November 1, 2023: Ryan Baker, VP of Sales for Rubrik, joins for an in-depth discussion on backup and cyber resiliency. Do traditional backup methods hold up in today's cyber landscape? Are we being proactive or reactive in the fight against cyber threats? Baker provides intriguing information about how cyber resiliency diverges from simple data backup, focusing on Rubrik's approach to securing, protecting and restoring data. With the increasing move towards cloud-based systems and services, how does this change the complexity of data recovery? Explore these thought-provoking topics and more as we dive into the intersection of healthcare and cybersecurity.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Just because it's good now doesn't mean it'll be good in three months or six months. You got to be able to test it on a regular basis. You got to be able to prove it. And the proving it aspect is really coming down to the cyber insurance providers,
All right.
Today we're going to have a solution showcase. We're joined by Ryan Baker, Head of Healthcare for Rubrik. And we're going to have a discussion around backup and cyber resiliency. And Ryan, welcome to the show.
Thank you, Bill. Appreciate you having me.
Ryan, we're going to hit a slide deck here. We don't do this often on the show, but there's so much information to cover.
I want to make sure we hit it all. I sort of set this up as backup and cyber resiliency. What's the main premise of this discussion?
Yeah, Bill, appreciate the question. It's really come down to, if you look at healthcare across North America, across the globe, everybody's got backup.
Everybody's been protecting their data since the beginning of time, right? Since the technology was able. Backup is not really good enough in the world we live in today from a recovery perspective. So we look at backup and cyber resiliency as not one and the same anymore. And when we say cyber resilience, we're looking at the ability to really recover assets and data within 24 hours.
That's really the core differentiation because everybody's got a backup tool, not everybody has cyber resilience. And what that really gets dictated by is time to recovery.
You know, it's interesting. I just had a meeting with a bunch of CISOs and they are now really focused in on this whole idea of time to recovery.
Because with ransomware, the stories are out there, understand it's not if but when. And the focus right now is, okay, how quickly can it get back? And we hear buzzwords float around like air gap. Oh, we've air gapped this. We're in good shape and those kinds of things. But that's not always the case, is it?
It's not. And air gap is probably one of the most overused marketing terms since cloud started getting thrown around, right? In my opinion, air gap means a lot of different things to a lot of different people. Pretty much every manufacturer, OEM, vendor out there can check the air gap box. It does not mean you are able to recover and does not mean you are cyber resilient.
All right, well, let's hit the slide deck. Give me a little background. Just so you guys work with a lot of clients within healthcare. Talk to me about what you are seeing in healthcare.
Yeah, so Rubrik came to market 2016 as a better, faster, cheaper mousetrap in the backup world. We did data protection. When I started here in 2017, that's all we did, right? Our technology and our product has evolved. And we got a little bit lucky, honestly.
The way our file system was written from the ground up. It was written in an immutable fashion, right? So that's another buzzword thrown around right now is immutable. If you have immutable this or immutable that, you are protected against ransomware. Just not true, right? So our file system was written in a way where...
We got a little bit lucky, and we actually align very well to what we're seeing in healthcare, right? First of all, healthcare is the number one industry we're seeing for cybercriminals. It's the number one attack vertical. And I think it's pretty self explanatory. If you've been into a hospital or you've been in your doctor's office, every single one of those devices they hook up to you or they scan, it has a unique IP.
There's more endpoints for these attackers to attack. There's a lot of ways in. The trends really, though, is the value is in that data, the value is in the customer data. There's a lot of governance and there's a lot of compliance requirements that are customer based.
They're held to a very high standard, too, when you start talking about PII. Hit the standards you name it. There's a lot of really tight requirements around that data. So it's super sensitive. Right, and the other thing that I'm seeing a lot, and this is really over the last six to nine months, is the adoption of public cloud.
It's finally here in healthcare. When I started here, Cloud was still a no, for a lot of different reasons. Really, I don't think everyone really knew how to leverage it. There's still a lot of tape environments out there for long term archive of data that was held to certain time parameters.
But the cloud, whether it's Google, Amazon, Azure, all three are really taking strongholds within the healthcare shops we're talking to, and it's primarily for cost savings. Cost savings and flexibility.
And as an attack target, I was talking to David Ting at the health conference, and we were talking about the value of a health record.
And the reality is that the value of a health record is a lot more than the value of a financial record. And the reason is because if your financial information gets compromised, you can change your credit card, you can change your account information, you can do all that stuff. But you're not going to change your mother's maiden name, you're not going to change your blood type, you're not going to change...
