Source: securityboulevard.com – Author: Tom Hollingsworth
In March 2024, Veeam, a leader in data protection, made a strategic move that significantly improved its stance on ransomware: the acquisition of Coveware. This wasn’t just another corporate acquisition. It was a deep integration of specialized expertise and cutting-edge technology, transforming Veeam from a backup and recovery solution that was moving into the security space into a proactive and robust participant in the entire cybersecurity incident response lifecycle.
Incident Response Expertise and Negotiation: A Calm Port in the Storm
One of Coveware’s most significant contributions is incident response and negotiation expertise. When ransomware strikes, organizations are often thrown into a chaotic, high-pressure environment. Coveware’s team provides a vital, cool-headed presence, guiding affected companies through the complex landscape of cyber extortion. Their aggregated data on decryption keys used by threat actors significantly aids ransomware incident recovery without the need to pay up for every incident.
While Coveware facilitates negotiations, it’s crucial to understand that both Veeam and Coveware advocate strongly against paying ransoms. Their primary focus is to empower organizations to avoid payments altogether through proactive measures and informed decision-making. Just like email spam or other forms of extortion, paying the ransom just makes you a more appealing target. After all, if you’ve paid up once, you’re more likely to pay again.
However, in the immediate aftermath of an attack, Coveware’s negotiation skills are invaluable for buying the one commodity you need: time. Time to bring systems back online, meticulously scan backups for reinfection, and manage critical communications, effectively keeping the threat actor at bay while recovery efforts gain traction. Every minute you can spend responding to the incident with your teams means you are more likely to get access to your data and bring your business back online. When Coveware by Veeam is doing the negotiating, your incident response teams are focused on what they do best and not bickering over Bitcoin amounts.
Proactive Threat Assessment and Forensic Investigation: Unmasking the Adversary
Coveware’s influence extends far beyond reactive measures. A key piece of their approach is proactive threat assessment. They conduct immersive tabletop exercises with customers, simulating active incidents to provide a realistic understanding of what being impacted truly feels like. That way your teams aren’t surprised should real disaster strike.
https://www.youtube.com/watch?v=nETiBB0dQbw
At the heart of their proactive capabilities lies Recon Scanner, a patent-pending assessment technology now integrated into the Veeam Data Platform. Recon Scanner is a formidable forensic investigation tool. It deploys on impacted systems, meticulously collects logs, and constructs an attack timeline based on observed events and the known behaviors of ransomware groups. This goes beyond the capabilities of typical Endpoint Detection and Response (EDR) or antivirus tools. Recon Scanner excels at detecting a wide array of suspicious activities, including brute force attempts, data exfiltration, and crucial Indicators of Compromise (IoCs) such as permission elevation, new user creation, MFA disabling, firewall rule changes, and shell commands. In a real-world scenario demonstrated at Security Field Day, Recon Scanner’s superiority was on display when it identified a user downloading suspicious files for three weeks, completely bypassing other security tools. The data harvested by Recon Scanner feeds into a sophisticated data pipeline, enabling aggregated learnings from diverse environments to pinpoint potential hot spots and suspicious activity. Critically, Recon Scanner is automated and can be scheduled for regular runs, providing continuous vigilance.
Enhanced Threat Intelligence and Innovation: Learning from the Front Lines
Coveware’s acquisition also imbues Veeam with invaluable threat intelligence. Handling 50-100 ransomware cases monthly, not limited to Veeam customers, provides an unparalleled stream of real-world data. This intelligence, encompassing the techniques, tactics, and procedures (TTPs) of top ransomware groups and the tools they employ for lateral movement, directly informs and enhances Veeam’s product development. For instance, Veeam’s knowledge base is constantly updated with insights gleaned from Coveware’s extensive experience, so you know what Veeam is looking for. This translates to Veeam now actively looking for IoCs like the presence of seemingly innocuous tools such as TeamViewer or FileZilla, which are frequently leveraged by threat actors for exfiltration, even if they aren’t inherently malicious.
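To make the timeline idea from the Recon Scanner section and the dual-use-tool indicator above concrete, here is an added example. It is not Veeam or Coveware code and does not reflect how Recon Scanner works internally. It assumes Windows Security event IDs (4625 failed logon, 4720 user created, 4732 member added to a local group, 4946 firewall rule added, 4688 process created); the sample records and the brute-force threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, event ID, detail.
EVENTS = [
    ("2025-05-01T02:10:05", 4625, "svc_backup"),
    ("2025-05-01T02:10:09", 4625, "svc_backup"),
    ("2025-05-01T02:10:14", 4625, "svc_backup"),
    ("2025-05-01T02:10:20", 4625, "svc_backup"),
    ("2025-05-01T02:10:31", 4625, "svc_backup"),
    ("2025-05-01T02:25:40", 4720, "helpdesk2"),
    ("2025-05-01T02:26:02", 4732, "helpdesk2 -> Administrators"),
    ("2025-05-01T02:40:17", 4946, "Allow inbound 3389"),
    ("2025-05-01T03:05:55", 4688, r"C:\Users\Public\FileZilla.exe"),
    ("2025-05-01T09:00:00", 4625, "alice"),  # one mistyped password, not a burst
    ("2025-05-01T09:30:00", 4688, r"C:\Windows\System32\notepad.exe"),
]

# Events that are worth a timeline entry on their own.
SINGLE = {4720: "new user created",
          4732: "member added to local group",
          4946: "firewall rule added"}
DUAL_USE = ("teamviewer", "filezilla")   # tools the article names
BURST, WINDOW = 5, timedelta(minutes=1)  # assumed brute-force threshold

def build_timeline(events):
    """Return time-ordered (timestamp, label, detail) findings."""
    findings, failures = [], defaultdict(list)
    for ts, eid, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if eid in SINGLE:
            findings.append((ts, SINGLE[eid], detail))
        elif eid == 4688 and any(t in detail.lower() for t in DUAL_USE):
            findings.append((ts, "dual-use tool executed", detail))
        elif eid == 4625:
            # Keep only this account's failures inside the sliding window.
            recent = [t for t in failures[detail] if when - t <= WINDOW] + [when]
            failures[detail] = recent
            if len(recent) == BURST:  # record once, when the threshold is reached
                findings.append((ts, "possible brute force", detail))
    return findings

if __name__ == "__main__":
    for ts, label, detail in build_timeline(EVENTS):
        print(ts, label, detail, sep=" | ")
```

Read in order, the five findings tell a story that no single event does: a burst of failed logons, then a new account, a group change, a firewall change, and a file-transfer tool running from a world-writable directory.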
Seamless Integration with Veeam’s Security Pillars: A Holistic Defense
Coveware seamlessly integrates into Veeam’s overarching security strategy, which rests on three fundamental pillars: innovation, security ecosystem partnerships, and strategic acquisitions like Coveware. Coveware directly amplifies Veeam’s capacity to assist organizations impacted by security events, perfectly aligning with and strengthening the incident response lifecycle.
The Coveware incident response service is now a core component of Veeam’s Cyber Secure program, which notably includes a ransomware recovery warranty. Veeam proudly reports zero claims on this warranty when backups are immutable and customers have their encryption password, a testament to the efficacy of their comprehensive approach.
Bringing It All Together
The acquisition of Coveware has propelled Veeam beyond its traditional role as a simple backup and recovery solution. It has transformed Veeam into an active, intelligent, and deeply integrated participant in the cybersecurity incident response lifecycle, providing specialized negotiation, cutting-edge forensic capabilities, and invaluable proactive threat intelligence. This strategic move empowers Veeam customers not only to recover from attacks but, more importantly, to prevent them in the first place, securing their digital future.
Original Post URL: https://securityboulevard.com/2025/06/beyond-backup-how-coveware-is-revolutionizing-veeams-ransomware-defense/?utm_source=rss&utm_medium=rss&utm_campaign=beyond-backup-how-coveware-is-revolutionizing-veeams-ransomware-defense
Category & Tags: Social – X, Sponsored Content, Coveware, data protection, security, Veeam