Ransomware is a growing threat, but with the right strategy, MSPs and system integrators can turn it into an opportunity. Help clients fortify their Microsoft 365 application stack (SharePoint, OneDrive, Teams, and Exchange) with advanced solutions that complement—and exceed—built-in capabilities.
Brian Moody:
So, today we're talking, the topic is ransomware and really what impact ransomware can have on your Microsoft environment. And you know, from our perspective, some strategies that are important around addressing ransomware but really the security associated with how do we protect that environment.
Shahin Pirooz:
Yeah, I think there's a couple of things where I think the market really gets confused about what ransomware is and how it impacts more specifically. The focus that the manufacturing space and security has had has been: let's build more tools, more technology to protect X, protect Y. And it becomes an arms race of which tool is the best tool to do whatever. The challenge is, there's much more to it, and there are a couple of contextual things that have been shifting, and I'm using that word purposefully, in the industry.
For example, in software lifecycle development, we have this notion of "shift left." Back when I was writing code as a kid, security was something you thought about after you wrote your code. You would bring in the security team to evaluate what you wrote, look at the code, and make sure there was no SQL injection or other problems. Now we have this concept—we shifted to a "shift left" methodology—which means taking security and moving it earlier in the timeline from a development perspective.
More and more companies got to a point where, similarly, with infrastructure, security ended up being an afterthought. It was like, "We’ve got this network, we’ve got our infrastructure, we know people can't get in our network because we have firewalls." But that’s not the case anymore. Hackers have figured out how to get past firewalls and trick users into giving up their credentials.
So it’s that same shift-left approach that I’ve been advocating for infrastructure and IT as a whole—what I call a compliance-led security approach. And what do I mean by that? Compliance-led could mean a lot of things. Some may ask, "What if I’m not regulated?" But it’s not just about what is governing you; there is always something governing you. It might be self-imposed, an industry regulation, or a government regulation, but every one of us has some sort of self-imposed set of controls.
Think about it this way: litigators say you need to do certain things to be a productive member of society. Then the sheriffs make sure you're doing those things, and if you don’t, they take corrective actions. Security is not very different from that. We create what governs how we work, how we protect customer data, how we protect our own data, and then we build control sets that we have to comply with—that’s security controls.
A lot of times, security was about getting the tools and figuring out which controls they close. My belief is that we need to focus the energy in reverse and ask, "What do we need to comply with?" and then identify the best way to implement that control—whether through technology, processes, human resources, or something else.
Fast forward to today’s topic: if everybody is focusing on tools—tool, tool, tool—to solve this problem, Microsoft creates a gazillion tools. If we’re talking about Office 365, aren’t we protected on their platform?
I think the other aspect, too, is if you've been watching our Sound Bytes, you've been hearing us talk for years about tools and the technology debt associated with these tools. But the reality is, tools are designed to keep people out. Yet, as we just chuckled at the firewall comment, hackers are getting in.
The real question now is: how quickly can we respond when they do get in? Especially in a Microsoft and Office 365 environment, we’re seeing ransomware, deletion, and encryption happening regularly.
So what you’re saying is, maybe what Microsoft embeds in their platforms isn’t enough?
Brian Moody:
There’s no question—it’s not enough.
Shahin Pirooz:
And then what we buy after the fact to further protect it isn’t enough either.
This is the continuous thought process we want you to consider: thinking about solving a problem with "I just have to do this one thing today" only addresses the issue for a short period. What sets the WhiteDog approach apart is that we don’t think about solutions as point-in-time fixes. Instead, we analyze the state of the attack surface, its protection, and recovery mechanisms, and how they evolve over time.
Now, let’s talk about the Microsoft ecosystem. One of the key components of Microsoft’s evolution is Copilot. More and more companies are enabling Copilot for their users, granting it access to their Office 365 tenancy to accelerate productivity. But what happens when Copilot has access to your core business information, intellectual property, and sensitive data?
That’s the crux of this conversation. We have spent too much time trying to keep the bad guys out. They’re not going to stay out. No matter what we do, they’re going to get in—because all it takes is one user clicking one email leading to a bad site.
Our approach is to minimize their dwell time from six months to six minutes. But even then, that doesn’t stop them from getting in. And now, hackers are leveraging generative AI to automate their attacks the moment they infiltrate a system.