The depth and the breadth of information about you in the medical record is so strong. And then the other thing that makes this so complex, we were talking about, is most organizations have hundreds of applications, not over a thousand applications, which means the data is strewn around the entire enterprise.
And so recovery becomes that much harder and protecting that data becomes that much harder. All right, I'll get back to the slide deck here. Where are the attacks coming from and what are we seeing in terms of breaches? How are people breaching? What does it look like when a breach happens?
Yeah, you lived in this world for a long time, Bill, so I'm not going to tell you anything you don't know, but we live in an assumed breach world now, meaning there's historically been lots of layers of defense, lots of tools to keep the bad guys out, so to speak, right? The fact of the matter is they're getting in, and the data source is the primary objective.
Right, they want to, some dwell time in that data, they want to figure out what's important, and they want to exfiltrate. Right, what we were seeing a couple years ago is the backups were the first target. They want to lock up the backups, so then when the primary production copy of all the mission critical Tier 1 data, when customers thought, oh, I can go to backup before hit, the backups were already compromised.
So, right, think about this, so they have your backup, and then they get hold of your data. You're at their mercy, right? That's when ransoms are paid or customers are assuming that after a certain period of time, their business is in a really compromised spot.
Right, so, again, important parts here is we are living in an assumed breach world. All the tools will get a lot of them. A lot of the attacks will be blocked, they will be identified, they will be quarantined, but not all of them. It's just a fact of the world we live in. So, again, living in an assumed breach environment, this slide's perfect. None of the current legacy technologies, the existing data protection world that, again, I sold at a previous employer for a long time, none of them were designed for when an adversary is behind the firewall, when we do work in an assumed breach.
Legacy data protection tools, storage protocols, network protocols, are they open? Nine times out of ten, they are, right? How much legacy Windows operating systems are running in our healthcare shops right now that are either so old they can't even be patched but Windows is the number one attacked OS globally?
And then, is multi factor authentication, is secure one time based passwords, are they deployed? More importantly, are they enforced? Can't tell you how many customers that are actually Rubrik shops now have MFA at their fingertips, still don't have it deployed. Right? So, it's, a lot of this is, you live in this world where you assume the bad guys are in.
Some of it is just user error, right? User compromise, and a lot of stuff that could be prevented.
I remember back in 2012, my internal auditor came to me. And they had just finished breaching our environment. It was part of what we paid them to do was to breach our environment. And they breached it in a pretty creative way.
They actually went through our Citrix servers. They breached Citrix. And Citrix is what we use to make the life of the clinicians easier. So they can come into that environment. They can go into all the different things. Well, once they breached that environment, they just sat on the wire and saw all the things that were going on.
And then they were able to get to our core things. It was an interesting conversation. But one of the things they told me back in 2012, you say the assumed breach, and their comment to me was assume they're on the wire. They are on the wire right now. They are looking at your stuff. They are examining it.
And from that moment on, we started to think about security very differently. In fact, one of the things they talked about was, exfiltration could happen from employees. These are people with credentials, people for whatever reason. It could be hardship or whatever. Somebody's offering them money to exfiltrate data and that kind of stuff.
There's so many different ways that people can get in. But if they are on the wire, there's a lot of strategies to keep them from going horizontally across the network. But at the end of the day, once they get their hooks into this stuff, it's really hard to recover.
We're going to come back to how to recover from it. I also want to talk about cloud a little bit because more and more... I just had a CIO round table and I asked them, how many of you have moved to the cloud? And even without stated "we're moving to the cloud" strategies, a lot of people in this group were at 20, 25, 30 percent because they've gone to SaaS model solutions and whatnot.
And so we're seeing most health care systems by default are at 25 to 30 percent. How does that change the complexity of recovery?
It changes it a lot. I want to go back to your point where along going back to like the average dwell time, the attackers lay dormant, so to speak. It used to be 210 days, a few years ago.
So they'd lay in there, they'd somewhere on your network, 210 days. The average dwell time now is five days from the latest Mandiant report. So think about that. The attackers are getting in. They're figuring it out in five days and they're executing attack and have already started exfiltration within five days, right?
So they understand the tools are getting better, but there's just more frequent attacks, right? So that's one thing we're seeing, that average dwell time inside a customer's environment is shrinking month over month. To answer your question, what cloud does to this dynamic, this is a picture of a legacy environment.
