
Restore VMware virtual machines using Cyber Recovery (Recovery Insights)

Provides information about how to identify the safe data for restore using the Recovery Insights feature.


Overview

The Recovery Insights feature gives an overview of the Cyber Resiliency capabilities available for VMware virtual machines (VMs), using the data the Druva console already holds about each recovery point. Understanding these capabilities helps you maintain a strong security posture, detect anomalies early, and recover quickly and safely from cyber threats such as ransomware.


❗Important:

You must have a Security Posture & Observability, Accelerated Ransomware Recovery, or Premium license to view and access the Recovery Insights feature.

To view the Recovery Insights details for the Threat Hunting feature, the Premium license is mandatory.


Access Path

To access the Recovery Insights feature, navigate to the Cyber Recovery tab using the following procedure:

  1. From the Druva Cloud Platform Console, go to the Global Navigation menu -> Enterprise Workloads

  2. From the top menu bar, select your organization if organizations are enabled.

  3. Click Protect > VMware.
    The vCenter/ESXi host page lists all the registered vCenter/hypervisors.

  4. You can either select the registered vCenter/ESXi host from the card view or list view, or select it from the vCenter/ESXi host list in the left navigation pane.

  5. In the left navigation pane, click Configured VMs and select the virtual machine you want to restore. Click the Backups tab, and then click the Cyber Recovery tab.

Cyber Recovery tab

The Cyber Recovery tab provides a comprehensive view of your configured VMware VM backups that helps you quickly ascertain:

  • Total Recovery Points: The total number of available recovery points for restoration.

  • Data Change: The amount of data that changed in the virtual machine between two consecutive backups, as reported by Changed Block Tracking (CBT).

    To view Data Change values, install VMware backup proxy version 7.0.8::r668999 or later. With an older proxy, the column displays a dash (-) instead of the actual value.

  • File Changes: Details of file changes (created, deleted, modified, and encrypted files) within each recovery point, which can be an early indicator of anomalous activity. For more information, see Data Anomalies.

  • Scan Status: The malware scan result for each recovery point. The status can be one of the following:

    • Not Scanned: The recovery point has not been scanned for malicious data, so its safety is unknown.

    • No Matches Found: The scan found no malicious files, and the recovery point is deemed safe for restore.

    • Matches Found: The scan found malicious files. Click the status to open the Scan Status pop-up, which lists the matched files; from there you can download the scan report for further investigation and take appropriate action.

Druva offers specialized recovery options designed for cyber incident scenarios:

  • Cyber Restore: Restores VMs with an emphasis on security. It is distinct from standard operational recovery and is typically used when a compromise is suspected. With an Accelerated Ransomware Recovery license, every Cyber Restore option shows the Recovery Insights (Recovery Point size, Data Change, File Changes, and Scan Status) for each recovery point, so that you restore only from recovery points that are known to be safe. There are two ways of performing a Cyber Restore:

    1. VM Restore: Restores data from the virtual machine in one of two forms:

      • Data Restore: Restores specific VMDKs, files, and folders.

      • Full VM Restore: Restores the entire virtual machine.

    2. Sandbox Recovery: Restores a specific recovery point and then runs an antivirus scan on it in a sandbox environment, so that a suspect recovery point can be analyzed without touching production.

  • Download Data Anomalies Log: Download and view the logs for Data Anomalies for each recovery point.

  • Filters: Narrow the Cyber Recovery list to the recovery points that match the following criteria:

    • Date Range: Specify the start and end date

    • Recovery Point Type: View the list according to the recovery point type - Hot, Cold, Warm, Transient, and Transient Cold.

    • Quarantine state of the recovery point

    • Recovery Points with or without Data Anomalies

    • Recovery points according to the scan status
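The columns and filters above are what an operator reads off the Cyber Recovery tab to decide which recovery point is safe to restore. The following added example (illustrative code, not Druva's own implementation or API) models that decision: it represents each recovery point with the fields the tab shows, buckets them the way the Trends tab counts them, and picks the newest restore candidate, optionally only from before the earliest impacted point. The class, function names, status strings, and sample recovery points are all constructed for this example.

```python
"""Select a safe-to-restore recovery point from Recovery Insights fields.

Added illustrative example; not Druva code. The field names, status strings
and the SAMPLE list below are constructed to mirror the Cyber Recovery tab
columns (Scan Status, quarantine state, data anomaly, File Changes).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scan Status values as displayed on the Cyber Recovery tab.
NOT_SCANNED = "Not Scanned"
NO_MATCHES = "No Matches Found"
MATCHES = "Matches Found"


@dataclass(frozen=True)
class RecoveryPoint:
    created: str                       # ISO date, sorts lexicographically
    scan_status: str
    quarantined: bool = False
    data_anomaly: bool = False
    # created/deleted/modified/encrypted counts; None models the blank
    # File Changes column for the first backup or a backup with no changes.
    file_changes: Optional[Dict[str, int]] = None


def is_impacted(rp: RecoveryPoint) -> bool:
    """Matches Found, a data anomaly, or quarantine all mark a point as impacted."""
    return rp.scan_status == MATCHES or rp.data_anomaly or rp.quarantined


def is_safe(rp: RecoveryPoint) -> bool:
    """Only a scanned, clean, non-quarantined, non-anomalous point is safe.
    Not Scanned is deliberately NOT safe: its status is unknown."""
    return rp.scan_status == NO_MATCHES and not is_impacted(rp)


def latest_safe(points: List[RecoveryPoint],
                before_first_impact: bool = False) -> Optional[RecoveryPoint]:
    """Newest safe point. With before_first_impact=True only points older than
    the earliest impacted point qualify (conservative choice: assumes the
    attacker may already have been present when later 'clean' points were taken).
    Returns None when nothing qualifies."""
    ordered = sorted(points, key=lambda p: p.created)
    cutoff = None
    if before_first_impact:
        impacted = [p.created for p in ordered if is_impacted(p)]
        cutoff = impacted[0] if impacted else None
    for rp in reversed(ordered):
        if cutoff is not None and rp.created >= cutoff:
            continue
        if is_safe(rp):
            return rp
    return None


def triage(points: List[RecoveryPoint]) -> Dict[str, List[str]]:
    """Bucket points as the Trends tab counts them. Quarantine wins over
    impacted, impacted over unscanned, so each point lands in exactly one bucket."""
    buckets: Dict[str, List[str]] = {"quarantined": [], "impacted": [],
                                     "unscanned": [], "clean": []}
    for rp in sorted(points, key=lambda p: p.created):
        if rp.quarantined:
            buckets["quarantined"].append(rp.created)
        elif rp.scan_status == MATCHES or rp.data_anomaly:
            buckets["impacted"].append(rp.created)
        elif rp.scan_status == NOT_SCANNED:
            buckets["unscanned"].append(rp.created)
        else:
            buckets["clean"].append(rp.created)
    return buckets


# Constructed sample: six daily recovery points around a ransomware event.
SAMPLE = [
    RecoveryPoint("2024-05-01", NO_MATCHES, file_changes=None),      # first backup
    RecoveryPoint("2024-05-02", NO_MATCHES,
                  file_changes={"created": 40, "deleted": 5, "modified": 300, "encrypted": 0}),
    RecoveryPoint("2024-05-03", NO_MATCHES, data_anomaly=True,       # encryption spike
                  file_changes={"created": 20, "deleted": 2, "modified": 5000, "encrypted": 4800}),
    RecoveryPoint("2024-05-04", MATCHES, quarantined=True,           # IOC hit, isolated
                  file_changes={"created": 3, "deleted": 1200, "modified": 10, "encrypted": 0}),
    RecoveryPoint("2024-05-05", NOT_SCANNED),                        # scanning gap
    RecoveryPoint("2024-05-06", NO_MATCHES,                          # post-cleanup
                  file_changes={"created": 10, "deleted": 0, "modified": 120, "encrypted": 0}),
]

if __name__ == "__main__":
    print("newest safe:", latest_safe(SAMPLE).created)
    print("last good before impact:", latest_safe(SAMPLE, before_first_impact=True).created)
    print("triage:", triage(SAMPLE))
```

On the sample, the newest safe point is 2024-05-06, the last known-good point before any sign of compromise is 2024-05-02, and 2024-05-05 surfaces as an unscanned gap that should be scanned (or filtered out with the scan-status filter) rather than restored.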

Trends tab

The Trends tab provides security insights over the last 30 days:

  • Recovery Points Data Trend (Last 30 days): This graph visualizes the data size of your recovery points over time. It highlights key metrics:

    • Unscanned Recovery Points: Indicates backups that have not yet undergone a security scan.

      Action: Ensure regular and comprehensive scanning is configured for all critical backups.

    • Impacted Recovery Points: Represents recovery points where suspicious activity (e.g., malware, ransomware indicators, or data anomalies) has been detected. These are critical for immediate investigation.

    • Recovery Points with no file matches: Indicates recovery points that do not have malicious files and can be deemed safe for restore.

    • Quarantined Recovery Points: Shows backups that have been isolated due to detected threats. These are crucial for preventing re-infection during recovery.

    • Data Anomalies: Alerts to unusual patterns in data behavior (e.g., sudden spikes in encrypted files, mass deletions, or unusual file creation rates). These are often the first signs of a cyberattack.


      💡 Tip: Click a vertical bar to navigate to the VMware Restore page.


  • File Activity and Data Anomaly (Last 30 days): This graph provides a granular view of file activity trends, specifically highlighting:

    • Number of Files: Tracks the number of created, deleted, encrypted, and modified files over the last 30 days.

    • Anomaly Detection: Critical warning icons directly flag periods of detected data anomalies. These spikes or unusual patterns warrant immediate investigation as they can indicate ransomware activity, data exfiltration, or other malicious actions.
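The page does not describe how Druva's anomaly detection decides when a spike is anomalous. The following added example (illustrative heuristic, not Druva's algorithm) shows one way an analyst can reproduce the same kind of flag from the daily created/deleted/modified/encrypted counts the File Activity graph plots: each day's counters are compared against the median of the preceding days, with a floor so that a counter whose baseline is zero (typically encrypted files) still fires on its first non-zero spike. The window, factor, floor, and daily counts are all constructed assumptions.

```python
"""Flag file-activity spikes against a rolling median baseline.

Added illustrative heuristic; not Druva's anomaly-detection algorithm.
SAMPLE_DAYS, the window size, the spike factor and the floor are constructed.
"""
from statistics import median
from typing import List, Tuple

COUNTERS = ("created", "deleted", "modified", "encrypted")

# (day, created, deleted, modified, encrypted) daily file-change counts,
# constructed to show a quiet baseline, an encryption run, then a mass deletion.
SAMPLE_DAYS: List[Tuple[str, int, int, int, int]] = [
    ("2024-05-01", 120, 15, 800, 0),
    ("2024-05-02", 95, 20, 760, 0),
    ("2024-05-03", 130, 12, 820, 0),
    ("2024-05-04", 110, 18, 790, 0),
    ("2024-05-05", 100, 25, 805, 0),
    ("2024-05-06", 115, 14, 770, 0),
    ("2024-05-07", 125, 22, 810, 0),
    ("2024-05-08", 105, 17, 795, 0),
    ("2024-05-09", 140, 30, 6200, 4100),   # ransomware encryption run
    ("2024-05-10", 98, 9800, 300, 0),      # mass deletion
]


def spikes(rows, window: int = 7, factor: float = 5.0, floor: int = 50,
           min_history: int = 3):
    """Return (day, counter, value, baseline) for every counter that exceeds
    max(floor, factor * median of the previous `window` days).

    The floor matters for the edge case the page calls out: a baseline of zero
    encrypted files makes factor * median zero, so without a floor a single
    encrypted file would already be a 'spike', and with only the multiplier a
    first-ever encryption run would be measured against nothing at all.
    Days with fewer than `min_history` prior days are skipped (no baseline yet)."""
    flagged = []
    for i, row in enumerate(rows):
        if i < min_history:
            continue
        day, counts = row[0], row[1:]
        history = rows[max(0, i - window):i]
        for j, name in enumerate(COUNTERS):
            baseline = median(r[j + 1] for r in history)
            threshold = max(floor, factor * baseline)
            if counts[j] > threshold:
                flagged.append((day, name, counts[j], baseline))
    return flagged


def anomalous_days(rows, **kwargs) -> List[str]:
    """Distinct days carrying at least one flagged counter, in order."""
    seen: List[str] = []
    for day, _name, _value, _baseline in spikes(rows, **kwargs):
        if day not in seen:
            seen.append(day)
    return seen


if __name__ == "__main__":
    for day, name, value, baseline in spikes(SAMPLE_DAYS):
        print(f"{day}: {name}={value} (baseline {baseline})")
```

On the constructed counts, 2024-05-09 is flagged for both modified (6200 against a median of 795) and encrypted (4100 against a baseline of zero), and 2024-05-10 for deleted (9800 against 18). Those are the days whose recovery points would deserve the Sandbox Recovery and scan-report review described below, rather than being restored on the strength of a "Not Scanned" status.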

Actionable Insights for Security Administrators

Based on the console's insights, security administrators should take the following actions:

  • Configure and verify Scan Status: Ensure that all critical VM backups are regularly scanned for malware and ransomware. A Not Scanned status on the Cyber Recovery tab is a significant security gap, because the recovery point's safety is unknown. Implement and monitor your scanning policies. For more information, see Threat Hunting and Restore Scan.

  • Investigate impacted and anomalous recovery points: Promptly investigate any Impacted Recovery Points or Data Anomalies flagged in the trends.

    Utilize the Sandbox Recovery feature to safely analyze these suspicious backups.

  • Leverage Threat Intelligence: Integrate and utilize Druva's curated Threat Intelligence (IOC Sets) and your custom IOC Sets to enhance detection capabilities during scans.

  • Utilize Quarantine Bay: Understand and leverage the Quarantine Bay feature to isolate infected snapshots, preventing their accidental restoration and potential re-infection of your environment.

  • Develop Cyber Recovery Playbooks: Incorporate Druva's Cyber Recovery features (Cyber Restore, Sandbox Recovery) into your organization's incident response and disaster recovery playbooks.

Things to consider

The File Changes and Data Anomalies columns are blank for the very first backup and for any recovery point in which no file changes occurred. This is intended behavior (zero counts are not displayed) and not an error. A File Changes count appears only when there are detectable modifications to the VM data.