And this is, I would say the distinctive difference in the WhiteDog approach is we don't think about things as a point in time answer. We try to think about here is where the state of the attack surface and the protection of that attack surface and the recovery after an incident looks like what the state of that is today.
More and more companies are going to turn on Copilot for their users. And now we are giving Copilot access to our Office 365 tenancy in order to be able to accelerate our users productivity. Like how do we take any average intern and turn them into a copywriter? We give them Copilot and we give them access to all of our collateral. We let them create service descriptions and specifications because it's so much easier. They don't have to be an expert. And then all you need is your architects and senior product people to evaluate the output and make tweaks instead of having to create content from the ground up.
Brian Moody:
Well, now we're giving access to all of our information. All of our core information, our crown jewels, our IP, our PII, our corporate information that all now from the infrastructure that it's in or that we're trying to protect. Now Copilot has access to that.
Shahin Pirooz:
So what do we do? I mean that's really the crux of this conversation. The issue is, we have spent too much time, as Brian said earlier, trying to figure out how to keep the bad guys out. They're not going to stay out. No matter how good we are, no matter what we do, they're gonna get in because all it takes is one user to click on one email that gets them to one bad site that didn't have tools on the machine and isn't protected, and now they have credentials. They're on the system, they're in your network, and they begin figuring out how to crawl around.
So our answer to that is let's take their dwell time down from six months on average to six minutes. But that's still not going to keep them out because they're in. Dwell time happened. They got in even for six minutes, but they got in.
And what bad actors are now starting to do is take advantage of these negative generative AI solutions to build attacks that initiate the minute they land in an automated way. As opposed to let me go figure out the crown jewels and all the things and where it is and what it all is. Now they're starting to target the repositories where our generative AIs that we're using internally are getting their content. So now it all starts to circle together.
So, backing up for a second, we recently spoke to an editor about what's coming, and one of the things that we're excited about here is our data risk management offering that we're putting out, coming out in the first quarter. And contextually data risk management, we used to think about it in the notion of data leak prevention (DLP) and it was the opposite of let's not let them in. It was let's not let the data get out.
And the issue with that approach is now you have to go and figure out which data do we not want to let get out. And we have to create a taxonomy of this is classified data, this is public data, this is internal only. And that taxonomy now has to be applied as metadata to every one of your documents, unstructured assets so that the DLP solution can figure out what to do with it.
So, fast forward, we got smarter. We decided we were going to scan the documents and try to interpret what they are. And we've made some success in the industry and had some good valuable tools that actually were able to say I see content in here that looks like PCI, I see content in here that looks like HIPAA, or whatever the case may be. But the problem still exists that DLP still was a notion of now that I've found PCI, I'm not going to let PCI data be attached to an email. I'm not going to let it be sent out of the organization.
It was all blocks. Like let's prevent it from being shared publicly. So somebody who shouldn't have access doesn't get access. We think that model is broken. We got up and spoke about VPNs are broken and there's a reason why zero trust network access has to replace VPN going forward. And by everywhere, not all ZTNA solutions are equal. Similarly DLP is broken. DLP is fundamentally a solution that was trying to solve a problem. And it's the I see every single nail I see or every single screw I see looks like a nail. So I'm going to use a hammer to solve the problem. And DLP was a hammer.
Brian Moody:
But you know, you talk about technology debt associated with those platforms, as you described. The amount of policy writing policy mitigation, discovery, assignment, the amount of effort on the back end from a technology standpoint that the engineers have to, in supporting an application like that.
We had a huge customer, I'm not going to say their name, but we implemented over three years, we implemented a DLP solution and it was an absolute headache.
Shahin Pirooz:
And year four, we had to go back and refresh all the policies. Year five, we had to go back and refresh. It never ends.
Brian Moody:
Well, it never ended, but it actually never really truly came to full fruition because of the challenges associated with just managing the application alone.
Shahin Pirooz:
It can't. And you know where our community is, managed service providers and system integrators who were preaching to the choir, you guys have all done DLP projects. So why am I bringing this context up?