On the left, think of your data center. Think of where the Epic crown jewels usually lie. A lot of tier one applications are still within the four data center walls. So, the traditional ways of backing up and protecting that data, that worked for a period of time, but these data sets are massive now. And to your point, a lot of these Tier 1 applications, or SaaS based applications, they're not within your data center walls anymore.
So the cloud sprawl, or wherever these applications live, and their interdependencies, it becomes very hard to wrap a true protection methodology around all of them. And at scale, this becomes massive. I see the SaaS play a lot, and the SaaS traction a lot, in the radiology department. Think of PACS, think of unstructured data.
That's the most frequent SaaS traction I'm seeing. The other one, and actually it's worked out very well for us, we've actually been able to land in a lot of these big health systems, is around M365. So, with COVID and even before that, you started seeing M365 become a Tier 1 app. That is a full blown Tier 1 application now, and will bring organizations to its knees if it's not operational.
But Microsoft, right, they actually recommend third party protection of those environments. So, we actually got a lot of traction with that, but that's another SaaS application that is in nine out of ten shops right now.
Yeah, you opened this by saying backup is not cyber resiliency. What is cyber resiliency?
How do we measure it?
Yeah, so cyber resiliency now, as we look at it, is... Do you know where you can recover, assume breach, we are under attack. What is our known good copy to recover to? Within that known good copy, within any kind of attack, what's the blast radius, right? What is the sensitive data that we are dealing with?
How much sensitive data was part of that attack? How do we know it? How can we go back and make sure when we recover within that 24 hours, how do we know we're not going to reinfect ourselves, right? So, there's a lot that goes into this. But cyber resiliency is, A, being able to guarantee a clean copy of your data, and more importantly, can you test it, right?
Going back to that other slide up here, if you go back one, Bill, this C suite priority, that's new, right? You're seeing a lot of board members now actually carry the responsibility of the security posture of these institutions, right? This kind of took hold quickly in the financial services space. I'm seeing it more in health care where now sitting board members or C suite actually are part of their core responsibility is to the security posture of the health system.
Now there's someone on the hook. Yeah, two of the CISOs actually showed their board report, and it had time to recovery as one of the metrics that the board was asking about. Like, how long would we be down if we were fully breached?
Again, you got to be able to test that, right?
Just because it's good now doesn't mean it'll be good in three months or six months. You got to be able to test it on a regular basis. You got to be able to prove it. And the proving it aspect is really coming down to the cyber insurance providers, right? Cyber insurance is tough to get right now.
It's super expensive. So, A, you got to be able to guarantee recovery within 24 hours, but then, hey, how do you go prove that to your cyber insurance providers and anyone else who asks? That's really important right now.
All right. So, we talked high level. Let's talk specifically about the Rubrik solution set and how you approach this and what makes you distinct in the industry.
So this is high level. So, this is the use cases we're seeing most frequently in healthcare.
Right, and it's getting wider and wider. Right, I'm not going to read them all, but they're obvious ones, right? Everyone's looking to migrate to cloud or leverage cloud in some nation. How are we going to protect the cloud native stuff that customers are rolling out? How are we going to protect our virtual and physical workloads?
Because it's still very much a hybrid environment in every healthcare shop I have right now. When you scale to the right, you're talking more of the security. How are we going to automate this protection as we scale and as we add new applications and VMs to environments? More importantly, how do we guarantee the recovery of those assets?
And then some of the stuff we just talked about, when you look at cyber resiliency, it's not enough to be able to, hey, I have immutable storage, I can recover. Right? But like, what about detecting the anomalies that are in there? Being as proactive as we can before a full blown attack gets hold.
How do we know and discover where the sensitive data is? And that's important because that sensitive data now is no longer just in the four walls of your data center. It's in Amazon, it's in Azure, it's in your SaaS platforms that you're leveraging. That sensitive data is sprawled everywhere. So how do you get your arms around that with one platform to accurately and be, again, being able to prove that you have corralled all your sensitive data, you know exactly where it is, and you know exactly what was exfiltrated in the event of an attack, right?
And then the proactive hunting for cyber threats is a big one. That's our threat hunting capabilities. That one is constantly evolving as new threats are introduced into the market.
So essentially you're able to identify the threats that exist within the backups as it's being backed up and essentially alert people, and when you do a recovery, take those threats out as you're recovering.
Correct. One of our biggest differentiators is we do this scanning and threat hunting on the first copy. Right? So think about it in a legacy way. You take your production systems, you write to a backup, and then you have to take the backups offline to do any kind of scanning for these threats.
