
Restore of Azure VM resources using Cyber Recovery (Recovery Intelligence)

Updated this week

Overview

The Recovery Intelligence (Cyber Recovery) feature provides an overview of the Cyber Resiliency capabilities available for Azure Virtual Machine (Azure VM) resources, using insights from the Druva console. Understanding these capabilities is crucial for maintaining a strong security posture and ensuring rapid, secure recovery from cyber threats such as ransomware. For more information, see How to use the Cyber Recovery feature.


❗Important:

  • To view and access the Cyber Recovery feature, you must have either an Accelerated Ransomware Recovery license or a Premium license.

  • To view and access the Cyber Recovery details for the Threat Hunting feature, the Premium license is mandatory.


Access Path

To access this feature for Azure VM resources, navigate to the Cyber Recovery tab using the following procedure:

  1. From the Druva Cloud Platform Console, go to Global Navigation menu > Enterprise Workloads > Azure Workloads, and click Go to Azure. The Azure Subscription page opens. By default, all Azure subscriptions are displayed.

  2. From the Azure Subscription dropdown, select the required subscription. A list of all the protected Azure VMs is displayed.

  3. From the All VMs tab, click the Azure VM Name for which the status is Configured. The resource Summary page appears.

  4. Click the Recovery Points tab, and then click the Cyber Recovery tab.

How to use the Cyber Recovery feature

You can do the following using the Cyber Recovery tab:

  • Cyber Recovery tab dashboard: Get a comprehensive view of your configured Azure VM recovery points.

  • Run Threat Hunt: Manually scan backed-up data for indicators of compromise (IOCs). Once initiated, track progress and results on the Threat Hunting dashboard.

    You must have the Druva Cloud Admin role to access this feature.

    You can auto-quarantine the impacted recovery points from the Cyber Resiliency > Threat Hunting UI. For more information, see Auto-Quarantine Snapshots.

  • Cyber Restore: Select a recovery point and perform a Cyber Restore. This feature allows for the restoration of Azure VM with an emphasis on security. It is distinct from standard operational recovery and is typically used when there is a suspicion of compromise.

  • Filters: View Cyber Recovery details for specific recovery points by filtering on the following criteria:

    • Date Range: the start and end date

    • Recovery Point Type: Warm or Cold

    • Indexed: the indexing state of the recovery point, which determines Threat Hunt scan eligibility for the snapshot

    • Quarantine state of the recovery point

    • Scan status of the recovery point

Understanding the Cyber Recovery dashboard

The Cyber Recovery dashboard provides a comprehensive view of your configured Azure VM backups that helps you quickly ascertain:

  • Recovery Points: The total number of available recovery points for restore.

  • Indexed: Threat Hunt scan eligibility for the snapshot. Specifies whether a backed-up snapshot meets the requirements to be scanned for threats. Threat Hunt scan results are displayed only for indexed recovery points.

  • Size: The size of backed up data for a recovery point.

  • Scan Status: Details of the scan status for each recovery point. The status can be as follows:

    • Not Scanned: The recovery point was not scanned for malicious data.

    • No Matches Found: The scan found no malicious files, and the recovery point is deemed safe to restore. Click the status to view the details; the match count is shown as zero.

    • Matches Found: The recovery point contains malicious files. Click the status to view the file match details, download the scan report for further investigation, and take appropriate action. The Scan Status pop-up shows the date and time of the scan, the feature that ran it (Scan Source), which is either Threat Hunt or Cyber Restore (Restore Scan), and the total number of file matches found in the scan job.

Click Download Report to download the Threat Hunt file-level and/or snapshot-level details, or the Restore Scan job details, as a report for offline investigation and auditing.

Understanding Cyber Restore feature

Druva offers a specialized recovery option designed for cyber incident scenarios: Cyber Restore.

This feature allows for the restoration of Azure VM resources with an emphasis on security. It is distinct from standard operational recovery and is typically used when there's a suspicion of compromise.

Use Cyber Restore in the Azure VM restore workflow to recover a specific recovery point after an antivirus scan. Based on the scan results, you can certify whether the selected recovery point is clean and safe to restore.

Cyber Restore for Azure VM resources:

  1. On the Cyber Recovery tab, select the Azure VM resource and click Cyber Restore.

  2. On the Restore pop-up, select the Full VM or Data Restore option and the required snapshot, and then click Proceed to Restore. The Restore VM <Link to Full VM restore article for Azure VM> pop-up is displayed. Enter the required information on each tab (VM Setup, Advanced Settings, and Tags) and click Next.

  3. On the Restore Scan pop-up, do the following:

    1. In the Restore Scan section, toggle Enable Restore Scan to scan the Azure VM recovery point for malware using predefined file hashes and an antivirus engine. If this option is enabled, a scan job is also created on the Ransomware Recovery > Restore Scan Jobs page and mapped to the restore job that was triggered.

    2. Quick Scan is selected as the scan option.


      📝 Note:

      This option is available only if the Allow Admin to Disable Server Scan checkbox is selected under Restore Scan > Override Scanning.


    3. Select the Allow restore of recovery point even if malicious files are found checkbox if you want the restore to proceed even when the scan finds infected data. This checkbox is selected by default; clear it if the restore must be blocked when matches are found.

  4. Click Proceed to Restore. The time taken to restore the data increases when the scan is enabled.

  5. You can view the progress of the scan job on the Restore Jobs page for Azure VM and on the Restore Scan > Scan Jobs page. Click the Job ID to view details.

Trends tab

This section provides vital security insights over the last 30 days:

  • Recovery Points Data Trend (Last 30 days): This graph visualizes the data size of your recovery points over time. It highlights key metrics:

    • Unscanned Recovery Points: Indicates backups that have not yet undergone a security scan.
      Action: Ensure regular and comprehensive scanning is configured for all critical backups.

    • Impacted Recovery Points: Represents recovery points where suspicious activity (e.g., malware, ransomware indicators, or data anomalies) has been detected. These are critical for immediate investigation.

    • Recovery Points with no file matches: Indicates recovery points that do not have malicious files and can be deemed safe for restore.

    • Quarantined Recovery Points: Shows backups that have been isolated due to detected threats. These are crucial for preventing re-infection during recovery.

    • Data Anomalies: Alerts to unusual patterns in data behavior (e.g., sudden spikes in encrypted files, mass deletions, or unusual file creation rates). These are often the first signs of a cyberattack.



      💡 Tip: Click a vertical bar to navigate to the Azure VM Restore page.


Actionable Insights for Security Administrators

Based on the console's insights, security administrators should take the following actions:

  • Configure and verify Scan Status: Ensure that all critical Azure VM backups are being scanned for malware and ransomware. The Not Scanned status (as seen on the Recovery Points tab) indicates a significant security gap. Implement and monitor your scanning policies. For more information, see Threat Hunting and Restore Scan.

  • Leverage Threat Intelligence: Integrate and utilize Druva's curated Threat Intelligence (IOC Sets) and your custom IOC Sets to enhance detection capabilities during scans.

  • Utilize Quarantine Bay: Understand and leverage the Quarantine Bay feature to isolate infected snapshots, preventing their accidental restoration and potential re-infection of your environment.

  • Develop Cyber Recovery Playbooks: Incorporate Druva's Cyber Recovery features (Cyber Restore) into your organization's incident response and disaster recovery playbooks.
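The restore gate described in the Cyber Restore procedure (quarantined points stay isolated, points with matches are restored only when the admin explicitly allows it) and the triage the insights above call for (find unscanned and impacted points, pick a clean point to restore) can be scripted against the downloaded scan report. The following is an added example, not Druva code: the RecoveryPoint fields, the sample records, and the rule that an unscanned point is blocked are assumptions for illustration and do not reflect the actual report schema or the console's default behaviour.

```python
from dataclasses import dataclass
from datetime import datetime

# Scan status values as shown on the Cyber Recovery dashboard.
NOT_SCANNED = "Not Scanned"
NO_MATCHES = "No Matches Found"
MATCHES = "Matches Found"


@dataclass(frozen=True)
class RecoveryPoint:
    """One Azure VM recovery point.

    The field names are an assumption for this example, not the schema of
    Druva's downloadable scan report.
    """
    rp_id: str
    created: datetime
    indexed: bool        # Threat Hunt scan eligibility
    quarantined: bool    # isolated in Quarantine Bay
    scan_status: str     # one of the three constants above
    matches: int = 0     # file matches reported by the scan


# Constructed sample data, not real report output.
SAMPLE = [
    RecoveryPoint("rp-01", datetime(2024, 5, 1), True, False, NO_MATCHES),
    RecoveryPoint("rp-02", datetime(2024, 5, 2), True, False, NOT_SCANNED),
    RecoveryPoint("rp-03", datetime(2024, 5, 3), True, True, MATCHES, 12),
    RecoveryPoint("rp-04", datetime(2024, 5, 4), True, False, MATCHES, 3),
    RecoveryPoint("rp-05", datetime(2024, 5, 5), False, False, NOT_SCANNED),
]


def scan_gaps(points):
    """Indexed points that were never scanned: the 'Not Scanned' gap.

    Points that are not indexed are not eligible for Threat Hunt, so they
    are reported separately rather than counted as a scanning gap.
    """
    return [p.rp_id for p in points if p.indexed and p.scan_status == NOT_SCANNED]


def impacted(points):
    """Points where the scan reported file matches; investigate these first."""
    return [p.rp_id for p in points if p.scan_status == MATCHES]


def restore_allowed(point, allow_with_matches=False):
    """Decide whether a point may be restored. Returns (allowed, reason).

    Quarantined points are blocked unconditionally. A point with matches is
    blocked unless allow_with_matches is set, which mirrors the console's
    'Allow restore of recovery point even if malicious files are found'
    checkbox. Blocking an unscanned point is this example's own policy
    (an assumption); the console restores an unscanned point when Restore
    Scan is not enabled.
    """
    if point.quarantined:
        return False, "quarantined"
    if point.scan_status == NOT_SCANNED:
        return False, "not scanned: run Threat Hunt or enable Restore Scan"
    if point.scan_status == MATCHES:
        if allow_with_matches:
            return True, f"{point.matches} matches, restore forced by admin"
        return False, f"{point.matches} matches found"
    return True, "no matches found"


def safest_restore_point(points):
    """Newest point that is indexed, scanned clean and not quarantined."""
    clean = [p for p in points if p.indexed and restore_allowed(p)[0]]
    return max(clean, key=lambda p: p.created, default=None)


if __name__ == "__main__":
    print("scan gaps:", scan_gaps(SAMPLE))
    print("impacted:", impacted(SAMPLE))
    for p in SAMPLE:
        print(p.rp_id, restore_allowed(p))
    best = safest_restore_point(SAMPLE)
    print("safest restore point:", best.rp_id if best else None)
```

Run the script as-is to see the triage over the sample records; to use it on a real report, replace SAMPLE with records parsed from the downloaded CSV and keep the gate's default of allow_with_matches=False so that forcing a restore of an impacted point is a deliberate, logged decision rather than the path of least resistance.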

Things to consider for Cyber Recovery

  • Run Threat Hunt: The same administrator cannot run two Threat Hunt jobs on the same resource at the same time from the Cyber Recovery tab.