We are launching our data risk management (DRM) offering which is really focused on, let's classify the data into what kind of regulatory classification it fits into, that is on our workstations, that is on our file servers, that is in our OneDrive, in our SharePoint, in our Teams. And then, once we have it and we understand the risk associated with that data being ransomed, let's be able to push button, encrypt everything. That's the solution because they're going to get the data. How about if they get it, it's invaluable to them. It doesn't have any value. It's encrypted. They can't do anything with it. When they send you the ransomware request, you can say, go ahead and publish the encrypted data. Good luck with that.
That's the contextual shift of mindset. But that's only really, again, talking about protection because if they do a ransomware attack, that ransomware attack has encrypted your environment and you're waiting for the encryption keys or decryption keys to be able to recover it.
So this is the big missing part and there's an entire conference dedicated to Right of Boom, which is really the context of, okay, we built all this technology and capability that is really designed to jump in, take action at the moment of attack execution. So not the six months before when they got into your network, but the minute they pulled the trigger, all of our tools, and when I say our, I mean the industry, not WhiteDog, all the tools in the industry are designed to be reactive to a behavior. And we call them proactive security, but they are reactive to a behavior happening and then they get proactive. So to me, retroactive or post active reactivity is really reactive. So we've got the tools, we've got the capabilities, let's just assume we pick the best technologies in the industry and we deployed them.
Now we need to recover after the attack because the attack's gonna happen. None of these tools can effectively, 100% of the time prevent ransomware. So that right of boom, the ability to do incident response and have your incident response planning, have your tabletop exercises done so that your team knows what to do, when to do it, having your contracts lined up with your cyber insurance to bring in forensics with whoever your incident response (IR) team is to do IR. By the way, if you're a WhiteDog partner, you know who your IR partner is, it's all included. But all of that is so required.
And I had an interesting conversation with a partner that said, I thought you guys were a security company. Why do you have SaaS backup? And I said, because you have to have right of boom, and 90% of the SaaS backup solutions in the market are terrible. They don't do full recovery, they don't do granular or brick level, for those of us who were Exchange people, recovery. And there's a lot of infrastructure to allow them to work.
So we've created an offering that allows our partners to resell it simply that allows you to recover point in time, single files, single emails, single calendar items, at scale, Teams, SharePoint, and OneDrive, which means that it's actually backing up all the data on your workstations as well that are being synced up to OneDrive.
Brian Moody:
So let's talk about the challenge there. For a lot of our MSP partners, they're focused on the Microsoft environment. A lot of the environments of I would say the small media market very Microsoft focused. A lot of our partners that have partnered with WhiteDog are Microsoft experts. They offer those IT services and managing those Microsoft environments. So let's talk about that challenge.
So we kind of hinted that well Microsoft has a lot of tools, right. And our partners are working to try to manage those tools. But we also see that those tools aren't necessarily working. So let's kind of talk about the environment a bit with respect to why we need something different than what Microsoft brings to the table and especially around Office 365 environments.
Shahin Pirooz:
So to be fair, before we dive too far deep into that, we're not saying that Microsoft's technology stack doesn't work cause that's not the message we're trying to portray here. What we're saying is Microsoft has done, as they always do in the IT space, they've developed a solid platform that operates and is the productivity suite and the data suite supporting it behind it. What protections they've put in place are the bare minimum protections in case you don't have anything. They're not intended to be the answer, the end all. They're just if you're a small company and don't want to go invest in the right tools to do data recovery, we can get you back emails from they deleted-
Brian Moody:
From 14 to 30 days ago.
Shahin Pirooz:
Exactly. So don't come back six months from now and say hey, I deleted an email. Can we recover it? The answer would be no with their basic rules. Don't try to recover a single file in SharePoint unless it's in the garbage can, because you can restore the whole database and wipe out any work you did. So the tools work, they're functional and they do exactly what they say they're supposed to do. But the protections in terms of the ability to recover--backup, data protection, and recovery--those things are pretty minimal capabilities built into the platform.
Brian Moody:
And that's kind of the key path that I was going down from a standpoint of the ability to recover, which was one of the key things you said. So we know they're getting in. So how do we protect the data at rest? We talk about WhiteDog's solution from a standpoint of encrypting data, identifying, encrypted in place. But they're going to get in. The Microsoft tools have that minimalist approach, right? But they were designed that way from a standpoint of mail. Mail is 15 to 30 days. Nothing past that. SharePoint and OneDrive are 93 days. Up to that point.