And that first write to Rubrik, as we build our metadata index, we're scanning and classifying that data on the first write. That's huge. So you're getting to anomaly detection quicker than anybody else, and you're able to isolate threats quicker than anybody else. More importantly, alerting the people that stuff is going on.
This slide I added in here, it's a little bit busy, but again, it silos what I'm talking about. If you look at the left, core data protection. Everybody's got this. Think of this as backup. The different world we live in now is in healthcare specifically, unstructured data is one that's coming up more and more.
We got our EMR, right? We cut our teeth in healthcare because we protected and recovered and restored Epic better than anyone, right? We're able to help with honor roll status, right? That's now evolving. If you look at even the new honor roll requirements from Epic, the unstructured data piece is a big part of that as they go to Epic Web Blob, right?
They're wrapping new requirements around that. So the legacy way of using production storage to snap and replicate is being good enough. That's just not true anymore, right? You got to be able to guarantee recovery and wrap the same security around that as you do with Cache and IRIS.
They're handled one and the same now. If you moved more toward the middle, that's what I was talking about, the proactive threat monitoring, right? What are the active threats out there that we're seeing across all the web? What are the ones that are potentially in your environment?
How do we isolate them? How do we quarantine them? Right? And then what are the anomalies as they're happening? So we can proactively dictate, hey, we got to probably look into something here. We're seeing an anomaly. Last night's data was backed up. It took, it was two terabytes last night.
Today is 10 terabytes. Something's going on. That data set changed materially. We got to look into it. Right? And then data security posture. This is getting traction quick. I don't know if you were aware, Bill, we acquired a company called Laminar a few months ago. New technology for us.
Where it's folding in is that we actually just did a demo for a large health system this week, where I got to see it firsthand because it's new tech to me, I'm trying to figure it out too. But the fact, the user access and where the sensitive data lives across their Amazon environment, that was something that was a huge gap for them.
So, being able to give them a true view of, hey, where's the sensitive data live across your AWS environment? More importantly, who's got access to it? And what are they doing to it? What are they doing with it? That was something that was a big gap for this client. That was a big aha moment for them. And candidly, it was a big aha moment for me because...
The tech is new. I see where it's going to fold into our suite, but this is getting a lot of traction too, because again, the cloud's blowing up. Customers using it for a lot of different things. You got to be able to wrap the security blanket around that too, right? And then lastly, it's really around recovery.
No one backs up. No one does anything with their data. Backing up, nobody wants to do that. That's not very sexy. The recovery aspect, within 24 hours, that's what's good about this. That's the only reason people do this, right? So, being able to fence off the bad data, get a good clean copy to restore operations, that's what this is all about.
Yeah, it's pretty amazing. So, you guys have a guarantee, which is unique in the industry. One of your colleagues was at one of our 229 events and she was in the back of the room and she shared the ransom guarantee and people, like, turned in their seats.
They're like, really? That's amazing. So let's talk a little bit about, what are some of the things that make working with Rubrik different.
Yeah, no, I'm glad you brought that up. The guarantee is, candidly, we brought it to market. It was a little bit of a marketing splash, but when it comes down to it, it's self funded.
We're not using an insurance provider to underwrite that. That's self funded because, under the covers, that's all supported by our ransomware recovery team and the underlying technology that is Rubrik Security Cloud. So, data behind that, the reason we're offering it is we've recovered 100 percent of data protected by Rubrik with our customers that have been attacked.
Our ransomware recovery team has now seen 170 events in our Rubrik customer base. And we've recovered 100 percent of their data. So think about that. That's where we're able to lay out that guarantee is because the product works, it delivers as advertised. Again, we're not going to keep the bad guys out.
That's not Rubrik's job. Rubrik's job is to protect the crown jewels, which is the data. And then help our customers get back to an operational state. That's been huge. Alright, the marketing splash alone was great, but when customers dig into it, it's a no brainer for them. If they're going to buy a Rubrik, you want to opt into that protection.
Makes it easy for them. You asked what's different, right? We hit a lot about, where the disparate workloads now live. We have the guaranteed ability to recover. Secondly, think single software platform or system that you have a pane of glass.
More importantly, you have control over that data in SLA protection schemes regardless of where the data lives. Whether it's in M365, whether it's in AWS or Azure, whether it's on prem in your data center walls, it's the same exact software protecting and being managed across the whole shop. Honestly, if I'm talking to a legacy data protection administrator who built their career on TSM or NetWorker, right, or any other legacy, I'm probably a threat to them because of this.
