Endpoint and SaaS Apps
    Endpoint and SaaS Apps
    Enterprise Cloud Backup and data management across edge, on-premises and cloud workloads
    
    End User Protection
    
    Microsoft 365
    
    Salesforce
    
    Google Workspace
    
    Microsoft Entra ID
    
    Microsoft Dynamics 365
- Free Trial
Customers
- Explore All Customer Stories
  We are trusted by the world's leading organizations to protect their data. Explore customer success stories to see how your peers are using Druva.
- Ransomware recovery ready
  Learn why Medallia chose Druva
  
  SaaS data protection across the enterprise
  See why Regeneron partnered with Druva
Resources
- Druva vs. Veeam TCO Calculator
  Find the hidden costs of legacy backup
  
  Forrester: Total Economic Impact of Druva 2024
  Customers see 224% ROI: Find out how
Partners
- Programs
  Programs
  Learn how you can profit with Druva and a cloud-first SaaS selling motion. Explore partner programs, access resources, and discover the benefits of partnering with Druva.
- Strategic Partners
  Strategic Partners
  Learn about Druva's strategic capabilities across platform, OEM, and other partnerships. Find out how Druva accelerates and protects customers' cloud journeys.
  - Dell Technologies
  - AWS
  - VMware
  - Nutanix
- Become a Partner
Company
- - Company
  - Leadership
  - Investors
  - Careers
  - Contact Us
  - Newsroom
  - Awards
  - Events
  - Diversity, Equity & Inclusion
  - Blog
- Get in touch with us
  Contact Us
  
  News, product innovations, and more
  Blog
Get Started
Support
Login
Language
- English
- Deutsch

Product

Threat Hunting: Search, Contain, and Destroy Cyberthreats with Druva

February 29, 2024 Badri Raghunathan, Sr. Director, Product Management and Vasu Subbiah, Sr. Director, Product Management

Incident Response and Cyber Recovery

Security investments by enterprises are at an all-time high because of incidents like breaches and ransomware. While it is not possible to completely eliminate cyber attacks, organizations can mitigate their risk by ensuring their backup system is fully secure, protects data, and enables fast, clean recovery to minimize downtime and prevent data loss.

Critical to your cyber resiliency strategy is a well-tested incident response and cyber recovery playbook, which typically follows the workflow:

IR and remediation efforts fall under two broad categories:

“Peacetime Activities” — Hunting for Undetected Threats

Mature, at-scale security teams have “peacetime” programs around threat hunting. This is typically to “hunt” for undetected threats that might have penetrated cyber defenses and have a presence in the enterprise. Finding and confirming threats as part of these threat hunts initiate the incident response process to drive the attacker out, contain the incident, and then initiate remediation and recovery operations.

“Wartime Activities” — Following an Incident, Determining Scope, Impact, and Timeline

During the course of regular security operations, if incidents are confirmed, the team will determine the initial intrusion vector, timeline, and scope of infection during the investigation and response. These are dependencies for subsequent actions around containment, remediation, and recovery.

Gaps in the Process

For both peace and wartime actions, security and IR teams typically use primary security tools like SIEM and EDR to search for indicators of compromise (IoCs) and indicators of attack (IoAs). These could include static file attributes (filenames, file hashes, etc.) and behavioral attributes (process, name, etc.). However, security teams might not have all the data available or might need additional information to assess the situation properly.

Fortunately, backups contain this data across an extended timeline and your enterprise fleet (edge, data center, public cloud, and SaaS apps). What if enterprises could access this rich historical archive for more than just recovery, utilize it to search for threats, and take action?

Filling the Gaps in Response — Threat Hunting with Druva

That’s where Druva comes in — we take a comprehensive approach that allows customers to search and take action on threats in their backed-up data. Let’s look at where the security team can investigate threats as part of a wartime or peacetime scenario in their end-user data distributed across edge devices (Win/Mac) or SaaS collaboration apps (Microsoft 365/Google Workspace).

1. Search

Your security team can search for specific static file IoCs. Backups can complement security tools to allow the customer to determine the infection, scope, and timeline, and help initiate the next steps of containment, cleanup, and recovery. Druva’s Federated Search is a powerful tool that leverages metadata of backups. This Federated Search capability is critical to enabling the location of sensitive or malicious data that is backed up by users and offers unique insights that go beyond the raw data itself. Admins can search for data based on the following criteria:

Creation date and time
Author or owner
File size and type
Hash values
Email metadata (subject, recipients, attachment info)

Search based on this metadata provides matching results across historical backups. These offer an indication of which snapshots contain potential infections and the overall timeline of the attack. Admins can take subsequent containment, remediation, and recovery actions based on this information.

Search for files based on metadata across edge and SaaS backups (files, emails)

2. Contain

Admins typically seek to take containment actions upon analyzing results — Druva offers powerful capabilities to contain the infected files (at a file and snapshot level) and prevent restores of infected files that would lead to reinfection in the customer’s primary environment.

Quarantine potentially infected files to prevent re-infections

3. Destroy

Once investigation has completed, admins can take action on the search results. Specific files/snapshots can be released from quarantine and deletion of these files/snapshots can be performed as part of remediation/cleanup.

Druva’s defensible delete feature allows customers to delete particular files from backups and the primary asset (if the file is present). Additionally, Druva provides convenient reports that can be submitted to auditors and cyber insurance, ensuring compliance with the overall security process.

Delete infected files to remove them from backups

Defensible deletion removes infected files from backups

Strengthen Your Security with Druva

Druva is the industry’s first and only at-scale 100% SaaS-based cloud data protection solution. It eliminates complex infrastructure and delivers data resilience via a single platform to simplify management, backup, and recovery across workloads. Customers get access to Threat Hunting capabilities included with their security coverage and strengthen their incident response by:

Searching for threats across an extended timeline of backups and the entire end-user data — endpoint devices and apps like Microsoft 365 and Google Workspace
Locating and quarantining threats to prevent restore of compromised data and eliminate reinfection risks from backups
Destroying threats from backups and primary environments with defensible deletion

As a result, customers receive the following key benefits:

Complement tools across the security stack, including incident investigation
Reduce incident response time by offering built-in containment and remediation tools
Eliminate reinfection risks with containment and remediation capabilities
Consolidate searching for threats based on at-rest file metadata across extended timelines and the full enterprise

Next Steps

See how Druva’s security features bolster your defense against ransomware and today’s data threats. Try our 100% SaaS data protection for yourself free for 30 days — no credit card info required!

Threat Hunting: Search, Contain, and Destroy Cyberthreats with Druva

Incident Response and Cyber Recovery

“Peacetime Activities” — Hunting for Undetected Threats

“Wartime Activities” — Following an Incident, Determining Scope, Impact, and Timeline

Gaps in the Process

Filling the Gaps in Response — Threat Hunting with Druva

1. Search

2. Contain

3. Destroy

Strengthen Your Security with Druva

Next Steps

Druva Blog: Cloud Technology & Data Protection Articles

Druva Data Security Cloud

The Druva Platform

Data Protection

Cyber Response & Recovery

eDiscovery & Compliance

Use Cases

Key Technologies

Customers

Resources

Partners

Company