But if you look at the way Microsoft designed the tools, the retention policies are really for legal and compliance reasons. They're not set up for at scale recovery because they're based on versioning. So the threat, I think, is that if someone comes in and takes that data you need to recover, that's fine. But the recovery mechanism within Microsoft really is based upon how the malware impacted the environment. Did they delete, did they encrypt or did they exfiltrate? And then regardless of that methodology, you now have to recover. Well, you only have 93 days to recover on a standard Microsoft--now it works, but up to 93 days around SharePoint, and that's the standard. Again, like if you're using the basics.
Shahin Pirooz:
So it's important to note, when a ransomware event happens, this individual has been in your network for more than a few days. So it's possible they were there more than 90 days ago, for one thing, and they've dropped little seeds where they can go back and reinitiate the attack even if you recover. You also need to have a clear understanding of when the data was impacted so that you can roll back to the right version.
Now the issue with version controls is that version control is a policy that's set by your admin. So your admin might say, you know, we're only going to keep two versions of a document. So now you don't have 93 days. You have literally the ability to recover from the garbage can. And the garbage can policy is also something that can be set. So if your IT admin decides we're going to do a 15 day garbage retention, you only have 15 days.
So these are things, Microsoft has defaults, but we as IT individuals have the ability to override defaults and set them. So, the mistake that a lot of organizations make is they assume, and it started back when cloud became a thing, it's in AWS, it's in Azure, it's security is their problem. And, it's not. That's why the shared accountability matrices came out. It's their responsibility to protect physical security. It's your responsibility to protect application and all the layers below the application down to the physical infrastructure. So everything from virtualization up. All your responsibility as an organization, even if it's running in AWS's cloud environment. So you can't abdicate responsibilities.
Similarly, as we're talking about Microsoft and Office 365 and all of the collaboration tools around it, Microsoft has built a stack that operates and there's a shared accountability table associated with who does what. And data protection is not Microsoft's responsibility, it's yours. And in that accountability table, they give the very basics so that you can recover from a complete failure because they do full restores of the database. That loses an awful lot of work. Granularity and brick level recovery is key sometimes because only a couple of files might have got encrypted. Not every file.
Let me give you a scenario. Let's say that the ransomware attack hit three days ago. It took your cyber insurance team a week to two weeks to jump in and start responding. By the time you get to the point where you're now ready to recover files and you're in SharePoint, the hackers already deleted everything in the garbage can because they had admin credentials. So you can't go to the trash can and recover.
Brian Moody:
They have access to versions.
Shahin Pirooz:
They've deleted the versions, so you can't go back to versions. So now you have to do a recovery, but your business didn't stop. The files that weren't encrypted, people were changing and editing and modifying. So you got two weeks of changes and you're going to roll back now the entire database to two weeks ago and wipe out all the work your company did for two weeks. There's going to be a lot of angry end users at that point. And that lost productivity might translate to financial impact to the company.
Brian Moody:
And now if you had a backup as a Service or a SaaS backup that was now creating actually snapshot, because versioning is not snapshot, it's not point in time. Versioning is not a backup strategy. If you had that in place, then you could have snapshot it.
Shahin Pirooz:
And restored just those files that were impacted. That's part of the key thing. As we pull all of this back together contextually, we've dropped a lot of data on here. Resilience in this day and age is all about the ability to recover at a granular level, no matter what happens.
Brian Moody:
And at scale. That's the key.
Shahin Pirooz:
And no matter what happens. It's like it doesn't matter if it was ransomware, it doesn't matter if it was human error, it doesn't matter if it was system failure or weather or you name it, you have to be able to recover from whatever the incident was at a granular level, so you're not impacting productivity across the organization as a whole.
The second thing is when you look at these things, that concept of data classification is really important in the notion of risk identification. So now that I've classified data and I know how much data I have out there and where that data is and by the way, what it's going to cost me if I get ransomed, now I have a metric to say here is the impact, the risk associated with this data getting stolen. Bring in a lot of factors here. Bring in your email data, your SharePoint data, your OneDrive data, your Teams data, tap Copilot into all of those data assets. Now you've got an ecosystem that relies heavily on what you have built from documentation, unstructured data throughout your environment, and if you very clearly can identify, I can't do business if my team can't use Copilot against these documents. Now the risk level of those documents goes up.