But, right, at the scale in which data is growing, the security threats we're seeing every day, we need to take work off of them because it never does scale, right? You have to be able to go to one place to protect all your workloads wherever they live. Right? And then, we hit on this too. The board level, the C suite, and everyone in between, you've got to be able to prove a testable resiliency.
Right? How are you testing? How can you prove it? That's a big thing for us. That visibility, again, just where the data lives, what's in that data, what sensitive data is impacted, how do we quarantine it? And then, the last point, I put this in here because it's important. We're not creating budget, Bill, we are capturing budget that is being spent on legacy tools.
Again, I lived in that world for 13 years. The company I worked for made a lot of money on renewals, whether they were maintenance or software renewals, keeping things alive. There's a lot of money being tied up in legacy tech where, right, these are self funded projects more times than not.
But it's an opportunity to boost up the cyber posture within every institution.
Yeah, it's interesting with the financial situation that's going on in healthcare. There was a discussion recently with one of our groups, CIOs, and we talked about how there's a lot more scrutiny on the renewals, a lot more scrutiny on the existing applications, and really culling those for savings if we could find it.
I'd love for you to talk about some clients and what they've been able to do.
Yeah, I put St. Luke's in there. They're a great customer. They're a publicly facing reference. Out of respect for the 400 others I have within my region, I will not, I take that very seriously, right? I respect the privacy of our customers and, I love to tell stories, but this one's a public facing.
St. Luke's is a wildly successful story of ours. We got many more, but at the end of the day, right, it's... Massive scale, petabytes of data, millions of patient records. They needed to be protected. They needed to guarantee that they had the ability to recover within 24 hours. And that's across all data sets, right?
It's not just the core EMR anymore. It's not just SAS. lot of these systems have massive NAS workloads, massive radiology departments, massive unstructured data requirements. I mean, I was with a customer up in Maine not long ago, he was telling me one of the doctors brought in this like high performance microscope or some kind of tool and every image that thing created was high definition 4k, like 200 gigs of WAX.
Think about that at scale. This unstructured data doesn't dedupe, it doesn't, right, you've got to be able to store it and back it up because the data is still critical. You still wrap the same compliance and governance requirements around it, so that scale is not going to slow down. So, right, leveraging the cloud, leveraging our tools to wrap the protection around it, regardless of where it goes.
That's where healthcare is going, and that's why I honestly think we're growing as fast as we are. Again, a little bit of marketing, right? The zero trust architecture is how we were built. That's our immutable file system from the ground up, and then all the tools, all the threat hunting that we have now added to our portfolio.
Again, homegrown, right? I want to stress this a little bit is a lot of the vulnerabilities we see now are with third party tools across our competitive base. And human error, right? Our zero trust architecture puts everything in place. And the ransomware response team, we hit that. That's a real differentiator for us.
I didn't realize until customers started providing real time feedback. And then hearing customers that actually went through an event, how helpful and thoughtful and how appreciative they were. That's big for us, and I try to bring it up or at least expose our customers and prospects to it whenever we possibly can.
That's fantastic. From an automation standpoint, we didn't really touch on that. I assume there's a fair amount of automation built into your platform.
Everything we do is API based. I have some of our largest customers now who manage their entire Rubrik environment from ServiceNow. Right, automation is core to what we do, we can plug into really any automation tool out there.
There's a million of them out there deployed across our install base. Every customer is different as well, but that is one of our core sweet spots, yes.
Ryan, if people want to get more information, I assume they hit the website. Is there a specific healthcare website or just the Rubrik website?
You know what, honestly, I probably set myself up for failure, but I hope my LinkedIn inbox gets peppered. I would love the activity. Alright, again, I own the team nationally. We'll make sure we get you to the right people as soon as possible, but come to me directly. Come to the Rubrik, go to the Rubrik website, check out whatever you want.
Please spend a bunch of time in there. But again, I can be found on LinkedIn. My name is Ryan Baker. Reach out to me directly. I will steer you in the right direction. I'd love to personally get involved with whoever wants to speak.
Sounds good. Ryan, I want to thank you for your time. Great discussion and very timely.
It's definitely something that is top of mind for boards, for executive teams, and obviously for health IT leaders.
Thanks, Bill, I appreciate the opportunity again. Thank you very much.