So tying things together in this context, Microsoft calls their data ecosystem the dataverse, and honestly it's brilliant because they have created a mechanism now where all of the data in the Microsoft ecosystem is something you have access to to make business decisions from. But let's back up. You have to shift left. You have to think about protections, you have to think about recovery, you have to think about not just keeping the bad guys out of this environment with layers and layers of security. There's email, DNS, identity, endpoint, network, and then you have policy based stuff. Like in identity, do we have 2FA turned on and enabled and enforced for every single player? Are we using a third party identity provider? All of these factors really add complexity and challenge. And wouldn't it be great if there was an assessment that could quickly tell you here's the risks we see at a high level and here's the things we would address up front.
Brian Moody:
But not just that. With a click of a button, be able to implement a protection schema that protects that information in its place. So this is what I find so exciting as we come into '25. WhiteDog just continues to innovate with respect to our platform. And again, curated, composable platform that's deliverable inside of 30 days for our partners.
These challenges that continue to come up for our partners' customers, because really it's our end users that are addressing these challenges, is that we continue to innovate to deliver solutions that help our partners to actually take the next step and continue to add value in their business and add value to their customers.
So to your point with our XDR, we've got the mail covered, we've got DNS covered, we've got the endpoint covered, we've got user identity covered, we've got network covered. So from that aspect those layers are there, but now shift left. Now we're looking at the content, we're now looking at the value of the data. They're getting in. Your work, our partner's work every single day is because they're getting in. Protect the data where it's at and then if they do get in and we are impacted, how do we recover and how quickly can you recover? WhiteDog continues to innovate to bring that solution to market.
Shahin Pirooz:
Exactly. And part of where I think that most of the industry falls short is they're not doing the proactive side of security. What they're doing, it's preventative because it's reactive because it's doing something the minute something bad happens. But why wait till the bad actor finds the gap? We try to do a lot of proactive things in our stack that help our partners and our end customers, through those partners, make decisions about what things, what risks they're going to address.
There's no difference in this data risk model we're talking about. There's three layers for us that protect Office 365 and the assets if you ignore all the rest of the XDR stuff. We do API based inbox threat detection and response, crawling through the inboxes and finding existing threats that made it past the security gateways, made it past Microsoft or any other third party gateway that is trying to block and tackle inbound bad emails that contain malware, contain URLs, contain links that are phishing attempts. Add account impersonation and the 13 other attacks that can be targeted at an inbox. That's the first layer. So try to protect the largest threat vector, which is email and reduce the noise is the best way to talk about that.
The second layer of protection is the SaaS data protection. And that SaaS data protection is really designed for all, not just Microsoft. There's about 13 different SaaS properties we can protect. But the entire Microsoft ecosystem, including Dynamics, we're able to backup and recover at a granular level, which is a very challenging and difficult thing that most tools do poorly. Take that API based inbox detection response and now also apply it to SharePoint, OneDrive, and Teams and do document scans for malware that's sitting out in those locations.
Then on top of that, now add this data risk management offering that we're bringing in. So even if you do nothing at the endpoint or network or all the others, if you're an all-Microsoft play, as a partner, we're going to enable you to protect the Microsoft ecosystem for your customers without having to go and investigate, evaluate, integrate, and figure out contracts with all of the manufacturers that make these things happen. And we commit to continuously improving that stack.
So very simply put, for partners who are on our platform, our XDR offering will be enhanced to include a data risk assessment at no additional cost to you for existing customers. It will scan their network and scan their cloud environment for Office 365, and give you a risk report of what would happen, a monetary value for what would happen, if their at-risk data was ransomed. And that's coming in the second quarter.
Brian Moody:
So continued exciting stuff from WhiteDog. I think for partners that are out there, if you've got questions around these platforms please reach out to your WhiteDog team. If you're watching this and you're interested, go to whitedogcyber.com. We have a partner page there. We're happy to get requests. We're happy to reach out and talk to you about any one of these platforms or capability. Feel free to reach out to us with any questions around our platform.